this post was submitted on 05 Oct 2023
299 points (98.1% liked)
Firefox
20428 readers
50 users here now
/c/firefox
A place to discuss the news and latest developments on the open-source browser Firefox.
Rules
1. Adhere to the instance rules
2. Be kind to one another
3. Communicate in a civil manner
Reporting
If you would like to bring an issue to the moderators attention, please use the "Create Report" feature on the offending comment or post and it will be reviewed as time allows.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The problem doesn’t involve DNS, it’s after that step.
SNI is when your browser connects to the server. A server may host multiple sites on the same IP, so your browser says “I would like to open an encrypted session to lemmy.ml”. It does this in the clear. If it was an unencrypted http site it would be in headers, but in https those headers aren’t passed until after the encrypted session is set up, so there has to be some way for the server to know the specific site. Anybody listening to SNI traffic knows the exact site you connected to, even if there are hundreds at that ip.
This adds a public key to the DNS record, so your browser is able to encrypt that initial hello message before the https session is encrypted. Someone listening might see something like “ECH: randomgibberish” but the server can decrypt it.