Encrypted SNI on Google Chrome?

Hi guys, Google Chrome or Safari don’t support ESNI (encrypted sni) yet?

Im using correctly 1.1.1.1 and DNS over HTTPS on my Macbook (via Cloudflared proxy) but I don’t know how to use Encrypted SNI in my laptop or Chrome Browser, that is the last Security Check left on https://www.cloudflare.com/ssl/encrypted-sni/

2 Likes

By switching to Firefox :slight_smile:

Google simply does not support it at this point, so Firefox is your best bet.

3 Likes

eSNI is still an evolving standard, Firefox and Cloudflare just decided to implement a draft before the standard was finalized. Chrome will likely implement it as soon as it’s finalized.

https://crbug.com/908132

You can track the standard at https://datatracker.ietf.org/doc/draft-ietf-tls-esni/

This will stay as the “solution” until chrome implements it.

1 Like

I’d like to add that eSNI is going to be a huge issue in terms of rollout. Chrome is used everywhere from schools to enterprises and they would not be happy if their internet filtering software stopped working overnight. I imagine we’ll see a rollout like DoH where any managed policies set up on the device will prevent the user from enabling eSNI.

I dont think these use cases should serve as reason not to roll it out or to delay it. The very idea of encryption in these contexts is to prevent third parties from eavesdropping. If they want filtering, they should do it openly and install adequate software on the clients.

1 Like

I hope not, the only hurdle is BYOD which can’t really be solved in a secure manner since the router doing SNI filtering looks the same as the ISP/gov doing SNI filtering.

Chrome still doesn’t support ESNI?
How about the betas? Nighlies? Canaries? Roadmap?

Neithet Chrome support it

Filtering (where you control the client policies and trusted root certs) will still be just as possible, but will require the extra step of converting an IP address to it’s corresponding certificate hostname…at least where there is only one. For most cases, enterprise networks will still be able to inspect/filter while “unknown” entities will not.

It’s not as trivial as converting IP address to “certificate hostname” (umm, I guess you meant “Subject” and “Subject Alternative Name”/SAN).

Your server certificate could be issued to multiple domains and wildcard subdomains (from different domain names too!) using SAN.

So same IP and same certificate could host both filtered and not filtered web pages.

For example, until a few years ago Cloudflare issued same certificate to multiple customers with different domain names, so multiple customers shared same certificate and banning a tuple IP/certificate could ban innocent web domain.

1 Like