#ELI5: Why we should quietly stop #DomainFronting and instead pursue #EncryptedSNI

Alec Muffett
Jul 19, 2018

We use encryption to send messages privately from a web-browser (like Firefox) to a web-server (like Apache) which is running on a computer somewhere in the world; to get this privacy we lock the messages in an “envelope” of encryption, which means that nobody can read the messages unless they have the magic “keys” that are needed to open the envelope.

The problem is: many years ago someone worked out that it’s a lot cheaper to have a bunch of (Apache?) web-servers for different websites on a single computer, and when you have that situation there’s a problem: which of the dozens of web-servers is the one which is meant to receive the encrypted message?

You can’t reasonably give the same envelope to all of them to see if it works for just one of them; that would be wasteful; so somebody came up with the idea of writing the name of the server (providing a Server Name Indication, or SNI) in cleartext on the front of the envelope.

SNI meant that if there were web servers for Alice.COM and Bob.ORG on the same machine, then the envelope could be delivered to the machine’s address (123 West Street, Boston) and handed directly to Alice or Bob by the machine, for them to decrypt.

Some clever people worked out that they could use this system to get a kind of privacy: if Alice actually owns the house at 123 West St, and if Bob is wanted by the police for being a democracy activist, then people who wanted to mail Bob could write “Alice.COM” in cleartext on the outside of the envelope, and they could encrypt the message for Alice, but when the message begins with “Dear Bob, …” then Alice would heave an exasperated sigh and hand the message over to Bob to be read.

Alice would be acting as a “front” for Bob, and hence “Domain Fronting”. The problem with this domain fronting is that it administratively stresses Alice and gets politically messy: the police can claim that Alice is somehow complicit in Bob’s crimes so they might block sending any mail to Alice, plus also it’s less efficient — Alice has to sort through HER mailbox and use HER keys on behalf of Bob.

This is annoying for Alice, not to mention: what happens if and when Bob moves house? Suddenly there’s a big kerfuffle because everyone has had to gear-up specially, with custom code, to perform this domain-fronting trick on the assumption that Bob lives at Alice’s house.

But also: taking a step back, there’s the whole problem of writing names in cleartext on envelopes. Every person in the world who is not in an Alice/Bob kind of situation, but who wants to use HTTPS, ends up still doing the same write-in-cleartext thing to ALL their traffic.

This means that if Victoria wants to write a message to PlannedParenthood she has to write the PlannedParenthood.COM SNI on the front of her envelopes, too; and Victoria’s ISP (who for some reason is generically against abortion) can just trash those messages entirely (“server not available”) or can attack them with some sort of man-in-the-middleware.

Recently some clever people at Mozilla, Apple, Cloudflare, etc, have worked out a way that the envelopes still get addressed in cleartext (123 West Street, Boston) but the SNI (Alice.COM, Bob.ORG, PlannedParenthood.COM) is encrypted.

Encrypted SNI means that ISPs will not be able to editorialise traffic to PlannedParenthood, that Alice no longer has to “front” for Bob and suffer both administrative complexity and moral complicity — messages instead can once again be delivered directly to Bob — and that overall the messages which are passed back and forth, to and from all of the above are a lot less fingerprintable.

However, as you’ll have guessed: the security services of the world have long been profiting from SNI and from other “features” of older forms of HTTPS, and the idea of losing all this bountiful metadata is painful to them — hence they are fighting tooth-and-nail against the new TLS 1.3 which we believe so far is largely unfingerprintable, close to anonymous, and quite unmolested by weaknesses proposed by the intelligence community:

https://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/

…however: they are going around looking for divisions that can be leveraged into “See, even the supposed ‘Good Guys’ want to keep SNI!”

In short: by pursuing the propping-up of Domain Fronting rather than deprecating it and instead pursuing rapid adoption of TLS 1.3 and Encrypted SNI, we risk advancing the arguments of the surveillance community whilst simultaneously retarding the growth of protocols that would provide us all with more secure & end-to-end (not even Alice-fronting-for-…) communication.

For more, see: https://en.m.wikipedia.org/wiki/Server_Name_Indication
