Cloudflare Encrypted SNI feature is critical for keeping user browsing data private.

Bobcares responds to all inquiries, large or small, as part of our Server Management service.

Let’s take a closer look at Cloudflare Encrypted SNI.

Cloudflare Encrypted SNI

Encrypted server name indication (ESNI) by Cloudflare is a critical feature for keeping user browsing data private. It prevents snooping third parties from monitoring the TLS handshake process in order to determine which websites users are visiting. ESNI accomplishes this by encrypting the server name indication (SNI) portion of the TLS handshake, as the name implies.

SNI instructs a web server which TLS certificate to display at the start of a client-server connection. SNI is a TLS protocol extension that allows a server to host multiple TLS certificates at the same IP address.

Consider SNI to be the apartment number on a mailing address: multiple apartments are in one building, so each apartment requires a unique number to be distinguished. Similarly, while the IP address identifies the server, a client device must include SNI in its first message to the server to indicate which website (which apartment) it is attempting to access.

How does SNI work?

SNI is a minor but critical component of the first step in the TLS handshake. The “client hello” message is the first message in a TLS handshake. The client requests to see the web server’s TLS certificate as part of this message. The server expects to include the certificate in its response.

The issue is that many web servers host multiple websites, each with its own TLS certificate. If the server displays the incorrect one, the client will be unable to securely connect to the desired website, resulting in a “The connection is not private” error.

SNI solves this issue by indicating which website the client is attempting to access. Surprisingly, no encryption can occur until the TLS handshake is successfully completed using SNI. As a result, because the client hello message is sent at the start of the TLS handshake, regular SNI is not encrypted.

Any attacker watching the connection between the client and the server could deduce which website the client was connecting to by reading the SNI portion of the handshake, even if all subsequent communications are indecipherable to the attacker.

How does encrypted SNI function?

ESNI protects SNI by encrypting the SNI portion of the client hello message (and only this part). Encryption works only when both sides of a communication — in this case, the client and the server — have the key for encrypting and decrypting the information, just as two people can use the same locker only if they both have a key to the locker. The ESNI encryption key must communicate in another way because the client hello message is sent before the client and server have negotiated TLS encryption keys.

The answer is public key cryptography. The web server adds a public key to its DNS record, so that when the client searches for the correct server, it also finds the server’s public key. This is similar to leaving a house key in a lockbox outside one’s home so that a visitor can enter safely. The client can then use the public key to encrypt its SNI record so that it can only be decrypted by that specific server.

Browser compatibility

Cloudflare makes every effort to support as many different user agents (browsers, API clients, and so on) as possible. However, the list of supported browsers varies by SSL product. Cloudflare Universal SSL only works with browsers and API clients that support the TLS protocol’s Server Name Indication (SNI) extension.

[Looking for a solution to another query? We are just a click away.]

Conclusion

To sum up, our Support team delved deeper into Cloudflare Encrypted SNI.