Encrypted SNI

Encrypted Server Name Indication

3 minute read

Required expertise level : Advanced

Platform : Any

What is Server Name Indication (SNI)?

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) encrypted network protocol.

SNI was originally standardized in 2003. Its wide implementation is a big part of today's Internet infrastructure, mainly because it allows hosting multiple websites with different domain names on the same web server.

Since then, the SNI header has been a main target of Deep Packet Inspection (DPI) operations, which use it to detect traffic to a specific host before blocking it. Read more about SNI and the issues it presents.
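The reason SNI is such a convenient DPI target is that the hostname travels in cleartext inside the very first TLS message, the ClientHello, before any encryption is negotiated. The following added example (not code from the original page) constructs a minimal ClientHello record, then parses it the way a passive inspector would, pulling the server_name extension out of the unencrypted bytes. It also checks for the extension code point 0xffce that the ESNI drafts used for encrypted_server_name; the ESNI payload in the example is a constructed opaque placeholder, not a real encrypted name. Function names, the helper layout and the sample hostname are assumptions of this example.

```python
import os
import struct
from typing import Dict, Optional

SNI_EXT = 0x0000    # server_name extension type (RFC 6066)
ESNI_EXT = 0xFFCE   # encrypted_server_name code point used by the ESNI drafts


def build_client_hello(hostname: Optional[str], esni_blob: Optional[bytes] = None) -> bytes:
    """Build a minimal TLS ClientHello record (constructed test input, not captured traffic)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(server_name_list)) + server_name_list
    if esni_blob is not None:  # placeholder for an encrypted name; contents are opaque here
        extensions += struct.pack("!HH", ESNI_EXT, len(esni_blob)) + esni_blob
    body = (
        b"\x03\x03"                                  # legacy client_version
        + os.urandom(32)                             # client random
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def parse_extensions(record: bytes) -> Dict[int, bytes]:
    """Return {extension_type: data} for a ClientHello record, or {} if it is not one."""
    try:
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return {}
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) < hs_len:
            return {}
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + body[pos]                          # skip session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # skip cipher_suites
        pos += 1 + body[pos]                          # skip compression_methods
        if pos + 2 > len(body):
            return {}                                 # no extensions block at all
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        exts: Dict[int, bytes] = {}
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
        return exts
    except (IndexError, struct.error):
        return {}                                     # truncated or malformed input


def extract_sni(record: bytes) -> Optional[str]:
    """Cleartext hostname a DPI box would read from this ClientHello, or None."""
    data = parse_extensions(record).get(SNI_EXT)
    if not data or len(data) < 2:
        return None
    pos = 2                                           # skip server_name_list length
    while pos + 3 <= len(data):
        name_type = data[pos]
        name_len = struct.unpack_from("!H", data, pos + 1)[0]
        pos += 3
        if name_type == 0:
            return data[pos:pos + name_len].decode("idna")
        pos += name_len
    return None


def uses_esni(record: bytes) -> bool:
    """True if the ClientHello carries the draft encrypted_server_name extension."""
    return ESNI_EXT in parse_extensions(record)


if __name__ == "__main__":
    plain = build_client_hello("example.com")
    print("cleartext SNI:", extract_sni(plain))          # example.com
    hidden = build_client_hello(None, esni_blob=b"\x00" * 16)
    print("cleartext SNI:", extract_sni(hidden), "ESNI present:", uses_esni(hidden))
```

The contrast between the two calls is the whole point of ESNI: with plain SNI the inspector recovers the hostname from a single unencrypted packet, while with ESNI the only thing visible is that an encrypted name extension exists.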

What is Encrypted SNI and how can it help?

How to test Encrypted SNI?

Some projects are trying to test for the best implementation of ESNI, or how to integrate it with major software stacks such as Nginx and OpenSSL.

If you are interested in a deeper technical understanding of ESNI, you can check out these projects.

Server Side

Currently, the only stable and tested server-side implementation of ESNI is Cloudflare.

All you have to do is enable TLS 1.3.

Log in to your Cloudflare account, select your domain name, go to SSL/TLS options, choose Edge Certificates, and make sure TLS 1.3 is enabled.

Client Side

The latest Mozilla Firefox releases ship with TLS 1.3 and ESNI extension support, but it is not enabled by default for now.

To enable ESNI support in Mozilla Firefox:

  • Make sure Firefox is updated to the latest release

  • Enable DNS over HTTPS (DoH) in Preferences > Network Settings > Enable DNS over HTTPS

  • Enable ESNI extension support
    • Open a new tab and type the address about:config
    • Click Accept the Risk and Continue
    • Search for network.security.esni.enabled
    • Click on the value to change it from False to True
  • Restart your browser and test your settings here

Resources and readings

Last modified September 23, 2020: fix mistake in esni, again (14fe824)