Your IP:
Your Location:
Your Status:
VeePN Blog VeePN Blog
  • Apps
    • All Apps
    • Windows
    • Mac
    • Linux
    • iOS
    • Android
    • Smart TV
    • Fire TV
    • Andriod TV
    • Apple TV
    • Router
    • Xbox
    • PlayStation
    • Chrome
    • Firefox
    • Edge
  • Features
    • All Features
    • VPN Servers
    • Double VPN
    • No Log VPN
    • Kill Switch
    • NetGuard
    • Extra Features
  • What is VPN?
    • How does a VPN work?
    • Access Content
    • Unblock Websites
    • VPN for Gaming
    • Streaming Media
    • Streaming Music
    • VPN for Netflix
    • Internet Privacy
    • Anonymous IP
    • Conceal Identity
    • Prevent Tracking
    • Save Money
    • Online Security
    • VPN Encryption
    • What’s my IP
    • Hide your IP
  • Pricing
  • Help
Get VeePN
Digital identity Safe surfing Mobile security Wireless security Big brother
More categories
Good to know Online threats Entertainment Hackerwatch Cryptocurrency
Digital identity Safe surfing
More
Mobile security Wireless security Big brother Good to know Online threats Entertainment Hackerwatch Cryptocurrency
Digital identity Safe surfing Mobile security Wireless security Big brother Good to know Online threats Entertainment Hackerwatch Cryptocurrency
Search
Blog Big brother

What Privacy-Conscious Users Should Know About Encrypted SNI

VeePN Research Lab
March 9, 2023
Big brother
9 min read
What Privacy-Conscious Users Should Know About Encrypted SNI

Secure your digital life with VeePN

  • Privacy on any Wi-Fi
  • Unlimited bandwidth
  • One account, 10 devices
  • 2 500+ servers in 89 locations
Get VeePN Now
Quick Navigation
1. What is SNI?
2. What is encrypted SNI (ESNI)?
3. How encrypted SNI helps avoid censorship
4. What else do you need to stay private with encrypted SNI?
5. Other ways to enhance your online privacy
6. FAQs

Did you know that your online privacy can be compromised as soon as you request the server to enter a particular website? The thing is that the TLS 1.3 security protocol, which is supposed to protect your data from being tracked, lacks encryption at the very beginning of client-server communication. This is due to the SNI TLS extension that helps access websites with the same IPs, yet lessens users’ security at the same time. 

Luckily, there is a solution to this issue called encrypted SNI (ESNI). It provides an additional encryption layer to keep your data away from hackers, censors, and online snoopers. But how does ESNI work exactly and is it enough to ensure your anonymity? Read on to find out.   

What is SNI?

First of all, let’s cover the basics and explain the SNI meaning. 

Server Name Indication (SNI) is an extension to the transport layer security (TLS) protocol which specifies a hostname in the TLS handshake. Simply put, the core purpose of SNI is to address the problem of accessing websites hosted on the same server and having the same IPs. 

The mismatch between the common name or domain name of a website and an SSL certificate results in a “Your connection is not private” error. 

"Your connection is not private" error

SNI helps avoid this error by enabling multiple IPs at the same TLS certificate. It streamlines the communication between a client’s device and a server hosting multiple websites with different domain names. But how exactly does it work, and what does it have to do with your privacy? Let’s clear things up. 

How does SNI work?

When a user’s device is sending a request to a server, their communication starts with the TLS handshake. This is the process of exchanging certain messages between the two parties involved. At this point, they verify each other, arrange the cryptographic algorithms, and adjust session keys. And here comes the SNI extension. It makes the hostname known at the beginning of the TLS process, called Client Hello, not afterward. As a result, there is no mismatch between your request and the website’s domain name.

HTTPS without SNI
HTTPS with SNI

For example, you want to enter https://www.examplewebsite.com, which is hosted on the same IP address as https://www.anotherwebsite.com, https://www.examplewebsite.io, and some others. Thanks to the SNI extension, the connection will be instantly established, although the website’s name doesn’t match the SSL certificate name. 

However, while SNI solves one of the most significant TLS issues, it causes another one instead. The initial phase of the TLS handshake lacks encryption, so this part of the users’ journeys compromises their privacy. Fortunately, you can overcome this challenge with the encrypted SNI.  

What is encrypted SNI (ESNI)?

Now, when you know what SNI is and how it works, let’s clarify the meaning of encrypted SNI. 

Encrypted server name indication (encrypted SNI or ESNI) is an additional feature of the SNI extension aimed at securing the initial phase of the TLS handshake.  

Without SNI encryption, hackers can use various techniques, such as phishing or man-in-the-middle (MITM) attacks, to trick users, steal sensitive information, or redirect them to malicious websites. And that is the main reason why ESNI was created. It’s set to secure SNI as the most vulnerable stage of the TLS process, preventing online snoopers and third parties from spotting clients’ requests at the Client Hello. 

Let’s look at how secure SNI works in more detail.

How does encrypted SNI work?

The key goal of encrypted SNI is to secure the connection between a client’s device and a server at the very beginning of their communication. The problem is that at the Client Hello stage, the TLS encryption keys aren’t yet approved. 

How does SNI work?

To eliminate this vulnerability, encrypted SNI provides an alternative solution – a public key attached to the DNS record. This approach helps verify and secure the connection before the TLS protocol encrypts a user query. A client uses a public key that encrypts the SNI record, which can then be decrypted only by the relevant server.

How does encrypted SNI work?

To be more precise, here’s how exactly SNI encryption works:

  1. A user’s device sends a request to a DNS server to discover the site’s IP address.  
  2. The DNS server’s response includes the website’s IP address and encrypted public key.
  3. The device sends a Client Hello request to the IP address, while the SNI is encrypted with the help of the private key.
  4. The server delivers the website’s TLS certificate.
  5. While the TLS handshake process occurs, no third parties can monitor the user’s current activity thanks to the encrypted SNI. 

Unfortunately, SNI encryption is currently not supported by most web services and browsers. Some rare exceptions are Mozilla Firefox and Cloudflare. As for the most common uses of ESNI, it doesn’t only protect from nosy snoopers, but is also one of the most widespread approaches to resisting online censorship. 

How encrypted SNI helps avoid censorship

Online freedom is one of the greatest concerns these days. According to the Freedom House, only eighteen countries have free access to the global web. Governments of totalitarian and authoritarian states strive to control the browsing activities to prevent people from viewing international resources and communicating via social networks or messengers. 

In particular, online censors use SNI as the most vulnerable part of the TLS 1.3 encryption to determine users’ online activities and limit their access to certain content. At the Client Hello stage, censors, along with other third parties, can easily detect which server a person is trying to access and block it. 

How censors use SNI to monitor users

And that’s where Encrypted SNI comes to the rescue. It provides more Internet freedom by protecting every single stage of the user’s request to the server and hiding their traffic from Internet service providers (ISPs) and other third parties. However, to be completely reliable, ESNI can be empowered with some additional security measures.    

What else do you need to stay private with encrypted SNI?

Except for ESNI itself, some additional security protocols will help you avoid unwanted monitoring even more effectively. Let’s take a closer look at the most important ones.

DNS over HTTPS (DoH) protocol

Even if you’re using ESNI, meticulous snoopers can still find a way to take a peek at your traffic. So it’s worth getting an extra security layer such as DNS over HTTPS protocol (DoH), which runs DNS queries through an additional HTTPS encryption session. 

DNS over TLS (DoT) protocol

DNS over TLS (DoT) is another powerful network security protocol that encrypts DNS queries and responses through the TLS protocol.  

Domain Name System Security Extensions (DNSSEC) 

This set of specifications strengthens DNS protocols by ensuring cryptographic SNI authentication of responses coming from authoritative DNS servers. With the help of DNSSEC, you can enhance your protection against various cyber threats, such as DNS spoofing and hijacking.  

Other ways to enhance your online privacy

If you’re striving to complete anonymity when surfing the web, there are many alternative ways to make your online activities invisible and well-protected. In addition to encrypted SNI with DoH, DoT, and DNSSEC protocols, you may consider the following Internet privacy tips. 

1. Choose the most private browser

Many aspects of your online anonymity depend on the chosen browser. And guess what? The most popular browsers, such as Google Chrome, Microsoft Edge, and Safari, lack many important security features. At the same time, some less-known options can better protect you from third-party monitoring. To name a few, these are Ungoogled Chromium, Iridium, LibreWolf, Brave, Mozilla Firefox, and The Tor Browser.

2. Use a proxy server

You can also hide your online activities by spoofing your IP address and rerouting your traffic to a proxy server. However, while being quite effective for bypassing certain online limitations, proxy servers cannot fully protect your identity since they do not encrypt your connection. As a result, a proxy won’t keep you away from viruses and other cyber threats. 

3. Protect yourself with a VPN

When it comes to private browsing and online security, a virtual private network (VPN) is probably the most powerful solution. A reliable VPN service can help you stay completely anonymous since your data travels through an encrypted tunnel and cannot be compromised by third parties. In general, VPN tools are focused on the following purposes:

  • Hiding your IP address to make your online presence invisible to third parties
  • Providing privacy and security features to protect your personal data from various cyber threats, including MITM attacks, phishing, and DDoS attacks
  • Ensuring access to the free Internet and fighting against online censorship

Want to stay secure online? Try VeePN! It’s a trustworthy VPN service that protects your data thanks to the most powerful AES-256 encryption protocol. On top of that, VeePN provides the  NetGuard feature to keep you safe from online trackers, intrusive ads, and third-party monitoring. And, if your VPN connection suddenly fails, VeePN will ensure no sensitive data will be lost with the help of the KillSwitch feature.

FAQs

What is SNI?

Server Name Indication (SNI) is a TLS security protocol extension that helps avoid hostname mismatch in the TLS handshake. It streamlines the communication between a client device and a server by revealing the hostname at the initial Client Hello stage. However, this TLS phase lacks encryption and is vulnerable to third-party monitoring.

What is encrypted SNI?

Encrypted SNI (ESNI) is an extra privacy feature securing the Client Hello phase of the TLS handshake. It encrypts SNI extension with the help of a DNS public key. As a result, the communication between a client’s device and a server becomes inaccessible for hackers and online snoopers. For more details, read this article.   

Does TLS 1.3 support SNI?

Although the SNI extension wasn’t originally added to the TLS 1.3 protocol, it has become its essential component. Without TLS SNI, it’s impossible to run multiple SSL certificates on the same IP address. If TLS 1.3 lacks SNI, your connection to a server will likely be interrupted by a “Your connection is not private” error.

Knowledge is power, VeePN is freedom
Get VeePN Now
30-day money-back guarantee
Keep your personal data private.
Protect yourself with VeePN
Get VeePN Now Learn More
Written by VeePN Research Lab VeePN Research Lab is dedicated to provide you latest posts about internet security and privacy.
Related Posts
Am I Being Throttled? How Сan I Stop This Right Now?
Am I Being Throttled? How Сan I Stop This Right Now?
Good to know 8 min read

Am I Being Throttled? How Сan I Stop This Right Now?

Imagine you’re surfing the web, streaming your favorite Netflix show, or playing an online game. Then, all of a sudden, your Internet speed becomes terribly slow. Is there any problem with your router, or maybe your neighbors are piggybacking your connection? Could be, but there is another common reason for poor online speed known as Internet throttling. Keep reading to find out how to check if you’re being throttled by your Internet service provider (ISP) and what you can do to stop them.

VeePN Research Lab
March 31
What Is OpenVPN and Should You Use It?
What Is OpenVPN and Should You Use It?
Good to know 9 min read

What Is OpenVPN and Should You Use It?

You may have bumped into this term when searching for a VPN app for your needs. But if you’re more into virtual private networks, you probably know that OpenVPN is not exactly a VPN service (although it does have a client app). Instead, it’s one of the most powerful and stable VPN protocols. But what does it do, and should you use it? To answer these questions, we must dive a bit deeper into some tech details. Keep reading to learn all you should know about OpenVPN, explained in simple terms.

VeePN Research Lab
March 31
VPN Not Connecting? Here are Simple Steps to Fix It
VPN Not Connecting? Here are Simple Steps to Fix It
Good to know 7 min read

VPN Not Connecting? Here are Simple Steps to Fix It

Your VPN not working can be a pain in the neck. An intimidating one. But fear not — you don’t need to be super tech-savvy to solve it yourself. We’ve got a list of simple fixes you can try. Whether you’re using outdated software, have a weak Internet connection, or are using the wrong login credentials, we’ve got you covered. 

So, let’s get started and get your VPN up and running. 

VeePN Research Lab
March 30
© 2023 VeePN. All Rights Reserved.