Closing the Gap: How ESNI and Encrypted DNS Will Help End Internet Surveillance
Even with HTTPS rising to more than 70% of page loads worldwide, Internet users are still susceptible to having their browsing swept up by mass surveillance through two channels: their DNS requests, and the fact that when they first connect to a server over HTTPS, the domain name they’re visiting is sent in the clear in the Server Name Indication (SNI) field of the TLS handshake. Two protocols will close those channels: DNS over TLS (DoT) or DNS over HTTPS (DoH), and encrypted Server Name Indication (ESNI). This talk will explain what these protocols are and why they’re important. Even more importantly, we’ll explain how these protocols are actually being deployed, and why, depending on your trust model, the centralization of encrypted DNS services that comes with them risks bringing more censorship or less privacy rather than less.
The first half will be an explanation of SNI and DNS leakage of domain name traffic (and why HTTPS isn’t enough), and how this is used for censorship, monitoring, and domain hijacking by nation-state adversaries and ISPs. We’ll talk briefly about how domain fronting worked, too.
Then, I’ll explain ESNI at a deeper technical level, as well as modern DoT and DoH proposals. I’ll also explain where we are today with deployment, and the current outlook.
The final part will be a call-to-action: what can you do to help the adoption and improvement of these protocols, and help us encrypt the entire Internet?
Some beginner technical background will be required (e.g. understanding the purpose of DNS), but hopefully I’ll do a good job of explaining the rest!
Sydney is a Staff Technologist at EFF. She primarily works on EFF’s “encrypting the net” initiative to secure all TCP packets. Her current mission is to finally secure email delivery via STARTTLS Everywhere. She also develops the Let’s Encrypt Certbot client, which secures communications with web users via HTTPS. Otherwise, she cares a lot about decentralizing state and corporate power, censorship resistance, puzzles, painting, and noodles.