buh@lemmy.world to Firefox@lemmy.ml · 1 year ago
Say (an encrypted) hello to a more private internet. (blog.mozilla.org)
cross-posted to: technology@lemmit.online, news@lemmy.linuxuserspace.show, privacy@lemmy.ca, technology@lemmy.world
pazukaza@lemmy.ml · 1 year ago
Wouldn’t it be better if reverse proxies simply had a “default key” meant to encrypt the SNI after an unencrypted “hello” is received? Including DNS in this seems weird.
p1mrx@sh.itjust.works · 1 year ago
What would stop a MITM attacker from replacing the key? The server can’t sign the key if it doesn’t know which domain the client is trusting.
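The disagreement above, as a toy model added here (it is not code from the thread or from Mozilla): a constructed small DH group and a hashed XOR pad stand in for ECH's HPKE, and the "dns" source assumes the key arrived over a channel the on-path party cannot alter, which is the role the HTTPS DNS record fetched over DoH plays. Only the trust argument is modelled, not the TLS messages.

```python
"""Toy model: where the key used to encrypt the SNI comes from.

Constructed illustration, not real ECH/HPKE. A small DH group and a
SHA-256-derived XOR pad stand in for the real KEM/AEAD.
"""
import hashlib
import secrets

P = 2**127 - 1  # toy modulus: NOT a secure group, illustration only
G = 5

def keygen():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)

def seal(pub, msg):
    """Encrypt msg to pub: ephemeral DH, then XOR with a hashed shared secret."""
    eph_priv, eph_pub = keygen()
    pad = hashlib.sha256(str(pow(pub, eph_priv, P)).encode()).digest()
    return eph_pub, bytes(a ^ b for a, b in zip(msg, pad))

def unseal(priv, eph_pub, ct):
    pad = hashlib.sha256(str(pow(eph_pub, priv, P)).encode()).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def handshake(key_source, on_path_swap):
    """Return (what_the_server_reads, what_the_on_path_party_reads).

    key_source: "inband" -> client uses whatever key arrives after its
                            unencrypted first message ("default key" idea)
                "dns"    -> client uses the key from the trusted DNS answer
    on_path_swap: whether an on-path party replaces the in-band key.
    """
    srv_priv, srv_pub = keygen()
    mitm_priv, mitm_pub = keygen()
    dns_published_key = srv_pub  # stand-in for the HTTPS RR 'ech' parameter
    inband_key = mitm_pub if on_path_swap else srv_pub
    client_key = dns_published_key if key_source == "dns" else inband_key
    eph, ct = seal(client_key, b"secret.example")  # constructed inner SNI
    return unseal(srv_priv, eph, ct), unseal(mitm_priv, eph, ct)

if __name__ == "__main__":
    for src in ("inband", "dns"):
        print(src, handshake(src, on_path_swap=True))
```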