ESNI: A Privacy-Protecting Upgrade to HTTPS
Today, the content-delivery network Cloudflare is announcing an experimental deployment of a new web privacy technology called ESNI. We’re excited to see this development, and we look forward to a future where ESNI makes the web more private for all its users.
Over the past several years, we at EFF have been working to encrypt the web. We and our partners have made huge strides to make web browsing safer and more private through tools like HTTPS Everywhere and the Let’s Encrypt Certificate Authority. But users still face many kinds of online privacy problems even when using HTTPS.
An important example: a 15-year-old technology called Server Name Indication (SNI), which allows a single server to host multiple HTTPS web sites. Unfortunately, SNI itself is unencrypted and transmits the name of the site you’re visiting. That lets ISPs, people with access to tap Internet backbones, or even someone monitoring a wifi network collect a list of the sites you visit. (HTTPS will still prevent them from seeing exactly what you did on those sites.)
We were disappointed last year that regulations limiting collection of data by ISPs in the U.S. were rolled back. This leaves a legal climate in which ISPs might feel empowered to create profiles of their users’ online activity, even though they don’t need those profiles in order to provide Internet access services. SNI is one significant source of information that ISPs could use to feed these profiles. What’s more, the U.S. government continues to argue that the SNI information your browser sends over the Internet, as “metadata,” enjoys minimal legal protections against government spying.
Today, Cloudflare is announcing a major step toward closing this privacy hole and enhancing the privacy protections that HTTPS offers. Cloudflare has proposed a technical standard for encrypted SNI, or “ESNI,” which can hide the identities of the sites you visit—particularly when a large number of sites are hosted on a single set of IP addresses, as is common with CDN hosting.
Working at the Internet Engineering Task Force (IETF), Cloudflare and representatives of other Internet companies, including Fastly and Apple, broke a years-long deadlock in the deployment of privacy enhancements in this area.
Hosting providers and CDNs (like Cloudflare) still know which sites users access when ESNI is in use, because they have to serve the corresponding content to the users. But significantly, ESNI doesn’t give these organizations any information about browsing activity that they would not otherwise possess—they still see parts of your Internet activity in the same way either with or without ESNI. So, the technology strictly decreases what other people know about what you do online. And ESNI can also potentially work over VPNs or Tor, adding another layer of privacy protections.
ESNI is currently in an experimental phase. Only users of test versions of Firefox will be able to use it, and initially only when accessing services hosted by Cloudflare. However, every aspect of the design and implementation of ESNI is being published openly, so when it’s been shown to work properly, we hope to see it supported by other browsers and CDNs, as well as web server software, and eventually used automatically for the majority of web traffic. We may be able to help by providing options in Certbot for web sites to enable ESNI.
We’re thrilled about Cloudflare’s leadership in this area and all the work that they and the IETF community have done to make ESNI a reality. As it gets rolled out, we think ESNI will give a huge boost to the goal of reducing what other people know about what you do online.