
Support ESNI (Encrypted Server Name Indication)

Open larssb opened this issue 5 years ago • 5 comments

Describe the Feature

It would be great if Pode supported ESNI, for heightened security, privacy and anonymity of end-users of 'x' web-service running on a Pode installation.

Related Issues

None

Additional Context

Docs on ESNI:

  • https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications_(ESNI)
  • https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https
  • Example implementation of ESNI on e.g. Lighttpd

Let me know what you think and thank you.

larssb (Jan 23 '20 15:01)

I like the idea, though from what I can tell it's currently still in the experimental/draft phase? 🤔

It also appears to only be supported over TLS1.3, which I believe is in .NET Core 3 (so PS7 only), but it only works on Linux currently.

This could explain why I can't seem to find anything about implementing it 😂

If you have anything about implementing it we could take a look for a Linux/PS7 only feature - though it might change a lot with it still being drafted.

One worth keeping an eye on though!

Badgerati (Jan 23 '20 18:01)

ESNI is available in the Firefox version that is generally available. ESNI requires DNS-over-HTTPS to work. ESNI of course, also requires that the responding webserver supports it.

See:

  • https://github.com/sftcd/openssl/blob/master/esnistuff/lighttpd.md for info on how the DEfO project implemented ESNI for Lighttpd
  • However, the DoH requirement is rather so-so. See http://www.potaroo.net/ispcol/2019-04/angst.html and http://www.potaroo.net/ispcol/2019-04/moredoh.html ... these two posts have some rather good info and make me a bit worried. But there might be details I don't fully grasp.

Think about it

larssb (Jan 24 '20 15:01)

We are now on PS7. And I saw that you upgraded Pode to use that. Have you thought about this?

larssb (May 05 '20 10:05)

Hey!

It's on my mind, and when I get some time I'll look into it properly.

At the moment a lot of my time is being taken up by a huge migration project at work, and I'm working on parts of Pode as-and-when I can that don't require too much time. The major bulk of the project is due to finish in a week or two, so hopefully I can start getting some time back!

If it's something you may want to investigate and open a PR, I'll happily review it. Or any pointers to areas of the code we can begin editing to start supporting ESNI would be a great help!

Badgerati (May 05 '20 13:05)

I've managed to look into this again a little more, and from what I can see ESNI is still in the drafting phase and a lot of people are waiting for it to become properly standardised.

That being said though, .NET Core does now have Tls13 which I will try. However, the TLS handshaking is all dealt with by .NET, so we may have to wait until .NET supports ESNI as I can't see a way to control the Server_Hello for HttpListener or Sockets - outside of just requesting client certs.

Some people have pointed out using an ESNI reverse proxy using tls-tris - but even this only supports Draft-01 currently.

I'll do a bit more research, but it is looking like something we need to wait for .NET to support.

Badgerati (May 21 '20 15:05)