Question
Does using SNI have any benefit whatsoever (whether security, scalability, or otherwise) if the TLS certificate validation is performed exclusively using the certificate fingerprint and without regard to the common name? (Examples of systems where this might plausibly be the case include DANE and Convergence.) Even weird benefits that only affect small niche use cases qualify as benefits.
I'm assuming that 100% of visitors will be using fingerprint validation of certificates, so backward-compatibility with common name validation is not a factor.
My motivation for eliminating SNI is that it leaks metadata to a passive eavesdropper. While this is not necessarily a big deal in most cases, it bothers me enough that if it has no benefit in the system I'm describing, I would remove it.
Explanation / Answer
With SNI the client sends the expected hostname within the ClientHello. This is necessary if you have multiple certificates behind the same IP address. It does not matter whether you validate the certificates the usual way or verify them by fingerprint - the only question is whether you have a single certificate on the IP (no SNI needed) or multiple certificates (SNI needed).
If the server is under your control and your application should only connect to your server, then a single certificate is enough, so no SNI is needed. But if you use a CDN, then you often have multiple certificates behind the same IP, and the relation between the actual server/IP and the hosted certificates might change over time. In this case it is not enough to identify the server as owned by the CDN; you have to make sure that your certificate is located on the server, and you have to tell the server to use the configuration behind the certificate. In this case you need SNI.
And, while the Host header inside an HTTP request also specifies the requested hostname, this is only a property of HTTP (and it is not even required with HTTP/1.0). With protocols like SMTP you don't have such information but SNI is still used with these protocols on the client side (postfix, exim) and also the server side (exim).
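As an added illustration (not part of the question or answer above): the server_name extension travels in the cleartext ClientHello, so a passive observer needs no key material to read it. The constructed Python below builds a minimal ClientHello with or without SNI and parses the hostname back out the way a network monitoring tool would; the record layout and constants follow the TLS handshake format, and the hostnames are made up.

```python
import struct

def build_client_hello(hostname):
    """Constructed minimal ClientHello record; SNI included only if hostname given."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")                            # punycode on the wire
        entry = struct.pack("!BH", 0, len(name)) + name           # NameType host_name(0)
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni               # ExtensionType server_name(0)
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"             # legacy_version TLS 1.2
        + b"\x00" * 32          # random (constructed placeholder, not random)
        + b"\x00"               # session_id: empty
        + b"\x00\x02\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"           # compression_methods: null only
        + extensions            # whole block omitted when no SNI is sent
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name an on-path observer can read from a ClientHello, else None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:  # not a ClientHello record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    pos = 4 + 2 + 32                                              # header, version, random
    pos += 1 + hs[pos]                                            # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]            # cipher_suites
    pos += 1 + hs[pos]                                            # compression_methods
    if pos + 2 > len(hs):
        return None                                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:                                         # server_name
            p = pos + 2                                           # skip ServerNameList length
            while p + 3 <= pos + ext_len:
                name_type, name_len = struct.unpack("!BH", hs[p:p + 3])
                p += 3
                if name_type == 0:
                    return hs[p:p + name_len].decode("idna")
                p += name_len
        pos += ext_len
    return None
```

Running `extract_sni` over captured ClientHello records is exactly what a passive eavesdropper (or a defender's traffic monitor) can do; the hostname is absent only when the extension is not sent at all.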