Hello and welcome to the Tuesday, March 10th,

2006 edition of the Sands and then at Storm Centers.

Stormcast, my name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sandsdot edu graduate certificate program

in cyber security leadership. Today I noticed that last week two RFCs were published that

well have been in the work for a while. And actually I thought they already had been published,

but guess they were not. The first one is 9848. That's bootstrapping

TLS encrypted client hello with DNS service bindings. And the second one is 9849 TLS

encrypted client hello. So what this does is really, it establishes a standard for encrypted TLS client

Hello's. This has been sort of an ongoing issue because it was sort of the one information leak

that still existed in TLS as part of the client Hello. The client typically will send, for example,

the host name of the client it's going to connect to,

which of course does remove part of the anonymity, privacy that you expect from TLS.

So with this extension, it's now possible to encrypt a complete client, hello.

This also does prevent some fingerprinting, basically

figuring out what browser or other client you may be using. There has been prior to this

proposal for encrypted server name indication that basically just encrypts the host name being communicated

during the client hello. But with this proposal now, the entire client hello is being encrypted

or most of it. And that, of course, there's also a bigger problem and really also is not any more

complicated than just encrypting the serename.

So that's why serename indication got kind of deprecated, and we now only have the complete

client hello encryption.

...