Popular VPN provider TunnelBear has announced the implementation of encrypted SNI to its Android app. With ESNI, TunnelBear aims to fight censorship regimes that snoop on unencrypted portions of metadata passing through the internet along with encrypted traffic. SNI is one such unencrypted extension used by censors to put restrictions in place.
Thanks to SNI or Server Name Indication, multiple websites hosted on the same server can have their own SSL certificate. Without SNI — an extension added to SSL/TLS protocol in 2003 — each website would need a dedicated server for it to have an HTTPS certificate. The trouble is, SNI data is plaintext and a third party snooping on the traffic would be able to tell which website a user is connecting to and blocking the request to a restricted website.
Encrypting SNI would mean it would not be possible for a third party to read SNI field and in theory, it would make it harder for censors to implement restrictions. TunnelBear ran an experiment on the effectiveness of encrypted SNI and found that for a ‘significant portion of users’ ESNI would offer a more reliable way to access its API. For users having trouble connecting to TunnelBear servers in their country because of censorship, ESNI would be useful.
Although encrypted SNI is one step forward in achieving online privacy without restrictions, it’s still a fairly new extension to TLS 1.3. The Internet Engineering Task Force (IETF) has yet to finalize ESNI specifications and its adoption is not as wide-scale as it should be. Without its adoption on a larger scale, ESNI traffic would be unable to mix with the regular internet traffic. While a censor would not be able to see the requested URL, it can still manage to identify ESNI requests and block the flow of the traffic. China’s Great Firewall is already effectively blocking ESNI traffic by dropping packets from clients to sever.
ESNI adoption is slowly getting momentum, though. Cloudflare has been supporting encrypted SNI since 2018. Firefox also added support for ESNI in its Nighly branch the same year and became the first web browser in doing so. Once it becomes a standard, encrypted SNI could see a wider adoption. Until then, it would be hard to tell how much it will help users in circumvent censorship.