[tech] [spec] TLS statistics

nervuri nervuri at disroot.org
Thu Dec 31 11:34:08 GMT 2020


December 30, 2020 11:53 PM, Sean Conner wrote:
  > I currently log client certificates (gasp!).

That's different from what I was referring to. You're not a third party, you're supposed to receive that information. The problem with client certs + TLS 1.2 is that any third party on the network route can also see that information.

When I log into a web forum over https using cookies, my ISP doesn't see what user I log in as. But when I log into a gemini forum using a client cert, my ISP does - and, as you point out, may even see the email address I used. However, that problem goes away with TLS 1.3.

  > Given the current state of Gemini, *even if* the domain name were encrypted, there's still a near 80% chance of knowing which domain is being accessed, just because most servers only serve one domain.

I went from 394 to 258 hosts after eliminating subdomains (like all those *.flounder.online vhosts). So it's about 65%, rather than 80%. A 45% improvement is nothing to scoff at.

But even if in 100% of cases there was a 1-to-1 mapping from domain to IP address, encrypted SNI still raises the bar, as the watchers on the network route need to do more work to find the domain - they don't simply get it when inspecting network traffic. Especially since, with SNI, you can't always find a domain if all you have is its IP address. For example, let's take 107.5.198.24 - tell me what Gemini domain is hosted there without looking at the data I gathered. If you find out, tell us how.
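To make concrete what "they don't simply get it when inspecting network traffic" refers to, here is an added example that is not part of the mailing list thread. It builds a minimal TLS ClientHello carrying a server_name (SNI) extension and then parses the host name back out of the raw record, exactly as a passive observer on the network path could. The hostname and the ClientHello bytes are constructed for the example; the parser only understands the record, handshake and extension framing, not a full TLS implementation. The point it illustrates: without Encrypted ClientHello, the SNI field is plaintext in both TLS 1.2 and TLS 1.3, whereas a client certificate is plaintext only in TLS 1.2 (in 1.3 the Certificate message is sent after the handshake is already encrypted).

```python
"""Extract the server_name (SNI) from a TLS ClientHello record.

The ClientHello is constructed locally so the script runs offline; no
real capture is used. The layout follows RFC 5246 / RFC 8446 and RFC 6066.
"""
import os
import struct

RECORD_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
SNI_EXTENSION_TYPE = 0x0000


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Build a minimal ClientHello record, optionally carrying an SNI extension.

    legacy_version 0x0303 is what both TLS 1.2 and TLS 1.3 clients send in
    the headers; the SNI extension layout is identical in both, which is
    why a plain SNI is readable on the wire regardless of version.
    """
    extensions = b""
    if include_sni:
        host = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(extension)) + extension

    body = (
        struct.pack("!H", 0x0303)              # legacy_version
        + os.urandom(32)                       # client random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # one compression method: null
        + extensions                           # absent entirely when include_sni is False
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_TYPE_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    if len(record) < 5 or record[0] != RECORD_TYPE_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < body_len:
        return None
    try:
        off = 2 + 32                                              # legacy_version + random
        sid_len = body[off]; off += 1 + sid_len                   # session_id
        cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2 + cs_len   # cipher_suites
        cm_len = body[off]; off += 1 + cm_len                     # compression_methods
        if off + 2 > len(body):
            return None                                           # no extensions block at all
        ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[off:off + 4]); off += 4
            data = body[off:off + length]; off += length
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            pos = 2
            while pos + 3 <= 2 + list_len:
                name_type = data[pos]
                name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                pos += 3
                if name_type == 0:                                # host_name entry
                    return data[pos:pos + name_len].decode("ascii")
                pos += name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                               # truncated or garbage input
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.flounder.online")        # constructed hostname
    print("observer sees SNI:", extract_sni(hello))
    print("no extensions    :", extract_sni(build_client_hello("x", include_sni=False)))
```

Running it prints the hostname straight out of the unencrypted first packet of the connection. The same parser returns None for a ClientHello with no extensions, which is what an observer would also see from a connection using Encrypted ClientHello: the outer ClientHello carries only a cover name for the fronting IP, so the observer is left with the IP-to-domain guessing problem the post describes.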

