
Proposal: ESNI record Implies TLS support #131

Open
bemasc opened this Issue Feb 6, 2019 · 3 comments

@bemasc

bemasc commented Feb 6, 2019

Proposal:
The ESNI DNS record specification, wherever it ends up, should have the following requirement:
"If a domain or endpoint publishes an ESNI DNS record, then that domain MUST be accessible over TLS."

This is almost trivial (why would you publish an ESNI record if you don't have TLS support?), but it would be tremendously useful for browsers, as a way to learn that the specified domain supports HTTPS before attempting a connection. If DNS records are fetched over a secure channel, this would enable HSTS-like behavior without an insecure bootstrap or a preload list.

@DavidSchinazi


DavidSchinazi commented Feb 6, 2019

A domain name that has ESNI keys is very likely to support TLS, but you can't assume that it supports HTTPS on port 443 - they could be using TLS for something else.

@bemasc

Author

bemasc commented Feb 6, 2019

That depends on how we define the ESNI record. For example, we could insert a port in the name (like SRV), or include a list of the applicable ports in the record contents. (Or we could just declare that ESNI implicitly blacklists port 80, which I believe is what you are arguing against.)

It's up to us.
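The upgrade rule proposed in the opening post, together with the port objection and the two port-scoping ideas from the replies, as an added toy model (this is not code from the issue thread, from bemasc, or from any ESNI draft). It assumes DNS answers as a dict of owner name to record strings, places the ESNI record at `_esni.<host>` as early ESNI drafts did, and treats both port-scoping schemes (a port label in the owner name, or a `ports=` field in the record) and the `keys=` content as hypothetical placeholders:

```python
"""Added example: should a client upgrade http://host:port to https given the
ESNI records it saw in DNS? Models the rule proposed in the issue plus the
port caveat raised in the replies. All record formats below are constructed
placeholders, not a real ESNI wire format."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class EsniRecord:
    host: str
    ports: Optional[FrozenSet[int]]  # None: TLS implied, but port scope unknown
    keys: str                        # opaque placeholder standing in for ESNIKeys


def parse_esni_records(answers: Dict[str, List[str]]) -> List[EsniRecord]:
    """Collect ESNI records from DNS answers keyed by owner name.

    Two hypothetical port-scoping layouts are recognised, mirroring the
    suggestions in the thread:
      - a port label in the owner name:  _esni._443._tcp.<host>
      - a ports= field inside the record: keys=...;ports=443,8443
    A plain _esni.<host> record without either carries no port information."""
    records: List[EsniRecord] = []
    for name, rdatas in answers.items():
        labels = name.rstrip(".").split(".")
        if labels[0] != "_esni":
            continue  # not an ESNI owner name (A/AAAA/etc. are ignored)
        if (len(labels) > 3 and labels[1].startswith("_")
                and labels[1][1:].isdigit() and labels[2] == "_tcp"):
            host = ".".join(labels[3:])
            name_ports: Optional[FrozenSet[int]] = frozenset({int(labels[1][1:])})
        else:
            host = ".".join(labels[1:])
            name_ports = None
        for rdata in rdatas:
            fields = dict(f.split("=", 1) for f in rdata.split(";") if "=" in f)
            ports = name_ports
            if "ports" in fields:
                ports = frozenset(int(p) for p in fields["ports"].split(","))
            records.append(EsniRecord(host, ports, fields.get("keys", "")))
    return records


def implies_tls(host: str, records: List[EsniRecord]) -> bool:
    """The issue's proposed MUST: any ESNI record for the host implies it
    is reachable over TLS on *some* port."""
    return any(r.host == host for r in records)


def should_upgrade(host: str, port: int, records: List[EsniRecord]) -> bool:
    """HSTS-like upgrade decision for http://host:port.

    Upgrade only when a record is explicitly scoped to that port. A record
    with unknown port scope proves TLS support somewhere but, as the reply
    points out, not HTTPS on this particular port, so it does not upgrade."""
    return any(r.host == host and r.ports is not None and port in r.ports
               for r in records)


# Constructed DNS answers for illustration (not real zone data).
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "_esni.tls-only.example": ["keys=PLACEHOLDER_ESNIKEYS"],            # no port scope
    "_esni.web.example": ["keys=PLACEHOLDER_ESNIKEYS;ports=443,8443"],  # ports in record
    "_esni._443._tcp.srvstyle.example": ["keys=PLACEHOLDER_ESNIKEYS"],  # port in name
    "plain.example": ["192.0.2.10"],                                    # A record only
}


if __name__ == "__main__":
    recs = parse_esni_records(CONSTRUCTED_ANSWERS)
    for host, port in [("tls-only.example", 443), ("web.example", 443),
                       ("web.example", 80), ("srvstyle.example", 443),
                       ("plain.example", 443)]:
        print(f"{host}:{port} tls_implied={implies_tls(host, recs)} "
              f"upgrade={should_upgrade(host, port, recs)}")
```

Run as a script to see the decision for each constructed host; the `tls-only.example` case is the one the objection targets: TLS is implied, but no upgrade to port 443 follows.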

@kazuho

Collaborator

kazuho commented Feb 8, 2019

By default, http and https are different origins. HSTS is an opt-in signal that changes the behavior.

Considering that, I think that the discussion needs to happen in the HTTPbis WG on if the WG should define an extension to ESNI.
