3

Encrypted Client Hello hides Server Name Indication (SNI). However, looking at the TLS Handshake (https://tls12.ulfheim.net/). Wouldn't it be possible for a middle-man to inspect the TLS Handshake and sniff ServerHello to see the x509 certificate (before the Handshake completes)? It should contain the subject alt names and expose the server correct?

My Understanding is that with ECH, a middleman will only be able to determine the IP address of the client and server but not what service the client was visting exactly. But if they can see the x509 certificate chain, that doesn't seem to be the case.

TLDR: Can a man in the middle inspect certificates in TLS handshakes to determine what clients were visiting even with ECH?

Hmmm
  • 131
  • 2
  • 4
    (1) in 1.2 and lower yes Eve can see SubjectAltName in the cert, although that name can be (or list can include) wildcard that doesn't disclose the _full_ servername, which SNI does; also shared-hosting or CDN machines often have a cert whose SAN contains hundreds of unrelated names (2) ECH only works in 1.3 and in 1.3 the Certificate message is encrypted, so Eve can't see anything in the cert (always) _or_ SNI (if ECH is used) – dave_thompson_085 May 20 '22 at 00:45
  • @dave_thompson_085 Yup, that's a better version of the answer I was typing up :P – Mike Ounsworth May 20 '22 at 00:50
  • Thanks @dave_thompson_085 now it’s more clear u can submit this as an answer – Hmmm May 20 '22 at 05:44

1 Answers1

0

ECH is only used with TLS v1.3 or above. In TLS v1.3, the certificate chains (both client and server) are protected. The client certificate is therefore not exposed when using ECH.

ysdx
  • 851
  • 6
  • 14