Firstly, I'm sorry for my bad English. I'm still learning it. Here it goes:

When I host a single website per IP address, I can use "pure" SSL (without SNI), and the key exchange occurs before the user even tells me the hostname and path that he wants to retrieve. After the key exchange, all data can be securely exchanged. So, if anybody happens to be sniffing the network, no confidential information is leaked* (see footnote).

On the other hand, if I host multiple websites per IP address, I will probably use SNI, and therefore my website visitor needs to tell me the target hostname before I can provide him with the right certificate. In this case, someone sniffing his network can track all the website domains he is accessing.

Are there any errors in my assumptions? If not, doesn't this represent a privacy concern, assuming the user is also using encrypted DNS?

Footnote: I also realize that a sniffer could do a reverse lookup on the IP address and find out which websites were visited, but the hostname travelling in plaintext through the network cables seems to make keyword based domain blocking easier for censorship authorities.


3 Answers

Your analysis is incorrect. You are more secure with SNI than without.

Without SNI, the IP address uniquely identifies the host. Thus anyone who can determine the IP address can determine the host.

With SNI, the IP address does not uniquely identify the host. Someone would have to actually intercept and view some of the traffic to determine the exact host. This is more difficult than just obtaining the IP address.

So you are (slightly) more secure with SNI than without it.

Anyone who is going to block based on an intrusive analysis of packet data is going to also block based on IP address. They will block the "bad ones" based on IP address with or without SNI.

However, the answer to your question is "yes". SNI does represent a privacy concern. With SNI, someone who can intercept the traffic does get the host name in addition to the IP address.

David Schwartz
  • Thanks for the answer. So SNI would be safer only in the cases the attacker starts sniffing only after the keys were already exchanged, am I correct? – pagliuca Oct 19 '12 at 20:03
  • @pagliuca SSL really isn't designed to hide who you're talking to, it's designed to hide what you're saying to them. You're not going to defeat a web filter by avoiding sending SNI; they keep extensive IP-to-domain databases. Moot point anyway, as a client browser that supports SNI will always send SNI regardless of whether your server needs it. – Shane Madden Oct 19 '12 at 22:57
  • @ShaneMadden Interesting. Knowing that, now I have no reason to not use SNI :), as it's likely that the majority of users already have browsers that expose the remote hostname in every HTTPS request. – pagliuca Oct 20 '12 at 18:35
  • This answer is wrong. It is far easier to passively sniff the SNI (and know for sure what website the visitor requested) than it is to actively go out to an IP address to guess what a user was browsing (which with wildcards might have many websites on it, and IPs change over time as well, while collected SNI data remains perpetually privacy-destroyingly accurate). – cnd Oct 24 '17 at 15:05
  • @cnd You don't have to "actively go out to an IP address" at all. If you can passively sniff SNI, you can passively sniff the IP address. Either it's on your list of sites that you're watching or it's not. And without SNI, an IP address uniquely identifies a site. With SNI, it does not. – David Schwartz Oct 24 '17 at 17:23
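The question and the comment thread above both turn on one protocol fact: the SNI host_name travels in the ClientHello, which is the very first TLS message and is sent before any key exchange, so it is plaintext to anyone on the path. The following script is an added illustration (not code from the original thread or from any of the posters): it constructs a minimal TLS 1.2 ClientHello with and without an SNI extension, then shows what a passive sniffer can recover from the raw record with a few dozen lines of parsing. The hostname, cipher suites and fixed random bytes are constructed sample values; nothing here is taken from a real capture.

```python
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: ClientHello
SNI_EXTENSION_TYPE = 0x0000   # server_name extension (RFC 6066)
HOST_NAME_TYPE = 0x00         # NameType.host_name


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample data for the demo).

    If hostname is None the server_name extension is omitted, which is what a
    legacy non-SNI client sends. Random and cipher suites are fixed, not real.
    """
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += b"\x11" * 32                     # random: fixed bytes, demo only
    body += b"\x00"                          # session_id: empty
    suites = b"\x13\x01\xc0\x2f"             # two sample cipher suite IDs
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # compression_methods: null only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE,
                                  len(server_name_list)) + server_name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is 0x0301 on the wire for compatibility; length is 16-bit.
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Passive sniffer view: return the SNI host_name from a ClientHello, or None.

    Returns None for non-handshake records (e.g. encrypted application data),
    truncated input, or a ClientHello that simply carries no server_name extension.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:                  # truncated capture
        return None
    pos = 2 + 32                             # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                     # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                     # compression_methods
    if pos + 2 > len(body):                  # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION_TYPE or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q, q_end = 2, min(len(data), 2 + list_len)
        while q + 3 <= q_end:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    # Sample hostname is constructed for the demo.
    with_sni = build_client_hello("example.com")
    without_sni = build_client_hello(None)
    print("SNI client   ->", extract_sni(with_sni))      # example.com
    print("legacy client->", extract_sni(without_sni))   # None
    # An encrypted application_data record (0x17) yields nothing to the sniffer.
    print("app data     ->", extract_sni(b"\x17\x03\x03\x00\x01\x00"))
```

The point the demo makes concrete: the sniffer never needs to touch the key exchange or the server, only the first unencrypted record, which is why the hostname is recoverable from a capture long after the fact, whereas the IP address alone still requires a lookup that may have gone stale.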

You're right that this represents a potential privacy concern: using SNI, the domain name is sent unencrypted.

That's why ESNI (Encrypted SNI) has since been proposed by Cloudflare, who have already implemented it in their CDN. At the time of this writing, browser support is close to zero, but this seems to be the future!


You are RIGHT. SNI is a major privacy concern for your visitors - it exposes the exact websites that your visitors connect with to their ISP and other passive listening parties. But then, so does DNS... well... used to: Google is fixing this.

Knowing an IP address does NOT tell the ISP what web site is on that IP address, unless they actively go out and look themselves, which is a very different thing than them passively sniffing customer packets.
