bscphil 3 days ago
The promise is especially dangerous when a huge fraction of traffic doesn't use Encrypted Client Hello, [1] so the domain name is sent in the clear with the initial request to the server. A while back I wrote a quick proof-of-concept that parses packet data from sniffglue [2] and ran it on my very low-powered router to log all source IP address + hostname headers. It didn't even use a measurable amount of CPU, and I didn't bother to implement it efficiently, either. I think it's safe to assume that anyone in a position to MITM you, including your ISP, could easily be logging this traffic if they want to.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...