<b>If TLS encrypts everything, why can a network observer still see which website you visited?</b>
TLS encrypts the application data, but the handshake leaks. The single largest plaintext leak is SNI (Server Name Indication, RFC 6066 §3): the client puts the target hostname, in cleartext, in the ClientHello so a server hosting many sites on one IP knows which certificate to present. A passive observer reads it directly.
This is the chicken-and-egg problem encrypted SNI was meant to solve, and why the first attempt (ESNI) failed. You cannot encrypt SNI under the server's certificate key, because you need SNI to know which certificate to use. ESNI patched the symptom; the mature design, ECH (Encrypted Client Hello), patches the structure.
ECH splits the ClientHello into an "outer" handshake addressed to a shared, public client-facing server, and an "inner" ClientHello — containing the real SNI and other sensitive extensions — encrypted with an HPKE (Hybrid Public Key Encryption, RFC 9180) public key the client fetches in advance via a DNS HTTPS resource record. The observer sees only the outer name (e.g. a CDN's front), not the inner target.
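What the passive observer described above parses, as an added example that is not part of the original post: a ClientHello parser that returns the cleartext SNI and whether an ECH extension is present. The helper names `build_client_hello` and `observe`, the hostnames and the ECH payload bytes are constructed for illustration; 0xfe0d is the encrypted_client_hello extension codepoint from draft-ietf-tls-esni.

```python
import struct

SNI_EXT = 0x0000  # server_name, RFC 6066 §3
ECH_EXT = 0xFE0D  # encrypted_client_hello, draft-ietf-tls-esni

def build_client_hello(hostname, ech_payload=None):
    """Build a minimal, constructed ClientHello record (sample input for the demo)."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name_type = host_name
    sni = struct.pack("!H", len(sni_list)) + sni_list
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    if ech_payload is not None:  # opaque HPKE ciphertext stand-in, constructed
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def observe(record):
    """Return (cleartext SNI or None, ECH extension present) from raw record bytes."""
    if len(record) < 52 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                    # headers, version, random
    p += 1 + record[p]                                # session_id
    p += 2 + int.from_bytes(record[p:p + 2], "big")   # cipher_suites
    p += 1 + record[p]                                # compression_methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")
    p += 2
    if end > len(record):
        raise ValueError("truncated extensions")
    sni, ech = None, False
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]
        if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:
            nlen = int.from_bytes(data[3:5], "big")
            sni = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == ECH_EXT:
            ech = True
        p += 4 + elen
    return sni, ech

# Without ECH the observer reads the real target; with ECH only the outer name.
print(observe(build_client_hello("shop.example")))
print(observe(build_client_hello("public.cdn.example", ech_payload=bytes(48))))
```

For monitoring, the second result is the useful signal: an ECH extension alongside a shared front name means the SNI field no longer identifies the destination.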
The dependency is the catch: ECH's confidentiality leans on the client retrieving the ECH config from DNS, which is why ECH and encrypted DNS (DoH/DoT) are complementary — leaking the hostname via plaintext DNS would defeat encrypting it in TLS.
Evidence vs. speculation: ECH is an active IETF draft with shipping CDN and browser support; its anonymity-set guarantee depends on many domains sharing one client-facing server — a deployment property, not a protocol guarantee.
<b>Further reading:</b> draft-ietf-tls-esni (ECH); RFC 9180 (HPKE); RFC 6066 §3.
<b>Bottom line:</b> SNI is the handshake's main plaintext leak; ECH closes it by encrypting an inner ClientHello under a DNS-published key, but its privacy is only as strong as the size of the anonymity set behind the shared client-facing server.
Handshake Papers
@HandshakePapers
This post was published in the Telegram channel Handshake Papers. You can subscribe via the link: @HandshakePapers.