Comment by ComputerGuru
6 days ago
> so if many people share the same endpoints then eavesdropper can't tell which site you were visiting.
Which is why it is so important/useful to Cloudflare but of much lower utility to most nginx users.
6 days ago
> so if many people share the same endpoints then eavesdropper can't tell which site you were visiting.
Which is why it is so important/useful to Cloudflare but of much lower utility to most nginx users.
Cloudflare provides a very large haystack for this, but even for an nginx server with no CDN, it's still useful to prevent the hostname from being sent in the clear before the TLS connection is negotiated. This still hides the hostname from casual eavesdroppers, who now only know what IP you're connecting to, and would need need out-of-band information to map the IP back to a hostname. And they couldn't ever be 100% sure of that, because they wouldn't know for certain whether there are additional vhosts running on a given server.
I think you might be surprised at how heavily SNI is leveraged at places like GoDaddy, Bluehost, and other similar providers to host sites from hundreds of completely unrelated businesses on the same IP address.