Does SNI represent a privacy concern for my website visitors?

Solution 1:

Your analysis is incorrect. You are more secure with SNI than without.

Without SNI, the IP address uniquely identifies the host. Thus anyone who can determine the IP address can determine the host.

With SNI, the IP address does not uniquely identify the host. Someone would have to actually intercept and view some of the traffic to determine the exact host. This is more difficult than just obtaining the IP address.

So you are (slightly) more secure with SNI than without it.

Anyone who is going to block based on an intrusive analysis of packet data is going to also block based on IP address. They will block the "bad ones" based on IP address with or without SNI.

However, the answer to your question is "yes". SNI does represent a privacy concern. With SNI, someone who can intercept the traffic does get the host name in addition to the IP address.

Solution 2:

You are RIGHT. SNI is a major privacy concern for your visitors - it exposes the exact websites that your visitors connect with to their ISP and other passive listening parties. But then, so does DNS... well... used to: Google is fixing this:

https://thehackernews.com/2017/10/android-dns-over-tls.html

Knowing an IP address does NOT tell the ISP what web site is on that IP address, unless they actively go out and look themselves, which is a very different thing than them passively sniffing customer packets.

Solution 3:

You're right that this represents a potential privacy concern: using SNI, the domain name is sent unencrypted.

That's why ESNI (Encrypted SNI) has since been proposed by Cloudflare, who already implemented it in their CDN. At the time of this writing, browser support is close to zero, but this seems to be the future!