>If you’re requesting certificates from our tlsserver or shortlived profiles, you’ll begin to see certificates which come from the Generation Y hierarchy this week. This switch will also mark the opt-in general availability of short-lived certificates from Let’s Encrypt, including support for IP Addresses on certificates.

Does that mean IP certificates will be generally available some time this week?

Now all servers can participate in Encrypted Client Hello for enhanced user privacy: if clients open TLS connections with ECH where the server IP is used in the ClientHelloOuter and the target SNI domain is in the encrypted ClientHelloInner, then eavesdroppers won't be able to read which domain the user is connecting to.

This vision still needs several more developments to land before it actually results in an increment in user privacy, but they are possible:

    1. User agents can somehow know they can connect to a host with IP SNI and ECH (a DNS record?)
    2. User agents are modified to actually do this
    3. User agents use encrypted DNS to look up the domain
    4. Server does not combine its IP cert with its other domain certs (SAN)
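
A check for item 4 of the comment above, as an added example that is not part of the original comment: it inspects the certificate a server presents when addressed by IP and reports any hostnames that certificate would reveal. The function names and the sample certificates are hypothetical and constructed for illustration; the dictionaries follow the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress
import socket
import ssl


def fetch_peercert(ip, port=443, timeout=5.0):
    """Fetch the validated certificate served when the host is addressed by IP.

    Python sends no SNI for an IP literal and verifies it against the IP SANs.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=ip) as tls:
            return tls.getpeercert()


def audit_ip_cert(peercert, expected_ip):
    """Report hostnames exposed by the certificate served for expected_ip."""
    want = ipaddress.ip_address(expected_ip)
    ips, names = set(), set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
        elif kind == "DNS":
            names.add(value.lower())
    # A domain in the subject CN is as visible as one in the SAN list.
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    names.add(value.lower())
    exposed = sorted(names)
    covers = want in ips
    return {"covers_ip": covers, "exposed_names": exposed, "ok": covers and not exposed}


# Constructed samples (hypothetical hosts, documentation address ranges).
MIXED = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "shop.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
IP_ONLY = {"subject": (), "subjectAltName": (("IP Address", "2001:DB8:0:0:0:0:0:1"),)}
```

Against a live server, `audit_ip_cert(fetch_peercert(ip), ip)` runs the same check on the certificate actually presented.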