If a match is not found, the user may be warned of the discrepancy and the connection may abort as the mismatch may indicate an attempted man-in-the-middle attack.
SNI addresses this issue by having the client send the name of the virtual domain as part of the TLS negotiation's ClientHello message.
SNI was added to the IETF's Internet RFCs in June 2003 through RFC 3546, Transport Layer Security (TLS) Extensions.
This protocol weakness was exploited by security software for network filtering and monitoring[4][5][6] and governments to implement censorship.
While domain fronting was used in the past to avoid government censorship,[8] its popularity dwindled because major cloud providers (Google, Amazon's AWS and CloudFront) explicitly prohibit it in their TOS and have technical restrictions against it.
The initial 2018 version of this extension was called Encrypted SNI (ESNI)[11] and its implementations were rolled out in an "experimental" fashion to address this risk of domain eavesdropping.
[16] Opt-in support for this version was incorporated into Firefox in October 2018[17] and required enabling DNS over HTTPS (DoH).
For example, specifications permit the Pre-Shared Key extension to contain any data to facilitate session resumption, even transmission of a cleartext copy of exactly the same server name that is encrypted by ESNI.
[23] Another Internet Draft, incorporates a parameter for transmitting the ECH public keys via HTTPS and SVCB DNS record types, shortening the handshake process.
[28][29][30] In July 2023, in the IETF117 meeting, members working on ECH informed Chrome and Firefox were doing a 1% sample trial, and the team expects the final draft to be submitted to the IESG evaluation by January 2024.
[34] In September 2023, Chromium version 117 (used in Google Chrome, Microsoft Edge, Samsung Internet, and Opera) enabled it by default, also requiring keys to be deployed in HTTPS resource records in DNS.
Further complicating matters, the TLS library may either be included in the application program or be a component of the underlying operating system.