Re: Name based SSH proxy

> On 27 May 2015, at 14:11, Kasper Dupont <kasperd@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> On 27/05/15 12.41, Dirk-Willem van Gulik wrote:
>> One could argue that putting the host name as plain text in the initial unencrypted exchange is leaking something (ignoring the DNS aspect here). 
>> 
>> As this a) reveals whom you are talking to and b) may be a good trigger/selector for something pen-register/trap/trace.
>> 
>> However, a bit later in the exchange a somewhat fingerprintable list of supported cyphers (Key Exchange Init) is flashed by the server in the clear. Followed a packet later by the Diffie-Hellman Group Exchange Group, which contains the DH modulus in the clear (from the list of some 200 pre-calculated safe primes in 'ssh/moduli'; in groups of 40; that are identical but for the last 4 bytes or so).
>> 
>> So I guess that that makes not revealing some identifier as to whom you want to talk a bit of a moot point; as a few packets later it is revealed anyway.
> 
> Got it. And not to forget the host public key of the server
> is also being sent in clear during the key exchange.

Agreed. In our actual use case/reason-to-ditch the SNI plan - it was more a worry about moduli being distributed with the OS (like http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/moduli-gen/) and using that to fingerprint specific releases.

Dw.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
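As an added illustration of the point made in this thread (this is example code, not from the thread's participants or from OpenSSH), the following Python encoder/decoder for the SSH_MSG_KEXINIT payload follows the layout in RFC 4253 section 7.1 and makes visible exactly which name-lists cross the wire before any encryption has been negotiated. The server algorithm lists used as input are constructed sample values, not captured from a real server; `uses_group_exchange` flags whether a DH group-exchange method is offered, which is the case in which a modulus from the shipped moduli file will follow in the clear.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20

# Order of the name-lists inside KEXINIT, as defined in RFC 4253 section 7.1.
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Constructed sample of what a server might advertise (example values only).
SAMPLE_SERVER_LISTS = {
    "kex_algorithms": ["curve25519-sha256@libssh.org",
                       "diffie-hellman-group-exchange-sha256",
                       "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-ed25519", "ssh-rsa"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com", "aes128-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
}


def _name_list(items):
    # SSH "name-list": uint32 length followed by comma-separated ASCII names.
    data = ",".join(items).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=b"\x00" * 16, first_kex_packet_follows=False):
    """Encode a KEXINIT payload (message type, cookie, ten name-lists, flag, reserved)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be exactly 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        out += _name_list(lists.get(field, []))
    out += b"\x01" if first_kex_packet_follows else b"\x00"
    out += struct.pack(">I", 0)  # reserved for future extension, always 0
    return out


def parse_kexinit(payload):
    """Decode a KEXINIT payload; raises ValueError on truncated or non-KEXINIT input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1
    if len(payload) < pos + 16:
        raise ValueError("truncated cookie")
    parsed = {"cookie": payload[pos:pos + 16]}
    pos += 16
    for field in KEXINIT_FIELDS:
        if len(payload) < pos + 4:
            raise ValueError("truncated length of %s" % field)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list %s" % field)
        pos += length
        # An empty name-list means "no names", not one empty name.
        parsed[field] = raw.decode("ascii").split(",") if raw else []
    if len(payload) < pos + 5:
        raise ValueError("truncated trailer")
    parsed["first_kex_packet_follows"] = payload[pos] != 0
    (parsed["reserved"],) = struct.unpack(">I", payload[pos + 1:pos + 5])
    return parsed


def uses_group_exchange(parsed):
    """True if any offered kex method is a DH group-exchange variant (moduli will be sent)."""
    return any(name.startswith("diffie-hellman-group-exchange-")
               for name in parsed["kex_algorithms"])


def cleartext_fingerprint(parsed):
    """Hash of the ten name-lists exactly as a passive observer sees them on the wire."""
    visible = "\n".join(",".join(parsed[f]) for f in KEXINIT_FIELDS)
    return hashlib.sha256(visible.encode("ascii")).hexdigest()


if __name__ == "__main__":
    decoded = parse_kexinit(build_kexinit(SAMPLE_SERVER_LISTS))
    for f in KEXINIT_FIELDS:
        print("%-42s %s" % (f, ",".join(decoded[f]) or "(empty)"))
    print("group exchange offered:", uses_group_exchange(decoded))
    print("cleartext fingerprint: ", cleartext_fingerprint(decoded))
```

Two servers with identical `cleartext_fingerprint` values advertise identical algorithm sets; running the parser over a site's own servers is a cheap way to see how uniform (and therefore how recognisable) the advertised configuration is, and whether group exchange, and with it the distribution's moduli file, is still in play.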



