>Are there any recommended ways to avoid certificates being sent in cleartext? That is, to first establish an anonymous encrypted channel, and then to authenticate within the encrypted channel. Not without breaking the protocol. >I am also aware of some of the work in progress on TLS 1.3. It would be helpful to understand what is reasonable to expect from the changes introduced in (D)TLS 1.3 in this respect. Perhaps the tls at ietf list is a better place to discuss this.