The privacy of the TLS 1.3 protocol [pdf]

50 points by lainon, almost 6 years ago

4 comments

brians, almost 6 years ago
Oof. This is an important contribution about the handshake and resumption protocols, but the abstract is badly misquotable. I worry this will lead to problems as it’s reported elsewhere.

TLS 1.3 doesn’t encrypt the SNI, doesn’t encrypt the destination IP address, and doesn’t mask the size or ordering of packets. In practice, TLS 1.3 protects secrecy of the bits you send—but not privacy of to whom or how much.

As I wrote five years ago when TLS 1.3 was getting started, https://weblog.evenmere.org/posts/2014-05-16-tls-is-not-for-privacy.html , the privacy folks have needs misaligned with the prevalent technology.
colmmacc, almost 6 years ago
This paper is misleading IMO. The abstract says - "On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and against more powerful ones."

But if you read the summary, it also says "both TLS 1.2 and TLS 1.3 session resumption present serious privacy flaws despite not using concrete authentication elements, such as certificates ... While [PSK-DHE] provides a measure of backward security, it does nothing to improve privacy."

TLS1.3 is awesome, but it's still a layer 4 transport scheme, and there are plenty of ways that a passive adversary can derive privacy sensitive information. I mean it's /trivial/ for a passive adversary to tell that you're visiting an embarrassing website ... to pick just one obvious example.
BuildTheRobots, almost 6 years ago
> Another feature we omit is the Server Name Indication (SNI) extension, which allows a single server to run TLS handshakes on behalf of multiple domains, using multiple public keys.

I don't understand how you can seriously use TLS and privacy in the same headline whilst actively ignoring the mess that is SNI...
jajaioxjeyo, almost 6 years ago
sad