Is TLS SNI susceptible to MitM attacks?

Question

By default the SNI is sent in plaintext before a shared key is agreed upon. Is it possible for an attacker to modify SNI value without endpoints finding it out?

If I understand RFC 8446 (TLS 1.3) correctly, the Transcript Hash contains all the messages exchanged during the handshake and is signed before finishing the handshake. So latest at this point the peer would detect that the handshake has been manipulated.

Am I understanding it correctly? Is the situation different for TLS 1.2.

score 3 · Accepted Answer · answered May 12 '23 at 11:14

3

Is it possible for an attacker to modify SNI value without endpoints finding it out?

This is not possible.

Integrity protection of the TLS handshake, i.e. protection against manipulating any parts of the handshake (including SNI), is part of all TLS versions and not specific to TLS 1.3.

answered May 12 '23 at 11:14

Steffen Ullrich

201,479
30
402
465

Thanks! I took TLS 1.3 as an example. Could you further elaborate on the details? Anything hash is not signed can be manipulated without detection. So If SNI is manipulated it would be detected after a session key is established, right? – Yan Foto May 12 '23 at 11:29
2

@YanFoto: The integrity of the handshake is validated using the Finished message before any application data gets exchanged. See How well is the SSL/TLS handshake protected against modifications? for more on this. – Steffen Ullrich May 12 '23 at 12:02

Is TLS SNI susceptible to MitM attacks?

1 Answers1