> you can proxy SNI without every touching the real connection. HAProxy handles this well. I guess you're thinking of the paragraph "SSL/TLS passthrough" described in the webpage above. Unfortunately, that doesn't work…
Agreed. And if you trust a company enough to be your DNS, but not enough to be your CDN, your scale of trust is upside down.
> you can proxy SNI without every touching the real connection. HAProxy handles this well. I guess you're thinking of the paragraph "SSL/TLS passthrough" described in the webpage above. Unfortunately, that doesn't work…
Agreed. And if you trust a company enough to be your DNS, but not enough to be your CDN, your scale of trust is upside down.