
Why isn't all HTTPS traffic being declared this way (hiding the real endpoint)? Is there any downside doing this?
SNI requires the hostname to be sent over the wire as plaintext. SNI is useful because it allows one server to host many HTTPS domains. Perhaps some innovation to SNI would fix this problem.

https://en.wikipedia.org/wiki/Server_Name_Indication


This. The current advent of the encrypted web would not have been possible without SNI - the costs for exclusive IPv4 addresses (especially when using a CDN) would have been prohibitive.

SNI isn't as much of a security risk if you consider that before resolving, you usually need a DNS request too - which would expose the endpoint to your ISP anyway.


This only works because the same company is hosting the content (appspot) as the fronting domain (google.com). Google terminates the TLS then looks at the host header to see where to send it.

I couldn't hide my website behind facebook, because my website and facebook are not behind the same TLS terminator.


The server doesn't know which certificate to present to the user unless the user provides some hint as to which endpoint is desired.