(Author here.) Guilty, I guess. What do you find poorly written exactly? Thanks for your feedback and my apologies if I crossed a line with the headline.
Wow, very clickbaity. Yes, certificates and SNI are indeed in the clear in the TLS 1.2 ClientHello.
We're hoping to encrypt them for TLS 1.3. That's not easy if SNI is needed for the server to know which certificate to use, and nearly intractable if different vhosts have different cipher prefs.
