Actually the SNI extension is sent in the clear. That's one of the things TLS 1.3 is supposed to fix. (See e.g. http://www.ietf.org/mail-archive/web/tls/current/msg10484.ht... for a discussion about how to handle SNI there). You have a point, though, in that the TLS extensions sent by the client might give you some indication with what client you are talking with. I would not hope for it though, and even if, such heuristics are hell of an ugly hack inside the TLS stack.

Actually, in the case of SNI, the hostname IS sent in plain text. It's sent with the initial ClientHello message so that the server can use it to select the proper server certificate for the session.