As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th
All well and good, but sadly this relies on the hosts managing DNS to include specific entries in their DNS configuration for keys to use during the encryption process. Unfortunately the vast majority of hosts probably won’t be bothered to do this, similar to DNSSEC.
They created ECH. It makes what hosts you are visiting exclusive to them and browser companies when in use. You get marginal privacy through less companies being able to harvest your data.
Its marginal because that data is probably sold anyways.
That said, less competitors with the same data drives up the value when it does get sold which benefits, you guessed it, the author which is Cloudflare.
All well and good, but sadly this relies on the hosts managing DNS to include specific entries in their DNS configuration for keys to use during the encryption process. Unfortunately the vast majority of hosts probably won’t be bothered to do this, similar to DNSSEC.
Apparently, Cloudflare already supports ECH, and a not-insignificant number of websites use them.
Unfortunately though, is that it’s cloudflare
Can you give me more insight as to why you don’t like cloudflare? I’m barely informed about this.
They created ECH. It makes what hosts you are visiting exclusive to them and browser companies when in use. You get marginal privacy through less companies being able to harvest your data.
Its marginal because that data is probably sold anyways.
That said, less competitors with the same data drives up the value when it does get sold which benefits, you guessed it, the author which is Cloudflare.
I encourage everyone to read this
https://0xacab.org/dCF/deCloudflare/-/blob/master/readme/en.md
https://stallman.org/cloudflare.html
Wouldn’t it be better if reverse proxies simply had a “default key” meant to encrypt the SNI after an unencrypted “hello” is received?
Including DNS in this seems weird.
What would stop a MITM attacker from replacing the key? The server can’t sign the key if it doesn’t know which domain the client is trusting.