@jeroen ECH does not only hide the domain name. It hides lots of metadata like the ALPN or the initial parameters of QUIC, etc. It is useful even when domain fronting is not.
Paul_IPv6
in reply to daniel:// stenberg://
uh, congrats? :)
this does bring to mind the internal Sun April Fools memo detailing the formation of a new Sun division to support options to "ls"...
daniel:// stenberg://
in reply to Paul_IPv6
Alexey Skobkin
in reply to daniel:// stenberg://
Finally!
Now I have my closure ❤️
Thomas Thyberg
in reply to daniel:// stenberg://
Mike Stemle
in reply to daniel:// stenberg://
Grouchig. Der Grummler.
in reply to daniel:// stenberg://
JP Mens
in reply to daniel:// stenberg://
Tom
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to Tom
matan-h 🔍
in reply to daniel:// stenberg://
I just checked and "curl -abcdefghijklmnopqrstuvwxyz example.com" looks the same as a simple "curl example.com" :)
EDIT: some of them take the other arguments as arguments, e.g. "curl -zyxwvutsrqponmlkjihgfedcba" prints some argument warnings.
Jeroen Massar
in reply to daniel:// stenberg://
and what is your opinion on ECH?
Do you not find it funny that the orgs that can effectively use it are the ones that disabled domain fronting? Cause for a small party one can guess which of the few services might be behind the cert offering ECH, with a big shared service it indeed becomes a larger guess (wolf hiding amongst sheep); the big service though does get to see what is the real target. And if one can observe the client's DNS lookups, one already has the information....
daniel:// stenberg://
in reply to Jeroen Massar
@jeroen true, but domain fronting was a hit and miss hack, this is an established protocol. We also have encrypted DNS solutions these days that should prevent easy snooping there.
From what I hear quite a few networks/orgs already block ECH which could perhaps be seen as a sign that it actually might work...
Christian Huitema
in reply to daniel:// stenberg://
daniel:// stenberg:// reshared this.
Rich Felker
in reply to daniel:// stenberg://
daniel:// stenberg://
in reply to Rich Felker
Cendyne
in reply to daniel:// stenberg://
Oh! Encrypted Client Hello
Fantastic, and thank you for what you do