mastodon.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
The original server operated by the Mastodon gGmbH non-profit

Administered by:

Server stats:

336K
active users

#EncryptedClientHello

0 posts0 participants0 posts today

Роскомнадзор начал блокировку сайтов с шифрованием ECH (Encrypted Client Hello) от Cloudflare.

Недавно Cloudflare внедрила технологию ECH для всех сайтов на своих серверах — это 24 млн страниц.

-Активное шифрование ECH нарушает российское законодательство, так как имеет возможности обхода ограничений доступа к запрещенной информации в России.

Пользователи в РФ уже начали жаловаться на недоступность тысяч сайтов, использующих ECH.

Роскомнадзор советует владельцам ресурсов отказаться от использования CDN-сервиса CloudFlare и переходить на отечественные CDN-сервисы.

src:
portal.noc.gov.ru/ru/news/2024
habr.com/ru/news/856722/

portal.noc.gov.ruРекомендуем отказаться от CDN-сервиса CloudFlare | Новости

Given my work on #privacy, #censorship circumvention, #ech, etc. this #Brazil #Musk case is giving me pause. I have lots of questions, but no clear answers yet. Are there parallels to the DoH case here? Is making the internet more private contributing to centralization of power? e.g. billionaires like Musk can broadcast over the whole internet whatever they want, and governments have no power to stop it. The 99% do have to follow our govs.

For people asking why Encrypted Client Hello is so important:

techcrunch.com/2024/01/26/nati

Even if you are using DOH (or ODoH), your ISP can see what websites your visiting (and then sell to NSA) by inspecting the certificate SNI field. Even with Encrypted SNI (ESNI), there are artifacts of the TLS session establishment leaked that can be used for TLS Fingerprinting - things like ALPN, and cipher suite.

TechCrunch · NSA is buying Americans' internet browsing records without a warrant | TechCrunch"Web browsing records can reveal sensitive, private information about a person based on where they go on the internet," said Sen. Ron Wyden.

One thing about #EncryptedClientHello (#ECH) that I'm a little worried about is that it will make #MITM inspection of #TLS traffic harder to the point where it might restrict lots of important kinds of inspection. When the software we use is not #FreeSoftware, then we cannot see what it is doing by reading the source code. We need to inspect the network traffic. So it is very important that it is possible to inspect traffic that uses ECH as well, despite that middleware companies will abuse this

#EncryptedClientHello (#ECH) plus private DNS will enable a nice privacy improvement in combination with a VPN: set the DNS nameserver to something other than the VPN provider's nameserver. For ECH-enabled sites, the VPN provider sees your IP and connections to the CDN. The CDN and the DNS nameserver sees the VPN's IP.

* VPN sees who (account, personal IP, etc.) and what (CDN)
* CDN sees where (domain name)
* DNS sees where (domain name)

Before ECH, the VPN could see who, what, and where

We have started the second round of our partnership defo.ie to ensure that the new #TLS standard called #EncryptedClientHello (#ECH) works for public interest use cases. We also are working to reduce the pressure towards #centralization inherent to the #privacy improvements of hiding the domain name. You can find more details in our project announcement: guardianproject.info/2023/11/0

defo.ieDeveloping ECH for OpenSSL (DEfO) - welcome to defo.ie

The first fully merged, audited and shipped bit of code from our defo.ie project is Hybrid Public Key Encryption (#HKPE RFC9180), it has been shipped by #OpenSSL openssl.org/blog/blog/2023/10/ It is a building block for #EncryptedClientHello #ECH and #MessagingLayerSecurity #MLS, providing standard methods for using public key cryptography to encrypt arbitrary blocks of data.

defo.ieDeveloping ECH for OpenSSL (DEfO) - welcome to defo.ie

You've got to be kidding me #Mozilla

Why does
#Firefox need #HTTP2 for #EncryptedClientHello? Where in the goddamn spec does it say that #ECH needs HTTP/2?! First #DNSoverHTTPS or #DoH is required, and now HTTP/2? Really?

Why can't you just let me disable HTTP/2 in peace and use HTTP/1.1 as all web servers should be using. Why does it have to be a choice on whether I can get additional
#privacy based on whether I'm using an arbitrary and useless update to the #HTTP protocol. It's just fucking full of politics. First you require TLS if one wants to use HTTP/2, and now HTTP/2 is required if one wants to encrypt their #SNI and the whole #ClientHello. No technical fucking reason at all other than to force people in their crusade against plain text and their obsession with chopping down latency (which didn't work btw which is why they're now pushing #HTTP3 which is just not HTTP anymore with its #UDP bullshit)

This is what happens when you let politician-wannabes dictate your development