···13131414Next is up ECH, which is solving an issue of the present. As you may know, technologies like [DoH](https://en.wikipedia.org/wiki/DNS_over_HTTPS) and [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) help to keep snoopers away from your network traffic. The last piece of the puzzle is ClientHello, the packet responsible for negotiating a TLS session, which contains information including the <abbr title="Server Name Indication">SNI</abbr>, describing the hostname the client is requesting a certificate for. This meant that, for anyone listening for packets traveling over the network (be that your place of work, school, or the ISP in case of your own home) they could see all the domains you were visiting. With Encrypted Client Hello, the SNI is encrypted (the encrypted part is called _inner ClientHello_) and only the common name (SNI) is requested in plaintext (_outer ClientHello_).
15151616-| Without ECH | With ECH |
1717-| ------------------------------------------ | ----------------------------------------------------- |
1818-| !{% picture /img/ciphertrail/no_ech.webp } | {% picture  } |
1616+| Without ECH | With ECH |
1717+| ------------------------------------------- | ------------------------------------------------------ |
1818+| !{% picture /img/ciphertrail/no_ech.webp %} | {% picture  %} |
19192020To summarize, ECH is a great feature for improving online privacy for many, the need to use a VPN (for personal use). It has great support among browsers, with both Chrome and Firefox leading the way[^4]. Client support is awesome to see, but in this case, we have an opposite problem to the one of Kyber PEMs: virtually no service accepts encrypted client hellos. I can only speculate about why I think that is: my opinions range from “c'mon, this was literally [released yesterday](https://blog.cloudflare.com/announcing-encrypted-client-hello/)” to the fact that this has big implications on security policies in enterprise and in places like schools, where some websites tend to be blocked. On the latter, the [Encrypted Client Hello Deployment Considerations](https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/) document explains these caveats in detail.
2121
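Review bot: the right-hand cell of the rewritten table row, `{% picture  %}`, still has no image path, so after this change the "With ECH" column renders no picture even though the `+` lines now close both Liquid tags correctly with `%}` where the `-` lines ended them with a bare `}`; give it a path alongside `/img/ciphertrail/no_ech.webp`. The leading `!` in `!{% picture /img/ciphertrail/no_ech.webp %}` also looks like a leftover markdown image prefix and will print literally in the left cell, so drop it. Outside the changed lines, the context sentence "ECH is a great feature for improving online privacy for many, the need to use a VPN" appears to be missing a verb before "the need" and could be fixed in the same commit.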