This is the neo feudal internet. It is the end of any ability to lock your own front door to the internet using a firewall.
in the olden days, one ipv4 could host one domain securely. when a client connected to that ip, the connection was encrypted with the cert for that domain it was hosting.
the finite ipv4 space was gobbled up like crazy between this and every fucking thing on the planet wanting to be online.
an update to conserve ipv4 space allows one to host multiple domains (i.e. different sites on different domains, all using https) on one ip. to do this, the client needs to tell the server which domain it’s looking for on the ip it’s connecting to, in the clear. once the server knows what cert to use, an encrypted connection can be set up.
‘encrypted client hello’ (ech) allows that initial request to be encrypted.
that’s pretty much all it does.
… It’s a protocol, not a service. And your browser has it enabled. You can disable it on your browser and default back to esni, and be less private and less anonymized, if you want. No one’s making you use it.
I think OP is pointing to the fact that ECH makes it harder to block connections to the mothership from proprietary apps, TVs etc. These apps could now use ECH and DoH to hide their traffic from being observed.
But OP could always buy a better router that can proxy layer 7 traffic and block the traffic if desired.
Anonymity from whom? The browser is the least trusted software and all websites have stalkerware from google and others embedded. These are what I want to block.
No, I don’t want google fonts, or a Facebook logo. I’m not pinging their servers to let them know I’m on your website, etc., etc. Eliminating my ability to stop these useless connections by aggregating all of my connections through ECH is not private or anonymous. Enabling this connection through ECH now makes it available to all websites as a gaping hole in a firewall. I don’t see any reason this should exist.
effectiveness of ublockorigin, noscript, or other privacy/security related addons in your browser is unaffected by ech.
a pihole on your network is likewise unaffected, as it alters the dns requests so clients like your browser or tv can’t even resolve a ‘bad’ domain to an ip.
If you don’t trust the server you’re connecting to, why are you connecting to it in the first place? The only difference between ECH and no ECH is that encryption starts earlier.
The initial post is a somewhat incomprehensible rant but I think the objection is that any number of skeezy websites all have domains pointing to the same Cloudflare IP. So when a malware app opens a TLS connection to one of those domains, the shared IP doesn’t tell you anything, and the ECH prevents you from seeing with Wireshark just whose home the malware is phoning. You have to resort to more drastic methods like intercepting DNS. Better yet, don’t run malware.