• adarza@lemmy.ca
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    3 days ago

    in the olden days, one ipv4 could host one domain securely. when a client connected to that ip, the connection was encrypted with the cert for that domain it was hosting.

    the finite ipv4 space was gobbled up like crazy between this and every fucking thing on the planet wanting to be online.

    an update to conserve ipv4 space allows one to host multiple domains (i.e. different sites on different domains, all using https) on one ip. to do this, the client needs tells the server which domain it’s looking for on the ip it’s connecting to–in the clear. once the server knows what cert to use, an encrypted connection can be set up.

    ‘encrypted client hello’ (ech) allows that initial request to be encrypted.

    that’s pretty much all it does.