Cloudflare enabled ECH for all free zones
Based on here, Cloudflare has enabled ECH for all free zones.
Since countries such as China and Iran actively block servers and use SNI recognition as a means of determining VPN servers, I wonder:
- How effective using ECH can be for circumventing restrictions?
- What is the cost of blocking ECH (if governments decide to do so)?
Comments
https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
It looks like China will block ECH as well
What is the cost of blocking ECH (if governments decide to do so)?
Almost nothing.
I wonder how long until Nginx supports it.
ESNI has been deployed on Cloudflare for ages; ECH is just the formally standardized version of that.
I dislike your ignorance and arrogance, but the cost is heavy: the world is de-coupling from China, and you'll see more in the coming months.
China is no longer the world factory nor the large trading market.
Same as blackholing Cloudflare if there is no fallback.
I doubt that Cloudflare's presence in China would be possible without applying censorship by CF themselves
First of all, it must be clear that the reviewer cannot give up reviewing the Client Hello.
Therefore, it is very possible to prevent clients from using ECH through various measures. For example, although Cloudflare has enabled ECH on their network, current mainstream browsers need to enable secure DNS (DNS over HTTPS) before enabling ECH (except for manual enablement). Then for reviewers, they can first intercept those large DoH servers that the browser can only choose from. In this way, the browser will not use ECH because the preconditions are not met.
Even if you manually force ECH on, or use a non-browser client, the censors may not be able to know which website you are visiting. Although I am not a professional in this area, due to the very strong characteristics of the ECH extension, censors can completely block ECH traffic or actively degrade the quality of this traffic (high latency, high packet loss rate).
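As an added illustration of the point above (not code from this thread or from Cloudflare), here is a small Python parser that walks a TLS ClientHello and reports what a passive observer on the wire can see: a plaintext server_name, or the presence of the encrypted_client_hello extension with only the outer "public name" exposed. The ClientHello bytes are constructed inline so it runs offline; the extension codepoint 0xfe0d is the one used by the ECH drafts, while the public name, config id, and the opaque enc/payload bytes are placeholders, not values from any real deployment.

```python
import struct

SNI_EXT = 0x0000            # server_name (RFC 6066)
ECH_EXT = 0xFE0D            # encrypted_client_hello (draft-ietf-tls-esni codepoint)
ECH_CLIENT_HELLO_OUTER = 0  # ECHClientHelloType.outer


def u16(n):
    return struct.pack(">H", n)


def build_sni_ext(host):
    # ServerNameList: 2-byte list length, then NameType(0 = host_name) + 2-byte length + name
    name = host.encode("ascii")
    entry = b"\x00" + u16(len(name)) + name
    return u16(len(entry)) + entry


def build_ech_outer_ext(enc, payload, config_id=0x2A):
    # ECHClientHello (outer): type, HpkeSymmetricCipherSuite{kdf, aead}, config_id,
    # opaque enc, opaque payload.  To a middlebox the contents are opaque; only the
    # presence and size of the extension are observable.  Values here are constructed.
    kdf_hkdf_sha256 = u16(0x0001)
    aead_aes128gcm = u16(0x0001)
    return (bytes([ECH_CLIENT_HELLO_OUTER]) + kdf_hkdf_sha256 + aead_aes128gcm
            + bytes([config_id]) + u16(len(enc)) + enc + u16(len(payload)) + payload)


def build_client_hello(extensions):
    """Frame a list of (ext_type, body) pairs as a TLS ClientHello handshake record."""
    ext_block = b"".join(u16(t) + u16(len(b)) + b for t, b in extensions)
    hello = (b"\x03\x03"                 # legacy_version TLS 1.2
             + b"\x11" * 32              # random (fixed, constructed)
             + b"\x00"                   # legacy_session_id: empty
             + u16(2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"               # compression_methods: null only
             + u16(len(ext_block)) + ext_block)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + u16(len(handshake)) + handshake


def parse_sni(body):
    """Return the first host_name entry of a server_name extension body, or None."""
    list_len = struct.unpack(">H", body[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = body[pos]
        name_len = struct.unpack(">H", body[pos + 1:pos + 3])[0]
        pos += 3
        if name_type == 0:
            return body[pos:pos + name_len].decode("ascii", "replace")
        pos += name_len
    return None


def inspect_client_hello(record):
    """Report what a passive observer sees: {'sni': str|None, 'ech': bool, 'ech_len': int}.

    Raises ValueError for anything that is not a ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + hello[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hello[pos]                                    # compression_methods
    result = {"sni": None, "ech": False, "ech_len": 0}
    if pos + 2 > len(hello):
        return result                                        # no extensions block at all
    end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
        pos += 4
        ebody = hello[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            result["sni"] = parse_sni(ebody)
        elif etype == ECH_EXT:
            result["ech"] = True
            result["ech_len"] = elen
    return result


def classify(record):
    """'ech' when the ECH extension is present (visible SNI is then only the public
    name), 'plaintext-sni' when the real hostname is exposed, 'no-sni' otherwise."""
    info = inspect_client_hello(record)
    if info["ech"]:
        return "ech"
    return "plaintext-sni" if info["sni"] else "no-sni"


# Constructed samples: a classic hello naming the site, and an ECH outer hello that
# names only a placeholder public name and carries an opaque ECH blob.
PLAIN_HELLO = build_client_hello([(SNI_EXT, build_sni_ext("www.example.com"))])
ECH_HELLO = build_client_hello([
    (SNI_EXT, build_sni_ext("public-name.example")),
    (ECH_EXT, build_ech_outer_ext(enc=b"\xaa" * 32, payload=b"\xbb" * 64)),
])

if __name__ == "__main__":
    for label, rec in (("plain", PLAIN_HELLO), ("ech", ECH_HELLO)):
        print(label, classify(rec), inspect_client_hello(rec))
```

Running it shows the two sides of the thread's question at once: with plaintext SNI the hostname is right there in the first packet, and with ECH the observer gets only the public name plus a clearly recognisable extension, which is why the privacy gain is real but the cost of simply dropping every hello that carries 0xfe0d is, as noted above, almost nothing. The same check is useful for a site or network operator who wants to verify from a capture whether their own clients are actually sending ECH rather than silently falling back.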
Nice, can confirm my free sites on Cloudflare have their /cdn-cgi/trace marked SNI as encrypted. Oddly, nhentai is still marked as plaintext. Can't really test whether it passes the SNI filtering because right now my mobile ISP has decided it's porn day and allows porn to go unchecked (normally my mobile ISP uses SNI filtering, while my home ISP always uses DNS filtering only).
Thanks for the thorough explanation. Another thing that I think may help restrictive governments is the concept of fallback. It seems really far-fetched that servers suddenly decide to only allow ECH and drop plaintext client hellos, as there's a need for gradual migration. So, servers will prefer ECH, but if it's not available, they will fall back to the traditional mechanism.
What browsers support ECH though? Using numerous Chrome/Edge to visit https://tls-ech.dev/ shows that my browser isn't supported
Firefox Nightly
That is a very funny thing to believe in
Check here
Yep, we're all adults here and likely work where we need unrestricted access, but schools and corporates will not accept "LOL, porn sites are no longer blocked due to standards". ECH will only be mandatory once filtering is also possible, maybe with some privacy extension, like a local check against hash prefixes of blocked domains.
Chromium doesn't seem to like tls-ech.dev; only Firefox works with it, while both Chromium and Firefox work with https://defo.ie/ech-check.php