This is the neo-feudal internet. It is the end of any ability to lock your own front door to the internet. I saw it in my block logs for Lemmy and finally went to look it up. I don’t know if that is just dot world or otherwise, but there is absolutely no chance in hell that I will ever allow or use ECH or anything like it. That is some authoritarian insanity to expect me to trust a middleman connection for everything in the land of ‘please allow our 10k stalkerware partners into your intimate life via our app’. You have no way of knowing who or what you are connected to with ECH. You’re being forced to inherently trust a connection. Is software X/Y/Z connecting to malware, stalkerware, ANYTHING? You have no clue. What halfwit thought this was okay or some kind of reasonable solution? What am I missing here? By default, I do not trust anyone. Hope for the best; plan for the worst. If you want to let random people into your digital home, or are not worried about your scripts and code doing stupid stuff, hey, you do you. That is not for me. I want to know exactly what is connecting where and why at all times. Where is the libre internet heading now?
in the olden days, one ipv4 could host one domain securely. when a client connected to that ip, the connection was encrypted with the cert for that domain it was hosting.
the finite ipv4 space was gobbled up like crazy between this and every fucking thing on the planet wanting to be online.
an update to conserve ipv4 space allows one to host multiple domains (i.e. different sites on different domains, all using https) on one ip. to do this, the client needs to tell the server which domain it’s looking for on the ip it’s connecting to–in the clear. once the server knows what cert to use, an encrypted connection can be set up.
‘encrypted client hello’ (ech) allows that initial request to be encrypted.
that’s pretty much all it does.
If you don’t trust the server you’re connecting to, why are you connecting to it in the first place? The only difference between ECH and no ECH is that encryption starts earlier.
The initial post is a somewhat incomprehensible rant, but I think the objection is that any number of skeezy websites all have domains pointing to the same Cloudflare IP. So when a malware app opens a TLS connection to one of those domains, the shared IP doesn’t tell you anything, and the ECH prevents you from seeing with Wireshark just whose home the malware is phoning. You have to resort to more drastic methods. Better yet, don’t run malware.
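The two posts above (the SNI/ECH explanation and the Wireshark point) can be seen concretely in a few lines of code. The following is an added example, not code from anyone in this thread: it constructs a sample TLS ClientHello and then parses it the way a passive observer such as a firewall or Wireshark would. Without ECH the cleartext server_name extension carries the real hostname; with ECH (extension type 0xfe0d, as assigned in the IETF ECH draft) the cleartext SNI carries only the provider's public name, which is why a log shows cloudflare-ech.com rather than the site actually being contacted, and the real name sits inside an encrypted payload. The hostnames are constructed placeholders and the ECH payload is random filler standing in for the HPKE-encrypted inner ClientHello; no real encryption is performed.

```python
import os
import struct

SNI_EXT_TYPE = 0x0000   # server_name extension (RFC 6066)
ECH_EXT_TYPE = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni)


def _ext(ext_type, body):
    """Wrap an extension body in its type/length header."""
    return struct.pack("!HH", ext_type, len(body)) + body


def _sni_ext(hostname):
    """server_name_list with one host_name entry (name_type 0)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return _ext(SNI_EXT_TYPE, struct.pack("!H", len(entry)) + entry)


def build_client_hello(hostname, ech_public_name=None):
    """Construct a minimal TLS ClientHello record (sample data, not a real handshake).

    Without ECH, the real hostname goes into the cleartext SNI.
    With ECH, the SNI carries only the provider's public name and the real
    hostname would live inside the encrypted payload; here that payload is a
    constructed random blob, since this example performs no HPKE."""
    if ech_public_name is None:
        exts = _sni_ext(hostname)
    else:
        fake_payload = os.urandom(len(hostname) + 16)   # stand-in for the encrypted inner hello
        ech_body = (b"\x00"                  # ECHClientHelloType outer
                    + b"\x00\x01\x00\x01"    # HPKE KDF / AEAD ids (constructed)
                    + b"\x00"                # config_id (constructed)
                    + struct.pack("!H", 32) + os.urandom(32)   # enc (constructed)
                    + struct.pack("!H", len(fake_payload)) + fake_payload)
        exts = _sni_ext(ech_public_name) + _ext(ECH_EXT_TYPE, ech_body)
    body = (b"\x03\x03" + os.urandom(32)             # legacy_version + random
            + b"\x00"                                 # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Report what a passive observer (firewall, Wireshark) can read from the hello:
    the cleartext SNI, if any, and whether an ECH extension is present."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher suites
    pos += 1 + body[pos]                          # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            # data = list_len(2) + name_type(1) + name_len(2) + name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == ECH_EXT_TYPE:
            result["ech"] = True
    return result


def sni_filter_matches(record, blocked_names):
    """What an SNI-based firewall rule can act on: only the cleartext name."""
    return parse_client_hello(record)["sni"] in blocked_names


if __name__ == "__main__":
    blocked = {"tracker.example"}   # constructed blocklist entry
    plain = build_client_hello("tracker.example")
    ech = build_client_hello("tracker.example", ech_public_name="cloudflare-ech.com")
    print("no ECH :", parse_client_hello(plain), "blocked:", sni_filter_matches(plain, blocked))
    print("with ECH:", parse_client_hello(ech), "blocked:", sni_filter_matches(ech, blocked))
```

Running it shows the first hello exposing tracker.example in the clear, so an SNI rule catches it, while the second exposes only cloudflare-ech.com plus an ECH extension, so the same rule misses it. That is exactly the gap the poster describes; the DNS lookup for the real name still happens before the connection, which is why DNS-level blocking is the layer that remains visible (unless the client also uses encrypted DNS).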
I don’t care for every website’s embedded nonsense pinging Facebook, Google, and Amazon on every page.
… It’s a protocol, not a service. And your browser has it enabled. You can disable it on your browser and default back to esni, and be less private and less anonymized, if you want. No one’s making you use it.
Anonymity from whom? The browser is the least trusted software and all websites have stalkerware from google and others embedded. These are what I want to block.
No, I don’t want google fonts, or a Facebook logo. I’m not pinging their servers to let them know I’m on your website, etc., etc. Eliminating my ability to stop these useless connections by aggregating all of my connections through ECH is not private or anonymous. Enabling this connection through ECH now makes it available to all websites as a gaping hole in a firewall. I don’t see any reason this should exist.
the effectiveness of ublockorigin, noscript, or other privacy/security related addons in your browser is unaffected by ech.
a pihole on your network is likewise unaffected, as it alters the dns requests so clients like your browser or tv can’t even resolve a ‘bad’ domain to an ip.
It was the logs from my OpenWRT firewall that led me to look up why cloudflare-ech is popping up for Lemmy. I had to research it because I don’t allow any such third-party connections. It comes up as cloudflare-ech.com on 443. It is not some port for Lemmy or whatnot. I’m not allowing such a connection that any website can visit, and am rather dumbfounded why anyone would think this is reasonable. I don’t know what enabling this effectively does. It appears to create a way to obfuscate a firewall filter.
I think OP is pointing to the fact that ECH makes it harder to block connections to the mothership from proprietary apps, TVs etc. These apps could now use ECH and DoH to hide their traffic from being observed.
But OP could always buy a better router that can proxy layer 7 traffic and block the traffic if desired.