Hiya,
On 16/11/2024 02:48, Yaroslav Rosomakho wrote:
> I believe the issue that we are currently observing with "blocked ECH" is specific to how public SNI is constructed. A given CDN uses a certain pre-defined public name for all ECH enabled resources - hence an inline filtering party that wants to prevent ECH can match on that specific public name and presence of ECH extension in ClientHello.
I think the above is correct... today. I don't think we'll see how the dynamics of all this play out until there are many more servers that have ECH enabled for many more web sites. Between now and then, we'll see how all the various entities involved act, but hopefully (from my POV) we'll all stick at it and end up with an overall modest gain for privacy. The "between now and then" bit requires us to work to make ECH available for standard web server installs, so I hope people keep on asking for that feature from those distributing web servers.

(Interestingly, I suspect that having ECH enabled for many servers with few web sites might help services hosting many web sites with their "larger" ECH deployments, but we'll have to see how things develop.)

Cheers,
S.
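As an added illustration (not code from the thread or from any ECH implementation), here is what an on-path observer can recover from a ClientHello: the outer SNI and whether the ECH extension (codepoint 0xfe0d) is present, the pair Yaroslav says a filter matches on when a CDN reuses one public name. The minimal ClientHello builder, the name `ech-public.example` and the opaque ECH payload are constructed for the demo; the real ECH payload contents stay opaque to the observer either way.

```python
import struct

SNI_EXT_TYPE = 0x0000   # server_name
ECH_EXT_TYPE = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni codepoint)


def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(outer_sni, ech_payload=None):
    """Constructed minimal TLS 1.3 ClientHello handshake message (no record layer)."""
    name = outer_sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name        # name_type=host_name
    exts = _ext(SNI_EXT_TYPE, struct.pack("!H", len(sni_list)) + sni_list)
    if ech_payload is not None:
        exts += _ext(ECH_EXT_TYPE, ech_payload)                    # opaque to the observer
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                   # legacy_version, random, session_id
            + struct.pack("!H", 2) + b"\x13\x01"                   # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                          # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello


def observable_fields(msg):
    """Walk the extensions the way an inline inspector would; return outer SNI and ECH presence."""
    assert msg[0] == 0x01, "not a ClientHello"
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    off = 2 + 32                                  # skip legacy_version and random
    off += 1 + body[off]                          # session_id
    off += 2 + struct.unpack_from("!H", body, off)[0]   # cipher_suites
    off += 1 + body[off]                          # compression_methods
    end = off + 2 + struct.unpack_from("!H", body, off)[0]
    off += 2
    seen = {"outer_sni": None, "ech_present": False}
    while off < end:
        etype, elen = struct.unpack_from("!HH", body, off)
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == SNI_EXT_TYPE:
            name_len = struct.unpack_from("!H", data, 3)[0]   # list_len(2) name_type(1) name_len(2)
            seen["outer_sni"] = data[5:5 + name_len].decode()
        elif etype == ECH_EXT_TYPE:
            seen["ech_present"] = True
    return seen


def matches_shared_public_name(msg, cdn_public_name):
    """The fingerprint the thread describes: a fixed outer SNI combined with an ECH extension."""
    seen = observable_fields(msg)
    return seen["ech_present"] and seen["outer_sni"] == cdn_public_name
```

Every ECH-enabled site behind that CDN produces the same pair of observable values, which is why a single shared public name makes the ECH traffic trivially distinguishable from plain TLS to that CDN.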
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
