RFC 9849. TLS Encrypted Client Hello
56 points
2 hours ago
| 4 comments
| rfc-editor.org
| HN
arch-choot
20 minutes ago
[-]
Glad that it's published, I'd been following it since ESNI draft days. Was pretty useful back when I was in India since Jio randomly blocked websites, and cloudflare adopted the ESNI draft on its servers as did Firefox client side which made their SNI based blocking easy to bypass.

There was a period where I think both disabled ESNI support as work was made on ECH, which now is pretty far along. I was even able to setup a forked nginx w/ ECH support to build a client(browser) tester[0].

Hopefully now ECH can get more mainstream in HTTPS servers allowing for some fun configs.

A pretty interesting feature of ECH is that the server does not need to validate the public name (it MAY) , so clients can use public_name's that middleboxes (read: censors) approve to connect to other websites. I'm trying to get this added to the RustTLS client[1], now might be a good time to pick that back up.

[0] https://rfc9849.mywaifu.best:3443/ [1] https://github.com/rustls/rustls/issues/2741

reply
ivanr
1 hour ago
[-]
I wrote about ECH a couple of months ago, when the specs were still in draft but already approved for publication. It's a short read, if you're not already familiar with ECH and its history: https://www.feistyduck.com/newsletter/issue_127_encrypted_cl...

In addition to the main RFC 9849, there is also RFC 9848 - "Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings": https://datatracker.ietf.org/doc/rfc9848/

There's an example of how it's used in the article.

reply
fmajid
45 minutes ago
[-]
Thanks for the writeup, Ivan, I am a great fan of your work!

Now we need to get Qualys to cap SSL Labs ratings at B for servers that don't support ECH. Also those that don't have HSTS and HSTS Preload while we're at it.

reply
ivanr
34 minutes ago
[-]
Thanks! Sadly, SSL Labs doesn't appear to be actively maintained. I've noticed increasing gaps in its coverage and inspection quality. I left quite a while ago (2016) and can't influence its grading any more, sadly.
reply
weitzj
1 hour ago
[-]
Will this have an impact on Loadbalancers? Like does one have to do client side load balancing like in gRPC?
reply
grenran
54 minutes ago
[-]
My understanding is that you can use split mode to only have the load balancer decrypt the server name section, and forward the actual session and key exchange down to the backend without doing double layer encryption.
reply
j16sdiz
1 hour ago
[-]
The loadbalancer can force a downgrade .
reply
micw
40 minutes ago
[-]
If the load balancer can force a downgrade, an attacker can do it as well.
reply
ferdzo
24 minutes ago
[-]
It's an interesting feature, but it's pushing my buttons lately. Specifically on Cloudflare it is on by default, and on the free tier you can't disable it and you need a business plan for it. Which I think is stupid, but never the less it's causing us problems. We are trying some split-dns setup for a company "intranet", and if the site's have be accessed before, the ECH is remembered. So the browser tries and it eventually fails with ECH Error or on Firefox it just hangs like it's loading all the time. And it's so frustrating, because sometimes it works, sometimes it doesn't, you can clear cache and stuff and it still won't work, sometimes it works in Incognito sometimes it doesn't. This is not a real problem, but since we haven't fully switched to the "intranet" and we use some of the WAF features of Cloudflare sometimes it is so frustrating.
reply
capitol_
18 minutes ago
[-]
Split dns is such an ugly hack, it causes no end of hard to debug problems.
reply
ferdzo
7 minutes ago
[-]
It is yeah, but it is a temporary solution while we are working out the setup.
reply