As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th
Bind9 had branches for both and I was able merge the two to satisfy that requirement.
When connecting to such a server, you MUST NOT use a DNS resolver hosted by any origination along the path from client to server as they can correlate the host from the DNS request with your encrypted client hello. You can actually man-in-the-middle ECH to decrypt the client hello by overriding the hosts record when controlling the DNS resolver. My project was testing this for parental controls.
Keep in mind, ECH really only benefits users connecting to a CDN. That is, when multiple services are behind the same IP. It masks which host the user is going to for any hop between the client and server.
Any data mining company worth their evils will have an IP to DNS index to figure out the host when only one is behind an IP.
This marginally gives some privacy to users. It hides the host from your ISP. It REALLY benefits browser companies and CDN hosts. What hosts a user is visiting now becomes exclusive data for those companies thereby driving up the value of the data. Assuming you aren’t being stupid with your addons.
It’s been a couple years since I was involved with ECH, but the implementations at the time were:
The one by the draft’s authors in golang (Cloudflare). This is the actual test server. It uses Cloudflare’s fork of golang with an enhanced crypto library. https://gist.github.com/cjpatton/da8814704b8daa48cb6c16eafdb8e402
BoringSSL used for chrome. There are nginx builds with BoringSSL, but I don’t know if the setting are exposed.
https://boringssl.googlesource.com/boringssl/+/refs/heads/master/ssl/encrypted_client_hello.cc
WolfSSL which I never got around to playing with.
https://www.wolfssl.com/encrypted-client-hello-ech-now-supported-wolfssl/
NSS which is Mozilla’s TLS library. There is a test server buried in there some place for unit testing.
https://firefox-source-docs.mozilla.org/security/nss/index.html
With that, you ALSO need a DNS server that supports DNS over HTTP (DoH) and HTTPS service binding records (https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/).
Bind9 had branches for both and I was able merge the two to satisfy that requirement.
When connecting to such a server, you MUST NOT use a DNS resolver hosted by any origination along the path from client to server as they can correlate the host from the DNS request with your encrypted client hello. You can actually man-in-the-middle ECH to decrypt the client hello by overriding the hosts record when controlling the DNS resolver. My project was testing this for parental controls.
Keep in mind, ECH really only benefits users connecting to a CDN. That is, when multiple services are behind the same IP. It masks which host the user is going to for any hop between the client and server.
Any data mining company worth their evils will have an IP to DNS index to figure out the host when only one is behind an IP.
This marginally gives some privacy to users. It hides the host from your ISP. It REALLY benefits browser companies and CDN hosts. What hosts a user is visiting now becomes exclusive data for those companies thereby driving up the value of the data. Assuming you aren’t being stupid with your addons.