ivanr 9 hours ago

I wrote about ECH a couple of months ago, when the specs were still in draft but already approved for publication. It's a short read, if you're not already familiar with ECH and its history: https://www.feistyduck.com/newsletter/issue_127_encrypted_cl...

In addition to the main RFC 9849, there is also RFC 9848 - "Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings": https://datatracker.ietf.org/doc/rfc9848/

There's an example of how it's used in the article.

fmajid 9 hours ago | parent | next [-]

Thanks for the writeup, Ivan, I am a great fan of your work!

Now we need to get Qualys to cap SSL Labs ratings at B for servers that don't support ECH. Also those that don't have HSTS and HSTS Preload while we're at it.

ivanr 9 hours ago | parent [-]

Thanks! Sadly, SSL Labs doesn't appear to be actively maintained. I've noticed increasing gaps in its coverage and inspection quality. I left quite a while ago (2016) and can't influence its grading any more, sadly.

crote 6 hours ago | parent | next [-]

Is there a well-maintained alternative to SSL Labs you can recommend?

ivanr 6 hours ago | parent | next [-]

Yes, there is! After I left SSL Labs, I built Hardenize, which was an attempt to go wider and handle more of network configuration, not just TLS and PKI. It covers a range of standards, from DNS, over email, TLS and PKI, and application security.

Although Hardenize was a commercial product (it was acquired in 2022 by another company, Red Sift), it has a public report that's always been free. For example:

https://www.hardenize.com/report/feistyduck.com

The CSP inspection in Hardenize could use a refresh, but the TLS and PKI aspects are well maintained [at the time of writing].

Bender 5 hours ago | parent | prev [-]

I use testssl.sh [1] mostly because I can test things not publicly accessible.

[1] - https://github.com/testssl/testssl.sh

ignoramous 8 hours ago | parent | prev [-]

> There's an example of how it's used in the article

A bit tricky in Go, but nothing too complicated. We implemented ECH in Aug 2024 for our DNS Android app and it has worked nicely since: https://github.com/celzero/firestack/blob/09b26631a2eac2cf9c...
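The DNS side of RFC 9848 that ivanr points to, and the first thing a Go client like the one above has to do before it can offer ECH: decode the ECHConfigList carried in an HTTPS record's ech parameter (the raw bytes a Go 1.23+ client sets in tls.Config.EncryptedClientHelloConfigList). This is an added example, not code from the linked article, from firestack or from Go's standard library; the record value, the placeholder key and the second config with made-up version 0xfe0e are constructed for the demonstration.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
)
// ECHConfig is an RFC 9849 ECHConfig (version 0xfe0d); PublicName is the SNI sent in the unencrypted outer ClientHello.
type ECHConfig struct {
	ConfigID     uint8
	KEMID        uint16
	PublicKey    []byte
	CipherSuites []byte // raw (kdf_id, aead_id) uint16 pairs
	PublicName   string
}
// SampleECHConfigList is a constructed ech= value: a 0xfe0d config (X25519 KEM, HKDF-SHA256/AES-128-GCM, placeholder key, public_name "cover.example") followed by a config with made-up version 0xfe0e.
const SampleECHConfigList = "AEb+DQA8KgAgACAR" + "ERERERERERERERERERERERERERERERERERERERER" + "EQAEAAEAAUANY292ZXIuZXhhbXBsZQAA/g4AAr7v"
// ParseECHConfigList decodes the base64 ech= SvcParam of an HTTPS/SVCB record (RFC 9848); configs with an unknown version are skipped, as RFC 9849 requires.
// Extensions are consumed but not interpreted, so a real client must additionally skip any config carrying an unknown mandatory (high-bit) extension type.
func ParseECHConfigList(b64 string) (out []ECHConfig, err error) {
	b, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return
	}
	defer func() { // any out-of-range slice below means the list is malformed
		if recover() != nil {
			out, err = nil, errors.New("malformed ECHConfigList")
		}
	}()
	take := func(n int) (v []byte) { v, b = b[:n], b[n:]; return } // panics on underflow
	u16 := func() int { return int(binary.BigEndian.Uint16(take(2))) }
	if n := u16(); n != len(b) || n < 4 {
		return nil, errors.New("bad ECHConfigList length")
	}
	for len(b) > 0 {
		ver, body := u16(), take(u16()) // version, then length-prefixed contents
		if ver != 0xfe0d {
			continue // unknown version: skip this config, do not fail the list
		}
		b, body = body, b // parse the contents in isolation; body now holds the rest of the list
		kc, pk, cs := take(3), take(u16()), take(u16()) // config_id+kem_id, public_key, cipher_suites
		pn, _ := take(int(take(2)[1])), take(u16())       // max_name_length (ignored), public_name, extensions
		if len(b) != 0 || len(pk) == 0 || len(pn) == 0 || len(cs) < 4 || len(cs)%4 != 0 {
			return nil, errors.New("malformed ECHConfigContents")
		}
		out = append(out, ECHConfig{kc[0], binary.BigEndian.Uint16(kc[1:]), pk, cs, string(pn)})
		b = body
	}
	return out, nil
}
```

A client then keeps only configs whose KEM, KDF and AEAD identifiers it supports and uses PublicName as the outer SNI; a malformed list is rejected rather than allowed to crash the resolver.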