CloakHQ (2 days ago):
[flagged]

jannesan (2 days ago):
Cloudflare can and must decrypt the ClientHello for the sites it serves in order to actually serve the traffic. Using ECH with CF means you use their ECH domain and their keys.

jeroenhd (2 days ago):
If you control the domain you're fingerprinting clients on, you can decrypt the inner ClientHello and fingerprint on that. If you're not in control of the domain you're fingerprinting, then ECH is working as intended. I don't expect naive bots to implement ECH any time soon, though. If a bot can't be bothered to download curl-impersonate, they won't pass any ECH flags either.

szmarczak (2 days ago):
It doesn't prevent fingerprinting; stop spreading misinformation. It only prevents your ISP from knowing what website you're connecting to.

maxloh (2 days ago):
Since most ISPs also maintain their own DNS resolver, they could always reverse-lookup the IP address AFAIK.

progbits (2 days ago):
The whole idea behind ECH is that one IP hosts tons of sites (e.g. a CDN), so you have no idea which one it is. Also, reverse lookup has nothing to do with hosting your own DNS resolver.

szmarczak (2 days ago):
What you're describing is an SNI, not ECH. Those two serve very different purposes.

> Also reverse lookup has nothing to do with hosting own DNS resolver.

It has everything to do with that. Had you used two brain cells, you would've known that they can memorize the IP address and the domain name, and if you connect to that IP in a short period of time, most likely you visited that domain name.

gzread (2 days ago):
SNI is unencrypted, so your ISP can see it. ECH encrypts it.

szmarczak (2 days ago):
True. ECH is useless if you're using plain DNS. DNS over TLS or HTTPS is the way to go.

hzwanip (2 days ago):
What OP wrote seems correct:

> ECH basically kills TLS fingerprinting as a bot detection signal

They are not talking about fingerprinting in general. Please elaborate how else TLS fingerprinting can be done.

szmarczak (2 days ago):
I am talking about TLS fingerprinting, not JS fingerprinting.

> Please elaborate how else TLS fingerprinting can be done.

By doing everything as it is right now?

hzwanip (2 days ago):
How would you (an arbitrary web server) fingerprint a TLS connection if the Client Hello is encrypted?

conradludgate (2 days ago):
The website owner (or Cloudflare in this case) has the keys to decrypt the client hello. That's necessary for routing information.

szmarczak (2 days ago):
By decrypting it? I don't think you know how TLS, or E2E in general, works. The ISP doesn't perform the fingerprinting; the server does.

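A JA3-style fingerprint calculator, added here as an illustration and not code from any commenter, shows the two views argued over above: the outer ClientHello a passive observer sees (it still carries the cipher and extension lists, plus the ECH extension itself) and the inner ClientHello that only the terminating server can decrypt and fingerprint. The ClientHello bytes are constructed for the demo, the 0xfe0d code point is assumed from draft-ietf-tls-esni, and the HPKE decryption step is not modelled, so INNER is simply supplied as the already-decrypted payload.

```python
import hashlib

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ..., 0xfafa
ECH_EXT = 0xfe0d  # encrypted_client_hello code point (assumed from draft-ietf-tls-esni)

def build_client_hello(ciphers, extensions):
    """Constructed ClientHello body (record/handshake headers omitted) for the demo."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"  # cipher suites, null compression
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
    return body + len(ext).to_bytes(2, "big") + ext

def ja3(hello):
    """Return (ja3_string, ja3_md5) for a ClientHello body; GREASE values are dropped."""
    def rd(off, n):
        return int.from_bytes(hello[off:off + n], "big")
    version = rd(0, 2)
    pos = 2 + 32 + 1 + hello[34]                        # skip random and session id
    n = rd(pos, 2)
    ciphers = [rd(i, 2) for i in range(pos + 2, pos + 2 + n, 2)]
    pos += 2 + n
    pos += 1 + hello[pos]                               # skip compression methods
    end = pos + 2 + rd(pos, 2)
    pos += 2
    exts, groups, formats = [], [], []
    while pos < end:
        etype, elen = rd(pos, 2), rd(pos + 2, 2)
        data = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 10:                                 # supported_groups
            groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, len(data), 2)]
        elif etype == 11:                               # ec_point_formats
            formats = list(data[1:])
    def fmt(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(version), fmt(ciphers), fmt(exts), fmt(groups), fmt(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

# Constructed sample: same browser-like lists in both hellos. OUTER carries the ECH
# extension (what a middlebox sees); INNER is the decrypted payload the server sees.
COMMON = [(10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00"), (0x1a1a, b"")]
OUTER = build_client_hello([0x1301, 0x1302, 0x0a0a], COMMON + [(ECH_EXT, b"\x00")])
INNER = build_client_hello([0x1301, 0x1302, 0x0a0a], COMMON)
```

`ja3(OUTER)[0]` gives `771,4865-4866,10-11-65037,29-23,0` and `ja3(INNER)[0]` gives `771,4865-4866,10-11,29-23,0`: the passive observer still gets a stable fingerprint (with 65037 flagging ECH use), while the server that holds the ECH key fingerprints the inner hello exactly as before.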
CloakHQ (2 days ago):
[flagged]

szmarczak (2 days ago):
> the part that changes is passive fingerprinting from third parties

That's exactly what I said:

> It only prevents your ISP from knowing what website you're connecting to.

Hizonner (a day ago):
> the part that changes is passive fingerprinting from third parties - network middleboxes, ISPs, DPI systems

Right. Things that should never have been allowed to exist to begin with. Working as designed.

gzread (2 days ago):
Why would Clownflare ever see traffic to sites not on Clownflare?

szmarczak (2 days ago):
They do routing. Even if you're connecting to a non-Cloudflare server, the traffic may still be routed through their servers. Why would they want to peek at traffic? Most likely for statistics (most frequently visited websites, etc.).

gzread (2 days ago):
Can you give an example of a BGP route or traceroute to a site not on Clownflare that was routed through Clownflare?

szmarczak (2 days ago):
It depends on the origin and the destination. Their Magic Transit service explicitly allows this, and I assume they have agreements with other ASes in case something goes wrong on either side (it often does). You'd have to ask them directly to know specifically, but I don't think they would answer, since that's proprietary information.

andrewmcwatters (2 days ago):
[dead]