| ▲ | szmarczak 7 hours ago |
| It doesn't prevent fingerprinting, stop spreading misinformation. It only prevents your ISP from knowing what website you're connecting to. |
|
| ▲ | CloakHQ 7 hours ago | parent | next [-] |
| fair point, I should have been more precise. the server (Cloudflare in this case) still decrypts the inner ClientHello and can fingerprint it - jannesan and jeroenhd are right about that. the part that changes is passive fingerprinting from third parties - network middleboxes, ISPs, DPI systems that have historically been able to read ClientHello parameters in transit and build behavioral profiles. that layer goes away. for bot detection specifically that matters less since detection happens at the server, so your correction stands for that use case. the Cloudflare paradox I was gesturing at is maybe better framed as: for sites NOT on Cloudflare, ECH makes it harder for Cloudflare (as a network observer) to do pre-connection fingerprinting. but for their own CDN customers, they decrypt it anyway so nothing changes for them. the conflict is more theoretical than practical for their current product. |
| |
| ▲ | szmarczak 6 hours ago | parent | next [-] | | > the part that changes is passive fingerprinting from third parties That's exactly what I said: > It only prevents your ISP from knowing what website you're connecting to. | |
| ▲ | gzread 6 hours ago | parent | prev [-] | | Why would Clownflare ever see traffic to sites not on Clownflare? | | |
| ▲ | szmarczak 6 hours ago | parent [-] | | They do routing. Even if you're connecting to a non Cloudflare server, the traffic may still be routed through their servers. Why would they want to peek traffic? Most likely for statistics (most frequently visited websites etc). | | |
| ▲ | gzread 6 hours ago | parent [-] | | Can you give an example of a BGP route or traceroute to a site not on Clownflare that was routed through Clownflare? | | |
| ▲ | szmarczak 4 hours ago | parent [-] | | It depends on the origin and the destination. Their Magic Transit service explicitly allow this, and I assume they have agreements with other AS in case something goes wrong on either side (it often does). You'd have to directly ask them to know specifically but I don't think they would answer since that's proprietary information. |
|
|
|
|
|
| ▲ | maxloh 7 hours ago | parent | prev | next [-] |
| Since most ISPs also maintain their own DNS resolver, they could always reverse lookup the IP address AFAIK. |
| |
| ▲ | progbits 7 hours ago | parent | next [-] | | The whole idea behind ECH is one IP hosts tons of sites (eg. CDN) so you have no idea which one it is. Also reverse lookup has nothing to do with hosting own DNS resolver. | | |
| ▲ | szmarczak 6 hours ago | parent [-] | | What you're describing is a SNI, not ECH. Those two serve very different purposes. > Also reverse lookup has nothing to do with hosting own DNS resolver. It has everything to do with that. Had you used two brain cells, you would've known that they can memorize the IP address and the domain name, and if you connect to that IP in a short period of time, most likely you visited that domain name. | | |
| ▲ | gzread 6 hours ago | parent [-] | | SNI is unencrypted, so your ISP can see it. ECH encrypts it. | | |
|
| |
| ▲ | szmarczak 7 hours ago | parent | prev [-] | | True. ECH is useless if you're using plain DNS. DNS over TLS or HTTPS is the way to go. |
|
|
| ▲ | hzwanip 7 hours ago | parent | prev [-] |
| What OP wrote seems correct: > ECH basically kills TLS fingerprinting as a bot detection signal They are not talking about fingerprinting in general. Please elaborate how else TLS fingerprinting can be done. |
| |
| ▲ | szmarczak 7 hours ago | parent [-] | | I am talking about TLS fingerprinting, not JS fingerprinting. > Please elaborate how else TLS fingerprinting can be done. By doing everything as it is right now? | | |
| ▲ | hzwanip 7 hours ago | parent [-] | | How would you (an arbitrary web server) fingerprint a TLS connection if the Client Hello is encrypted? | | |
| ▲ | conradludgate 7 hours ago | parent | next [-] | | The website owner (or cloudflare in this case) has the keys to decrypt the client hello. That's necessary for routing information. | | | |
| ▲ | szmarczak 7 hours ago | parent | prev [-] | | By decrypting it? I don't think you know how TLS, or E2E works in general. ISP doesn't perform the fingerprinting, the server does. | | |
|
|
|
