CloakHQ 8 hours ago

fair point, I should have been more precise. the server (Cloudflare in this case) still decrypts the inner ClientHello and can fingerprint it - jannesan and jeroenhd are right about that.

the part that changes is passive fingerprinting from third parties - network middleboxes, ISPs, DPI systems that have historically been able to read ClientHello parameters in transit and build behavioral profiles. that layer goes away. for bot detection specifically that matters less since detection happens at the server, so your correction stands for that use case.

the Cloudflare paradox I was gesturing at is maybe better framed as: for sites NOT on Cloudflare, ECH makes it harder for Cloudflare (as a network observer) to do pre-connection fingerprinting. but for their own CDN customers, they decrypt it anyway so nothing changes for them. the conflict is more theoretical than practical for their current product.
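To make the distinction above concrete, here is an added example (not code from the thread or from Cloudflare) that builds two minimal TLS ClientHello messages, one with a plaintext SNI and one carrying an ECH extension whose outer SNI is only a public cover name, then parses them the way a passive on-path observer would. The host names, cipher list and ECH payload are constructed placeholders: the ECH extension holds opaque filler bytes standing in for the HPKE-encrypted inner ClientHello, and the hash at the end is a JA3-style illustration of fingerprinting the outer hello's structure, not a JA3 implementation.

```python
"""Minimal ClientHello builder/parser: what an on-path observer sees with and without ECH.
Added example; not from the thread. Names, ciphers and ECH payload are constructed."""
import hashlib
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_SNI = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ECH = 0xFE0D  # encrypted_client_hello (draft-ietf-tls-esni)


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_ext(ext_type: int, body: bytes) -> bytes:
    """Generic extension: type(2) + length(2) + body."""
    return _u16(ext_type) + _u16(len(body)) + body


def build_sni(host: bytes) -> bytes:
    """server_name extension: ServerNameList of one host_name entry (name_type 0)."""
    name = b"\x00" + _u16(len(host)) + host
    return build_ext(EXT_SNI, _u16(len(name)) + name)


def build_client_hello(sni: bytes, cipher_suites, extra_exts: bytes) -> bytes:
    """Handshake message type 1, legacy_version 0x0303, empty session id, null compression."""
    random = b"\x11" * 32  # constructed, fixed for reproducibility
    cs = b"".join(_u16(c) for c in cipher_suites)
    exts = build_sni(sni) + extra_exts
    body = (b"\x03\x03" + random + b"\x00" + _u16(len(cs)) + cs
            + b"\x01\x00" + _u16(len(exts)) + exts)
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_client_hello(msg: bytes) -> dict:
    """Read only what is in the clear: cipher list, extension types, outer SNI, ECH presence."""
    assert msg[0] == 1, "not a ClientHello handshake message"
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    pos = 2 + 32                                  # legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len       # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len     # legacy_compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    ext_types, sni, ech = [], None, False
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        ext_types.append(etype)
        if etype == EXT_SNI:
            # data = list_len(2) + name_type(1) + host_len(2) + host
            host_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + host_len].decode()
        elif etype == EXT_ECH:
            ech = True  # the inner ClientHello is ciphertext; we cannot read its SNI/ALPN
    return {"ciphers": ciphers, "extensions": ext_types, "sni": sni, "ech": ech}


def passive_fingerprint(info: dict) -> str:
    """JA3-style digest over fields still visible in the outer hello (ciphers, extension order)."""
    s = "-".join(map(str, info["ciphers"])) + "," + "-".join(map(str, info["extensions"]))
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample hellos (placeholder names, TLS 1.3 AES/ChaCha suites).
CIPHERS = [0x1301, 0x1302, 0x1303]
SUPPORTED_VERSIONS = build_ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")
PLAIN_HELLO = build_client_hello(b"secret.example", CIPHERS, SUPPORTED_VERSIONS)
# With ECH the outer SNI is the public cover name; the real target lives inside the
# encrypted payload. 0xAA/0xBB filler stands in for two different HPKE ciphertexts.
ECH_HELLO = build_client_hello(b"public.example", CIPHERS,
                               SUPPORTED_VERSIONS + build_ext(EXT_ECH, b"\x00" + b"\xAA" * 40))
ECH_HELLO_ALT = build_client_hello(b"public.example", CIPHERS,
                                   SUPPORTED_VERSIONS + build_ext(EXT_ECH, b"\x00" + b"\xBB" * 40))


if __name__ == "__main__":
    for label, hello in (("plain", PLAIN_HELLO), ("ech", ECH_HELLO), ("ech-alt", ECH_HELLO_ALT)):
        view = parse_client_hello(hello)
        print(label, view["sni"], view["ech"], passive_fingerprint(view))
```

The parse of the ECH hello shows why both halves of the correction hold: the observer learns only the public name and the fact that ECH is in use, and two ECH clients with the same outer configuration hash to the same fingerprint regardless of the inner target, while the fronting server, which holds the ECH private key, still sees the decrypted inner hello and can fingerprint that.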

szmarczak 8 hours ago | parent | next

> the part that changes is passive fingerprinting from third parties

That's exactly what I said:

> It only prevents your ISP from knowing what website you're connecting to.

gzread 8 hours ago | parent | prev

Why would Clownflare ever see traffic to sites not on Clownflare?

szmarczak 8 hours ago | parent

They do routing. Even if you're connecting to a non-Cloudflare server, the traffic may still be routed through their servers.

Why would they want to peek at traffic? Most likely for statistics (most frequently visited websites etc).

gzread 7 hours ago | parent

Can you give an example of a BGP route or traceroute to a site not on Clownflare that was routed through Clownflare?

szmarczak 6 hours ago | parent

It depends on the origin and the destination. Their Magic Transit service explicitly allows this, and I assume they have agreements with other ASes in case something goes wrong on either side (it often does). You'd have to directly ask them to know specifically, but I don't think they would answer since that's proprietary information.