by infogulch
1772 days ago
Yes there is still a 1-1 mapping from IPv6 to domain, but that mapping is pushed back into the DNS layer where it belongs instead of being smuggled (poorly) through TLS. DNS isn't perfect for privacy either, but at least there's a chance that it can be solved with DoH / private DNS servers / etc, instead of the only solution (eSNI) requiring everyone voluntarily signing up to a giant mitm called "cloudflare".
One of the things we see with the Great Firewall is that you can reach some brand new service, and then a few minutes later (after presumably some automation spun up, examined it and didn't like what it found) it's blocked.

In contrast, under ECH Winnie can choose to have 10.20.30.40 blocked, and if the only things on it are winnie-the-pooh.china.example and kick-putin-out.russia.example then why not. But if it also features popular-website.example then that's a difficulty.

If it helps, while I expect Cloudflare will continue as before, ECH is actually carefully designed so that intermediates can be set up to be able to discern that you want winnie-the-pooh.example and make that work without in fact knowing how to answer for that name. In effect you can sign up to have some popular host (e.g. Google, Amazon, or indeed Cloudflare) provide their servers for your names, but not provide your services and not have any ability to MITM you; they're acting as a sort of IP proxy instead. And some of the big names are clearly enthusiastic about enabling this capability, albeit for a price.
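The two comments above hinge on what the DNS actually publishes for ECH: the HTTPS record carries an ECHConfigList whose `public_name` is the only hostname an on-path observer sees in the outer ClientHello, while the real name travels encrypted to the client-facing server's HPKE key. The parser below is an added example, not code from the thread or from any ECH implementation; it decodes the ECHConfig wire format (draft version 0xfe0d) from a constructed sample, with the hostname `ech-frontdoor.example` and the 32-byte key being placeholders, and skips entries with a version the client does not understand, as a real client must.

```python
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version this parser understands

def _opaque(buf, pos, width):
    """Read a length-prefixed opaque field; width = bytes in the length prefix."""
    n = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    return buf[pos:pos + n], pos + n

def _parse_contents(body):
    """ECHConfigContents: HpkeKeyConfig, maximum_name_length, public_name, extensions."""
    config_id, kem_id = body[0], int.from_bytes(body[1:3], "big")
    public_key, p = _opaque(body, 3, 2)
    suites_raw, p = _opaque(body, p, 2)
    suites = [struct.unpack_from(">HH", suites_raw, i) for i in range(0, len(suites_raw), 4)]
    max_name_len = body[p]
    public_name, p = _opaque(body, p + 1, 1)   # 1-byte length: opaque<1..255>
    extensions, p = _opaque(body, p, 2)
    return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "maximum_name_length": max_name_len,
            "public_name": public_name.decode("ascii"), "extensions": extensions}

def parse_ech_config_list(data):
    """Decode an ECHConfigList; unknown versions are skipped rather than rejected."""
    total, pos = int.from_bytes(data[:2], "big"), 2
    end, configs = pos + total, []
    while pos < end:
        version, length = struct.unpack_from(">HH", data, pos)
        pos += 4
        body, pos = data[pos:pos + length], pos + length
        if version == ECH_VERSION:
            configs.append(_parse_contents(body))
    return configs

def outer_sni(data):
    """The name a client puts in the cleartext SNI: the client-facing server's public_name."""
    configs = parse_ech_config_list(data)
    return configs[0]["public_name"] if configs else None

def build_sample():
    """Constructed ECHConfigList for a hypothetical client-facing server (not real keys)."""
    pubkey, name = bytes(range(32)), b"ech-frontdoor.example"   # placeholder X25519 key
    contents = (bytes([7]) + (0x0020).to_bytes(2, "big")        # config_id, DHKEM(X25519)
                + len(pubkey).to_bytes(2, "big") + pubkey
                + (4).to_bytes(2, "big") + struct.pack(">HH", 0x0001, 0x0001)  # HKDF-SHA256/AES-128-GCM
                + bytes([64]) + bytes([len(name)]) + name + (0).to_bytes(2, "big"))
    config = ECH_VERSION.to_bytes(2, "big") + len(contents).to_bytes(2, "big") + contents
    return len(config).to_bytes(2, "big") + config
```

The backend's real hostname never appears in the parsed structure at all; the record only tells the client which front door to name in the clear, which is why blocking has to target the shared address rather than the individual site.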