by galadran 992 days ago
I believe CF and others buckled under pressure from major websites which didn't want to be used as fronts for other website's traffic. ECH fixes this because individual sites get to opt-in to using it.
1 comment

You could just as easily make DF opt-in. Another way is to use a “fake” cloudflare-df.com SNI, just like they are doing with the cloudflare-ech.com outer SNI.
A designated domain for domain fronting is useless because it would immediately get added to every middlebox's list of blocked domains.
... and this is exactly what will happen to cloudflare-ech.com.

I'm really disappointed with how the ECH spec panned out. It's almost like "make sure middleboxes and GFW can block this" was a hard requirement. They should've made the handshake look like a session resumption (i.e. pre-shared key), since those aren't required to send a server name.
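The thread turns on what a passive on-path observer can actually read from a ClientHello: a plaintext server_name, a fixed outer SNI plus an encrypted_client_hello extension, or a PSK-resumption hello that carries no server_name at all. The following is an added illustration, not code from any commenter or from Cloudflare: it builds three minimal, constructed TLS 1.3 ClientHello records and parses them the way a middlebox would, reporting the visible SNI and which extension codepoints are present. The extension codepoints are assumed from the IETF registry and draft-ietf-tls-esni (server_name = 0, pre_shared_key = 41, encrypted_client_hello = 0xfe0d); the ECH and PSK extension payloads are opaque zero-filled placeholders, since only their presence matters here.

```python
import struct

# Extension codepoints (assumed from the IANA TLS registry / draft-ietf-tls-esni).
EXT_SERVER_NAME = 0
EXT_PRE_SHARED_KEY = 41
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D


def _ext(ext_type, data):
    """Encode one TLS extension: type(2) || length(2) || data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_extension(hostname):
    """server_name extension with a single host_name entry (RFC 6066 layout)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """Wrap a constructed ClientHello body in handshake and record headers."""
    body = b"\x03\x03" + bytes(32)          # legacy_version + constructed all-zero random
    body += b"\x00"                          # empty legacy_session_id
    suites = b"\x13\x01\x13\x02"             # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    exts = b"".join(extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record):
    """Parse a ClientHello record and return what a passive observer can see."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + body[pos]                           # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    seen = {"sni": None, "ech": False, "psk": False, "extensions": []}
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        seen["extensions"].append(ext_type)
        if ext_type == EXT_SERVER_NAME:
            # server_name_list length(2) || name_type(1) || name length(2) || name
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode()
        elif ext_type == EXT_ENCRYPTED_CLIENT_HELLO:
            seen["ech"] = True
        elif ext_type == EXT_PRE_SHARED_KEY:
            seen["psk"] = True
    return seen


def scenario_plain_sni():
    """Classic hello: the real hostname is readable by anyone on path."""
    return observe_client_hello(build_client_hello([sni_extension("example.com")]))


def scenario_ech():
    """ECH-style hello: fixed outer SNI plus an ECH extension (opaque placeholder payload)."""
    return observe_client_hello(build_client_hello([
        sni_extension("cloudflare-ech.com"),
        _ext(EXT_ENCRYPTED_CLIENT_HELLO, bytes(16)),
    ]))


def scenario_psk_resumption():
    """Resumption-style hello: no server_name, only a pre_shared_key placeholder (must be last)."""
    return observe_client_hello(build_client_hello([_ext(EXT_PRE_SHARED_KEY, bytes(8))]))


if __name__ == "__main__":
    for name, fn in [("plain SNI", scenario_plain_sni), ("ECH", scenario_ech),
                     ("PSK resumption", scenario_psk_resumption)]:
        print(f"{name:15s} -> {fn()}")
```

The three results make the commenters' point concrete: the plain hello exposes the hostname; the ECH-style hello still exposes a fixed outer name and a distinctive extension codepoint, both of which are trivial to match on a middlebox; the resumption-style hello exposes neither a name nor an ECH marker. A real resumption hello carries additional extensions and a binder in pre_shared_key, so the zero-filled payloads here would not be accepted by a server; the shape of what is visible on the wire is what the example is meant to show.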