Hacker News
by dilyevsky 992 days ago
You could just as easily make df opt-in. Another way is to use a "fake" cloudflare-df.com SNI, just like they are doing with the cloudflare-ech.com outer SNI.

A designated domain for domain fronting is useless because it would immediately get added to every middlebox's list of blocked domains.
... and this is exactly what will happen to cloudflare-ech.com.

I'm really disappointed with how the ECH spec panned out. It's almost like "make sure middleboxes and GFW can block this" was a hard requirement. They should've made the handshake look like a session resumption (i.e. pre-shared key), since those aren't required to send a server name.
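The point both comments rest on, that the outer SNI (for example cloudflare-ech.com) stays in plaintext and is visible to any passive middlebox even when ECH is in use, as an added Python example that is not part of the thread: it constructs a minimal TLS 1.3 ClientHello and parses out exactly what an on-path observer sees. The ClientHello layout is simplified to the fields needed, and the encrypted_client_hello extension codepoint 0xfe0d is the one used by the ECH draft.

```python
import struct

EXT_SERVER_NAME = 0x0000   # server_name extension (RFC 6066), always plaintext
EXT_ECH = 0xFE0D           # encrypted_client_hello codepoint from the ECH draft

def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type (2 bytes) + length (2 bytes) + body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(outer_sni: str, ech_payload: bytes = b"") -> bytes:
    """Constructed minimal ClientHello record (sample input, not a real capture).
    outer_sni goes into the plaintext server_name extension; a non-empty
    ech_payload adds an opaque encrypted_client_hello extension beside it."""
    name = outer_sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = _ext(EXT_SERVER_NAME, sni_body)
    if ech_payload:
        exts += _ext(EXT_ECH, ech_payload)
    body = (b"\x03\x03" + b"\x00" * 32           # legacy_version + random (zeroed)
            + b"\x00"                           # empty legacy_session_id
            + b"\x00\x02\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big")  # handshake type ClientHello + length
    return b"\x16\x03\x03" + struct.pack("!H", len(hs + body)) + hs + body

def parse_client_hello(rec: bytes) -> dict:
    """Return what a passive middlebox can read off the wire without any keys:
    the plaintext (outer) SNI and whether an ECH extension is present."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                               # record hdr, hs hdr, version, random
    p += 1 + rec[p]                                  # legacy_session_id
    p += 2 + struct.unpack("!H", rec[p:p + 2])[0]    # cipher_suites
    p += 1 + rec[p]                                  # compression_methods
    end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    seen = {"outer_sni": None, "has_ech": False}
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", rec[p:p + 4])
        data = rec[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["outer_sni"] = data[5:5 + name_len].decode()
        elif ext_type == EXT_ECH:
            seen["has_ech"] = True                   # inner SNI stays opaque to us
    return seen

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("cloudflare-ech.com", b"\x00" * 16)))
```

A middlebox that matches `outer_sni` against a list of known ECH public names and checks `has_ech` needs nothing more than this to block the connection, which is the weakness the reply describes.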