by Animats 632 days ago
"This means that whenever a user visits a website on Cloudflare that has ECH enabled, no one except for the user, Cloudflare, and the website owner will be able to determine which website was visited. Cloudflare is a big proponent of privacy for everyone and is excited about the prospects of bringing this technology to life."

This isn't privacy. This is centralized snooping.

It's like Google's approach to third party cookies. Nobody other than Google can have tracking information.

2 comments

> This isn't privacy.

It will be when everyone adopts ECH. It's a fantastic start.

Doesn't Cloudflare decrypt and MITM all traffic? In that case they can snoop on everything.
Only true when the entire Internet is routed through Cloudflare. (A majority probably will, but the GP surely meant this.)
Another HN hot take about the Cloudflare bogeyman.

The CDN can't give you content you're asking for without knowing which content you're asking for.

This improvement prevents your ISP and the government from reading your packets to get that same information.

Especially since, as another top comment put it, ECH only gives privacy benefits if the serving IP is serving multiple domains.

I'm all for being wary of large-scale consolidation, but I feel like these lazy gripes aren't assessing the pros and cons dispassionately.

The internet is moving towards a place where it might not be possible to self-host anything important without getting DDoS'd. Companies like Cloudflare provide a solution to this problem, but that also creates a crutch that means no effort is expended to solve the problem at the root, which means the day may come when you don't have any option left other than Cloudflare.

I think these are important issues and worth talking about.

Those issues are absolutely worth discussing, in a reasonable way. Cloudflare isn't the bad actor perpetuating these DDoS attacks, and they aren't forcing website operators to use their services either.
They don't need to be a bad actor. They just need to be big enough and follow their incentives.

Companies aren't binary good or bad. They go through a lifecycle. Today's young and scrappy startup fighting for the people and the CEO making house calls is tomorrow's big tech with AI chat support.

It's worth noting where a company is in its lifecycle, and what the world is likely to look like if it continues to grow.

> Cloudflare isn't the bad actor perpetuating these DDoS attacks

How do we know that? Who else benefits from most of them?

What makes you believe Cloudflare wouldn’t do this? They may have state actor employees or be compelled by a government to surveil users.
So now the government needs to compel a corporation to hand over some data, because they are no longer able to read it straight off the wire like they could before. That sounds like a significant improvement to privacy.
People trafficking drugs into Australia were using a secure, encrypted messaging service developed by a private third party provider.

They eventually found out that the third party provider was in fact the Australian Federal Police, reading all their messages in clear and in real time.

The government only needs to compel a corporation if that corporation has an adversarial relationship with them.

We have tried the centralized model pushed by Cloudflare before, it was called the Minitel.

Sounds like an interesting story. Do you have a link to a summary?
> The CDN can't give you content you're asking for without knowing which content you're asking for.

Maybe some PIR protocol can also eventually change this (if the users and Cloudflare don't mind the computational and network overhead!).