Comment by szmarczak

14 hours ago

It doesn't prevent fingerprinting, stop spreading misinformation. It only prevents your ISP from knowing what website you're connecting to.

fair point, I should have been more precise. the server (Cloudflare in this case) still decrypts the inner ClientHello and can fingerprint it - jannesan and jeroenhd are right about that.

the part that changes is passive fingerprinting from third parties - network middleboxes, ISPs, DPI systems that have historically been able to read ClientHello parameters in transit and build behavioral profiles. that layer goes away. for bot detection specifically that matters less since detection happens at the server, so your correction stands for that use case.

the Cloudflare paradox I was gesturing at is maybe better framed as: for sites NOT on Cloudflare, ECH makes it harder for Cloudflare (as a network observer) to do pre-connection fingerprinting. but for their own CDN customers, they decrypt it anyway so nothing changes for them. the conflict is more theoretical than practical for their current product.
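The split described above, with the inner ClientHello readable only by the terminating server and the outer ClientHello readable by anyone on the path, as an added Python example that is not part of this thread. Hostnames, cipher lists and the ECH payload are constructed samples, and the HPKE encryption of the inner hello is not modelled; the parser computes a JA3-style string (version, ciphers, extensions, groups; ec_point_formats left empty, GREASE not filtered).

```python
import hashlib
import struct

def ext(etype, body):  # one TLS extension: type(2), length(2), body
    return struct.pack("!HH", etype, len(body)) + body

def sni(host):  # server_name: list length(2), name type 0, name length(2), name
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return ext(0, struct.pack("!H", len(entry)) + entry)

def groups(ids):  # supported_groups: list length(2), then 2-byte group ids
    body = b"".join(struct.pack("!H", g) for g in ids)
    return ext(10, struct.pack("!H", len(body)) + body)

def client_hello(ciphers, exts):
    body = b"\x03\x03" + bytes(32) + b"\x00"  # legacy version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00" + struct.pack("!H", len(exts)) + exts  # null compression, extensions
    return b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1, 24-bit length

def fingerprint(hello):
    """Parse a ClientHello into (ja3_string, ja3_md5, sni, extension_types)."""
    p = 4
    ver = int.from_bytes(hello[p:p + 2], "big"); p += 2 + 32  # version, skip random
    p += 1 + hello[p]  # skip session id
    n = int.from_bytes(hello[p:p + 2], "big"); p += 2
    ciphers = [int.from_bytes(hello[i:i + 2], "big") for i in range(p, p + n, 2)]; p += n
    p += 1 + hello[p]  # skip compression methods
    end = p + 2 + int.from_bytes(hello[p:p + 2], "big"); p += 2
    exts, grp, name = [], [], None
    while p < end:
        et, el = struct.unpack("!HH", hello[p:p + 4]); data = hello[p + 4:p + 4 + el]; p += 4 + el
        exts.append(et)
        if et == 10:  # supported_groups
            grp = [int.from_bytes(data[i:i + 2], "big") for i in range(2, len(data), 2)]
        elif et == 0:  # server_name
            name = data[5:5 + int.from_bytes(data[3:5], "big")].decode()
    ja3 = ",".join([str(ver), "-".join(map(str, ciphers)), "-".join(map(str, exts)),
                    "-".join(map(str, grp)), ""])
    return ja3, hashlib.md5(ja3.encode()).hexdigest(), name, exts

CIPHERS = [0x1301, 0x1302, 0xC02B]
# Constructed samples. INNER is what the ECH-terminating server recovers after decryption; OUTER is
# what crosses the wire: a public cover name plus an ECH extension (0xfe0d) in place of the ciphertext.
INNER = client_hello(CIPHERS, sni("private.example") + groups([29, 23]) + ext(16, b"\x00\x03\x02h2"))
OUTER = client_hello(CIPHERS, sni("public.example") + groups([29, 23]) + ext(0xFE0D, b"<encrypted inner>"))

def views():  # a passive observer only parses OUTER; the server also recovers and parses INNER
    return {"observer": fingerprint(OUTER), "server": fingerprint(INNER)}
```

The outer hello still carries the cipher suites and groups, so a JA3-style hash of it remains computable on the wire; what the path observer loses is the inner SNI and inner-only extensions such as ALPN, which only the decrypting server can fingerprint.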

  • > the part that changes is passive fingerprinting from third parties - network middleboxes, ISPs, DPI systems

    Right. Things that should never have been allowed to exist to begin with. Working as designed.

  • > the part that changes is passive fingerprinting from third parties

    That's exactly what I said:

    > It only prevents your ISP from knowing what website you're connecting to.

  • Why would Clownflare ever see traffic to sites not on Clownflare?

    • They do routing. Even if you're connecting to a non-Cloudflare server, the traffic may still be routed through their servers.

      Why would they want to peek at traffic? Most likely for statistics (most frequently visited websites etc.).

Since most ISPs also maintain their own DNS resolver, they could always reverse lookup the IP address AFAIK.

  • The whole idea behind ECH is one IP hosts tons of sites (e.g. CDN) so you have no idea which one it is.

    Also reverse lookup has nothing to do with hosting own DNS resolver.

    • What you're describing is an SNI, not ECH. Those two serve very different purposes.

      > Also reverse lookup has nothing to do with hosting own DNS resolver.

      It has everything to do with that. Had you used two brain cells, you would've known that they can memorize the IP address and the domain name, and if you connect to that IP in a short period of time, most likely you visited that domain name.

What OP wrote seems correct:

> ECH basically kills TLS fingerprinting as a bot detection signal

They are not talking about fingerprinting in general. Please elaborate how else TLS fingerprinting can be done.

  • I am talking about TLS fingerprinting, not JS fingerprinting.

    > Please elaborate how else TLS fingerprinting can be done.

    By doing everything as it is right now?