Comment by 1vuio0pswjnm7
4 hours ago
One topic I have not seen discussed is why CDNs, one by one, stopped allowing "domain fronting" yet ECH, developed by people working at CDNs, essentially uses a similar tactic, i.e., two hostnames, only one of them actually needed for a successful HTTP request.
In truth ECH sends three: Host header + real SNI + dummy SNI.
It is unlikely that any browser will ever require ECH without a fallback to non-encrypted ClientHello.
If the CDNs come under pressure, they can stop allowing ECH, just like they stopped allowing domain fronting. Unlike fronting, they can do this selectively -- like, only if the client is in $COUNTRY and the hostname is one of XYZ.
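The "two hostnames" point above can be made concrete by looking at what is actually visible on the wire. The following is an added example, not code from the commenter or from any ECH implementation: it constructs a minimal TLS ClientHello with a cleartext server_name extension (the public "outer" name) and an opaque encrypted_client_hello extension, then parses it the way a passive network monitor would. Assumptions: the ECH extension codepoint 0xfe0d from the IETF ECH drafts, and a filler payload standing in for the HPKE-encrypted inner ClientHello (no real encryption is performed). The parser recovers only the outer name and the presence/size of the ECH blob; the inner hostname is not recoverable without the key, which is exactly the property a CDN would have to act on (or not) selectively.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint (assumption: IETF ECH draft value)


def build_client_hello(outer_sni: str, ech_payload: Optional[bytes]) -> bytes:
    """Construct a minimal TLS 1.3-shaped ClientHello handshake message.

    This is a constructed sample for illustration, not a capture of real traffic.
    """
    # legacy_version + 32-byte random (zeroed here) + empty legacy_session_id
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"
    # one cipher suite: TLS_AES_128_GCM_SHA256
    body += struct.pack("!H", 2) + b"\x13\x01"
    # legacy_compression_methods: one entry, null
    body += b"\x01\x00"

    exts = b""
    name = outer_sni.encode()
    # ServerNameList entry: name_type(0 = host_name), u16 length, name bytes
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    exts += struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    if ech_payload is not None:
        # In a real ECH ClientHello this is the HPKE-encrypted ClientHelloInner;
        # here it is opaque filler so the parser below sees the same shape.
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload

    body += struct.pack("!H", len(exts)) + exts
    # HandshakeType client_hello (1) + 24-bit length
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg: bytes) -> dict:
    """Extract what a passive observer can see: outer SNI and ECH presence."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]

    pos = 2 + 32                                   # skip legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len          # legacy_compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len

    result = {"outer_sni": None, "ech_present": False, "ech_len": 0}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == SNI_EXT:
            lp = 2                                 # skip ServerNameList length
            while lp < len(edata):
                ntype = edata[lp]
                nlen = struct.unpack("!H", edata[lp + 1:lp + 3])[0]
                if ntype == 0:
                    result["outer_sni"] = edata[lp + 3:lp + 3 + nlen].decode()
                lp += 3 + nlen
        elif etype == ECH_EXT:
            # The inner name is inside this blob and cannot be read without the key.
            result["ech_present"] = True
            result["ech_len"] = elen
    return result


if __name__ == "__main__":
    with_ech = build_client_hello("public.example", b"\x00" * 64)
    print(parse_client_hello(with_ech))
    without_ech = build_client_hello("real.example", None)
    print(parse_client_hello(without_ech))
```

Running it shows the contrast the comment is making: without ECH the real hostname is the only SNI and it is in the clear; with ECH the cleartext SNI is the public (dummy) name and the observer learns only that an ECH extension of some size is present. A CDN or middlebox can therefore key a policy on the outer name and on ECH presence, but not on the inner name.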