[HN Gopher] New standards for a faster and more private Internet
___________________________________________________________________
New standards for a faster and more private Internet
Author : terrelln
Score : 111 points
Date : 2024-09-26 17:07 UTC (5 hours ago)
(HTM) web link (blog.cloudflare.com)
(TXT) w3m dump (blog.cloudflare.com)
| barbazoo wrote:
| > New standards for a faster and more private Internet
|
| > Zstandard
|
| I get "faster" but how does it make the internet "more private".
| The word "private" only shows up exactly once on that page, in
| the title.
| java-man wrote:
| They also talk about Encrypted Client Hello (ECH).
| terrelln wrote:
| I believe that the "more private" part is referencing the
| "Encrypted Client Hello (ECH)" section in the later part of the
| post.
| gwbas1c wrote:
| The title of something should reflect the content. This is an
| article about a new compression format, and thus the title
| should say that.
| akdor1154 wrote:
| The first third of the article is indeed, maybe read the
| rest?
| nicce wrote:
| It is about moving the trust.
|
| > This means that whenever a user visits a website on
| Cloudflare that has ECH enabled, no one except for the user,
| Cloudflare, and the website owner will be able to determine
| which website was visited.
|
| So you must use entity which controls the DNS and this entity
| makes the request further for actual website. Feels like just
| worse VPN.
| ziddoap wrote:
| > _The word "private" only shows up exactly once on that page,
| in the title._
|
| However, the word "privacy" shows up 10 times in the article.
| java-man wrote:
| Does it mean ECH works only with the Cloudflare since their
| example ECH contains unencrypted outer layer client hello?
| jgrahamc wrote:
| No, it's an emerging standard. We are just pushing its adoption
| as fast as we can. Hence, we've rolled this out to all free
| customers.
| Rushsick wrote:
| And for non free customers, you can opt-in to ECH via the
| dashboard
| ameliaquining wrote:
| Right now, basically yes. No other major public clouds seem to
| support ECH yet, and ECH basically only works in public clouds;
| it can't hide your IP address, so it only provides privacy if
| you share your IP address with lots of other tenants.
| rkagerer wrote:
| ECH - if I understand correctly it's effective for sites hosted
| on big providers like Cloudflare, AWS, etc, but doesn't add much
| value when it comes to self-hosted domains or those on a
| dedicated server, as you'd still see traffic going to whatever IP
| and be able to infer from that which domain the user's browser
| is talking to. I'm hoping someone can explain that I missed
| something.
|
| And while we're explaining things... ODoH (indirectly mentioned
| in the article via the Encrypted DNS link) comes with a big bold
| warning it's based on the fundamental premise that the _proxy and
| the target servers do not collude_. When both are operated by the
| same company, how can you know they aren't colluding? Is there
| some mechanic in the protocol to help protect users from
| colluding servers?
| jeroenhd wrote:
| > When both are operated by the same company, how can you know
| they aren't colluding?
|
| You don't. At best the client can check domain names and IP
| addresses, but that's hardly a guarantee.
|
| To solve that problem, you can combine multiple parties. For
| example, you can use https://odoh1.surfdomeinen.nl/proxy as a
| proxy (operated by SURF [1]) to use the Cloudflare servers for
| lookup.
|
| I think for ODoH to work well, we need a variety of companies
| hosting forwarding services. That could be ISPs,
| Google/Microsoft/etc. or some kind of non-profit.
|
| [1]: https://www.surf.nl/en
| ekr____ wrote:
| Yes, that's correct about ECH. In general, there's no real way
| to conceal your browsing behavior if you are connecting to an
| IP address that isn't shared. So either you use ECH to
| something like Cloudflare or you connect to some proxy/VPN/etc.
| so that the local network can't see the final IP address.
| daveau wrote:
| re: ECH
|
| let the cat and mice game between deep packet inspection (DPI)
| vendors and the rest of the encrypted internet continue. it'll be
| amusing to see what they come up with (inaccurate guessing game
| ai/ml "statistical analysis" is about all they've got left,
| especially against the large umbrella that is cloudflare).
|
| game on, grab your popcorn, it will be fun to watch.
| jeroenhd wrote:
| There's a relatively simple and pain-free solution to
| legitimate DPI: blocking all requests that don't go through a
| proxy. Browsers will ignore some certificate restrictions if
| they detect manually installed TLS root certificates to make
| corporate networks work.
|
| This approach won't work on apps like Facebook or Instagram,
| but I don't think there's a legitimate reason to permit-but-
| snoop on that sort of traffic anyway.
| candiddevmike wrote:
| Passive DPI/web filtering is pretty much done at this point.
| There's no way to tell what domain you're connecting to with
| ECH without doing a MITM and breaking the PKI chain or adding
| private CAs everywhere.
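The point made above (and by rkagerer and ekr____ earlier in the thread) is what a passive box actually reads from the handshake. Here is an added example, written for this page and not code from Cloudflare or from the ECH drafts, that builds a minimal constructed ClientHello and parses it the way a DPI filter would: without ECH the SNI names the real site; with ECH the visible SNI is only the provider's shared public name, and the real name sits inside an opaque extension. Assumptions: the ECH extension codepoint 0xfe0d and the public name cloudflare-ech.com are taken as matching current deployments, the random and cipher-suite fields are placeholders, and the ECH payload is an opaque blob rather than a real encrypted inner ClientHello.

```python
"""What a passive DPI box can read from a TLS ClientHello, with and without ECH.

Added example for this thread; not code from Cloudflare or the ECH drafts.
Assumptions: the ECH extension codepoint 0xfe0d and the public name
cloudflare-ech.com match current deployments; the ClientHello built here is a
constructed minimal one with placeholder random/cipher fields.
"""
import os
import struct
from typing import Optional, Set

SNI_EXT_TYPE = 0x0000
ECH_EXT_TYPE = 0xFE0D   # encrypted_client_hello (assumed codepoint, see above)


def build_client_hello(server_name: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Constructed sample ClientHello record with an SNI and, optionally, an
    opaque ECH extension. Without ECH the SNI is the real site; with ECH the
    outer SNI is the provider's public name and the real name is inside
    ech_payload, which the observer cannot decrypt."""
    name = server_name.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    if ech_payload is not None:
        exts += struct.pack("!HH", ECH_EXT_TYPE, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03" + os.urandom(32)            # legacy_version + random (placeholder)
        + b"\x00"                               # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # legacy_compression_methods = [null]
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _parse_body(body: bytes) -> dict:
    """Walk the ClientHello body up to and through its extensions."""
    pos = 2 + 32                                           # legacy_version + random
    pos += 1 + body[pos]                                   # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # legacy_compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length mismatch")
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == SNI_EXT_TYPE:
            if len(data) < 5 or data[2] != 0:              # host_name type only
                raise ValueError("bad server_name extension")
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == ECH_EXT_TYPE:
            result["ech"] = True
    if pos != end:
        raise ValueError("trailing bytes in extensions")
    return result


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str|None, 'ech': bool}: all a passive observer learns
    about the destination name. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    try:
        return _parse_body(body)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def dpi_verdict(record: bytes, blocklist: Set[str]) -> str:
    """Mimic a passive per-site filter. With ECH the only visible name is the
    shared public name, so a per-site rule never matches; what is left is
    blocking on the ECH extension itself, which hits every ECH site at once."""
    info = parse_client_hello(record)
    if info["sni"] in blocklist:
        return "block:sni"
    if info["ech"]:
        return "ech-opaque"
    return "allow"
```

`dpi_verdict` is the whole argument in one function: the filter can match a plain SNI, but against an ECH ClientHello it sees only the public name and must either let everything behind that name through or block the extension wholesale. Active interception (a MITM with an installed root) is the only way to recover the inner name, which is the trade-off the comment above describes.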
| 9cb14c1ec0 wrote:
| Not hard to bypass it at all: https://support.mozilla.org/en-
| US/kb/faq-encrypted-client-he...
| aaomidi wrote:
| ECH is going to be huge for people in regressive countries. For
| example Iran.
| drdaeman wrote:
| Nah, they're just going to block the whole ECH handshake.
|
| Idk about Iran, but Russia and China just block eSNI, QUIC and
| whatever their DPI firewalls can't really handle on the fly.
| Rushsick wrote:
| The idea is to make ECH too large of a target to make
| blocking it practical. If you block ECH you end up blocking
| access to a large portion of the internet in that region.
| It's why some major browsers have chosen to not gracefully
| fallback to non-ECH handshakes upon connection failure.
| sroussey wrote:
| I think the other poster was implying that the governments
| don't care.
| Rushsick wrote:
| Yeah we shall see - we're monitoring closely
| aaomidi wrote:
| Disagree on this take. Blocking services does have an
| economic impact.
|
| This alongside people smuggling in starlink is making
| censorship useless.
| sroussey wrote:
| China blocks services all the time. I was one of the
| original 10 blocked by the great firewall of china.
|
| And starlink can be traced. It's only time before some
| people start getting arrested.
| aaomidi wrote:
| I'm not talking about China. China has well made internal
| alternatives to most western services.
|
| Iran does not.
| orthoxerox wrote:
| Greetings, residents of Arstotzka! To access Arstotzkan
| government websites, please install this Ministry of Digits
| TLS root certificate on all your devices. Also, all new
| phones sold in Arstotzka must have the certificate
| preinstalled, starting from 2025.
| 9cb14c1ec0 wrote:
| https://security.stackexchange.com/questions/213796/state
| -fo...
| nialse wrote:
| Let me just stress that the effect of Zstandard on individual
| end-user latency is a rounding error. No user will ever go: "That
| was a quick loading web site. Must be Zstandard!". The effect is
| solely Cloudflare having to spend x% less bandwidth to deliver
| the content, saving on their network and server resources.
| hammyhavoc wrote:
| If it saves them money, great. That also means resources saved,
| and that also means it's better for the planet, thus better for
| humanity. I'm failing to see the disadvantage.
| irq-1 wrote:
| What will ECH mean for places like China or South Korea? Do
| governments have access to Cloudflare logs? Only with court
| orders?
|
| ECH seems directly opposed to the Chinese government's control of
| the web.
| vetinari wrote:
| I think you meant North Korea, not South.
|
| It means nothing. Countries always ask nicely first for a
| domain to be blocked for IPs from their countries. Companies
| like Cloudflare or Akamai can either honor the request, or find
| their IP range blocked (yes, including all the other serviced
| domains). They usually take the first option.
| jiripospisil wrote:
| > I think you meant North Korea, not South.
|
| South Korea is infamous for their internet censorship.
|
| https://en.wikipedia.org/wiki/Internet_censorship_in_South_K.
| ..
| terrelln wrote:
| The latest Zstandard exposes several parameters which are useful
| for reducing time to first byte latency in web compression. They
| make Zstandard cut the compressed data into smaller blocks, e.g.
| 4 KB, with the goal to fit a compressed block within a small
| number of packets, so the browser can start to decompress
| without waiting for a full 128 KB block to be sent.
|
| These parameters are described in the v1.5.6 release notes [0].
| ZSTD_c_targetCBlockSize is the most notable, but
| ZSTD_c_maxBlockSize can also be used for a lower CPU cost but
| larger compressed size.
|
| Are you using these features at Cloudflare? If you need any help
| using these, or have any questions, please open an issue on
| Zstandard's GitHub!
|
| [0] https://github.com/facebook/zstd/releases/tag/v1.5.6
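To make the time-to-first-byte effect described above concrete, here is an added example, written for this page and not terrelln's or Cloudflare's code, that works at the level those parameters act on: the zstd block framing of RFC 8878. It builds two frames from the same payload, one with a single 128 KB block and one cut into 4 KB blocks, and measures how many bytes (and packets) must arrive before a decoder can emit its first output. Assumptions: the frames use Raw (stored) blocks so the example runs without libzstd, whereas a real compressor with ZSTD_c_targetCBlockSize emits Compressed blocks of roughly the target size, and the packet estimate uses a 1400-byte MSS.

```python
"""zstd frame block layout and first-byte latency (RFC 8878 framing).

Added example for this thread; not zstd or Cloudflare code. Uses Raw blocks so
it runs without libzstd; the block headers are the same ones a compressor
emits, which is what targetCBlockSize / maxBlockSize control.
"""
import math
import struct
from typing import Dict, List

ZSTD_MAGIC = 0xFD2FB528
BLOCK_TYPES = {0: "raw", 1: "rle", 2: "compressed", 3: "reserved"}
ASSUMED_MSS = 1400   # assumption: typical TCP payload per packet


def build_raw_frame(data: bytes, max_block: int) -> bytes:
    """Constructed sample: a valid zstd frame storing `data` as Raw blocks of
    at most `max_block` bytes (the spec caps any block at 128 KiB)."""
    if not 0 < max_block <= 128 * 1024:
        raise ValueError("block size must be in 1..128 KiB")
    # Frame_Header_Descriptor 0x00: no content size, no checksum, no dict id,
    # so a 1-byte Window_Descriptor follows (exponent 10 -> 1 MiB window).
    out = struct.pack("<I", ZSTD_MAGIC) + b"\x00" + bytes([10 << 3])
    chunks = [data[i:i + max_block] for i in range(0, len(data), max_block)] or [b""]
    for i, chunk in enumerate(chunks):
        last = 1 if i == len(chunks) - 1 else 0
        hdr = last | (0 << 1) | (len(chunk) << 3)   # Block_Type 0 = Raw
        out += hdr.to_bytes(3, "little") + chunk
    return out


def frame_blocks(frame: bytes) -> List[Dict]:
    """Walk the frame header and every block header; return one entry per
    block with its wire offset, type, declared size and bytes on the wire."""
    if len(frame) < 5 or struct.unpack("<I", frame[:4])[0] != ZSTD_MAGIC:
        raise ValueError("not a zstd frame")
    fhd = frame[4]
    fcs_flag, single_segment = fhd >> 6, (fhd >> 5) & 1
    checksum, did_flag = (fhd >> 2) & 1, fhd & 3
    if fhd & 0x08:
        raise ValueError("reserved bit set in frame header descriptor")
    pos = 5
    if not single_segment:
        pos += 1                                            # Window_Descriptor
    pos += (0, 1, 2, 4)[did_flag]                           # Dictionary_ID
    pos += (1 if single_segment else 0, 2, 4, 8)[fcs_flag]  # Frame_Content_Size
    blocks: List[Dict] = []
    while True:
        if pos + 3 > len(frame):
            raise ValueError("truncated block header")
        hdr = int.from_bytes(frame[pos:pos + 3], "little")
        last, btype, size = hdr & 1, (hdr >> 1) & 3, hdr >> 3
        if btype == 3:
            raise ValueError("reserved block type")
        wire = 1 if btype == 1 else size                    # RLE stores one byte
        blocks.append({"offset": pos, "type": BLOCK_TYPES[btype],
                       "size": size, "wire_size": wire, "last": bool(last)})
        pos += 3 + wire
        if pos > len(frame):
            raise ValueError("truncated block payload")
        if last:
            break
    if checksum:
        pos += 4
    if pos != len(frame):
        raise ValueError("trailing bytes after frame")
    return blocks


def raw_payload(frame: bytes) -> bytes:
    """Reassemble a Raw-only frame (enough to check our frames round-trip)."""
    out = b""
    for b in frame_blocks(frame):
        if b["type"] != "raw":
            raise ValueError("only Raw blocks are decoded here")
        start = b["offset"] + 3
        out += frame[start:start + b["wire_size"]]
    return out


def bytes_until_first_block(frame: bytes) -> int:
    """Bytes that must arrive before a decoder can emit anything: the frame
    header plus the first block's header and payload."""
    first = frame_blocks(frame)[0]
    return first["offset"] + 3 + first["wire_size"]


def packets_until_first_block(frame: bytes, mss: int = ASSUMED_MSS) -> int:
    """Same figure in full-size packets, under the assumed MSS."""
    return math.ceil(bytes_until_first_block(frame) / mss)
```

With a 100 KB payload the single-block frame needs the whole frame (74 packets at the assumed MSS) before the first byte comes out, while the 4 KB-block frame lets the decoder start after three packets; that is the head-of-line cost the targetCBlockSize parameter is meant to remove, at the price of slightly worse compression because each smaller block is entropy-coded on its own.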
| autoexec wrote:
| Cloudflare is happy to make it harder for anyone other than
| Cloudflare to see everything that you're doing on the internet.
| jiggawatts wrote:
| After examining how scammers and phishers host their sites, I've
| realised that "private" for Cloudflare means protecting the
| privacy of criminals.
|
| ECH makes it hard to block known scam sites at the network layer,
| for example.
| idle_zealot wrote:
| Either it's easy to block sites or it isn't. There's no world
| in which it's easier for you to block scam sites than it is for
| others to block vital resources and information.
| sltkr wrote:
| Network layer blocking is almost never in the interest of the
| end user. It's typically used to block users from accessing
| sites they _want_ to visit, like The Pirate Bay, or recently
| Russian Times and Sputnik News.
|
| End users who want to protect themselves can easily install
| blacklists on their end. All major browsers support something
| like Google Safe Browsing out of the box, and these blacklists
| are more likely to be kept up-to-date than those of the average
| ISP.
| Animats wrote:
| _"This means that whenever a user visits a website on Cloudflare
| that has ECH enabled, no one except for the user, Cloudflare, and
| the website owner will be able to determine which website was
| visited. Cloudflare is a big proponent of privacy for everyone
| and is excited about the prospects of bringing this technology to
| life."_
|
| This isn't privacy. This is centralized snooping.
|
| It's like Google's approach to third party cookies. Nobody _other
| than Google_ can have tracking information.
| Shakahs wrote:
| Another HN hot take about the Cloudflare bogeyman.
|
| The CDN can't give you content you're asking for without
| knowing which content you're asking for.
|
| This _improvement_ prevents your ISP and the government from
| reading your packets to get that same information.
| cebert wrote:
| What makes you believe CloudFlare wouldn't do this? They may
| have state actor employees or be compelled by a government to
| surveil users.
| casenmgreen wrote:
| I use Tor for privacy.
|
| CF blocks Tor; you can't get past the captcha.
___________________________________________________________________
(page generated 2024-09-26 23:01 UTC)