The Pros and Cons of Encrypted Client Hello
- Added 7. 06. 2024
The Encrypted Client Hello or ECH is a new RFC that encrypts the TLS client hello to hide sensitive information like the SNI. In this video I go through the pros and cons of this new RFC.
0:00 Intro
2:00 SNI
4:00 Client Hello
8:40 Encrypted Client Hello
11:30 Inner Client Hello Encryption
18:00 Client-Facing Outer SNI
21:20 Decrypting Inner Client Hello
23:30 Disadvantages
26:00 Censorship vs Privacy ECH
blog.cloudflare.com/announcin...
chromestatus.com/feature/6196...
-Hussein
Apologies about the echo, especially if you're listening with an earpiece, replaced carpet in my home with vinyl and I think I need to sound treat the room.
Haha, it's okay. It was good all along while using laptop.
Good choice, carpet is much harder to clean and looks worse
"I've got nothing to hide" is a pretty naive way of looking at these things.
Exactly
Agreed. Didn't expect this take on this video. Makes me want to skip it entirely since the reasoning behind the RFC isn't even being considered.
Did you actually listen to his entire take there? His take was not "I've got nothing to hide", his take was that when you do happen to be visiting normie websites (regardless of wherever else you may or may not visit) the added complexity becomes pointless and wasteful
Iran's GFW (DPI) is using SNI filtering on Cloudflare to stop proxies on CF CDN.
Asked my packet sniffer about the latest SNI. Got a shrug and "it's complicated". Thanks ECH
Great we enjoy it
Can you do a video on how to design databases (relational db) in a microservice context?
Awesome explanation. I agree. Seems too complicated.
Question, why wouldn't the ISP upon seeing the packet with the double client hello just automatically return a server hello with their own crypto info so as to create a full proxy? At that point wouldn't they be able to see the eSNI that the sender is trying to protect?
From my understanding when the request gets to the server the server tries to decrypt the inner hello with its private key. The server public key would be served to the client in the initial dns over http. And if the server can’t decrypt the inner hello it is left with the outer hello and it won’t send the certificate. Or if the certificate is served by a different party other than the actual server the client will close the connection. He is talking about it at minute 22:00
You may not know, but some IPs are using dns:53 requests to offer ads or sell such information about a particular user. Yes, it seems complicated, but it makes sense ;) you just decrease your footprint and overall sniffing over you. Privacy is a very important thing today, and even look for some countries where privacy is an exotic thing to achieve :)
This should be part of http protocol
But I don't think governments will let it be a reality
Absolutely love your videos! But for the love of God make yourself louder somehow. I cannot hear you properly, unless I'm in a quiet place or using ANC headphones.
DoH or DoT are easy to do, it's just turning on a switch in Unbound or dnsdist
I disagree it is overkill. This is a quantum leap for privacy if adopted on par with TOR
How to make a 5-minute read turn into a 30-minute youtube video. Your content is dull and monotonous, you don't add anything to the original article
That is very wrong to say.
He explains a lot of stuff and adds on a lot of things... please be respectful.
@ZeeshanAli-nk3xk I am being respectful, especially to the people who might decide to purchase this guy's fake courses where he just blabbers on about content
How to make a worthless comment. Your comment is impractical & unnecessary, absolutely ridiculous!! I am a beginner & his explainer videos are a gem to catch up with the industry trends along with my studies. So, Hussein bhai, please keep up with the videos. Love it.
Again... really no truth in your reply.
I took his course on Network Engineering. And I am glad I bought it, he not only taught about the concepts you would learn in a particular course but his way of thinking, his methodology has inspired me to work, think and act differently in my career. You might not like a thing or two, it's okay to disagree on some aspects but cancelling out and making these comments doesn't do anything good.
Dude I agree 100% with you, this guy is not going to the point, just tells stories to newbies without respecting our time. He is not a teacher, he is preaching for clicks.