Encrypted Client Hello - Online Privacy's Missing Piece
HTML-код
- Опубликовано: 20 дек 2023
- In this video I discuss how Encrypted Client Hello (ECH) works and how some organizations might take extreme measures to do client side blocking to continue filtering traffic in a world where ECH becomes the standard.
support.mozilla.org/en-US/kb/...
My merch is available at
based.win/
Subscribe to me on Odysee.com
odysee.com/@AlphaNerd:8
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF 
Наука
Its kinda impressive the length the government will go just to see my bird
Because they heard that your bird is the word!
@@Abdega hell yeah 😂
Because birds aren't real
After seeing some big follower profile on Xitter try to dunk on your channel get completely flamed I thought it's probably right to say thanks for spreading important info and news to people that aren't that informed in the tech space.
That’s the way I got introduced to this channel, and immediately loved it. Cool guy. Subbed 🎉. Really funny how that backfired even though I’m sure they weren’t directly trying to dunk and just reposting a meme hahahahaha
And who was this xitter shithead?
Who was tryna dunk on my boy?
Who?
What happened
The deep fake grows stronger with each day
I know, I even taught it to do farm chores!
Think you could teach it to come do my chores???
@@MentalOutlaw Hey, Vegan Gains! How long did it take you to learn to code, losing bulk and growing a beard in the process, to pivot to a FOSS & Privacy Tech RUclipsr 😂 😂 😂
@@user-wg2vw3mz1v how many times are you going to post this?
@@MentalOutlawcan i tell you a big secret. I think they always knowbwhat people do but have merely made apps and systems appear like they lost the ip and tracking is turned off but all thats really going on is they are watching but not able to tale action because theyv told us its incrypted. They ate spies of course they can see yoyr shit but they cant do anything because theyv promised its "encrypted"...
And when client side snooping is less than they desire, censors put pressure on network hosts to block any protocols which don't identify a destination in the clear.
And the counter to that is relays that don't look like relays to the snoops.
That sounds like Tor without some steps
@@NerdyCatCoffeeee In so far as the relays can be chained, and no step in the chain requires some element which pierces privacy, they could do the same job as TOR.
Bro I just wanna say I love your video thumbnails. Makes me chuckle every time
Nigeria should become a constitutional monarchy. Then the Nigerian prince becomes a reality.
I believe this only adds a (small) layer of difficulty to hiding visited websites. The ISPs can still see the IP addresses in the packets routed to the websites, and from there easily discover which website corresponds to (something similar can also be done in the client level).
yeah unless they use cdn
It is rare for a single website to be on a single ip. Also it doesn’t stop the big DNS providers from snooping. So 🤷🏻♂️.
@@DarkxPunk Not being on a single ip doesn't stop the association of ips to website, at most it makes it slightly harder. But yeah most the DNS providers are owned by FAANG so it's still pointless either ways.
@@kexec. true, probably the best option to pair with ECH is to choose a trusted cdn provider
@@kexec. Single cloudflare ip address can have more than 500 websites
I prefer to force people to find me in order to speak to me, really roots out all the nonsense.
Just found your channel yesterday for the encrypted recursive DNS server. Pertinent content and well explained. Subbed.
I'm so happy that you uploaded this video. Thank you for uploading it.
In this scenario there will still be a third party (meaning it's neither the client nor the destination server) that will know which website you are visiting. In this example it will be CloudFlare, but it could also be Amazon or even Google, if the destination server is deployed within their cloud infrastructure and uses their CDN.
Libre taxi is open source Uber alternative can you talk about it ?
best way to find a schizo that will drive you to a forest
4:57 lmao I wasn't ready for the suchifur reference
Enterprises have been installing trusted root certs for years. Deviced which don't have this are simply banned from the local subnets. It's not a problem for them.
Came here to say this. Companies will have you sign off on all privacy on your company devices and have literal spyware installed on them (out in the open that is). I think the fact the nature of the spyware being so obvious is sometimes part of the dissuasive strategy as well: keep users on their toes, and keep them paying (some...) attention to what they're doing knowing we *will* know if they endanger the company with reckless behavior.
The IPv4 problem is artificial. There are so many aftermarket blocks available, and tons of unused blocks owned by universities. The solution to IPv4 is to reclaim unused blocks so they can be allocated again
the problem is that more blocks are occuped and more their price will be, if u want you can buy all ipv4 addresses you need but their cost will be pretty expensive, there are an acutal market around it
I work for a small ISP. We bought IPv6 blocks from ARIN and attempted to deploy them to management scopes, customers, etc. Almost every single piece of hardware had some sort of limitation with IPv6, along with other peices not supoprting it whatsoever. Its been a mess and now we are reverting back to IPv4 xD
You can reclaim unused blocs all you want, in the end there are only a few billions IPv4 addresses
@@e995a1addo you think we need more than a few billion public IPs??? Nat exists for a reason
Nah, you're wrong and I'm not gonna tell you why.
Mental Outlaw for president.
I doubt they would allow that
How dare you curse this man! 😅
@@MentalOutlaw They should.
your honeypots are interesting, thank you agent outlaw!
What do you mean honeypots ? I am not that tech savvy , can you explain like i am 12 ?
I know what a honeypot is ( basically a trap ) but i didn't get the idea.
@@ahmadalnzi2694 that's the point
@@ahmadalnzi2694 this is a running joke on the channel, just like Kenny not actually showing himself on camera but rather rendering deepfakes of a random black guy
Dude I'll be real, IPv6 is super fucking based. I don't have to think about ports, or weird configurations for hosting several different websites or servers off the same machine, and use my domain name. Like I can throw 6 different VMs on a box, and they all get their own v6 global address, and I can throw that info into cloudflare and everything resolves correctly. Shit's awesome, it's actually easier work for me. Like I mean the initial setup was a bitch, and it took me a while to figure out how to get the vms IPv6 addresses, but once I did it was just as simple as going into the router, finding the host name and yoinking it's reporting v6 address, and dumping it into my cloudflare. After doing it, I honestly don't see why companies can't be bothered to figure out how this works, since it's really not that hard. Especially if your business is computer networking. Though I will say some weird stuff does require more tinkering, like services/SRV records for VOIP stuff, that can get super freaking jank, but oddly enough that was an easier setup than my linux based cloud server.
I think the main issue nowadays with encryption is that it requires a middle man, called a "Certificate Authority". We now have companies like Microsoft and Google issuing certificates. This is an obvious problem, as this allows those companies to decrypt our data at will. We need to completely re-invent this system.
Actual fact though
For a CA to decrypt my traffic with their private keys they have to capture that encrypted traffic first. To do that they have to set up a proxy or something down the line of my connection. Even if they somehow got my encrypted traffic, their private key won't decrypt it due to "forward secrecy" that's been enforced in TLS 1.3. We also have a big system for certificate revokation. How can Google decrypt my data at will if I may ask?
@@lizard9159 I imagine a ISP or a VPN can log internet traffic and store it, but I have never heard of "forward secrecy", that interesting. Just got around to look it up and isn't a CA's job just to make sure the website is just legitimate? A CA couldn't act like a DNS or see website data, it instead only checks if the connection has secure keys and such.
Yes but not really. They would be detected and immediately distrusted by all browser vendors, also all CAs must meet certain transparency requirements.
The real problem are government mandated CAs. The EU is about to force all browsers to trust EU-members CAs with eIDAS 2.0
I don't think CAs can decrypt private data. The role of CAs is just to certify that someone owns a domain. The only attack a CA can really do is mint a false certificate and then use a fake site with the false certificate to capture user traffic. This would likely be caught and the CA would not be trusted by any browsers. I do agree with the sentiment of not trusting third parties though. The only issue is that there is no known way to easily (and salably) verify identity without third party trust.
The liability cost for a VPN is so high that nobody legitimate can afford to run it ethically.
Agreed. People always get hung up on "well ThEy sAiD--" but the long arm of the law is endless. Apple, proton, whatever would rather take the PR hit of giving over info to the glowies than be penalized into bankrupcy (or worse, accused of harboring criminals)
Really?
@@AutomaticFlax4470 think about it this way: imagine content, far worse than the content discussed in this video, content that you and I would both agree absolutely must not be tolerated. How do you deal with that as a VPN? Any decision you make is problematic. Some you might be able to justify ethically, some you might be able to justify legally, but none can you justify both ethically and legally in all jurisdictions for all content.
@@edwardallenthree
(He's talking about child porn)
mullvad?
4:56 that dragon is making me act... unwise.
do NOT pet the dragon...
@@MentalOutlaw I already did...
@@MentalOutlawwould.
Dragons aren't fuzzy what are they teaching the kids in school these days.
you must not be aware of the furred dragon species, the best of both worlds. @@mqb3gofjzkko7nzx38
I have no idea what you're talking about most of the time. But I like the premise and want to support your channel.
There are still plenty of IPv4 addresses hosting a single website, so encrypted SNI/Encrypted Client Hello do not solve those problems.
These websites are also very interesting to eavesdroppers like your ISP, because they are usually small/ less popular websites and can tell a lot about your personality.
Love your video's! :)
Thanks for looking out bro
Kazakh here, they launched this government certificate thingie, but no one wanted to install the certificate, so they cancelled the initiative (thank god)
I believe russia also has such a thing now
@@CrisCheese_ that’s not entirely true, they just opened a government CA that’s not recognised by the rest of the world, so they can get certificates when other CAs stop issuing certs to russian companies.
but certainly it could be a launchpad for what you’re describing.
Unfortunately for ECH to work, more and more people have to be behind centralized services like Cloudflare. Else encrypting single domain name served by an IP becomes meaningless.
Internet needs more decentralization, but ECH seems like the first step at better online privacy.
but also a big step towards more censorship
I remember getting really excited when DNSSEC came out (what is it now, 15-18 years ago) I started reading extensively on unbound (I had know clue how to set an unbound server up!) but that technology was desperately needed and I got excited about it... I'm thinking it's gonna take at least that long for ECH...
I wonder what this means for government blocking of websites.
I imagine it would mean they won’t be able to see you accessing blocked websites with a VPN.
they can just block by ip
@@vnc.t then they will continue using different IP addresses, simple.
@@vnc.t this did not work, look at pirate bay, they were able to keep on hopping to different IPs
i love you man thank you for your service
Dunno why, but you're my own Personal CIA chief🙇♂️🙇♂️
That’s Johnny Harris. Our cia king
heavy stuff, very well explained 🎉
you are really good at explaining shit. so glad I found your channel
I think I might switch to Firefox because of ECH.
Most network admins I've known in person rely mostly on a DNS sinkhole and good device privilage configuration. Can't get to naughty sites if your only DNS server turns you down.
ECH doesn't even work without DoH (DNS over HTTPS). That's not really something network admins can manage.
@@ShadowManceri I mean, if users have the rights to change their DNS settings while you're using a DNS sinkhole, I'm not sure you're very good at your job 🤔
If that's not an option for some reason, you could always try blocking known DNS IPs but that'd get hard to manage quick (though someone probably maintains a list somewhere).
IT security policies are rarely a "you can't break out"; they're usually a "it'd take you so much effort to break out it's not worth it".
I could always spin up a VS Code Tunnel to my personal machine, CURL my naughty site, download the assets, and paste the code into the browser (or just use a browser inside of VS Code). But that's a lot of effort.
@@BellCube DoH doesn't require user to have permissions to change DNS settings, because it's a app layer thing. There is no practical way to stop users for using DoH or to force them to use company DoH servers. User can always use portable version of the browser with their own settings and there really is nothing you can do against that. What you can do is to block known DoH servers but if user has a will, they are ways to go around that and they are not very complicated. And it doesn't even need to be any naughty sites, but things like facebook or steam or whatever the company wants to block. While most users are not even trying to go past the first obstacle or even simply follow the guideline saying that you are not allowed, there will be rebels. Not to mention that there often are people with higher permissions. It's really a lost battle if user truly wants to do something.
Fun story: when I was in high school, I worked in the school as a volunteer tech aid. The year I started was after two consecutive years of previous tech aids hacking the school network and causing huge incidents for which they had to document and present their findings to the school district opsec people -- a lot of the security measures in place back then were there because of these hacks, and I and the other new tech aid were tasked with finding and reporting more holes in the security. We found and reported a lot of exploits and vulnerabilities, but one of my favorite red-team escapades was writing my own proxy service that used rot13 to bypass network filters, which hilariously worked. (I eventually made my own shitty little stream cipher as an upgrade.)
I love all of your videos. you are so funny and your videos are very informative and entertaining i learn something new every time i watch your videos!! please keep up the great work.
why didnt they just make ipv5 with 6 sets of 256
Just wait until you find out about IPv8
Edit: I mean the Chinese IPv9
probably because they dont want to have to switch it EVER again
ECH has it's country cousin, "Encrypted Client Howdy"....
Ah yes, DNS encryption - a service whose time has come...cheers!
Addendum: whoops! Had no idea that it would create anti-malware efforts difficult.
I want a full soyjack and glowie meme image pack from the images used on this channel
Me too! Make it a telegram sticker would be also a good idea
I Appreciate your information!!! They are using AI to connect and targeted all cellular connections perhaps directly through carriers or maybe fusion centers !!! I always have multiple and duplicated mobile operators on my phone. Getting rid of iPhone as soon as possibly can.
Im glad these privacy technologies are becoming more distributed
Finally someone pointed it out
What do you have to do to get google to show ads of hot single dragons in my area?😂
Obvious joke, but it cracked me up.
I have no idea what you're talking about but I still agree anyways!
thank you for the great video jayson tatum
if thats TP Link N600 on the table -- thats an awesome choice for OpenWRT :3
I'm currently studying network security and it's kinda shocking how little IPv6 has been in all of my courses so far. My networking class didn't even have a graded assignment for it.
Real talk
Thanks for spreading information. As always good job bro !
So how to defend against these root certificates (if you're a beginner)
The trusted root certificate part is hilarious.
good stuff
indeed
Let’s go. Finally my school won’t be able to block stuff know :)
What options are there to use ECH currently?
What about dns sniffing? Couldn’t whomever is operating the dns also know the destination address of your remote sesh?
If your system is using their DNS to resolve hostnames and you use a hostname to connect to something then yes, they will see the request and be able to know what you requested. If it's only a DNS request they can not know what you are doing with the information.
If you just use an IP address to connect then no DNS request goes out and no one other than you shold know where you connected to.
Edit: also, once requested the information is usually cached. That means even if you use a FQDN all the time to connect to something it is very likely that not every time will a request be sent out to the DNS server.
How are trusted root certificates installed? Does it come preinstalled on whatever theoretical device that’s being owned or would it be injected in real time through some other protocol?
Preinstalled with os
They came pre installed in OS but you can add more on your own, that cad lead for example a virus to install a fake one. besides that it cant be inject when your surf on internet
@@Fakyp Unless it is open-source like GNU/Linux is, right?
@@Hardcore_Remixer yes, but the trick is: what if it's the law that you have to have it installed ???
@@autohmae Then the only thing you can do then is to go to another country which respects your privacy more.
It would be nice to see some kind of PQC incorporated
Almost 30 years since 1998? Bro is living 5 years in the future!
This is cool. Is this getting around chinas Great Wall?
Pre-sale for Staxums STX is a once-in-a-lifetime chance. Reserve your place!
11:37 the correct way was always: use a proxy and explicitly config it, so the user knows it's configured.
Sounds like a useful feature.
on GRC podcast I read that only 6 root CAs are enough to cover 99.7% of the web! And we can delete the remaining 100 small ones.
Provided that these CAs are not associated or affiliated with Microsoft, Google or any massive tech company proven to be shady/data greedy.
@@MasterBroNetwork
"Nobody breaks SSL without my say-so. Even the FBI comes to me. I am the man in the middle your professor lectured you about. Now say my name."
"S- Symantec?"
"Your god-damned right."
For admin cant they have a system that just dose ip checking and updating block list
Nope, because as he mentioned in the video, one IP can host a large number of different sites, both good and malicious.
There is a simple solution to filtering ECH for governments and companies - just block all ECH traffic. Russia already does this with eSNI.
How to check if ech is working or not?
I'm concerned about how you know about the fluffy dragon meme....
So, we are going to see firefox plugins to firewalls? Which can communicate to the browser to see if the site you plan to visit is forbidden or not? :)
I agree
Can you make a Video, where you put these puzzle tiles together , so someone can surf normally? Like watching RUclips, write comments on X and deliver Pizza like
Maybe you can also make videos, how about to avoid new known viruses and so on
Staxum and Ebay signed a partnership. It will blow up once it hits mainstream..
Can’t the ISP see the IP address and do a reverse lookup to see what web pages we’re visiting?
Can't "they" still see where I'm going by checking the outer sni?
What's chuck's website? Can someone tell me a example, I'm not aware of this new phenomenon (obviously I wanna learn).
4:56 .... tempting
Nice
What's the point of this if your ISP can see what ip adresses you are connecting to anyway. You can easily figure out what sites one visits by their ip adresses
How does this differ from a vpn or proxy? It sounds like it’s basically just a cloudflare hosted vpn at the core
I mean, I trust cloudflare a lot more than expressnordsharkvpn but still
With proxy (that vpn basically is too) you have to trust third party to manage your data safely. ECH doesn't require trust from third party, well other than what HTTPS does with certs.
Cool channel
How do you enable ech on firefox?
this is some cool shit but couldnt they just force DNS for network admins on there own DNS and they could still monitor and block traffic that way?
Would you recommend hosting an onion?
4:56 Damit how did he know? You be spying on me Mental outlaw?
I would like to implement DOH with ECH and SNI on a router level. But i think that would require disabling it on every client browser and then using NAT to force it through my router. is this correct?
So little websites support ech or esni. Implementing this on a router level is probably not worth it, you will need to make your own certificate which will break some apps already
@0ka354 I was afraid of that. Just getting DoH working is going to be a chore.
8:48 - well they're not lying, they can't see anything on their end!
the wacky little black NAS that's first in the network chain though, yeah - that thing can!
but fortuantely that little blakc NAS thingy is just a figment of your tortured mind as you learn that skateboarding and waterboarding have much in common
Not visiting Chuck but can I visit Sneed's website?
Everyone talking about the Staxum launch best news this year.
Staxum presale began, and wealth for future generations is already being created.
What is a good DNS provider to use with this?
Unbound local recursive server
Or quad9
Quad9
mullvad has a dns server but not entirely sure if they implemented ECH for it yet
Ive had the feeling BTC would be going to 40k as well. Clearing out all my Alts going into BTC and Staxum only, maybe a little BNB.
This is cool but also a pain in the ass for network mantainers... business level firewalls are basically useless with this, hope they find a way to route encrypted traffic without destroying clients privacy
11:30 i work in a hospital in IT, and damm we will not let people view websites without blockers and filters....
Jokes on you I've been using it for years already in Brave and Firefox 😎
✌️
Last call for you guys to ape into Staxum. Nothing better this year..
my isp blocks certain websites ordered by government. Obviously we can proxy or VPN to these sites. Some sites are protected behind Cloudflare and i used to be able to still navigate to these sites with https, not using my ISPs DNS and using encrypted DNS, etc. but eventually my ISP was still able to block the conenction. I guess they use the unencrypted hello to determine the site. So, i guess this will be something that will help circumvent this type of blocking/censorship. The whole idea of government issued root certificates is nuts (I hate it passionately) and it will just make the internet more and more insecure than it already is. I'm against government levels of censorship but the governments will just roll out the "protecting children" mantra, when it is nothing of the sort. For me, it's fine for a company or a parent to have the ability to certain block websites/content to protect a company's network or a child from being exposed to adult material but my government as the gatekeeper for my kids and ultimately me and other adults, no thanks!
1:30 There is actually a scarcity of sand for silicon chips
I don't think you got the point lol. Maybe you just wanted to add a fun fact?
@@w花b I did get the point. I just wanted to add a fun fact
Can I get the image at 4:52 as a wallpaper?
So I was wondering: is there any way to manually sanitize the certificates? I know we can't just distrust or delete them, without bricking Windows(did that once, had to restart in safe mode and put them back lol). But what about limiting their scope? Almost all the MS certs "Intended Purposes" are set to (in mmc>certs), and I'm assuming all the service account certs are inherited from the main computer account category.
If anyone knows of such work already being done in a forgotten corner of github, highly appreciated if you shared it.
Linux
@@marto624 how is using linux solving my windows related curiosity, smartass?
Ask endermanch, he'll probably know
How does it work with DPI?
DPI just blocks all ech or esni connections
I can still see the SNI website name even with ECNH in chrome and Mozilla. Can you explain
I checked with Wireshark the other day, (used quad9) thinking it was my dns settings so I switched to Cloudflare and checked on there website if it worked or not and it was broken for me as well... everything else worked perfectly except SNI... for those that might not know, Cloudflare has a test site where you can check if dns over tls, dnssec tls and SNI are all working as they should... the only downside to it is you'd have to use there services to see if they work... I switched back to my preferred dns settings after I checked... there's definitely something wrong in Firefox 'couse I toggled everything as it should...