Cloudflare ECH
21 Comments
Meanwhile, the "great" firewall of CN has spread to Russia, and gov folks are already versed at shutting down any home connection using most of the available VPN protocols, now blanket dropping all connections using ECH, and preparing to roll out whitelist "Internet" access at any time, which they have been beta testing everywhere on cell networks for years now.
It's a national facepalm. And a foundation for all other countries.
QUIC enters the chat
Why is ECH (prev. ESNI) still rarely used? It's been more than five years now. I wonder if there is some government pressure involved.
Or you run suricata, feed it to graylog … and bob is your uncle 😉
Fantastic walkthrough, thanks! Off to check it out now. Maybe you can do a followup video with more details about ECH from the standpoint of an organisation wanting to stand up multiple web sites behind one IP address and how this would work with say load balancing?
Would the certificate's CN or DNS alt names be visible too? I'm guessing that even with an obfuscated client hello, the public cert would still need to be available as that's required for the receiver to decrypt the traffic. Unless Cloudflare does something tricky like proxying all the traffic through one of their services/domains/certs perhaps.
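To see what the question above is getting at on the wire, here is an added example (not code from the video or from Cloudflare) that parses a TLS ClientHello record and reports the cleartext SNI plus whether the encrypted_client_hello extension (code point 0xfe0d) is present. The two ClientHello records are constructed inline, and the outer SNI value "public-name.example" is a made-up placeholder for the client-facing public name that stays visible with ECH.

```python
import struct

SNI_EXT = 0x0000   # server_name
ECH_EXT = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni)

def build_client_hello(extensions):
    """Construct a minimal TLS record carrying a ClientHello (sample data, not a real capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_extension(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)

def parse_client_hello(record):
    """Return (sni_or_None, has_ech) for a ClientHello record; raises on non-ClientHello input."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                             # headers, client_version, random
    pos += 1 + record[pos]                                       # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]       # cipher suites
    pos += 1 + record[pos]                                       # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni, has_ech = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == ECH_EXT:
            has_ech = True                      # inner hello is encrypted; only the outer SNI is readable
        elif etype == SNI_EXT and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
    return sni, has_ech

# Constructed samples: a plain hello, and an ECH hello whose outer SNI is the public name.
PLAIN_HELLO = build_client_hello([sni_extension("example.com")])
ECH_HELLO = build_client_hello([sni_extension("public-name.example"), (ECH_EXT, b"\x00" * 16)])

if __name__ == "__main__":
    for label, rec in (("plain", PLAIN_HELLO), ("ech", ECH_HELLO)):
        print(label, parse_client_hello(rec))
```

Running it prints the real hostname for the plain hello and only the public name (with the ECH flag set) for the ECH hello, which is exactly the difference a capture filter or IDS rule can see.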
Thanks. Love these videos that use wireshark – they quite often show things I've wanted to do but hadn't had time to look into yet 🙂 Never even thought of remote tcpdump over ssh to local wireshark but that makes things so much more useful
I love that Wireshark shows the packets as Client hello, Server hello. Just 2 computers greeting each other and having a good conversation.
I've always wanted a TLS firewall that blocks based on certificate information, so I could whitelist the 5 CAs I trust and a handful of server certificates, so that I didn't have to whittle down the CA list on all the devices on my network to achieve the same goal.
great work!
Man I wish I got to work with network engineers like you.
Here I am as the MS365 guy trying to explain to senior network guys how NTP doesn't set device timezones, nor does a switch's clock time affect the clients on the network.
Fire. Love the content. Gets me excited to just start hacking things together. Be lean and scrappy. Make things happen.
Loved it. Thanks
Great show. A sequel with ECH and ODNS to showcase the benefits would be sweet too.
Quality mate
I just created a program using a similar method; it monitors sites for outages using this method instead of ping.
I put it on GitHub.
Idk why it never clicked that this is possible, but it's so obvious in retrospect
Great video
Thanks for the informative videos you produce. I still have difficulty working with Wireshark. Could you look at internet radio streaming with tshark and see what we can extract from it? How do we find the stream URL that we can use in VLC, etc.?
Couldn't you instruct tcpdump to do some prefiltering on the router and just capture port 443 and just the first 1k, or would the tmp-file still be huge?
Am I correct in thinking that if your demo servers were served using QUIC this wouldn't be visible?