Quick set up guide for Encrypted Client Hello (ECH)

 Posted on November 10, 2023  |  jochensp

The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web. OpenSSL is a widely used library that provides an implementation of the TLS protocol. The DEfO project has developed an implementation of ECH for OpenSSL, and proof-of-concept implementations of various clients and servers that use OpenSSL, and other TLS libraries, as a demonstration and for interoperability testing. [Read More]
curl  DEfO  ECH  free software  nginx  open source  OpenSSL  privacy  resilience  TLS 

DEfO - Developing ECH for OpenSSL (round two)

 Posted on November 9, 2023  |  Stephen Farrell

Encrypted ClientHello (ECH) plugs a privacy-hole in TLS, hiding previously visible details from network observers. The most important being the name of the web-site the client wishes to visit (the Server Name Indication or SNI). This can be a major privacy leak, like when accessing a dissident news source hosted on a Content Delivery Network (CDN). A visible domain name also provides a straightforward method for censors to block websites and internet services. [Read More]
Apache  Conscrypt  curl  DEfO  ECH  F-Droid  free software  HAProxy  IETF  metadata  nginx  open source  OpenSSL  privacy  resilience  TLS 

Implementing TLS Encrypted Client Hello

 Posted on November 30, 2021  |  Hans-Christoph Steiner

As part of the DEfO project, we have been working on accelerating the development Encrypted Client Hello (ECH) as standardized by the IETF. ECH is the next step in improving Transport Layer Security (TLS). TLS is one of the basic building blocks of the internet, it is what puts the S in HTTPS. The ECH standard is nearing completion. That is exciting because ECH can encrypt the last plaintext TLS metadata that it is possible to encrypt. [Read More]
Android  Apache  BoringSSL  Conscrypt  DEfO  ECH  ESNI  IETF  metadata  nginx  OpenSSL  privacy  TLS