• End0fLine@startrek.website
    ·
    1 year ago

    I'm going to wait for someone more knowledgeable on this subject to come by and correct me, but this seems pretty cool to me.

  • justinh_tx@lemmy.ml
    ·
    1 year ago

    If a packet is traversing an ISP's network the ISP should have to know where it is coming from and where it is going, right? So even if you "encrypt the first hello" packet, the ISP would still know where it was routed, right?

    I'll freely admit I have only a very basic (and likely outdated) understanding of IP networking, but I don't see how this protects my browsing habits from my ISP. Even if they can't understand my "hello" to lemmy.ml, they still know I'm talking to lemmy.ml's IP address about something.

    What am I missing?

    • Bitrot@lemmy.sdf.org
      ·
      edit-2
      1 year ago

      They would know you’re talking to that IP, not necessarily lemmy.ml. It is very common for multiple sites to be hosted on the same ip. The reason SNI exists is so the browser can tell the server which site it was looking for in an encrypted session. If it is 1:1 then it would be true.

    • achsonaja@lemm.ee
      ·
      1 year ago

      Yeah I think it has the same limitations that pretty much anything not through a vpn has because you still have to tell your isp where to send the data. Your isp will still see some things, even if it’s encrypted (metadata, DPI, habits, and things beyond my knowledge). This sounds like a step in the right direction for the majority of people though, even if it’s minor.

      I kind of see it like differentiating between them seeing lemmy.ml via this vs lemmy.ml/thing-i-want-private/peronal.html without it, but I could be wrong about that.

      • Bitrot@lemmy.sdf.org
        ·
        edit-2
        1 year ago

        HTTPS already prevents them from knowing exactly what content you’re looking at. Hiding SNI prevents them from knowing exactly what site you are connecting to via HTTPS.

        They can still figure that out if you’re using unencrypted DNS or if there is a 1:1 IP to rDNS mapping though.

    • venusenvy47@reddthat.com
      ·
      1 year ago

      If I understand correctly, someone other than your ISP could see the name of the website, since it isn't encrypted. I think it would bounce through several servers that could possibly read the data.

  • achsonaja@lemm.ee
    ·
    1 year ago

    Does this rely on DOH? Seems like if I’m running my own recursive DNS that this won’t apply to me.

      • Bitrot@lemmy.sdf.org
        ·
        edit-2
        1 year ago

        It does not. ECH will work without DOH, but anybody listening can just see what site you’re querying from DNS instead of listening to SNI. Combining them is the most private.

        Edit: This is wrong, in the sense that Mozilla has chosen to link the ECH setting with your DNS setting, even though they are separate. If you are using a local resolver, even if it is in turn using DoH or DNSCrypt upstream, Firefox won't use ECH and will instead leak SNI information to your ISP. This is disappointing behavior that from another company would seem designed to coax you into a certain direction.