> When both are operated by the same company, how can you know they aren't colluding?

You don't. At best the client can check domain names and IP addresses, but that's hardly a guarantee.

To solve that problem, you can combine multiple parties. For example, you can use https://odoh1.surfdomeinen.nl/proxy as a proxy (operated by SURF [1]) to use the Cloudflare servers for lookup.

I think for ODoH to work well, we need a variety of companies hosting forwarding services. That could be ISPs, Google/Microsoft/etc. or some kind of non-profit.

[1]: https://www.surf.nl/en

I don't know the implementation details, but it should be doable in a way that degrades back into encrypted DNS where at least you get rid of a MitM. Someone else already mentioned that making sure that the 2 servers have different owners may help, but if people are after you it's probably not enough.

I'm thinking that maybe I'd like to be able to avoid mentioning the server I'm interested on, and simply send a hash of it (you can cut a prefix such that a bunch of matches are found, but not too many)

Yes, that's correct about ECH. In general, there's no real way to conceal your browsing behavior if you are connecting to an IP address that isn't shared. So either you use ECH to something like Cloudflare or you connect to some proxy/VPN/etc. so that the local network can't see the final IP address.

> ECH - if I understand correctly it's effective for sites hosted on big providers like Cloudflare, AWS, etc, but doesn't add much value when it comes to self-hosted domains or those on a dedicated server

Yeah, and unfortunately it increases the moat such companies have. They can offer a privacy screen that smaller orgs just can't match.

> This isn't privacy.

It will be when everyone adopts ECH. It's a fantastic start.

Another HN hot take about the Cloudflare bogeyman.

The CDN can't give you content you're asking for without knowing which content you're asking for.

This improvement prevents your ISP and the government from reading your packets to get that same information.

what’s DS stand for? discrete structures?

They usually won't bother with blocking if the site owner just hosts the site under a different domain name. It could be like news.ycombinator1923.com or something. wink

Meta drove the Zstandard content encoding, but Google drove the adoption of Zstandard in Chrome.

The faster Brotli levels could probably be made to match Zstandard’s compression speed. But we’ve invested a lot in optimizing these levels, so it would likely take significant investment to match. Google is also contributing to improving the speed of Zstandard compression.

A cheaper conversion from Zstandard to Brotli is possible, but I wouldn’t really expect an improvement to compressed size. The encoding scheme impacts how efficient a LZ coding is, so for Brotli to beat Zstandard, it would likely want a different LZ than Zstandard uses. The same applies for a conversion from Brotli to Zstandard.

I think you meant North Korea, not South.

It means nothing. Countries always ask nicely first for a domain to be blocked for IPs from their countries. Companies like Cloudflare or Akamai can either honor the request, or find their IP range blocked (yes, including all the other serviced domains). They usually take the first option.

There are many more countries enforcing some limitations on the internet, and ECH will just turn passive DPI into active court orders, I believe. At least explictness is better.

Pffff you think you're edgy and hardcore.

I use the elite hacking tool know as FIRE FOX and I get CF gatekept all the time.

I don't think so? It's only seekable with an additional index [1], just like most other compression schemes. Having an explicit standard for indices is definitely a plus though.

[1] https://github.com/facebook/zstd/blob/dev/contrib/seekable_f...

No, it's am emerging standard. We are just pushing its adoption as fast as we can. Hence, we've rolled this out to all free customers.

Right now, basically yes. No other major public clouds seem to support ECH yet, and ECH basically only works in public clouds; it can't hide your IP address, so it only provides privacy if you share your IP address with lots of other tenants.

Network layer blocking is almost never in the interest of the end user. It's typically used to block users from accessing sites they want to visit, like The Pirate Bay, or recently Russian Times and Sputnik News.

End users who want to protect themselves can easily install blacklists on their end. All major browsers support something like Google Safe Browsing out of the box, and these blacklists are more likely to be kept up-to-date than those of the average ISP.

Either it's easy to block sites or it isn't. There's no world in which it's easier for you to block scam sites than it is for others to block vital resources and information.

Nah, they're just going to block the whole ECH handshake.

Idk about Iran, but Russia and China just block eSNI, QUIC and whatever their DPI firewalls can't really handle on the fly.

Many such countries already block traffic with ECH entirely. There's no technical solutions to a polical problem.

I remember when you can just change your DNS provider to bypass censorship. Nowadays, browsers and OS provide safe DNS by default, and thus censors had mostly switched to DPI based method. As this cat and mouse game continue, inevitably these governments will mandate spyware on every machine.

These privacy enhancements invented by westerner only work for western citizens threat model.

There's a relatively simple and pain-free solution to legitimate DPI: blocking all requests that don't go through a proxy. Browsers will ignore some certificate restrictions if they detect manually installed TLS root certificates to make corporate networks work.

This approach won't work on apps like Facebook or Instagram, but I don't think there's a legitimate reason to permit-but-snoop on that sort of traffic anyway.

Passive DPI/web filtering is pretty much done at this point. There's no way to tell what domain you're connecting to with ECH without doing a MITM and breaking the PKI chain or adding private CAs everywhere.

Not hard to bypass it at all: https://support.mozilla.org/en-US/kb/faq-encrypted-client-he...

I believe that the "more private" part is referencing the "Encrypted Client Hello (ECH)" section in the later part of the post.

>The word "private" only shows up exactly once on that page, in the title.

However, the word "privacy" shows up 10 times in the article.

They also talk about Encrypted Client Hello (ECH).

If it saves them money, great. That also means resources saved, and that also means it's better for the planet, thus better for humanity. I'm failing to see the disadvantage.