this post was submitted on 03 Oct 2023
657 points (99.0% liked)

Firefox

18050 readers
46 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 79 points 1 year ago (3 children)

Sort of. They can still see which IP address you're connecting to, which by itself or in combination with some minor traffic analysis is quite often enough to identify which website you've visited. Perhaps it isn't if the website puts absolutely everything through a giant CDN like Cloudflare, but in that case it's Cloudflare which gets to see all the sites you visit which isn't a whole lot better than the status quo.

Still, it's a little less information given away at least some of the time. Better to do it than not do it.

[–] [email protected] 22 points 1 year ago (1 children)

in that case it’s Cloudflare which gets to see all the sites you visit

That's the status quo. CF holds the private keys to all reverse proxy'd sites hosted on it.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

To be more precise, my belief is that the main thing ECH does is make it more difficult some of the time (depending on the details of how the site works) for observers of network traffic to directly see which website you've visited if it's one of those that have chosen to give all that data to Cloudflare or some similar system instead.

There also do still exist some simple web hosting setups that share many independent domain names on the same IP, but I think it's not as common as it probably was when they first came up with the idea of encrypting the tls server name many years ago. Maybe it'll make a comeback for sites whose users need to avoid censorship in this way if it's true that domain fronting has generally become more difficult.

[–] kautau 11 points 1 year ago (1 children)
[–] patatahooligan 4 points 1 year ago (1 children)

Using a VPN just hands all of this information to them instead. That could be an improvement, but how do you know?

[–] kautau 3 points 1 year ago* (last edited 1 year ago) (1 children)

Well they can see your browsing history, sure. But HTTPS will stop them from seeing the content you actually see on the web. At this point we are just getting into discussions of layers of trust, which are generally impossible to solve if you don’t trust anyone. If you don’t trust anyone don’t use the internet, ever. I do trust mullvad. They’re explicit about who is involved, I have the name of every team member, and through peer review I consider them trustworthy.

https://mullvad.net/en/about

For more info about how they are transparent, you can read their article about how they responded to a search warrant earlier this year:

https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/

In line with our policies such customer data did not exist. We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law. After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information.

[–] patatahooligan 1 points 1 year ago

But HTTPS will stop them from seeing the content you actually see on the web.

Sure, but that was true for your ISP as well. I'm not questioning what data you're leaking. I'm saying that it's the same data and you only change who you leak it to if you choose to use a VPN.

It seems like you've thought about it and you have made an informed choice. That's great and I don't have anything to argue against here. The only reason I commented is that there seems to be a trend of "just use VPN and your data is protected" mentality, especially with all the ads in gaming/tech related content. There was no way for me to know if you or the other users who would read your initial comment were aware that using a VPN doesn't magically protect your data if you don't know who your provider is, so I though I'd point it out.

[–] [email protected] 9 points 1 year ago

Well, for half of the internet they are going to see AWS ELBs addresses.