Pretty good explanation of it:
Regarding ECH, I am still trying to understand the concept of ECH.
I get it that by enabling ECH in my browser, the other end (the website I visit) has to be ECH enabled too. Otherwise, it's useless.
But if I want to hide the domain name from my VPN using ECH, does the ECH have to be supported from my VPN provider, or does it still have to be supported from each website?
Thanks in advance.
To hide it from your VPN provider each website would have to support it.
Each website owner has to enable it, but iirc Cloudflare has disabled it for now because of some issue.
Do note that even with ECH enabled, your VPN provider will be able to see the IP addresses of all the websites/remote servers you connect to (with the exception of those behind Cloudflare, a CDN, or some other middle man). So it would offer some protection for some % of websites, but it is not a reliable way to hide the websites you visit from your VPN (even if 100% of websites were to support ECH).
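Whether a given site has enabled ECH is something the browser learns from that site's DNS HTTPS record, where the ECH configuration is published as the `ech` SvcParam (key 5 in RFC 9460); the VPN provider plays no part in that. As an added example, not code from anyone in this thread, a small parser over constructed HTTPS RDATA that reports the ECHConfig versions a record advertises (an empty list means the site has not enabled ECH):

```python
import struct
# SvcParamKey values from RFC 9460; key 5 ("ech") carries the site's ECHConfigList
SVC_PARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                  4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(buf: bytes, pos: int):
    """Read the uncompressed TargetName at pos (SVCB RDATA allows no compression)."""
    labels = []
    while True:
        n, pos = buf[pos], pos + 1
        if n == 0:
            return labels, pos
        if n >= 0xC0:
            raise ValueError("compression pointer in TargetName")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

def parse_https_rdata(rdata: bytes) -> dict:
    """Parse HTTPS RDATA into priority, target and a {param_name: raw_value} map."""
    (priority,) = struct.unpack("!H", rdata[:2])
    labels, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if key <= last_key:  # keys must be strictly increasing, so no duplicates
            raise ValueError("SvcParams out of order or duplicated")
        if pos + length > len(rdata):
            raise ValueError("truncated SvcParam value")
        params[SVC_PARAM_KEYS.get(key, f"key{key}")] = rdata[pos:pos + length]
        pos, last_key = pos + length, key
    return {"priority": priority, "target": ".".join(labels) or ".", "params": params}

def ech_config_versions(rdata: bytes) -> list:
    """Versions of each ECHConfig in the record's u16-length-prefixed ECHConfigList."""
    ech = parse_https_rdata(rdata)["params"].get("ech", b"")
    versions, pos = [], 2
    end = min(len(ech), 2 + struct.unpack("!H", ech[:2])[0]) if len(ech) >= 2 else 0
    while pos + 4 <= end:  # each ECHConfig: u16 version, u16 length, body
        version, length = struct.unpack("!HH", ech[pos:pos + 4])
        versions.append(version)
        pos += 4 + length
    return versions

# Constructed sample records (not captured from any real domain): priority 1, target "."
# (the owner name itself), alpn "h2","h3"; WITH_ECH adds a minimal ECHConfigList holding
# one ECHConfig of version 0xfe0d with an empty body, WITHOUT_ECH adds only an ipv6hint.
_COMMON = b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x06\x02h2\x02h3"
_ECH_LIST = b"\x00\x04" + b"\xfe\x0d\x00\x00"
WITH_ECH = _COMMON + b"\x00\x05" + struct.pack("!H", len(_ECH_LIST)) + _ECH_LIST
WITHOUT_ECH = _COMMON + b"\x00\x06\x00\x10" + bytes(16)
```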
Could you elaborate on your threat model? What is your primary motivation for trying to hide your browsing from the VPN itself? I have some thoughts but I want to make sure I'm thinking about the same threats/risks you are before responding.
Yes, they disabled it because of some issues. I don't know whether it will be enabled by default in the future (soon?). And on the client side, if the users use Warp, ECH won't be usable even if the browser enabled it.
I don't know whether we can expect ECH to change anything. The websites and especially VPN providers that voluntarily enable ECH would probably not want to joke with us in the first place. IMO, the requirement is far too high to make this actually work.
Thanks!
I don't want to put my trust very much in the VPN providers because I don't want to choose between them and my ISP. Both of them are centralized services and we know very little about how they actually work behind the door. Sure, offerings like an open-source client, no logging policy, diskless servers, etc., including ECH support, would make the service more appealing. But it's still based on assumption and a trust model, not on design.
ECH is unreliable at best as websites have to enable it voluntarily. And I don't know whether I can expect browsers to reject a fallback to a non-ECH connection in the near future.
Therefore, my threat model is a reasonable (not necessarily maximum/absolute) secure + privacy system by design that isn't based on trust.
I found Tor is a good model, but it has some limitations to be used system-wide and is rejected on some sites. Portmaster's SPN is definitely better than a VPN as they mix community nodes with their managed servers (but their client doesn't seem to work on my openSUSE at all). Mysterium's dVPN seems to be the best, but I haven't tested it yet.
Now, I use Warp whenever I feel like it. But mostly on just Quad9. Rarely on Tor since it doesnāt work on everything.
Based on your goals/priorities, I think one potential solution that would be better than relying on ECH, or suffering through a full-time system-wide Tor experience, might be using two VPNs in combination, at least one of which you pay for anonymously.
This could to some degree emulate some of the benefits of a Tor-like system, for less severe threat models. It would essentially be creating your own double-hop VPN, but unlike a double-hop VPN, you would not be placing your trust in just one entity.
- The first "hop" would know your IP as well as the IP of the second "hop" VPN server, but would have no ability to see any of your web or DNS traffic, and could not see the IP addresses you connect to beyond the second hop.
- The second "hop" could see the IP addresses you connect to, and could see all web traffic leaving their servers (most or all of which would be encrypted with HTTPS (and possibly ECH) and DoH/DoT), but they could not see your true IP address; they would see the IP of the first hop server.
TL;DR
This arrangement would partition trust so that no single service could know both (1) who you are / your IP and (2) the sites you visit.
Of course the downside of this is the cost of paying for two separate VPNs, and the complexity of using them in combination.
Thanks!
However, instead of buying from / trusting 2 centralized VPNs, would it be better to use a decentralized VPN?
The latter would run on fully decentralized nodes, over which the provider has no control whatsoever, provided it runs open-source code on both the node and client sides.
I think we are getting further and further off topic (it's my fault, you asked about ECH, I proposed something else) which should probably be its own topic. Is the decentralized VPN you are thinking about an actual thing that exists? Or a hypothetical?
To my inexpert ear, it sounds roughly similar to Apple's Private Relay (in concept).
There's Safing, which is sort of in between iCloud+ Private Relay and Tor, and there's INVISV Relay which is just Apple's solution but for Android.
These multi-party relays are a concept that I think will (or at least should) probably start becoming more popular, because it's a clear fit for a lot of companies. In fact, I wish all these companies who have been partnering with Mullvad lately would do this instead. Like instead of Mozilla VPN or Tailscale connecting you directly to Mullvad's endpoint, if your traffic was first routed to servers owned by Mozilla or Tailscale or whoever, and then relayed to Mullvad's endpoints, that would be very cool. That way the end user only has to pay one party, and that party handles paying Mullvad.
Is the decentralized VPN you are thinking about an actual thing that exists? Or a hypothetical?
There's Mysterium. All the source code is available on their GitHub. It runs on real people's internet connections/nodes. Those people get paid for running their nodes. It's Web 3.0 for VPN, similar to Storj for cloud storage. It has a 7-day trial, which I haven't tried yet.
Sure, it seems off-topic now.
Safing's Portmaster SPN is still running on some Safing-managed servers. And I believe those servers are the majority of the network power, since community nodes don't get paid. See more about this here.
It's still better than a centralized VPN, though.