ungoogled-software / ungoogled-chromium

Google Chromium, sans integration with Google
BSD 3-Clause "New" or "Revised" License
20.82k stars 846 forks

encrypted SNI support? #2973

Closed KweezyCode closed 3 months ago

KweezyCode commented 3 months ago

Description

https://www.cloudflare.com/ru-ru/learning/ssl/what-is-encrypted-sni/

Who's implementing?

The problem

In Russia, some sites are blocked by SNI. Encrypted SNI helps bypass blocking.

Possible solutions

Add support to Chromium, as in Firefox.

Alternatives

Firefox

Additional context

No response

networkException commented 3 months ago

This is fully dependent on upstream. A feature that complex and with real security and privacy implications is not well suited to be maintained here.

KweezyCode commented 3 months ago

> This is fully dependent on upstream. A feature that complex and with real security and privacy implications is not well suited to be maintained here.

But it is implemented in the Brave browser (which is a Chromium fork). Why not get patches from it?

PF4Public commented 3 months ago

Wow wow wow, easy guys!

It is implemented in Chromium since like eternity: https://chromestatus.com/feature/6196703843581952. And is enabled by default. Just try it.

> In Russia, some sites are blocked by SNI. Encrypted SNI helps bypass blocking.

Please note that it is very ISP-dependent, and mostly does not work. If you're trying to solve this particular issue, you might get better luck with other solutions.

networkException commented 3 months ago

That wasn't on my radar. I assume not many servers support this yet.

rany2 commented 3 months ago

I think China blocks ESNI by downgrading the connection to TLS 1.2 somehow. Maybe they exported the technology to Russia :(

dakusan commented 2 months ago

I'm confused as to why this was closed. https://www.cloudflare.com/ssl/encrypted-sni/ still reports that encrypted SNI is not being used, but it's something that both Chrome and Brave have.

PF4Public commented 2 months ago

> I'm confused as to why this was closed. https://www.cloudflare.com/ssl/encrypted-sni/ still reports that encrypted SNI is not being used, but it's something that both Chrome and Brave have.

ungoogled-chromium on Linux: [image]

dakusan commented 2 months ago

Oh... huh... I'll see if I can't figure out why mine is showing as not secure sni. Thanks.

KweezyCode commented 2 months ago

> Wow wow wow, easy guys!
>
> It is implemented in Chromium since like eternity: https://chromestatus.com/feature/6196703843581952. And is enabled by default. Just try it.
>
> > In Russia, some sites are blocked by SNI. Encrypted SNI helps bypass blocking.
>
> Please note that it is very ISP-dependent, and mostly does not work. If you're trying to solve this particular issue, you might get better luck with other solutions.

It is not enabled by default: [image]

Same for Firefox: [image]

PF4Public commented 2 months ago

Have you enabled DoH?

KweezyCode commented 2 months ago

> Have you enabled DoH?

I can't "enable" it in Chromium; there is no such option.

PF4Public commented 2 months ago

> I can't "enable" it in Chromium; there is no such option.

You must be kidding me, right? https://support.google.com/chrome/answer/10468685?hl=en&co=GENIE.Platform%3DDesktop#zippy=%2Cuse-a-secure-connection-to-look-up-a-sites-ip-address:~:text=Use%20a%20secure,custom%20service%20provider.

KweezyCode commented 2 months ago

> > I can't "enable" it in Chromium; there is no such option.
>
> You must be kidding me, right? https://support.google.com/chrome/answer/10468685?hl=en&co=GENIE.Platform%3DDesktop#zippy=%2Cuse-a-secure-connection-to-look-up-a-sites-ip-address:~:text=Use%20a%20secure,custom%20service%20provider.

The topic is about Encrypted Client Hello, not about DNS over HTTPS/TLS.

PF4Public commented 2 months ago

> The topic is about Encrypted Client Hello, not about DNS over HTTPS/TLS.

Indeed! And I already showed that it works by default as you can see here: https://github.com/ungoogled-software/ungoogled-chromium/issues/2973#issuecomment-2338782303

Have you tried to also check there?

I was trying to help you debug the website you linked, as it also shows "Using ECH" for me, but if that's not something you're willing to investigate, that's fine by me.

KweezyCode commented 2 months ago

> > The topic is about Encrypted Client Hello, not about DNS over HTTPS/TLS.
>
> Indeed! And I already showed that it works by default as you can see here: #2973 (comment)
>
> Have you tried to also check there?
>
> I was trying to help you debug the website you linked, as it also shows "Using ECH" for me, but if that's not something you're willing to investigate, that's fine by me.

DNS over HTTPS is already enabled, but it looks like it is a Chromium build issue. I just tried on mobile Chromium and this site says ECH is enabled for me; on PC it does not work. I will try to debug the issue later.