Encrypted Client Hello (ECH)

grapheneosfan2

Would it be possible for GrapheneOS to use Encrypted Client Hello for the HTTPS requests the OS makes, such as synchronising time? This would probably benefit privacy somewhat.

GrapheneOS

grapheneosfan2 It won't help for our services because we have a small set of known IP addresses which can be blocked much more easily than filtering TLS traffic with the domains in SNI.

[deleted] It will still be clearly known which servers are being connected to because they ONLY host GrapheneOS services. Our servers are not used to host both GrapheneOS services and services for other things.

ECH will not actually accomplish anything in this case. ECH can be very useful more generally and it's worth doing. It's implemented for Chromium and therefore Vanadium.

de0u There are 4 separate servers for our network services and 8 separate servers for our update servers. They're publicly known, easily identified IP addresses. ECH cannot hide that they're GrapheneOS services. It's easier to identify them by their IP addresses than the SNI server name in the TLS ClientHello. There's no actual value in trying to hide this in this case. ECH is useful in general because this traffic might as well be encrypted and it ever so slightly reduces the metadata that's exposed. In some cases, it masks which service is being used in a useful way when there are multiple uses for an IP address in a way that matters. This is really not the case here, where knowing which name is being used doesn't have more value than the IP address. Every name that's provided by these services is used by each GrapheneOS device. The ones for PSDS and SUPL are only used when using location detection and so on, which doesn't leak any useful information in this case.

ECH will eventually be available beyond Vanadium, but it does not make sense for us to accelerate that. Current server software also doesn't support it. It's currently mostly only implemented by a few large providers like Cloudflare in proprietary software. OpenSSL doesn't support it and neither does nginx. It would require using BoringSSL with a fork of nginx, along with making substantial changes on the client side which would add attack surface, complexity and take significant effort away from useful privacy work instead of doing something that's not truly useful in practice.

treequell

What benefit would it provide over the current method used?
https://grapheneos.org/faq#:~:text=An%20HTTPS%20connection%20is%20made%20to%20https%3A//time.grapheneos.org/generate_204%20to%20update%20the%20time%20with%20a%20millisecond%20precision%20X%2DTime%20header.%20As%20part%20of%20future%20support%20for%20using%20other%20services%2C%20it%20falls%20back%20to%20the%20standard%20Date%20header%20with%20second%20precision.

willie_non

treequell as far my understanding of ECH is, it should prevent governments snooping on SNI requests and apply censorships on those domain requests (for eg. grapheneos.org domains could be blocked so potentially no updates, NTP servers etc.) without relaying on VPN servers. It needs TLS 1.3 support both server and client to use ECH.

Titan_M2

willie_non Note that for ECH to be effective, you also need to be using DNS over HTTPS/TLS.

de0u

willie_non as far my understanding of ECH is, it should prevent governments snooping on SNI requests and apply censorships on those domain requests (for eg. grapheneos.org domains could be blocked so potentially no updates, NTP servers etc.) without relaying on VPN servers.

If my phone calls up WordPress.com and uses unencrypted SNI to say which SSL certificate I want, my ISP and/or the government can find out which subversive WordPress blog I read. I might not want that.

If my phone calls up the GrapheneOS time server and uses unencrypted SNI to say which SSL certificate I want, my ISP and/or the government can find out that I have a GrapheneOS device that wants to know the time. Right now it appears that time.GrapheneOS.org and connectivitycheck.GrapheneOS.network and GrapheneOS.online have one IP address. So snoopers can tell whether my device is getting the time versus doing a connectivity check. To me personally that doesn't seem like a big leak.

Overall it's not clear to me that ECH would provide a substantial benefit for GrapheneOS devices contacting GrapheneOS special servers. But I am open to learning if there is something I've overlooked...

GrapheneOS

willie_non It only hides which name is being requested at an IP address. Monitoring and filtering would normally be done based on fetching the IP addresses for domains rather than solely filtering via DNS and SNI names in TLS. If someone wants to check for connections to GrapheneOS servers, it would make no sense not to simply list out all the IP addresses for those.

treequell

You could consider opening a feature request on the OS issue tracker on GitHub https://github.com/GrapheneOS/os-issue-tracker, where the development team will consider the request.

raccoondad

de0u "Overall it's not clear to me that ECH would provide a substantial benefit for GrapheneOS devices contacting GrapheneOS special servers. But I am open to learning if there is something I've overlooked..."

It probably wouldn't, I thought the same thing, the IP is going to resolve to a very speific IP thats related to GrapheneOS so what exactly is protected?

de0u

de0u Overall it's not clear to me that ECH would provide a substantial benefit for GrapheneOS devices contacting GrapheneOS special servers.

GrapheneOS [...] ECH cannot hide that they're GrapheneOS services. It's easier to identify them by their IP addresses than the SNI server name in the TLS ClientHello. There's no actual value in trying to hide this in this case.

Thanks for confirming my hunch!

[deleted]

ECH helps against real world DPI.

https://ntc.party/t/firefox-encrypted-client-hello-dns-over-https/5885/17