@@MentalOutlaw Hey, Vegan Gains! How long did it take you to learn to code, losing bulk and growing a beard in the process, to pivot to a FOSS & Privacy Tech UA-camr 😂 😂 😂
@@MentalOutlawcan i tell you a big secret. I think they always knowbwhat people do but have merely made apps and systems appear like they lost the ip and tracking is turned off but all thats really going on is they are watching but not able to tale action because theyv told us its incrypted. They ate spies of course they can see yoyr shit but they cant do anything because theyv promised its "encrypted"...
And when client side snooping is less than they desire, censors put pressure on network hosts to block any protocols which don't identify a destination in the clear. And the counter to that is relays that don't look like relays to the snoops.
@@NerdyCatCoffeeee In so far as the relays can be chained, and no step in the chain requires some element which pierces privacy, they could do the same job as TOR.
In this scenario there will still be a third party (meaning it's neither the client nor the destination server) that will know which website you are visiting. In this example it will be CloudFlare, but it could also be Amazon or even Google, if the destination server is deployed within their cloud infrastructure and uses their CDN.
I think the main issue nowadays with encryption is that it requires a middle man, called a "Certificate Authority". We now have companies like Microsoft and Google issuing certificates. This is an obvious problem, as this allows those companies to decrypt our data at will. We need to completely re-invent this system.
For a CA to decrypt my traffic with their private keys they have to capture that encrypted traffic first. To do that they have to set up a proxy or something down the line of my connection. Even if they somehow got my encrypted traffic, their private key won't decrypt it due to "forward secrecy" that's been enforced in TLS 1.3. We also have a big system for certificate revokation. How can Google decrypt my data at will if I may ask?
@@lizard9159 I imagine a ISP or a VPN can log internet traffic and store it, but I have never heard of "forward secrecy", that interesting. Just got around to look it up and isn't a CA's job just to make sure the website is just legitimate? A CA couldn't act like a DNS or see website data, it instead only checks if the connection has secure keys and such.
Yes but not really. They would be detected and immediately distrusted by all browser vendors, also all CAs must meet certain transparency requirements. The real problem are government mandated CAs. The EU is about to force all browsers to trust EU-members CAs with eIDAS 2.0
I don't think CAs can decrypt private data. The role of CAs is just to certify that someone owns a domain. The only attack a CA can really do is mint a false certificate and then use a fake site with the false certificate to capture user traffic. This would likely be caught and the CA would not be trusted by any browsers. I do agree with the sentiment of not trusting third parties though. The only issue is that there is no known way to easily (and salably) verify identity without third party trust.
I believe this only adds a (small) layer of difficulty to hiding visited websites. The ISPs can still see the IP addresses in the packets routed to the websites, and from there easily discover which website corresponds to (something similar can also be done in the client level).
@@DarkxPunk Not being on a single ip doesn't stop the association of ips to website, at most it makes it slightly harder. But yeah most the DNS providers are owned by FAANG so it's still pointless either ways.
What do you mean honeypots ? I am not that tech savvy , can you explain like i am 12 ? I know what a honeypot is ( basically a trap ) but i didn't get the idea.
@@ahmadalnzi2694 this is a running joke on the channel, just like Kenny not actually showing himself on camera but rather rendering deepfakes of a random black guy
Enterprises have been installing trusted root certs for years. Deviced which don't have this are simply banned from the local subnets. It's not a problem for them.
Came here to say this. Companies will have you sign off on all privacy on your company devices and have literal spyware installed on them (out in the open that is). I think the fact the nature of the spyware being so obvious is sometimes part of the dissuasive strategy as well: keep users on their toes, and keep them paying (some...) attention to what they're doing knowing we *will* know if they endanger the company with reckless behavior.
Kazakh here, they launched this government certificate thingie, but no one wanted to install the certificate, so they cancelled the initiative (thank god)
@CrisCheese_ that’s not entirely true, they just opened a government CA that’s not recognised by the rest of the world, so they can get certificates when other CAs stop issuing certs to russian companies. but certainly it could be a launchpad for what you’re describing.
The IPv4 problem is artificial. There are so many aftermarket blocks available, and tons of unused blocks owned by universities. The solution to IPv4 is to reclaim unused blocks so they can be allocated again
the problem is that more blocks are occuped and more their price will be, if u want you can buy all ipv4 addresses you need but their cost will be pretty expensive, there are an acutal market around it
I work for a small ISP. We bought IPv6 blocks from ARIN and attempted to deploy them to management scopes, customers, etc. Almost every single piece of hardware had some sort of limitation with IPv6, along with other peices not supoprting it whatsoever. Its been a mess and now we are reverting back to IPv4 xD
There are still plenty of IPv4 addresses hosting a single website, so encrypted SNI/Encrypted Client Hello do not solve those problems. These websites are also very interesting to eavesdroppers like your ISP, because they are usually small/ less popular websites and can tell a lot about your personality. Love your video's! :)
Fun story: when I was in high school, I worked in the school as a volunteer tech aid. The year I started was after two consecutive years of previous tech aids hacking the school network and causing huge incidents for which they had to document and present their findings to the school district opsec people -- a lot of the security measures in place back then were there because of these hacks, and I and the other new tech aid were tasked with finding and reporting more holes in the security. We found and reported a lot of exploits and vulnerabilities, but one of my favorite red-team escapades was writing my own proxy service that used rot13 to bypass network filters, which hilariously worked. (I eventually made my own shitty little stream cipher as an upgrade.)
Dude I'll be real, IPv6 is super fucking based. I don't have to think about ports, or weird configurations for hosting several different websites or servers off the same machine, and use my domain name. Like I can throw 6 different VMs on a box, and they all get their own v6 global address, and I can throw that info into cloudflare and everything resolves correctly. Shit's awesome, it's actually easier work for me. Like I mean the initial setup was a bitch, and it took me a while to figure out how to get the vms IPv6 addresses, but once I did it was just as simple as going into the router, finding the host name and yoinking it's reporting v6 address, and dumping it into my cloudflare. After doing it, I honestly don't see why companies can't be bothered to figure out how this works, since it's really not that hard. Especially if your business is computer networking. Though I will say some weird stuff does require more tinkering, like services/SRV records for VOIP stuff, that can get super freaking jank, but oddly enough that was an easier setup than my linux based cloud server.
Agreed. People always get hung up on "well ThEy sAiD--" but the long arm of the law is endless. Apple, proton, whatever would rather take the PR hit of giving over info to the glowies than be penalized into bankrupcy (or worse, accused of harboring criminals)
@@AutomaticFlax4470 think about it this way: imagine content, far worse than the content discussed in this video, content that you and I would both agree absolutely must not be tolerated. How do you deal with that as a VPN? Any decision you make is problematic. Some you might be able to justify ethically, some you might be able to justify legally, but none can you justify both ethically and legally in all jurisdictions for all content.
Unfortunately for ECH to work, more and more people have to be behind centralized services like Cloudflare. Else encrypting single domain name served by an IP becomes meaningless. Internet needs more decentralization, but ECH seems like the first step at better online privacy.
I remember getting really excited when DNSSEC came out (what is it now, 15-18 years ago) I started reading extensively on unbound (I had know clue how to set an unbound server up!) but that technology was desperately needed and I got excited about it... I'm thinking it's gonna take at least that long for ECH...
If your system is using their DNS to resolve hostnames and you use a hostname to connect to something then yes, they will see the request and be able to know what you requested. If it's only a DNS request they can not know what you are doing with the information. If you just use an IP address to connect then no DNS request goes out and no one other than you shold know where you connected to. Edit: also, once requested the information is usually cached. That means even if you use a FQDN all the time to connect to something it is very likely that not every time will a request be sent out to the DNS server.
How are trusted root certificates installed? Does it come preinstalled on whatever theoretical device that’s being owned or would it be injected in real time through some other protocol?
They came pre installed in OS but you can add more on your own, that cad lead for example a virus to install a fake one. besides that it cant be inject when your surf on internet
Most network admins I've known in person rely mostly on a DNS sinkhole and good device privilage configuration. Can't get to naughty sites if your only DNS server turns you down.
@@ShadowManceri I mean, if users have the rights to change their DNS settings while you're using a DNS sinkhole, I'm not sure you're very good at your job 🤔 If that's not an option for some reason, you could always try blocking known DNS IPs but that'd get hard to manage quick (though someone probably maintains a list somewhere). IT security policies are rarely a "you can't break out"; they're usually a "it'd take you so much effort to break out it's not worth it". I could always spin up a VS Code Tunnel to my personal machine, CURL my naughty site, download the assets, and paste the code into the browser (or just use a browser inside of VS Code). But that's a lot of effort.
@@BellCube DoH doesn't require user to have permissions to change DNS settings, because it's a app layer thing. There is no practical way to stop users for using DoH or to force them to use company DoH servers. User can always use portable version of the browser with their own settings and there really is nothing you can do against that. What you can do is to block known DoH servers but if user has a will, they are ways to go around that and they are not very complicated. And it doesn't even need to be any naughty sites, but things like facebook or steam or whatever the company wants to block. While most users are not even trying to go past the first obstacle or even simply follow the guideline saying that you are not allowed, there will be rebels. Not to mention that there often are people with higher permissions. It's really a lost battle if user truly wants to do something.
I'm currently studying network security and it's kinda shocking how little IPv6 has been in all of my courses so far. My networking class didn't even have a graded assignment for it.
ECH has it's country cousin, "Encrypted Client Howdy".... Ah yes, DNS encryption - a service whose time has come...cheers! Addendum: whoops! Had no idea that it would create anti-malware efforts difficult.
I Appreciate your information!!! They are using AI to connect and targeted all cellular connections perhaps directly through carriers or maybe fusion centers !!! I always have multiple and duplicated mobile operators on my phone. Getting rid of iPhone as soon as possibly can.
What's the point of this if your ISP can see what ip adresses you are connecting to anyway. You can easily figure out what sites one visits by their ip adresses
With proxy (that vpn basically is too) you have to trust third party to manage your data safely. ECH doesn't require trust from third party, well other than what HTTPS does with certs.
I love all of your videos. you are so funny and your videos are very informative and entertaining i learn something new every time i watch your videos!! please keep up the great work.
So, we are going to see firefox plugins to firewalls? Which can communicate to the browser to see if the site you plan to visit is forbidden or not? :)
This is cool but also a pain in the ass for network mantainers... business level firewalls are basically useless with this, hope they find a way to route encrypted traffic without destroying clients privacy
I checked with Wireshark the other day, (used quad9) thinking it was my dns settings so I switched to Cloudflare and checked on there website if it worked or not and it was broken for me as well... everything else worked perfectly except SNI... for those that might not know, Cloudflare has a test site where you can check if dns over tls, dnssec tls and SNI are all working as they should... the only downside to it is you'd have to use there services to see if they work... I switched back to my preferred dns settings after I checked... there's definitely something wrong in Firefox 'couse I toggled everything as it should...
Can you make a Video, where you put these puzzle tiles together , so someone can surf normally? Like watching UA-cam, write comments on X and deliver Pizza like Maybe you can also make videos, how about to avoid new known viruses and so on
my isp blocks certain websites ordered by government. Obviously we can proxy or VPN to these sites. Some sites are protected behind Cloudflare and i used to be able to still navigate to these sites with https, not using my ISPs DNS and using encrypted DNS, etc. but eventually my ISP was still able to block the conenction. I guess they use the unencrypted hello to determine the site. So, i guess this will be something that will help circumvent this type of blocking/censorship. The whole idea of government issued root certificates is nuts (I hate it passionately) and it will just make the internet more and more insecure than it already is. I'm against government levels of censorship but the governments will just roll out the "protecting children" mantra, when it is nothing of the sort. For me, it's fine for a company or a parent to have the ability to certain block websites/content to protect a company's network or a child from being exposed to adult material but my government as the gatekeeper for my kids and ultimately me and other adults, no thanks!
I would like to implement DOH with ECH and SNI on a router level. But i think that would require disabling it on every client browser and then using NAT to force it through my router. is this correct?
So little websites support ech or esni. Implementing this on a router level is probably not worth it, you will need to make your own certificate which will break some apps already
8:48 - well they're not lying, they can't see anything on their end! the wacky little black NAS that's first in the network chain though, yeah - that thing can! but fortuantely that little blakc NAS thingy is just a figment of your tortured mind as you learn that skateboarding and waterboarding have much in common
So I was wondering: is there any way to manually sanitize the certificates? I know we can't just distrust or delete them, without bricking Windows(did that once, had to restart in safe mode and put them back lol). But what about limiting their scope? Almost all the MS certs "Intended Purposes" are set to (in mmc>certs), and I'm assuming all the service account certs are inherited from the main computer account category. If anyone knows of such work already being done in a forgotten corner of github, highly appreciated if you shared it.
Nowdays i barely check my favorite anime because they got blocked by ISP's deep packet inspection. DoH is useless , would like to use vpn but dont want to bother :(
the way vpns are used nowadays was always pointless and did nothing, paying for vpn is paying for someone other than ISP to log your network traffic and nothing more, the only real usecase of vpn is to allow access to sensitive company or university data to workers and students from home, government data is of course too sensitive even for vpn so I'm not aware of anyone doing this in that area.
@@shinobuoshino5066 They're useful as a way to shift surveillance away from your ISP and as a way to spoof location. I'd rather Mullvad know my visited sites than Comcast. But yes, I know about the intended use of VPNs. I actually run OpenVPN on my home router so that I can access my home network remotely.
The deep fake grows stronger with each day
I know, I even taught it to do farm chores!
Think you could teach it to come do my chores???
@@MentalOutlaw Hey, Vegan Gains! How long did it take you to learn to code, losing bulk and growing a beard in the process, to pivot to a FOSS & Privacy Tech UA-camr 😂 😂 😂
@@JPs-q1o how many times are you going to post this?
@@MentalOutlawcan i tell you a big secret. I think they always knowbwhat people do but have merely made apps and systems appear like they lost the ip and tracking is turned off but all thats really going on is they are watching but not able to tale action because theyv told us its incrypted. They ate spies of course they can see yoyr shit but they cant do anything because theyv promised its "encrypted"...
Bro I just wanna say I love your video thumbnails. Makes me chuckle every time
And when client side snooping is less than they desire, censors put pressure on network hosts to block any protocols which don't identify a destination in the clear.
And the counter to that is relays that don't look like relays to the snoops.
That sounds like Tor without some steps
@@NerdyCatCoffeeee In so far as the relays can be chained, and no step in the chain requires some element which pierces privacy, they could do the same job as TOR.
Nigeria should become a constitutional monarchy. Then the Nigerian prince becomes a reality.
In this scenario there will still be a third party (meaning it's neither the client nor the destination server) that will know which website you are visiting. In this example it will be CloudFlare, but it could also be Amazon or even Google, if the destination server is deployed within their cloud infrastructure and uses their CDN.
I'm so happy that you uploaded this video. Thank you for uploading it.
I think the main issue nowadays with encryption is that it requires a middle man, called a "Certificate Authority". We now have companies like Microsoft and Google issuing certificates. This is an obvious problem, as this allows those companies to decrypt our data at will. We need to completely re-invent this system.
Actual fact though
For a CA to decrypt my traffic with their private keys they have to capture that encrypted traffic first. To do that they have to set up a proxy or something down the line of my connection. Even if they somehow got my encrypted traffic, their private key won't decrypt it due to "forward secrecy" that's been enforced in TLS 1.3. We also have a big system for certificate revokation. How can Google decrypt my data at will if I may ask?
@@lizard9159 I imagine a ISP or a VPN can log internet traffic and store it, but I have never heard of "forward secrecy", that interesting. Just got around to look it up and isn't a CA's job just to make sure the website is just legitimate? A CA couldn't act like a DNS or see website data, it instead only checks if the connection has secure keys and such.
Yes but not really. They would be detected and immediately distrusted by all browser vendors, also all CAs must meet certain transparency requirements.
The real problem are government mandated CAs. The EU is about to force all browsers to trust EU-members CAs with eIDAS 2.0
I don't think CAs can decrypt private data. The role of CAs is just to certify that someone owns a domain. The only attack a CA can really do is mint a false certificate and then use a fake site with the false certificate to capture user traffic. This would likely be caught and the CA would not be trusted by any browsers. I do agree with the sentiment of not trusting third parties though. The only issue is that there is no known way to easily (and salably) verify identity without third party trust.
I prefer to force people to find me in order to speak to me, really roots out all the nonsense.
I believe this only adds a (small) layer of difficulty to hiding visited websites. The ISPs can still see the IP addresses in the packets routed to the websites, and from there easily discover which website corresponds to (something similar can also be done in the client level).
yeah unless they use cdn
It is rare for a single website to be on a single ip. Also it doesn’t stop the big DNS providers from snooping. So 🤷🏻♂️.
@@DarkxPunk Not being on a single ip doesn't stop the association of ips to website, at most it makes it slightly harder. But yeah most the DNS providers are owned by FAANG so it's still pointless either ways.
@@kexec. true, probably the best option to pair with ECH is to choose a trusted cdn provider
@@kexec. Single cloudflare ip address can have more than 500 websites
Just found your channel yesterday for the encrypted recursive DNS server. Pertinent content and well explained. Subbed.
I have no idea what you're talking about most of the time. But I like the premise and want to support your channel.
4:57 lmao I wasn't ready for the suchifur reference
your honeypots are interesting, thank you agent outlaw!
What do you mean honeypots ? I am not that tech savvy , can you explain like i am 12 ?
I know what a honeypot is ( basically a trap ) but i didn't get the idea.
@@ahmadalnzi2694 that's the point
@@ahmadalnzi2694 this is a running joke on the channel, just like Kenny not actually showing himself on camera but rather rendering deepfakes of a random black guy
Libre taxi is open source Uber alternative can you talk about it ?
best way to find a schizo that will drive you to a forest
Enterprises have been installing trusted root certs for years. Deviced which don't have this are simply banned from the local subnets. It's not a problem for them.
Came here to say this. Companies will have you sign off on all privacy on your company devices and have literal spyware installed on them (out in the open that is). I think the fact the nature of the spyware being so obvious is sometimes part of the dissuasive strategy as well: keep users on their toes, and keep them paying (some...) attention to what they're doing knowing we *will* know if they endanger the company with reckless behavior.
I wonder what this means for government blocking of websites.
I imagine it would mean they won’t be able to see you accessing blocked websites with a VPN.
they can just block by ip
@@vnc.t then they will continue using different IP addresses, simple.
@@vnc.t this did not work, look at pirate bay, they were able to keep on hopping to different IPs
Kazakh here, they launched this government certificate thingie, but no one wanted to install the certificate, so they cancelled the initiative (thank god)
@CrisCheese_ that’s not entirely true, they just opened a government CA that’s not recognised by the rest of the world, so they can get certificates when other CAs stop issuing certs to russian companies.
but certainly it could be a launchpad for what you’re describing.
The IPv4 problem is artificial. There are so many aftermarket blocks available, and tons of unused blocks owned by universities. The solution to IPv4 is to reclaim unused blocks so they can be allocated again
the problem is that more blocks are occuped and more their price will be, if u want you can buy all ipv4 addresses you need but their cost will be pretty expensive, there are an acutal market around it
I work for a small ISP. We bought IPv6 blocks from ARIN and attempted to deploy them to management scopes, customers, etc. Almost every single piece of hardware had some sort of limitation with IPv6, along with other peices not supoprting it whatsoever. Its been a mess and now we are reverting back to IPv4 xD
You can reclaim unused blocs all you want, in the end there are only a few billions IPv4 addresses
@@e995a1addo you think we need more than a few billion public IPs??? Nat exists for a reason
Nah, you're wrong and I'm not gonna tell you why.
There are still plenty of IPv4 addresses hosting a single website, so encrypted SNI/Encrypted Client Hello do not solve those problems.
These websites are also very interesting to eavesdroppers like your ISP, because they are usually small/ less popular websites and can tell a lot about your personality.
Love your video's! :)
Fun story: when I was in high school, I worked in the school as a volunteer tech aid. The year I started was after two consecutive years of previous tech aids hacking the school network and causing huge incidents for which they had to document and present their findings to the school district opsec people -- a lot of the security measures in place back then were there because of these hacks, and I and the other new tech aid were tasked with finding and reporting more holes in the security. We found and reported a lot of exploits and vulnerabilities, but one of my favorite red-team escapades was writing my own proxy service that used rot13 to bypass network filters, which hilariously worked. (I eventually made my own shitty little stream cipher as an upgrade.)
Dude I'll be real, IPv6 is super fucking based. I don't have to think about ports, or weird configurations for hosting several different websites or servers off the same machine, and use my domain name. Like I can throw 6 different VMs on a box, and they all get their own v6 global address, and I can throw that info into cloudflare and everything resolves correctly. Shit's awesome, it's actually easier work for me. Like I mean the initial setup was a bitch, and it took me a while to figure out how to get the vms IPv6 addresses, but once I did it was just as simple as going into the router, finding the host name and yoinking it's reporting v6 address, and dumping it into my cloudflare. After doing it, I honestly don't see why companies can't be bothered to figure out how this works, since it's really not that hard. Especially if your business is computer networking. Though I will say some weird stuff does require more tinkering, like services/SRV records for VOIP stuff, that can get super freaking jank, but oddly enough that was an easier setup than my linux based cloud server.
Thanks for looking out bro
Mental Outlaw for president.
I doubt they would allow that
How dare you curse this man! 😅
@@MentalOutlaw They should.
The liability cost for a VPN is so high that nobody legitimate can afford to run it ethically.
Agreed. People always get hung up on "well ThEy sAiD--" but the long arm of the law is endless. Apple, proton, whatever would rather take the PR hit of giving over info to the glowies than be penalized into bankrupcy (or worse, accused of harboring criminals)
Really?
@@AutomaticFlax4470 think about it this way: imagine content, far worse than the content discussed in this video, content that you and I would both agree absolutely must not be tolerated. How do you deal with that as a VPN? Any decision you make is problematic. Some you might be able to justify ethically, some you might be able to justify legally, but none can you justify both ethically and legally in all jurisdictions for all content.
@@edwardallenthree
(He's talking about child porn)
mullvad?
4:56 that dragon is making me act... unwise.
do NOT pet the dragon...
@@MentalOutlaw I already did...
@@MentalOutlawwould.
Dragons aren't fuzzy what are they teaching the kids in school these days.
you must not be aware of the furred dragon species, the best of both worlds. @@mqb3gofjzkko7nzx38
Unfortunately for ECH to work, more and more people have to be behind centralized services like Cloudflare. Else encrypting single domain name served by an IP becomes meaningless.
Internet needs more decentralization, but ECH seems like the first step at better online privacy.
but also a big step towards more censorship
I remember getting really excited when DNSSEC came out (what is it now, 15-18 years ago) I started reading extensively on unbound (I had know clue how to set an unbound server up!) but that technology was desperately needed and I got excited about it... I'm thinking it's gonna take at least that long for ECH...
What about dns sniffing? Couldn’t whomever is operating the dns also know the destination address of your remote sesh?
If your system is using their DNS to resolve hostnames and you use a hostname to connect to something then yes, they will see the request and be able to know what you requested. If it's only a DNS request they can not know what you are doing with the information.
If you just use an IP address to connect then no DNS request goes out and no one other than you shold know where you connected to.
Edit: also, once requested the information is usually cached. That means even if you use a FQDN all the time to connect to something it is very likely that not every time will a request be sent out to the DNS server.
Dunno why, but you're my own Personal CIA chief🙇♂️🙇♂️
That’s Johnny Harris. Our cia king
How are trusted root certificates installed? Does it come preinstalled on whatever theoretical device that’s being owned or would it be injected in real time through some other protocol?
Preinstalled with os
They came pre installed in OS but you can add more on your own, that cad lead for example a virus to install a fake one. besides that it cant be inject when your surf on internet
@@Fakyp Unless it is open-source like GNU/Linux is, right?
@@Hardcore_Remixer yes, but the trick is: what if it's the law that you have to have it installed ???
@@autohmae Then the only thing you can do then is to go to another country which respects your privacy more.
heavy stuff, very well explained 🎉
Im glad these privacy technologies are becoming more distributed
Most network admins I've known in person rely mostly on a DNS sinkhole and good device privilage configuration. Can't get to naughty sites if your only DNS server turns you down.
ECH doesn't even work without DoH (DNS over HTTPS). That's not really something network admins can manage.
@@ShadowManceri I mean, if users have the rights to change their DNS settings while you're using a DNS sinkhole, I'm not sure you're very good at your job 🤔
If that's not an option for some reason, you could always try blocking known DNS IPs but that'd get hard to manage quick (though someone probably maintains a list somewhere).
IT security policies are rarely a "you can't break out"; they're usually a "it'd take you so much effort to break out it's not worth it".
I could always spin up a VS Code Tunnel to my personal machine, CURL my naughty site, download the assets, and paste the code into the browser (or just use a browser inside of VS Code). But that's a lot of effort.
@@BellCube DoH doesn't require user to have permissions to change DNS settings, because it's a app layer thing. There is no practical way to stop users for using DoH or to force them to use company DoH servers. User can always use portable version of the browser with their own settings and there really is nothing you can do against that. What you can do is to block known DoH servers but if user has a will, they are ways to go around that and they are not very complicated. And it doesn't even need to be any naughty sites, but things like facebook or steam or whatever the company wants to block. While most users are not even trying to go past the first obstacle or even simply follow the guideline saying that you are not allowed, there will be rebels. Not to mention that there often are people with higher permissions. It's really a lost battle if user truly wants to do something.
I think I might switch to Firefox because of ECH.
you are really good at explaining shit. so glad I found your channel
So how to defend against these root certificates (if you're a beginner)
i love you man thank you for your service
I'm currently studying network security and it's kinda shocking how little IPv6 has been in all of my courses so far. My networking class didn't even have a graded assignment for it.
ECH has it's country cousin, "Encrypted Client Howdy"....
Ah yes, DNS encryption - a service whose time has come...cheers!
Addendum: whoops! Had no idea that it would create anti-malware efforts difficult.
Almost 30 years since 1998? Bro is living 5 years in the future!
I want a full soyjack and glowie meme image pack from the images used on this channel
Me too! Make it a telegram sticker would be also a good idea
I Appreciate your information!!! They are using AI to connect and targeted all cellular connections perhaps directly through carriers or maybe fusion centers !!! I always have multiple and duplicated mobile operators on my phone. Getting rid of iPhone as soon as possibly can.
Can't "they" still see where I'm going by checking the outer sni?
on GRC podcast I read that only 6 root CAs are enough to cover 99.7% of the web! And we can delete the remaining 100 small ones.
Provided that these CAs are not associated or affiliated with Microsoft, Google or any massive tech company proven to be shady/data greedy.
What's the point of this if your ISP can see what ip adresses you are connecting to anyway. You can easily figure out what sites one visits by their ip adresses
11:37 the correct way was always: use a proxy and explicitly config it, so the user knows it's configured.
if thats TP Link N600 on the table -- thats an awesome choice for OpenWRT :3
The trusted root certificate part is hilarious.
Can’t the ISP see the IP address and do a reverse lookup to see what web pages we’re visiting?
yes
11:30 i work in a hospital in IT, and damm we will not let people view websites without blockers and filters....
Finally someone pointed it out
What is a good DNS provider to use with this?
Unbound local recursive server
Or quad9
Quad9
mullvad has a dns server but not entirely sure if they implemented ECH for it yet
What do you have to do to get google to show ads of hot single dragons in my area?😂
Obvious joke, but it cracked me up.
How does this differ from a vpn or proxy? It sounds like it’s basically just a cloudflare hosted vpn at the core
I mean, I trust cloudflare a lot more than expressnordsharkvpn but still
With proxy (that vpn basically is too) you have to trust third party to manage your data safely. ECH doesn't require trust from third party, well other than what HTTPS does with certs.
I love all of your videos. you are so funny and your videos are very informative and entertaining i learn something new every time i watch your videos!! please keep up the great work.
Real talk
Pre-sale for Staxums STX is a once-in-a-lifetime chance. Reserve your place!
Let’s go. Finally my school won’t be able to block stuff know :)
thank you for the great video jayson tatum
What's chuck's website? Can someone tell me a example, I'm not aware of this new phenomenon (obviously I wanna learn).
good stuff
indeed
So, we are going to see firefox plugins to firewalls? Which can communicate to the browser to see if the site you plan to visit is forbidden or not? :)
HTTPS isn’t bulletproof. SSL stripping exists, and how do you think IPS works on firewalls. They strip the SSL
For admin cant they have a system that just dose ip checking and updating block list
Nope, because as he mentioned in the video, one IP can host a large number of different sites, both good and malicious.
this is some cool shit but couldnt they just force DNS for network admins on there own DNS and they could still monitor and block traffic that way?
Can I get the image at 4:52 as a wallpaper?
This is cool but also a pain in the ass for network mantainers... business level firewalls are basically useless with this, hope they find a way to route encrypted traffic without destroying clients privacy
I can still see the SNI website name even with ECNH in chrome and Mozilla. Can you explain
I checked with Wireshark the other day, (used quad9) thinking it was my dns settings so I switched to Cloudflare and checked on there website if it worked or not and it was broken for me as well... everything else worked perfectly except SNI... for those that might not know, Cloudflare has a test site where you can check if dns over tls, dnssec tls and SNI are all working as they should... the only downside to it is you'd have to use there services to see if they work... I switched back to my preferred dns settings after I checked... there's definitely something wrong in Firefox 'couse I toggled everything as it should...
How do you enable ech on firefox?
Not visiting Chuck but can I visit Sneed's website?
This is cool. Is this getting around chinas Great Wall?
I'm concerned about how you know about the fluffy dragon meme....
We can't have ipv6 because of free market
Can you make a Video, where you put these puzzle tiles together , so someone can surf normally? Like watching UA-cam, write comments on X and deliver Pizza like
Maybe you can also make videos, how about to avoid new known viruses and so on
Would you recommend hosting an onion?
1:30 There is actually a scarcity of sand for silicon chips
I don't think you got the point lol. Maybe you just wanted to add a fun fact?
@@w花b I did get the point. I just wanted to add a fun fact
my isp blocks certain websites ordered by government. Obviously we can proxy or VPN to these sites. Some sites are protected behind Cloudflare and i used to be able to still navigate to these sites with https, not using my ISPs DNS and using encrypted DNS, etc. but eventually my ISP was still able to block the conenction. I guess they use the unencrypted hello to determine the site. So, i guess this will be something that will help circumvent this type of blocking/censorship. The whole idea of government issued root certificates is nuts (I hate it passionately) and it will just make the internet more and more insecure than it already is. I'm against government levels of censorship but the governments will just roll out the "protecting children" mantra, when it is nothing of the sort. For me, it's fine for a company or a parent to have the ability to certain block websites/content to protect a company's network or a child from being exposed to adult material but my government as the gatekeeper for my kids and ultimately me and other adults, no thanks!
Ive had the feeling BTC would be going to 40k as well. Clearing out all my Alts going into BTC and Staxum only, maybe a little BNB.
I would like to implement DOH with ECH and SNI on a router level. But i think that would require disabling it on every client browser and then using NAT to force it through my router. is this correct?
So little websites support ech or esni. Implementing this on a router level is probably not worth it, you will need to make your own certificate which will break some apps already
@0ka354 I was afraid of that. Just getting DoH working is going to be a chore.
How to check if ech is working or not?
Sounds like a useful feature.
What options are there to use ECH currently?
There is a simple solution to filtering ECH for governments and companies - just block all ECH traffic. Russia already does this with eSNI.
8:48 - well they're not lying, they can't see anything on their end!
the wacky little black NAS that's first in the network chain though, yeah - that thing can!
but fortuantely that little blakc NAS thingy is just a figment of your tortured mind as you learn that skateboarding and waterboarding have much in common
How does it work with DPI?
DPI just blocks all ech or esni connections
Thanks for spreading information. As always good job bro !
So I was wondering: is there any way to manually sanitize the certificates? I know we can't just distrust or delete them, without bricking Windows(did that once, had to restart in safe mode and put them back lol). But what about limiting their scope? Almost all the MS certs "Intended Purposes" are set to (in mmc>certs), and I'm assuming all the service account certs are inherited from the main computer account category.
If anyone knows of such work already being done in a forgotten corner of github, highly appreciated if you shared it.
Linux
@@marto624 how is using linux solving my windows related curiosity, smartass?
Ask endermanch, he'll probably know
Nowdays i barely check my favorite anime because they got blocked by ISP's deep packet inspection. DoH is useless , would like to use vpn but dont want to bother :(
Why not? i just use ones that protestors in communist countries use for free. If they didn't get arrested - it's a safe bet that they work
This may eventually make VPNs kinda obsolete. (EDIT: Commercial VPNs, I mean.)
the way vpns are used nowadays was always pointless and did nothing, paying for vpn is paying for someone other than ISP to log your network traffic and nothing more, the only real usecase of vpn is to allow access to sensitive company or university data to workers and students from home, government data is of course too sensitive even for vpn so I'm not aware of anyone doing this in that area.
@@shinobuoshino5066 They're useful as a way to shift surveillance away from your ISP and as a way to spoof location. I'd rather Mullvad know my visited sites than Comcast.
But yes, I know about the intended use of VPNs. I actually run OpenVPN on my home router so that I can access my home network remotely.
Jokes on you I've been using it for years already in Brave and Firefox 😎
how the fuck is this still a thing in 2023- i was talking about this in my google interview in like 2008
4:56 .... tempting
the fact that ECH has existed for ages but is taking forever to start rolling out in any meaningful way is... concerning for all the wrong reasons...
I was the 20,000th view 😂😅❤
ISP still can block ip whatsoever
Great, now schools are going to tell kids that they can't use Firefox. Can't wait until Chrome has this, if ever
Has been enabled by default in Chrome for desktop 117
4:57 Hot single fuzzy dragons? I definitely gonna click that
I love your vids but could you please use a dark mode or something? I'm getting flashbanged everytime you show us a web page 😎
4:56 Damit how did he know? You be spying on me Mental outlaw?
And it came out of Cloudflair, not Mullvad!
Last call for you guys to ape into Staxum. Nothing better this year..