John ShaftAh #OpenSSL 4.0.0 est sorti la semaine dernière. Je note :
- Le support de SSLv3 dégage pour de bon
- Arrivée des salutations chiffrées (#ECH)
- De la crypto du turfu (post-quantique)
https://github.com/openssl/openssl/releases/tag/openssl-4.0.0
YOOTAOpenSSL 4.0 Strengthens Privacy and Removes Legacy Protocols
OpenSSL 4.0.0 adds Encrypted Client Hello to protect browsing privacy, removes obsolete protocols, and introduces post-quantum cryptography.https://yoota.it/en/openssl-4-0-strengthens-privacy-and-removes-legacy-protocols/
YOOTAOpenSSL 4.0: privacy rafforzata e addio ai protocolli vecchi
OpenSSL 4.0.0 arriva con il supporto a Encrypted Client Hello per proteggere la privacy nella navigazione, rimuove protocolli obsoleti e introduce crittografia post-quantum.https://yoota.it/openssl-4-0-privacy-rafforzata-e-addio-ai-protocolli-vecchi/
Harry Sintonen
𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕™«OpenSSL 4.0 verschlüsselt, was TLS bisher verraten hat:
OpenSSL 4.0.0 ist da: Die Kryptobibliothek entfernt Altlasten, führt ECH für mehr Datenschutz ein und bereitet auf Post-Quantum-Kryptografie vor.»
Ich nutze OpenSSL doch technisch habe ich davon so gut wie keine Ahnung. Ich sehe dies als positiv da nun auch PQC und ja Technik entwickelt sich permanent weiter wenn auch nicht auf sofort.
🔏 https://www.heise.de/news/OpenSSL-4-0-verschluesselt-was-TLS-bisher-verraten-hat-11259152.html
#openssl #verschlusselung #internet #ssl #webtech #ech #pqc #PQCryptography
Gea-Suan Lin
kpcyrd 🏴I pushed curl-rustls-8.19.0-3-x86_64.pkg.tar.zst to Arch Linux, with this version it's now possible to encrypt the TLS client hello:
curl-rustls -sSv --ech hard --doh-url='https://dns.mullvad.net/dns-query' 'https://defo.ie/ech-check.php'
Should display:
<p>SSL_ECH_OUTER_SNI: cover.defo.ie <br />
SSL_ECH_INNER_SNI: defo.ie <br />
The --doh-url is mandatory, otherwise curl won't query the `https` dns records (dig +short https defo.ie).
For opportunistic ECH use `--ech true`.
CyberVeille.ch📢 RFC 9849 : Publication du standard TLS Encrypted Client Hello (ECH) par l'IETF
📝 ## 🌐 Contexte
Publié le 3 mars 2026 sur le datatracker de l'IETF (https://datatracker.ietf.org/doc/rfc9849/), ce document constitue la **RFC 9849**, un standard de la catégorie *Standa...
📖 cyberveille : https://cyberveille.ch/posts/2026-02-04-rfc-9849-publication-du-standard-tls-encrypted-client-hello-ech-par-l-ietf/
🌐 source : https://datatracker.ietf.org/doc/rfc9849/
#ECH #HPKE #Cyberveille
Guardian Project#Mainstream adoption, here we come! The official #Debian package for #curl just got #ECH support:
https://samueloph.dev/blog/i-use-curl-with-ech-btw-in-debian/
#Android has added new polices for enforcing ECH:
https://developer.android.com/reference/android/security/NetworkSecurityPolicy#DOMAIN_ENCRYPTION_MODE_ENABLED
shx@samueloph The hard part, for all the self hosting small scale setups, will be the key rotation and DNS part of the story. E.g. implementing https://datatracker.ietf.org/doc/html/draft-ietf-tls-wkech will probably create many fancy scripts with sharp edges until it works for every custom setup.
OTOH if you've a small scale setup with only a handful of domains your anonymity set is so small that the value of ECH might be questionable.
If it help someone: The Caddy guy already ships in beta ECH support with the DNS plugins.
A well-known URI for publishing service parameters
We define a well-known URI at which an HTTP origin can inform an authoritative DNS server, or other interested parties, about its Service Bindings. Service binding data can include Encrypted ClientHello (ECH) configurations, that may change frequently. This allows the HTTP origin, in collaboration with DNS infrastructure elements, to publish and rotate its own ECH keys. Other service binding data such as information about TLS supported groups is unlikely to change quickly, but the HTTP origin is much more likely to have accurate information when changes do occur. Service data published via this mechanism is typically available via an HTTPS or SVCB resource record.