Samuel Henrique

We have enabled Encrypted Client Hello (ECH) on curl on Debian Experimental, for maximum privacy!

https://samueloph.dev/blog/i-use-curl-with-ech-btw-in-debian/

I use curl with ECH btw (in Debian) | Samuel Henrique (samueloph)

My personal website

Samuel Henrique (samueloph)
Mar 27 at 7:34amWeb
Show threadshx1d ago

@samueloph The hard part, for all the self hosting small scale setups, will be the key rotation and DNS part of the story. E.g. implementing https://datatracker.ietf.org/doc/html/draft-ietf-tls-wkech will probably create many fancy scripts with sharp edges until it works for every custom setup.
OTOH if you've a small scale setup with only a handful of domains your anonymity set is so small that the value of ECH might be questionable.
If it help someone: The Caddy guy already ships in beta ECH support with the DNS plugins.

#ech

A well-known URI for publishing service parameters

We define a well-known URI at which an HTTP origin can inform an authoritative DNS server, or other interested parties, about its Service Bindings. Service binding data can include Encrypted ClientHello (ECH) configurations, that may change frequently. This allows the HTTP origin, in collaboration with DNS infrastructure elements, to publish and rotate its own ECH keys. Other service binding data such as information about TLS supported groups is unlikely to change quickly, but the HTTP origin is much more likely to have accurate information when changes do occur. Service data published via this mechanism is typically available via an HTTPS or SVCB resource record.

IETF Datatracker