Business Cloudflare: Encrypted Client Hello (ECH) Effectively Defeats Pirate Site Blocking


October 6, 2023 by Ernesto Van der Sar

Cloudflare has enabled Encrypted Client Hello for all customers on free plans, which includes many pirate sites. The new privacy feature makes it impossible for Internet providers to track which websites subscribers visit. As a result, it also renders pirate site-blocking efforts useless, if both the site and the visitor have ECH enabled.

Website blocking has become the go-to anti-piracy measure for the entertainment industries when tackling pirate sites on the internet.

The practice has been around for well over 15 years and has gradually expanded to more than forty countries around the world.

The actual blocking is done by Internet providers, often following a court order. These measures can range from simple DNS blocks to more elaborate schemes involving Server Name Indication (SNI) eavesdropping, or a combination of both.

Thus far, the more thorough blocking efforts have worked relatively well. However, as privacy concerns grew, new interfering technologies have emerged. Encrypted DNS and SNI, for example, made blocking efforts much harder, although not impossible.

Encrypted Client Hello

A few days ago, Internet infrastructure company Cloudflare implemented widespread support for Encrypted Client Hello (ECH), a privacy technology that aims to render web traffic surveillance futile. This means that site blocking implemented by ISPs will be rendered useless in most, if not all cases.

ECH is a newly proposed privacy standard that’s been in the making for a few years. The goal is to increase privacy for Internet users and it has already gained support from Chrome, Firefox, Edge, and other browsers. Users can enable it in the settings, which may still be experimental in some cases.


The main barrier to widespread adoption is that this privacy technology is a two-way street. This means that websites have to support it as well. Cloudflare has made a huge leap forward on that front by enabling it by default on all free plans, which currently serve millions of sites. Other subscribers can apply to have it enabled.

“Cloudflare is a big proponent of privacy for everyone and is excited about the prospects of bringing this technology to life,” Cloudflare writes in its announcement.

“Encrypted Client Hello (ECH) is a successor to ESNI and masks the Server Name Indication (SNI) that is used to negotiate a TLS handshake. This means that whenever a user visits a website on Cloudflare that has ECH enabled, no one except for the user, Cloudflare, and the website owner will be able to determine which website was visited.”

ECH Defeats Site Blocking

The push for increased privacy is well-intended, but for rightsholders it represents a major drawback too; when correctly configured, ECH defeats site-blocking efforts. Tests conducted by TorrentFreak show that ISP blocking measures in the UK, the Netherlands, and Spain were rendered ineffective.

This doesn’t automatically apply to all blocked sites, as the sites must have ECH enabled too. We have seen mixed results for The Pirate Bay, perhaps because it has a paid Cloudflare plan, but other pirate sites are easily unblocked.

This new privacy feature hasn’t gone unnoticed by pirate site operators. The people behind the Spanish torrent site DonTorrent, which had dozens of domains blocked locally, are encouraging users to try ECH.

“Before ECH, your online privacy was like a secret whispered in the wind, easily picked up by prying ears. But now, with ECH by your side, your data is like hidden treasure on a remote island, inaccessible to anyone trying to get there without the right key,” DonTorrent notes.

“This feature encrypts your data so that neither ISPs nor organizations like ACE and MPA [can] censor, persecute and intimidate websites that they consider ‘illegal’,” the site adds in a fairly satirical blog post.

Privacy vs. Piracy

Cloudflare and other tech companies are not supporting ECH to make site-blocking efforts obsolete. However, this privacy progress likely won’t be welcomed by rightsholders, who’ve repeatedly criticized Cloudflare for hiding the hosting locations of pirate sites.

TorrentFreak reached out to a major anti-piracy organization for a comment on these new developments, but we have yet to receive an on-the-record response. It wouldn’t be unthinkable, however, that we will see more blocking lawsuits against Cloudflare in the future.

For now, Cloudflare isn’t mentioning blocking at all. Instead, it is simply excited about making the Internet more private and secure for everyone.

“If you’re a website, and you care about users visiting your website in a fashion that doesn’t allow any intermediary to see what users are doing, enable ECH today on Cloudflare,” the company writes.

“Over time, we hope others will follow our footsteps, leading to a more private Internet for everyone. The more providers that offer ECH, the harder it becomes for anyone to listen in on what users are doing on the Internet. Heck, we might even solve privacy for good.”



* Note: We initially had trouble getting ECH to work. As it turns out, some ‘web shield’ functionalities in anti-virus software can cause issues.
 
Would this even work for Kiwifarms?
The new privacy feature makes it impossible for Internet providers to track which websites subscribers visit. As a result, it also renders pirate site-blocking efforts useless, if both the site and the visitor have ECH enabled.
I think the answer is yes, that statement would apply to any site, not just "pirate sites"

Now some based geek at CF needs to liberate the ECH source code and set it free in the wild
 
Would this even work for Kiwifarms?
No. The Farms are being attacked at the IP level, obfuscating the domain name through encryption wouldn't change anything when the routes themselves are being blocked at the infrastructure level. If someone lazy blocked the site by blacklisting the domain name on say a company firewall or such, this could evade that block.
 
I think the answer is yes, that statement would apply to any site, not just "pirate sites"
Cloudflare hosts all its sites off the same set of IP addresses and assigns your connection to a specific site partially based on the SNI (i.e., there are multiple sites hosted on the same IP address). In the case of Kiwifarms, you can determine whether a clearnet connection is to it by only the final IP address without needing to inspect the SNI, and censorship was done by refusing to route to its IP address. The final IP address is part of the IP header and is viewable by every router along the chosen route.

Onion routing doesn't reveal the source IP and target IP to any individual node, so Tor access can't be blocked at the ISP level without much more intrusive filtering. (China will just block the offending Cloudflare IP and doesn't care to inspect the SNI.)

e: With regard to corporate proxies/firewalls, those will generally block any direct connection attempts and insert themselves as a MitM, so they have access to the SNI anyway. Those companies require you to add them as a root CA.
 
Does this also work for when Trend Micro automatically updates a router so sites you've visited before simply refuse to connect until you go in and manually whitelist them?
 