from Hacker News

Disabling Encrypted ClientHello in Google Chrome, and Why

by new23d on 10/9/23, 6:02 PM with 5 comments

  • by new23d on 10/9/23, 6:02 PM

    Google Chrome v117 turned on TLS Encrypted ClientHello by default (on 27 Sep?). This will impact the effectiveness and accuracy of outbound traffic filtering* - for those who've implemented it (regardless of vendor). We've written a short blog post on disabling it with PowerShell, Windows Registry and Google Chrome UI for those who may need to roll this out ASAP and regain visibility. (Disclosure: we are a vendor of an outbound filtering solution and this has impacted our customers already.)

    *for many websites, the domain name visibility during an HTTPS handshake will no longer be available to firewalls/proxies (unless they were terminating).
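The registry/PowerShell route the post refers to, as an added example that is not from the post or the vendor's blog: it writes Chrome's machine-level enterprise policy for ECH. It assumes the published Chrome policy name `EncryptedClientHelloEnabled` and the standard `HKLM:\SOFTWARE\Policies\Google\Chrome` policy path; confirm both against your Chrome version on chrome://policy after rollout.

```powershell
# Added example (not from the HN post or the vendor's blog): manage the Chrome
# enterprise policy that controls Encrypted ClientHello via the Windows registry.
# Assumptions: policy name EncryptedClientHelloEnabled and the standard HKLM
# policy path below. Run in an elevated PowerShell session.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'EncryptedClientHelloEnabled'

function Set-ChromeEchPolicy {
    param([bool]$Enabled)
    # The Chrome policy key does not exist on a fresh install; create it if needed.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # DWORD 0 disables ECH for all users on this machine; 1 forces it on.
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $PolicyPath -Name $PolicyName -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Get-ChromeEchPolicy {
    # Returns $null when the policy is unset; Chrome then uses its built-in
    # default, which from v117 means ECH is enabled.
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [bool]$item.$PolicyName
}

function Remove-ChromeEchPolicy {
    # Reverting to Chrome's default is a removal of the value, not a write of 1.
    Remove-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
}

# Usage: disable ECH on this machine, then read back what Chrome will see.
Set-ChromeEchPolicy -Enabled $false
Get-ChromeEchPolicy
```

Chrome picks up machine policies on its next policy refresh or restart; chrome://policy shows the effective value and flags a policy name it does not recognise.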

  • by evanjrowley on 10/9/23, 6:56 PM

    DiscrimiNAT Firewall seems like a useful product: https://chasersystems.com/

    Reminds me somewhat of Zscaler.

  • by josephcsible on 10/9/23, 10:06 PM

    The fact that it's possible for a middlebox to detect ECH at all is a flaw in the protocol, IMO.