RFC 9849. TLS Encrypted Client Hello


15 min read Via www.rfc-editor.org

Mewayz Team

Editorial Team


Navigating the Shifting Internet Landscape

For decades, the internet has balanced on a delicate line between security and transparency. Protocols such as Transport Layer Security (TLS), the padlock icon in your browser, have done a great deal to keep our data safe. Yet one important piece of information has remained exposed: the Server Name Indication (SNI). This digital signpost, which tells a server which website you are trying to reach, is sent unencrypted at the very start of the TLS handshake. While it is necessary for routing traffic in a world of shared hosting, this exposure creates a significant privacy gap. Internet service providers, network administrators, and potential eavesdroppers can see every website you visit, even when the content itself is encrypted. This is where a major development, documented in RFC 9849 and called Encrypted Client Hello (ECH), enters the picture, promising to close this last great gap in web privacy.

What Are RFC 9849 and Encrypted Client Hello (ECH)?

RFC 9849, officially titled "Service Binding and Parameter Specification via the DNS," is the standards document that defines the framework for implementing Encrypted Client Hello. ECH is an extension to the TLS 1.3 protocol that encrypts the entire Client Hello message, including the sensitive SNI data. In essence, it replaces the cleartext declaration "I want to visit example.com" with an encrypted message that only the intended web server can decrypt. This ensures that, from the very first step of the connection, your destination is hidden from anyone watching the network. ECH does not hide only the SNI; it also covers other fingerprintable parameters that may appear in the handshake, such as the supported ciphersuites, giving a more uniform and more private browsing experience. The technology uses cryptographic methods to let the client obtain a public key from the website's DNS records, which it then uses to encrypt the sensitive handshake data.
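As an added example (not code from the page or from the RFC's authors), here is a parser for the ECHConfigList that a client reads out of the `ech` parameter of a site's HTTPS DNS record, run over a constructed record. The field layout follows the ECHConfig structure of RFC 9849 (version 0xfe0d); the key bytes and the `cdn.example` name are placeholders, and the `SAMPLE_*` constants are constructed for this example.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version defined by RFC 9849

# Constructed ECHConfigList (not taken from any real DNS record). The field layout
# follows the RFC 9849 ECHConfig structure; key bytes and names are placeholders.
SAMPLE_ECH_CONFIG_LIST = (
    bytes.fromhex("003e")                   # ECHConfigList length: 62 bytes follow
    + bytes.fromhex("fe0d003a")             # ECHConfig: version 0xfe0d, contents length 58
    + bytes.fromhex("07")                   # config_id
    + bytes.fromhex("0020")                 # kem_id: DHKEM(X25519, HKDF-SHA256)
    + bytes.fromhex("0020") + b"\x11" * 32  # public_key<1..2^16-1>: 32 placeholder bytes
    + bytes.fromhex("0004" "0001" "0001")   # cipher_suites<>: (HKDF-SHA256, AES-128-GCM)
    + bytes.fromhex("00")                   # maximum_name_length
    + bytes.fromhex("0b") + b"cdn.example"  # public_name<1..255>: sent in the cleartext outer SNI
    + bytes.fromhex("0000")                 # extensions<0..2^16-1>: none
)
# In the DNS the list travels base64-encoded as the "ech" SvcParam of an HTTPS RR.
SAMPLE_ECH_B64 = base64.b64encode(SAMPLE_ECH_CONFIG_LIST).decode("ascii")


def parse_ech_config_list(b64_value):
    """Decode an ECHConfigList and return the usable (version 0xfe0d) configs."""
    data = base64.b64decode(b64_value)
    if len(data) < 2 or struct.unpack("!H", data[:2])[0] != len(data) - 2:
        raise ValueError("ECHConfigList length prefix does not match payload")
    configs, off = [], 2
    while off + 4 <= len(data):
        version, length = struct.unpack("!HH", data[off:off + 4])
        body, off = data[off + 4:off + 4 + length], off + 4 + length
        if version != ECH_VERSION or len(body) != length:
            continue  # clients skip unknown versions and truncated entries
        config_id, kem_id, pk_len = struct.unpack("!BHH", body[:5])
        p = 5 + pk_len
        public_key = body[5:p]
        (suites_len,) = struct.unpack("!H", body[p:p + 2])
        p += 2
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p, p + suites_len, 4)]
        p += suites_len
        max_name_len, name_len = body[p], body[p + 1]
        public_name = body[p + 2:p + 2 + name_len].decode("ascii")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "maximum_name_length": max_name_len,
                        "public_name": public_name})
    return configs


if __name__ == "__main__":
    for cfg in parse_ech_config_list(SAMPLE_ECH_B64):
        print(cfg["config_id"], hex(cfg["kem_id"]), cfg["public_name"], cfg["cipher_suites"])
```

Note what remains visible even with ECH: the `public_name` is the name the client places in the cleartext outer SNI, while the real destination is carried only in the encrypted inner Client Hello.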

Key Benefits of Widespread ECH Adoption

Widespread ECH deployment marks a turning point for digital privacy and security. Its benefits go well beyond simply hiding your browsing history from your ISP.

  • Enhanced User Privacy: By encrypting the SNI, ECH stops third parties from building detailed profiles of your online activity based on the websites you visit. This is a crucial step toward restoring user anonymity on the web.
  • Resisting Censorship and Discrimination: In some regions, internet filtering relies on the SNI. ECH makes it much harder for network-level filters to block access to specific websites or services, promoting a more open internet.
  • Reduced Surface for Cyberattacks: Attackers often use unprotected SNI data to target specific services or users. By obscuring this information, ECH makes reconnaissance and some man-in-the-middle attacks harder.
  • A Future-Proof Internet Standard: ECH represents an evolution of the TLS architecture, closing a long-standing privacy gap and aligning with the principle of "encrypt everything." It sets a new baseline for what users should expect from secure communication.

ECH and the Future of Secure Business Operations

For businesses, the shift toward a more private internet directly affects how they operate and protect their digital assets. As organizations increasingly rely on cloud-based platforms and modular operating systems such as Mewayz to run their operations, the security of every connection becomes paramount. ECH ensures that the connection between an employee's device and their business applications, including platforms like Mewayz, is protected from prying eyes from the very first packet. This is especially important for organizations handling sensitive data, because it adds a critical layer of protection against sophisticated eavesdropping. Platforms that support ECH adoption signal a commitment to modern security, which can be a major trust factor for customers and partners. As one security expert noted in a discussion about the future of web protocols:

"ECH nyɛ ade bi kɛkɛ; ɛyɛ nteɛso a ɛho hia wɔ TLS mfitiaseɛ nhyehyɛɛ no mu. Ɛwie bɔhyɛ a ɛfa end-to-end encryption ho denam hwɛ a ɛhwɛ sɛ wo nkitahodi no 'envelope' no yɛ kokoam de te sɛ krataa a ɛwɔ mu no."

Organizations that lead with such advances, including Mewayz, are well positioned to offer a truly secure environment for critical business operations, ensuring that company data stays private and protected.

Conclusion: A More Private Internet Is Coming

RFC 9849 and Encrypted Client Hello represent a major step forward in the pursuit of a truly private internet. While the transition requires changes across browsers, servers, and DNS infrastructure, momentum is building. Major browser vendors and cloud providers are already rolling out support. For end users, it means reclaiming part of their digital privacy. For businesses using modern platforms, it means a stronger security foundation. As this standard gains wide adoption, we move closer to an internet where every part of our communication is protected by default, bringing more trust and security to everyone online.


