Cloudflare announces it has begun rolling out the Encrypted Client Hello standard
Encrypted Client Hello (ECH) is the successor to Encrypted SNI; it encrypts the Server Name Indication (SNI) used to negotiate the TLS handshake.
This means that whenever a user visits an ECH-enabled website on Cloudflare, no one other than the user, Cloudflare and the site owner can determine which site was visited. Cloudflare has now forcibly enabled ECH by default for all free-plan users, and it cannot be turned off manually.
The ECH that Cloudflare is rolling out has very distinctive characteristics, which means that all traffic using ECH is easy to identify.
Below is the relevant portion of the Cloudflare Blog post "Helping build the next generation of privacy-preserving protocols":
The Internet is part of ‘our’ Infrastructure
Roads should be well-paved, well lit, have accurate signage, and be optimally connected. They aren’t designed to stop a car based on who’s inside it. Nor should they be! Like transportation infrastructure, Internet infrastructure is responsible for getting data where it needs to go, not looking inside packets, and making judgments. But the Internet is made of computers and software, and software tends to be written to make decisions based on the data it has available to it.
Privacy-preserving protocols attempt to eliminate the temptation for infrastructure providers and others to peek inside and make decisions based on personal data. A non-privacy preserving protocol like HTTP keeps data and metadata, like passwords, IP addresses, and hostnames, as explicit parts of the data sent over the wire. The fact that they are explicit means that they are available to any observer to collect and act on. A protocol like HTTPS improves upon this by making some of the data (such as passwords and site content) invisible on the wire using encryption.
The three protocols we are exploring today extend this concept.
ECH takes most of the unencrypted metadata in TLS (including the hostname) and encrypts it with a key that was fetched ahead of time.
ODoH (a new variant of DoH co-designed by Apple, Cloudflare, and Fastly engineers) uses proxies and onion-like encryption to make the source of a DNS query invisible to the DNS resolver. This protects the user’s IP address when resolving hostnames.
OPAQUE uses a new cryptographic technique to keep passwords hidden even from the server. Utilizing a construction called an Oblivious Pseudo-Random Function (as seen in Privacy Pass), the server does not learn the password; it only learns whether or not the user knows the password.
By making sure Internet infrastructure acts more like physical infrastructure, user privacy is more easily protected. The Internet is more private if private data can only be collected where the user has a chance to consent to its collection.
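The ECH paragraph above says the hostname is encrypted with a key fetched ahead of time. That key travels in an ECHConfigList (the draft-ietf-tls-esni wire format that clients obtain from the site's HTTPS DNS record), together with the public_name that remains visible on the wire as the outer SNI. The following Python, added here as an illustration and not code from Cloudflare or the forum post, builds a constructed ECHConfigList and parses it back, skipping a config whose version the client does not understand; every key, name and id value is made up.

```python
import struct

# Constructed example values; no real site's record is used.
ECH_VERSION = 0xFE0D                      # draft-ietf-tls-esni ECHConfig version
SAMPLE_PUBLIC_KEY = bytes(range(32))      # stand-in for an X25519 public key

def build_echconfig(config_id, public_key, public_name, version=ECH_VERSION):
    """Serialize one ECHConfig (DHKEM X25519, HKDF-SHA256, AES-128-GCM)."""
    suites = struct.pack("!HH", 0x0001, 0x0001)            # kdf_id, aead_id
    name = public_name.encode("ascii")
    contents = (struct.pack("!BH", config_id, 0x0020)      # config_id, kem_id
                + struct.pack("!H", len(public_key)) + public_key
                + struct.pack("!H", len(suites)) + suites
                + struct.pack("!BB", 0, len(name)) + name   # max_name_len, public_name
                + struct.pack("!H", 0))                     # no extensions
    return struct.pack("!HH", version, len(contents)) + contents

def build_echconfig_list(configs):
    body = b"".join(configs)
    return struct.pack("!H", len(body)) + body

def parse_echconfig_list(blob):
    """Parse an ECHConfigList, skipping versions this client does not know."""
    total, = struct.unpack_from("!H", blob, 0)
    pos, end, found = 2, 2 + total, []
    while pos < end:
        version, length = struct.unpack_from("!HH", blob, pos)
        body = blob[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:         # unknown version: ignore, keep going
            continue
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        p = 5
        public_key = body[p:p + pk_len]; p += pk_len
        suites_len, = struct.unpack_from("!H", body, p); p += 2
        suites = [struct.unpack_from("!HH", body, p + i) for i in range(0, suites_len, 4)]
        p += suites_len
        max_name_len, name_len = struct.unpack_from("!BB", body, p); p += 2
        public_name = body[p:p + name_len].decode("ascii")   # the outer, visible SNI
        found.append({"config_id": config_id, "kem_id": kem_id,
                      "public_key": public_key, "cipher_suites": suites,
                      "public_name": public_name})
    return found

# Two constructed configs: a usable one and a stub with an unknown version.
SAMPLE_LIST = build_echconfig_list([
    build_echconfig(7, SAMPLE_PUBLIC_KEY, "public.example"),
    build_echconfig(8, SAMPLE_PUBLIC_KEY, "legacy.example", version=0xFE0C),
])
```

Only the public_name and the config_id leave the client in cleartext; the real hostname is sealed to public_key, which is why an observer sees the same outer name for every site behind the same ECH deployment.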

