No secure SNI - stubby

Hey guys, my router is configured with Stubby and it is working great, thanks to the Stubby developer.

I'm using a captive portal and the internet is shared by my building owner.

One thing I noticed: the Cloudflare browser check is showing all good except Secure SNI. So will the building owner know what I'm surfing on the internet?

And is there any way to fix this Secure SNI?

Neither OpenWrt nor Stubby has anything to do with this, as this is not a mechanism that depends on encrypted DNS lookups, but rather on how the HTTPS connection is made (broadly speaking). So this happens at the web server/browser level. For secure SNI (or ECH, Encrypted Client Hello) to work, both the web server of the website you are visiting and your browser must support it.

For your browser, you can try another test here. If your browser does not support ECH, you either have to update your browser or change to a different one. AFAIK Firefox and Chrome should have no issues with SNI, but Safari, for example, generally only supports ECH on mobile as of now. I have no idea what it is like for other popular browsers.

For the web server side, unfortunately, as of now most web servers/proxies do not natively support this (see here). So currently, ECH support throughout the web is hit or miss. Cloudflare did, however, re-enable experimental ECH support a while ago, so if a site is using Cloudflare as its proxy, there's a good chance it uses ECH. You can always check by opening https://example.org/cdn-cgi/trace and checking whether it says sni=encrypted (but note that, of course, first you have to get your browser to actually support it).

As far as your building owner goes:
Accessing a website without ECH is in a way comparable to using unencrypted DNS. For example, if you access this thread with the URL https://forum.openwrt.org/t/no-secure-sni-stubby/228928, someone monitoring the traffic would (just) see that you're making a connection to forum.openwrt.org. They don't see the exact site you're accessing or the data you're sending/receiving. They do, however, know which (sub)domain you connected to. You can see this for yourself if you just open Wireshark on your computer and connect to a website. You will see a packet like this:

61	2.875830	<your IP>	2a03:b0c0:3:d0::168b:9001	TLSv1.3	449	Client Hello (SNI=forum.openwrt.org) 

This is all the info your building owner gets, though—if they even monitor this. Of course, you have to decide for yourself how comfortable you are with them potentially seeing this.

Because ECH rollout is somewhat slow, as described above, the only way apart from simply hoping and waiting for greater ECH adoption is using a VPN. But even then, you just change who you're trusting: with a VPN, instead of your building owner seeing your Client Hello packet, your VPN provider will see it. So using a VPN is nothing other than deciding that your VPN provider is more trustworthy than your building owner (which might not be the case for all VPN providers).

Hope this clears things up a bit!

4 Likes
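To make the point of the answer above concrete (what a passive observer on the building network learns from a ClientHello, and what changes when ECH is in use), here is an added example that is not part of the original thread and not code from the OpenWrt or Stubby projects. It builds a constructed, minimal TLS ClientHello record (not a real capture) and then parses it the way a monitoring tool such as Wireshark does: the plaintext server_name extension is read out, and the presence of the encrypted_client_hello extension (type 0xfe0d, as assigned in the IETF ECH draft) is flagged. With ECH, the outer ClientHello still carries an SNI, but it is the provider's public name rather than the site actually being visited; `public-name.example` below is a constructed placeholder, and the ECH payload is opaque filler, not a real encrypted inner hello.

```python
import struct

SNI_EXT = 0x0000   # server_name (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello (IETF ECH draft codepoint)


def build_client_hello(server_name: str, with_ech: bool = False) -> bytes:
    """Constructed TLS 1.3-style ClientHello record carrying one SNI entry.

    This is sample input for the parser below, not a real capture. When
    with_ech is set, an ECH extension with opaque filler is appended, which
    is what an observer sees: an outer SNI (the public name) plus an ECH blob.
    """
    host = server_name.encode("ascii")
    # ServerNameList: u16 list length, then (name_type=0 host_name, u16 len, name)
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if with_ech:
        ech_payload = b"\x00" * 16  # placeholder; a real ECH payload is HPKE ciphertext
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"                      # legacy_version TLS 1.2
        + b"\x11" * 32                   # client random (constructed, not random)
        + b"\x00"                        # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, u24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def inspect_client_hello(record: bytes) -> dict:
    """Return what a passive on-path observer learns from a ClientHello record.

    Result: {"sni": <plaintext host name or None>, "ech": <bool>}.
    Everything else (HTTP path, request body, response) is inside the
    encrypted part of the connection and is not visible here.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                  # skip legacy_version + random
    pos += 1 + body[pos]                          # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                          # skip compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            q = 2  # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:  # host_name
                    result["sni"] = data[q:q + name_len].decode("ascii", "replace")
                q += name_len
        elif etype == ECH_EXT:
            result["ech"] = True
    return result


if __name__ == "__main__":
    # Without ECH: the observer reads the real host name in the clear.
    print(inspect_client_hello(build_client_hello("forum.openwrt.org")))
    # With ECH: only the public name is visible, the real host name is in the encrypted blob.
    print(inspect_client_hello(build_client_hello("public-name.example", with_ech=True)))
```

The first call reproduces what the Wireshark line in the answer shows (SNI=forum.openwrt.org, no ECH); the second shows the ECH case, where the only plaintext name is the public one and the observer learns that ECH is in use but not which site was requested.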

Thank you so much, bro, for such a nice explanation.

I'm using Chrome on my Windows laptop.

Above is the result of the test.

1 Like

Interesting! Good to see it's working, but at the same time weird that it failed Cloudflare's test. Probably if you run the Cloudflare test again, it will be fine.

For now it's not working, but I noticed sometimes it does work and sometimes it doesn't.

1 Like

See, just some time ago it wasn't working, but now it's working.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.