rkagerer
ECH - if I understand correctly it's effective for sites hosted on big providers like Cloudflare, AWS, etc, but doesn't add much value when it comes to self-hosted domains or those on a dedicated server, as you'd still see traffic going to whatever IP and be able to infer from that which domain the user's browser is talking to. I'm hoping someone can explain that I missed something.

And while we're explaining things... ODoH (indirectly mentioned in the article via the Encrypted DNS link) comes with a big bold warning it's based on the fundamental premise that the proxy and the target servers do not collude. When both are operated by the same company, how can you know they aren't colluding? Is there some mechanic in the protocol to help protect users from colluding servers?

Animats
"This means that whenever a user visits a website on Cloudflare that has ECH enabled, no one except for the user, Cloudflare, and the website owner will be able to determine which website was visited. Cloudflare is a big proponent of privacy for everyone and is excited about the prospects of bringing this technology to life."

This isn't privacy. This is centralized snooping.

It's like Google's approach to third party cookies. Nobody other than Google can have tracking information.

terrelln
The latest Zstandard exposes several parameters which are useful for reducing time to first byte latency in web compression. They make Zstandard cut the compressed data into smaller blocks, e.g. 4 KB, with the goal to fit a compressed block within a small number of packets, so the browser can start to decompress without waiting for a full 128 KB block to be sent.

These parameters are described in the v1.5.6 release notes [0]. ZSTD_c_targetCBlockSize is the most notable, but ZSTD_c_maxBlockSize can also be used for a lower CPU cost but larger compressed size.

Are you using these features at Cloudflare? If you need any help using these, or have any questions, please open an issue on Zstandard's GitHub!

[0] https://github.com/facebook/zstd/releases/tag/v1.5.6
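As an added example (not code from the commenter or from the Zstandard project), a minimal parser for the zstd frame format (RFC 8878) that lists each block's type, size and the byte offset at which a client holds it in full; run over a response body it shows whether the server actually emitted the small blocks those parameters target. The frame builder only constructs sample input out of raw (stored) blocks; it does not compress anything.

```python
import struct

ZSTD_MAGIC = 0xFD2FB528
BLOCK_TYPES = {0: "raw", 1: "rle", 2: "compressed", 3: "reserved"}

def _frame_header_len(frame):
    """Length of the Frame_Header that follows the 4-byte magic number (RFC 8878 3.1.1.1)."""
    fhd = frame[4]                      # Frame_Header_Descriptor
    fcs_flag = fhd >> 6                 # Frame_Content_Size_flag
    single_segment = (fhd >> 5) & 1     # no Window_Descriptor, FCS field always present
    dict_flag = fhd & 3                 # Dictionary_ID_flag
    size = 1                            # the descriptor byte itself
    size += 0 if single_segment else 1  # Window_Descriptor
    size += (0, 1, 2, 4)[dict_flag]     # Dictionary_ID
    size += (1 if single_segment else 0, 2, 4, 8)[fcs_flag]  # Frame_Content_Size
    return size

def zstd_blocks(frame):
    """Walk one zstd frame and return [(block_type, block_size, end_offset)] per block.
    block_size is the on-wire payload size for raw/compressed blocks and the regenerated size
    for RLE blocks (1-byte payload); end_offset is how many bytes a client needs to hold that block."""
    if struct.unpack_from("<I", frame, 0)[0] != ZSTD_MAGIC:
        raise ValueError("not a zstd frame")
    pos = 4 + _frame_header_len(frame)
    blocks = []
    while True:
        if pos + 3 > len(frame):
            raise ValueError("truncated block header")
        hdr = int.from_bytes(frame[pos:pos + 3], "little")   # 3-byte Block_Header
        last, btype, bsize = hdr & 1, (hdr >> 1) & 3, hdr >> 3
        if btype == 3:
            raise ValueError("reserved block type")
        payload = 1 if btype == 1 else bsize                   # RLE carries one byte
        pos += 3 + payload
        if pos > len(frame):
            raise ValueError("truncated block payload")
        blocks.append((BLOCK_TYPES[btype], bsize, pos))
        if last:
            return blocks

def build_raw_frame(chunks):
    """Constructed sample input: one single-segment frame holding `chunks` as raw blocks."""
    total = sum(len(c) for c in chunks)
    assert total < 256, "1-byte Frame_Content_Size field"
    out = struct.pack("<IBB", ZSTD_MAGIC, 0x20, total)  # 0x20 = Single_Segment_flag, FCS flag 0
    for i, chunk in enumerate(chunks):
        hdr = (1 if i == len(chunks) - 1 else 0) | (0 << 1) | (len(chunk) << 3)  # last | raw | size
        out += hdr.to_bytes(3, "little") + chunk
    return out
```

With three small blocks the first one is complete after 14 bytes, whereas a single block would make the client wait for the whole 27-byte frame; the same walk over a real response shows the block sizes a server chose.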

rajnathani
> Zstandard’s branchless design is a crucial innovation that enhances CPU efficiency

Given how branchless algorithms are helping optimize not just network transport (compression) but even OS system libs (no citation for this one, but I’ve heard), I really wish colleges would begin teaching this along with DS/Algo course material.

userbinator
New standards for easier TLS fingerprinting and user-agent discrimination.

Edit: just look at how many sites you're locked out of if you don't have JS enabled or run an uncommon configuration.

sedatk
DPI systems in Turkey weren't even checking QUIC packets when I was there, let alone ECH. But, browsers usually start with TCP first to negotiate QUIC support, which prevented bypass of web blocks. If you could force your browser to establish connection directly using QUIC, you could bypass all the blocks. That was last year though. Not sure about the current situation.

lifthrasiir
The benchmark for Zstandard against Brotli seems to miss a key piece of information: the compression levels used for both algorithms, because both the compression ratio and compression time will depend on them. In fact this has been my long-standing suspicion about introducing Zstandard to the web standard, because lower compression levels for Brotli are not that slow and it was never publicly mentioned whether improving lower Brotli levels was deemed infeasible or not. Given Zstandard Content-Encoding was initially proposed by Meta, I'm not even sure they have at least tried.

Given we now have two strictly better algorithms than gzip, I also wonder about a hybrid scheme that starts with Zstandard but switches to Brotli when the compression time is no longer significant for a given request. We might even be able to cheaply convert the existing Zstandard stream into Brotli with some restrictions, as they are really LZSS behind the scenes?

irq-1
What will ECH mean for places like China or South Korea? Do governments have access to Cloudflare logs? Only with court orders?

ECH seems directly opposed to the Chinese government's control of the web.

autoexec
Cloudflare is happy to make it harder for anyone other than Cloudflare to see everything that you're doing on the internet.

Rhapso
Don't trust cloudflare with standards control.

They do not have anybody else's best interests at heart and are actively centralizing that which was explicitly intended to not be centralized.

casenmgreen
I use Tor for privacy.

CF blocks Tor; you can't get past the captcha.

uSoldering
What is the overlap of people who are reading a blogpost about Cloudflare standards and people who need a metaphor to understand what compression is? You have 7 paragraphs of highly technical information then just in case, you need to explain how compression works? Just tell your reader you think they're a moron and save yourself the keystrokes.

moralestapia
A very nice feature of zstd is that it is seekable. So you could map that to HTTP Range requests and go crazy about it.

java-man
Does it mean ECH works only with Cloudflare, since their example ECH contains an unencrypted outer layer client hello?

daveau
re: ECH

let the cat-and-mouse game between deep packet inspection (DPI) vendors and the rest of the encrypted internet continue. it’ll be amusing to see what they come up with (inaccurate guessing game ai/ml “statistical analysis” is about all they’ve got left, especially against the large umbrella that is cloudflare).

game on, grab your popcorn, it will be fun to watch.

jiggawatts
After examining how scammers and phishers host their sites, I’ve realised that “private” for Cloudflare means protecting the privacy of criminals.

ECH makes it hard to block known scam sites at the network layer, for example.

aaomidi
ECH is going to be huge for people in regressive countries. For example Iran.

barbazoo
> New standards for a faster and more private Internet

> Zstandard

I get "faster" but how does it make the internet "more private". The word "private" only shows up exactly once on that page, in the title.

nialse
Let me just stress that the effect of Zstandard on individual end-user latency is a rounding error. No user will ever go: “That was a quick loading web site. Must be Zstandard!”. The effect is solely Cloudflare having to spend x% less bandwidth to deliver the content, saving on their network and server resources.