RFC 9849. TLS Encrypted Client Hello

https://www.rfc-editor.org/rfc/rfc9849.html
55•P_qRs•2h ago

Comments

weitzj•1h ago
Will this have an impact on load balancers? Like does one have to do client-side load balancing like in gRPC?
j16sdiz•1h ago
The load balancer can force a downgrade.
micw•33m ago
If the load balancer can force a downgrade, an attacker can do it as well.
grenran•46m ago
My understanding is that you can use split mode to only have the load balancer decrypt the server name section, and forward the actual session and key exchange down to the backend without doing double layer encryption.
ivanr•1h ago
I wrote about ECH a couple of months ago, when the specs were still in draft but already approved for publication. It's a short read, if you're not already familiar with ECH and its history: https://www.feistyduck.com/newsletter/issue_127_encrypted_cl...

In addition to the main RFC 9849, there is also RFC 9848 - "Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings": https://datatracker.ietf.org/doc/rfc9848/

There's an example of how it's used in the article.

fmajid•38m ago
Thanks for the writeup, Ivan, I am a great fan of your work!

Now we need to get Qualys to cap SSL Labs ratings at B for servers that don't support ECH. Also those that don't have HSTS and HSTS Preload while we're at it.

ivanr•26m ago
Thanks! Sadly, SSL Labs doesn't appear to be actively maintained. I've noticed increasing gaps in its coverage and inspection quality. I left quite a while ago (2016) and can't influence its grading any more, sadly.
ferdzo•16m ago
It's an interesting feature, but it's pushing my buttons lately. Specifically on Cloudflare it is on by default, and on the free tier you can't disable it and you need a business plan for it. Which I think is stupid, but nevertheless it's causing us problems. We are trying some split-DNS setup for a company "intranet", and if the sites have been accessed before, the ECH is remembered. So the browser tries and it eventually fails with ECH Error, or on Firefox it just hangs like it's loading all the time. And it's so frustrating, because sometimes it works, sometimes it doesn't; you can clear cache and stuff and it still won't work; sometimes it works in Incognito, sometimes it doesn't. This is not a real problem, but since we haven't fully switched to the "intranet" and we use some of the WAF features of Cloudflare, sometimes it is so frustrating.
capitol_•11m ago
Split DNS is such an ugly hack; it causes no end of hard-to-debug problems.
arch-choot•12m ago
Glad that it's published, I'd been following it since ESNI draft days. Was pretty useful back when I was in India since Jio randomly blocked websites, and Cloudflare adopted the ESNI draft on its servers, as did Firefox client-side, which made their SNI-based blocking easy to bypass.

There was a period where I think both disabled ESNI support as work was made on ECH, which now is pretty far along. I was even able to set up a forked nginx w/ ECH support to build a client (browser) tester[0].

Hopefully now ECH can get more mainstream in HTTPS servers allowing for some fun configs.

A pretty interesting feature of ECH is that the server does not need to validate the public name (it MAY), so clients can use public_name values that middleboxes (read: censors) approve to connect to other websites. I'm trying to get this added to the rustls client[1]; now might be a good time to pick that back up.

[0] https://rfc9849.mywaifu.best:3443/
[1] https://github.com/rustls/rustls/issues/2741
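Two things come up in the thread above that are easiest to see on the wire: the ECH configuration is bootstrapped from the `ech` SvcParam of an HTTPS record (RFC 9848, mentioned by ivanr), and the `public_name` inside that configuration is what the client puts in the outer, cleartext SNI (the field arch-choot describes). The parser below is an added example, not code from the thread, the RFC or rustls. It decodes an ECHConfigList following the TLS presentation syntax of RFC 9849 Section 4, skips entries a client must ignore (unsupported version, unknown mandatory extension, public_name that is not a hostname), and reports the public names a network observer would actually see. The sample record is constructed in the block; the 32-byte key is a placeholder, not a real X25519 key, and `public.example` is a placeholder name.

```python
"""Parse and validate an ECHConfigList (RFC 9849, Section 4) as carried in the
`ech` SvcParam of an HTTPS record (RFC 9848). Added example; field names follow
the RFC's presentation syntax, the sample data is constructed here."""
import base64
import re
import struct
from dataclasses import dataclass

ECH_VERSION = 0xFE0D  # the only ECHConfig version RFC 9849 defines
KEM_NAMES = {0x0010: "DHKEM(P-256,HKDF-SHA256)", 0x0020: "DHKEM(X25519,HKDF-SHA256)"}
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class ParseError(ValueError):
    pass


@dataclass
class ECHConfig:
    config_id: int
    kem_id: int
    public_key: bytes
    cipher_suites: list  # (kdf_id, aead_id) pairs
    maximum_name_length: int
    public_name: str     # sent in the cleartext outer SNI


class Reader:
    """Bounds-checked cursor over a TLS-encoded byte string."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ParseError("truncated structure")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self) -> int:
        return self.take(1)[0]
    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]
    def vec(self, len_bytes: int) -> bytes:
        return self.take(self.u8() if len_bytes == 1 else self.u16())
    def done(self) -> bool:
        return self.pos == len(self.data)


def valid_public_name(name: str) -> bool:
    """public_name must be a DNS hostname of LDH labels, never an IPv4 literal."""
    labels = name.split(".")
    if all(label.isdigit() for label in labels):
        return False
    return 0 < len(name) <= 255 and all(LDH_LABEL.match(label) for label in labels)


def parse_ech_config(r: Reader):
    """Return one ECHConfig, or None when a client would have to ignore it."""
    version, length = r.u16(), r.u16()
    body = Reader(r.take(length))        # length lets us skip unknown versions
    if version != ECH_VERSION:
        return None
    config_id, kem_id = body.u8(), body.u16()
    public_key = body.vec(2)
    suites_raw = body.vec(2)
    if len(suites_raw) < 4 or len(suites_raw) % 4:
        raise ParseError("cipher_suites must hold whole (kdf_id, aead_id) pairs")
    suites = [struct.unpack("!HH", suites_raw[i:i + 4]) for i in range(0, len(suites_raw), 4)]
    maximum_name_length = body.u8()
    public_name = body.vec(1).decode("ascii", errors="replace")
    exts = Reader(body.vec(2))
    while not exts.done():
        ext_type = exts.u16()
        exts.vec(2)                      # extension data, ignored here
        if ext_type & 0x8000:            # mandatory-to-understand, unknown to us
            return None
    if not body.done():
        raise ParseError("trailing bytes inside ECHConfig")
    if not valid_public_name(public_name):
        return None
    return ECHConfig(config_id, kem_id, public_key, suites, maximum_name_length, public_name)


def parse_ech_config_list(data: bytes) -> list:
    r = Reader(data)
    lst = Reader(r.vec(2))
    if not r.done():
        raise ParseError("trailing bytes after ECHConfigList")
    configs = []
    while not lst.done():
        cfg = parse_ech_config(lst)
        if cfg is not None:
            configs.append(cfg)
    return configs


def parse_ech_svcparam(b64: str) -> list:
    """The `ech` SvcParam value is the ECHConfigList, base64 in presentation format."""
    return parse_ech_config_list(base64.b64decode(b64))


# --- constructed fixture: encoder used only to build sample input -----------
def build_ech_config(config_id, kem_id, public_key, suites, max_len, public_name, version=ECH_VERSION):
    suites_raw = b"".join(struct.pack("!HH", k, a) for k, a in suites)
    name = public_name.encode("ascii")
    contents = (struct.pack("!BH", config_id, kem_id)
                + struct.pack("!H", len(public_key)) + public_key
                + struct.pack("!H", len(suites_raw)) + suites_raw
                + struct.pack("!BB", max_len, len(name)) + name
                + struct.pack("!H", 0))  # no extensions
    return struct.pack("!HH", version, len(contents)) + contents


def sample_svcparam() -> str:
    placeholder_key = bytes(range(32))  # constructed, not a real X25519 key
    current = build_ech_config(0x2A, 0x0020, placeholder_key,
                               [(0x0001, 0x0001), (0x0001, 0x0003)], 64, "public.example")
    stale = build_ech_config(0x07, 0x0020, placeholder_key,
                             [(0x0001, 0x0001)], 64, "old.example", version=0xFE0C)
    body = current + stale
    return base64.b64encode(struct.pack("!H", len(body)) + body).decode()


if __name__ == "__main__":
    for cfg in parse_ech_svcparam(sample_svcparam()):
        print(f"config_id={cfg.config_id} kem={KEM_NAMES.get(cfg.kem_id, hex(cfg.kem_id))} "
              f"outer SNI={cfg.public_name}")
```

Run against the constructed record, only the 0xfe0d entry survives; the stale-version entry is skipped exactly as a browser would skip it. Pointing `parse_ech_svcparam` at the base64 from a real `dig HTTPS` answer shows which public_name a site's clients advertise in cleartext, which is also the name a split-DNS or middlebox setup, like the one described in the thread, has to let through.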
