Project ideas from Hacker News discussions.

RFC 9849. TLS Encrypted Client Hello

📝 Discussion Summary

1. ECH is still a moving target – deployment is hard
“If the load balancer can force a downgrade …” – j16sdiz
“If your load balancer doesn’t support ECH, don’t tell clients to use ECH.” – gzread
“Nginx also supports ECH now, since the December release.” – arowthway
“Caddy already supports ECH, leaning on the DNS plugins to automate setting the DNS HTTPS records to wire it up.” – francislavoie

2. Downgrade and DNS‑level attacks are still a concern
“The load balancer can force a downgrade.” – j16sdiz
“If the load balancer can force a downgrade, an attacker can do it as well.” – micw
“DNSSEC can also protect against malicious SVCB/HTTPS records …” – jeroenhd
“DNSSEC alone is obviously useless because any attacker … can just as easily monitor DNS traffic.” – tptacek

3. ECH is a tool for censorship‑resistance, but not a silver bullet
“A pretty interesting feature of ECH is that the server does not need to validate the public name … so clients can use public_name’s that middleboxes (read: censors) approve to connect to other websites.” – tialaramex
“Domain fronting is why ECH exists.” – tialaramex
“If users don’t trust the Fortigate … you can only block at the IP layer.” – hypeatei
“Governments will request platforms to disable ECH or ask for other signals to be reported.” – sedatk

4. The tooling ecosystem is still catching up
“SSL Labs doesn’t appear to be actively maintained …” – ivanr
“Is there a well‑maintained alternative to SSL Labs you can recommend?” – crote
“I use testssl.sh … because I can test things not publicly accessible.” – Bender
“JA4 hashing with ECH is still a work‑in‑progress.” – ArcHound

These four threads—deployment hurdles, downgrade/DNS security, censorship‑resistance, and tooling—capture the bulk of the discussion.


🚀 Project Ideas

ECH Load Balancer Compatibility Manager

Summary

  • Detects whether a load balancer supports ECH and automatically configures split‑mode or fallback.
  • Provides a real‑time dashboard showing ECH health per domain and alerts on downgrade attempts.
  • Core value: eliminates manual troubleshooting and downtime caused by ECH incompatibility.

Details

  • Target Audience: DevOps, Site Reliability Engineers, Cloud Ops teams
  • Core Feature: Auto‑detect ECH support, auto‑configure split‑mode, real‑time monitoring & alerts
  • Tech Stack: Go (backend), React + TypeScript (frontend), Prometheus + Grafana (metrics), Docker
  • Difficulty: Medium
  • Monetization: Revenue‑ready, $49/month per domain

Notes

  • “If the load balancer can force a downgrade” – users like ferdzo are frustrated when Cloudflare forces ECH on the free tier.
  • “Split mode to only have the load balancer decrypt the server name section” – the tool implements this out of the box.
  • Practical utility: teams can quickly verify ECH status without manual openssl s_client tests, reducing support tickets.

DNSSEC & DoH Integrity Monitor

Summary

  • Continuously verifies DNSSEC signatures and DoH/DoT responses for configured zones.
  • Alerts when records are tampered or resolvers are compromised.
  • Core value: gives operators confidence that DNS queries are authentic and unmodified.

Details

  • Target Audience: DNS administrators, security teams, compliance officers
  • Core Feature: Real‑time DNSSEC validation, DoH/DoT integrity checks, webhook alerts
  • Tech Stack: Rust (core), PostgreSQL, Node.js (API), Grafana dashboards
  • Difficulty: Medium
  • Monetization: Revenue‑ready, $99/month for up to 10 zones

Notes

  • “I want to know when that happens” – users like jeroenhd want to detect DNS tampering.
  • “DNSSEC can also protect against malicious SVCB/HTTPS records” – the monitor checks both.
  • Discussion around “DoH is the answer” makes this a timely tool for many.

ECH Preload List & Policy Service

Summary

  • Maintains an official ECH preload list similar to HSTS preload.
  • Provides an API for browsers and a browser extension that enforces ECH usage.
  • Core value: standardizes ECH adoption and protects users from downgrade attacks.

Details

  • Target Audience: Browser vendors, CDN operators, privacy‑focused users
  • Core Feature: ECH preload registry, API, enforcement extension, analytics dashboard
  • Tech Stack: Python (FastAPI), SQLite, Chrome/Firefox extension (WebExtensions), CI/CD
  • Difficulty: Medium
  • Monetization: Revenue‑ready, $199/month for enterprise API access

Notes

  • “If browsers roll out something akin to the HSTS preload list” – this directly addresses that need.
  • “HSTS preload list forces browsers to connect over HTTPS” – analogous ECH preload would force encrypted ClientHello.
  • Practical utility: CDN operators can submit domains, browsers can automatically enforce, reducing downgrade risk.

ECH Automation & Key Rotation Tool

Summary

  • CLI tool that generates ECH keys, creates/updates SVCB/HTTPS DNS records, and rotates keys automatically.
  • Supports small servers by allowing IP‑based certificates and public_name domains.
  • Core value: removes manual configuration headaches for ECH deployment.

Details

  • Target Audience: System administrators, small‑site owners, DevOps
  • Core Feature: ECH key generation, DNS record automation, ACME integration, key rotation scheduler
  • Tech Stack: Go (CLI), ACME client library, DNS provider SDKs (Cloudflare, Route53, etc.)
  • Difficulty: Medium
  • Monetization: Hobby

Notes

  • “Caddy already supports ECH, leaning on the DNS plugins to automate setting the DNS HTTPS records” – this tool extends that automation to any server.
  • “Small servers need a public_name that may not match cert” – the tool can provision a separate domain or use IP certs.
  • “MBCook: ECH has never been offered for all websites using CF” – the tool helps bring ECH to all sites, not just large CDNs.
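An added example, not code from the thread or from Caddy or any other project named above, of the wire format such a tool has to emit and read back: the ECHConfigList (RFC 9849, version 0xfe0d) that is base64‑encoded into the HTTPS record’s ech= parameter. The 32‑byte key, config_id 42 and public_name example.com are constructed sample values; 0x0020, 0x0001 and 0x0001 are the HPKE registry identifiers for DHKEM(X25519), HKDF‑SHA256 and AES‑128‑GCM.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # the only ECHConfig version defined in RFC 9849

def marshal_ech_config_list(config_id, kem_id, public_key, suites, public_name, max_name_len=0):
    """Build the base64 ECHConfigList (one config) that the HTTPS record carries in its ech= parameter."""
    name = public_name.encode("ascii")
    body = struct.pack("!BHH", config_id, kem_id, len(public_key)) + public_key
    body += struct.pack("!H", 4 * len(suites)) + b"".join(struct.pack("!HH", *s) for s in suites)
    body += struct.pack("!BB", max_name_len, len(name)) + name + struct.pack("!H", 0)  # empty extensions
    config = struct.pack("!HH", ECH_VERSION, len(body)) + body
    return base64.b64encode(struct.pack("!H", len(config)) + config).decode()

def parse_ech_config_list(b64):
    """Decode an ech= value and return the first config whose version this code understands."""
    raw, pos = base64.b64decode(b64), 0
    def take(want):  # bounds-checked read: a malformed record raises instead of being mis-parsed
        nonlocal pos
        n = want if isinstance(want, int) else struct.calcsize(want)
        if pos + n > len(raw):
            raise ValueError("truncated ECHConfigList")
        pos += n
        return raw[pos - n:pos] if isinstance(want, int) else struct.unpack(want, raw[pos - n:pos])
    (total,) = take("!H")
    if total != len(raw) - 2:
        raise ValueError("ECHConfigList length does not match payload")
    while pos < len(raw):
        version, length = take("!HH")
        end = pos + length
        if version != ECH_VERSION:  # a list may mix versions; clients skip the ones they cannot parse
            take(length)
            continue
        config_id, kem_id, pk_len = take("!BHH")
        public_key = take(pk_len)
        (suites_len,) = take("!H")  # cipher_suites<4..2^16-4>: four bytes per (kdf_id, aead_id) pair
        suites = [take("!HH") for _ in range(suites_len // 4)]
        max_name_len, name_len = take("!BB")
        public_name = take(name_len).decode("ascii")
        (ext_len,) = take("!H")
        take(ext_len)  # extensions are carried but not interpreted here
        if pos != end:
            raise ValueError("ECHConfig length does not match its contents")
        return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                "suites": suites, "max_name_len": max_name_len, "public_name": public_name}
    raise ValueError("no ECHConfig with a supported version")

# Constructed sample: a fake 32-byte X25519 key (kem_id 0x0020) with HKDF-SHA256 / AES-128-GCM (0x0001, 0x0001).
SAMPLE_ECH = marshal_ech_config_list(42, 0x0020, bytes(range(32)), [(0x0001, 0x0001)], "example.com")
```

A rotation tool can run parse_ech_config_list over the value it reads back from DNS and compare public_key and config_id with the key it just installed on the server, which catches a stale or mangled record before clients start failing ECH.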
