In recent years, online privacy has been a central topic for both users and companies that offer web services. With the advancement of encryption technologies, the ability of intermediaries—such as Internet Service Providers (ISPs)—to monitor and filter user traffic has been significantly reduced. One of the most recent innovations in this field is the Encrypted Client Hello (ECH), a protocol that is transforming the way web traffic is protected, making it much more difficult to block or censor websites.
What is Encrypted Client Hello (ECH)?
ECH is an extension of the TLS (Transport Layer Security) protocol, which secures communication between a web browser and a server. Although TLS encrypts most of the information transmitted during a connection, one critical part remained in plain text: the Server Name Indication (SNI). The SNI is a field sent in the initial phase of the connection (the “handshake”) that tells the server which domain name the user wishes to access.
The problem with SNI is that any intermediary—such as an Internet Service Provider—could inspect this field to see which website the user was trying to access, even if the rest of the connection was encrypted. This has been a key tool for governments and ISPs when blocking access to certain websites, as they only needed to identify the server name to filter traffic.
The challenge of ECH: Encrypting the SNI
The ECH protocol addresses this weakness by encrypting the SNI along with the other initial connection data, thus concealing the name of the server the user wants to access. Instead of seeing the exact domain, an intermediary only sees that the user is attempting to connect to a server that uses ECH; it cannot tell which specific domain is being accessed.
This advancement renders content blocking techniques based on SNI—such as those used in Spain by Movistar and LaLiga to block sites hosting pirated content—practically ineffective. Since a large number of websites are hosted on the Cloudflare content distribution network, which activated ECH in October 2023, internet blocking has become much more complicated for ISPs and copyright entities.
How does ECH work?
In a traditional TLS connection, the client (browser) sends a message called ClientHello to the server, which contains a list of cryptographic algorithms, the TLS version, and, crucially, the SNI in plain text. With ECH, this message is divided into two parts: an outer ClientHello and an inner ClientHello. The outer part contains non-sensitive information, such as the cryptographic algorithms offered, while the inner part, which carries the real SNI, is encrypted and embedded in the outer message.
An intermediary, such as an ISP, can only read the outer ClientHello, which reveals generic information. The actual SNI, naming the exact domain, remains hidden until the message reaches the server, which holds the key needed to decrypt it.
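As an added example (not code from the original article), the following Python script constructs a minimal TLS ClientHello and then parses it the way a passive intermediary would, showing that with ECH the plaintext SNI carries only a cover name while the real domain sits inside the opaque ECH extension. The extension code point 0xfe0d is the one used by current ECH drafts; the placeholder public name and the opaque payload bytes are constructed values standing in for the HPKE ciphertext a real client would produce.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type
ECH_EXT = 0xFE0D   # encrypted_client_hello code point used by current ECH drafts


def build_client_hello(server_name, ech_payload=None):
    """Build a minimal TLS 1.3 ClientHello record (constructed sample, not a capture).
    The server_name extension is always plaintext: without ECH it holds the real domain;
    with ECH it holds only a public cover name and the real domain is inside the payload."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type + name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ech_payload is not None:   # opaque stand-in for the encrypted inner ClientHello
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x11" * 32        # legacy_version + fixed demo random
            + b"\x00"                          # empty legacy_session_id
            + b"\x00\x02\x13\x01"              # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record):
    """Parse a ClientHello as a passive middlebox would: return the plaintext SNI
    and whether an ECH extension is present. The inner (real) name is never visible."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
    p += 1 + record[p]                 # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                 # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p, end = p + 2, p + 2 + ext_len
    seen = {"sni": None, "ech": False}
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data, p = record[p + 4:p + 4 + elen], p + 4 + elen
        if etype == SNI_EXT:
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode()
        elif etype == ECH_EXT:
            seen["ech"] = True
    return seen


if __name__ == "__main__":
    print(inspect_client_hello(build_client_hello("example.com")))
    print(inspect_client_hello(build_client_hello("public-name.example", b"\xaa" * 48)))
```

The second line of output shows what a filtering box is left with once ECH is in use: a cover name shared by every site behind the same provider and an opaque blob, which is why SNI-based blocking stops working.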
Implications for censorship and content blocking
The introduction of ECH represents a significant change in how governments and ISPs can impose restrictions on the internet. Previously, systems like DPI (Deep Packet Inspection) could read the SNI to identify and block access to certain sites. With ECH enabled, this technique becomes obsolete because the inspecting party can no longer see which site is being visited.
This has raised concerns among entities that rely on blocking websites to enforce copyright laws or censorship policies. A recent example in Spain is the struggle of LaLiga and ISPs to block sites streaming unauthorized football matches. With ECH, previously blocked websites may become accessible again as ISPs cannot identify connections to those sites.
The impact of Cloudflare on ECH adoption
Cloudflare, one of the largest providers of web security and performance services, has been instrumental in the adoption of ECH. With over 20% of websites globally hosted on its network, the activation of ECH in October 2023 marked a milestone in web traffic security and privacy. Although Cloudflare had to temporarily deactivate ECH shortly after its launch due to technical issues, it is expected that by August 2024, ECH will be mandatory for all free Cloudflare accounts and optional for paid plans.
This means that more websites will be protected by ECH, making it more challenging to block content on the web. For users, this advancement offers increased privacy and freedom, enabling them to access websites without fear of their connections being inspected or blocked.
What’s next for ECH?
As ECH continues its deployment, both privacy advocates and regulators will be monitoring its implications. For ISPs and copyright entities, this new protocol poses a challenge in combating unauthorized content. However, for users and supporters of net neutrality, ECH represents a crucial advancement in protecting privacy and freedom on the internet.
Meanwhile, browsers like Chrome and Firefox have already announced their support for ECH, ensuring that the protocol will be widely integrated in the coming years. In a world where online privacy is increasingly valued, Encrypted Client Hello appears destined to become an essential tool in safeguarding digital rights.
Conclusion
The Encrypted Client Hello protocol is a significant step toward greater privacy and security on the internet. Its ability to encrypt the SNI and hide the identity of visited websites from external intermediaries represents a revolution in how web traffic is managed. While it poses challenges for ISPs and entities seeking to block sites, it represents a crucial advancement in protecting user privacy. Over time, ECH could permanently alter the landscape of censorship and surveillance on the internet.