How Encrypted Client Hello (ECH) Impacts Content Filtering Solutions: Challenges and Adaptations

Encrypted Client Hello (ECH) is a new protocol designed to improve privacy in TLS (Transport Layer Security) connections. ECH’s main function is to encrypt the ClientHello message—the initial message a client sends to a server during the TLS handshake.

The ClientHello message typically contains metadata, such as the Server Name Indication (SNI), that can reveal information about the client’s intended destination before the data is fully encrypted. This metadata exposure poses privacy risks, as network observers can infer the websites or services a user is attempting to access. ECH addresses this concern by encrypting the ClientHello, making it difficult for third parties to determine the server a client intends to reach.

ECH is part of a broader movement to enhance internet privacy and security, building on established protocols like TLS and DNS encryption (e.g., DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)).

Implications for Content Filtering Solutions

The introduction of ECH has implications for content filtering solutions, especially those that rely on inline network inspection. ECH presents unique challenges, as it conceals the SNI in the encrypted ClientHello, preventing inline filters from detecting and analyzing the destination hostname in real time.

Impact on Inline Content Filtering Applications

Many inline content filtering solutions, often used in corporate and educational networks, rely on packet inspection to monitor and control traffic. With ECH encrypting the SNI, these solutions can no longer detect the requested domain in the TLS handshake. This change limits the effectiveness of inline, domain-based filtering for services that previously depended on SNI visibility without decrypting the traffic.
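As an added example (not code from the original article), the script below constructs two minimal ClientHello messages, one plain and one carrying an ECH extension, and shows what an inline, SNI-based filter can read from each without decryption. The hostnames, the zeroed random field and the opaque ECH payload are constructed test data, and the 0xfe0d extension codepoint is assumed to be the one used by deployed ECH drafts.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint of deployed ECH drafts (assumption)

def build_client_hello(sni: str, ech_payload: bytes = b"") -> bytes:
    """Constructed test data: a minimal TLS 1.3 ClientHello. With ECH, `sni` is the
    outer public name; the real hostname sits inside the opaque encrypted payload."""
    name = sni.encode()
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name, name
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ech_payload:
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32)              # legacy_version, random (zeroed, constructed)
            + b"\x00"                             # empty legacy_session_id
            + b"\x00\x02\x13\x01"                 # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type + 24-bit length

def inspect_client_hello(msg: bytes) -> dict:
    """Return what an inline filter reads without decryption: visible SNI and ECH presence."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                        # handshake header, version, random
    pos += 1 + msg[pos]                                     # legacy_session_id
    pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + msg[pos]                                     # compression_methods
    end = pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    seen = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
        data = msg[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT:
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode()
        elif etype == ECH_EXT:
            seen["ech"] = True
    return seen

def inline_verdict(msg: bytes, blocklist: set) -> str:
    """Domain-based inline filtering on the visible SNI alone. With ECH the outer SNI
    names only the client-facing server, so the real destination is undetermined."""
    seen = inspect_client_hello(msg)
    if seen["ech"]:
        return "undetermined"
    return "block" if seen["sni"] in blocklist else "allow"
```

A filter that previously matched `blocked.example` on the SNI sees only `public.example` once ECH is in use, which is why the page recommends complementary DNS-based policy rather than relying on the handshake alone.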

No Impact on DNS-Based Content Filtering

DNS-based content filtering is less affected by ECH directly, as ECH only encrypts the ClientHello message in the TLS handshake and does not alter the DNS query itself. DNS filtering solutions, such as CleanBrowsing, can still intercept and respond to DNS queries for content filtering as long as the DNS traffic is unencrypted or controlled by the filtering provider.

The ECH and Encrypted DNS Partnership Challenge

The combined use of ECH with encrypted DNS protocols—DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)—poses significant challenges for DNS-based content filtering solutions. Encrypted DNS channels bypass traditional DNS-based filtering, as DNS queries between the client and DNS server are encrypted, preventing inline network filters from intercepting, analyzing, or altering these requests.

Some networks may choose to block DoH and DoT traffic or route all DNS traffic through a specific DNS provider (e.g., by enforcing network-wide DNS policies) to retain filtering capabilities.

While Encrypted Client Hello (ECH) represents a crucial step forward in enhancing user privacy by concealing sensitive metadata within the TLS handshake, it does complicate the work of content filtering solutions that depend on visibility into this information.

DNS-based filters, like CleanBrowsing, remain functional under ECH, though they must contend with the added complexity of encrypted DNS protocols like DoH and DoT.