Encrypted Client Hello (ECH)

What is ECH?

TLS Encrypted ClientHello (ECH) is an experimental mechanism for Transport Layer Security version 1.3 (TLS 1.3) that encrypts the ClientHello message under a server public key.

The intent of ECH is to protect the privacy of users by preventing someone who is monitoring network traffic from being able to determine the domain name of the website a user is browsing to.

What major browsers support ECH?

ECH is currently available in Mozilla's Firefox browser as an experimental feature that can only be enabled in about:config. For more information about Mozilla's ECH implementation, visit the Mozilla Security Blog.

For Edge version 105 and above, ECH can only be enabled for test purposes by starting the browser with the following command-line option:

edge.exe --enable-features=EncryptedClientHello

For more information about ECH in Edge, see: You can now Enable Encrypted Client Hello (Encrypted SNI or ESNI/ECH) in Microsoft Edge - Microsoft Tech Community

For Chrome, ECH is not currently available. Google is planning on experimenting with this new feature as early as Chrome version 104, but only for a small subset of users (and it is highly unlikely that this would include education users).

When the ECH feature is released for Chrome it is expected that it will be disabled by default, and it is likely that it will also be possible to disable it entirely via the Google Administration interface for managed devices. This would allow Netsweeper filtering to continue to work normally.

Up-to-date information about Google's plans for ECH can be found at the Chrome Platform Status page for this feature. As of August 2022, the status shows as "Specification currently under development in a Working Group".

What are the potential risks involved with ECH?

If you cannot decrypt an ESNI- or ECH-based request, you can only block the request by its destination IP address, or, when using our hostname/IP cache (rDNS Cache), by the hostname that cache resolves for that address. The unwanted side effect is that sites can then only be blocked by their IP address or cached hostname, not by the name the user actually requested.
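To make the risk concrete, the following example (added here; it is not Netsweeper code and not part of the original article) builds two constructed TLS 1.3 ClientHello records and shows what a passive filter on the wire can read from each. The first carries a plaintext server_name (SNI) extension; the second also carries an encrypted_client_hello extension. The function names, the sample hostnames and the 16-byte dummy ECH payload are all made up for this illustration; the extension codepoints assumed are 0 for server_name (RFC 6066) and 0xfe0d for encrypted_client_hello (the draft-ietf-tls-esni codepoint). When ECH is present, the visible SNI is only the client-facing server's public name, so a hostname policy cannot rely on it and must fall back to destination IP or rDNS.

```python
import struct

# Extension codepoints (assumptions, see lead-in): server_name per RFC 6066,
# encrypted_client_hello per the draft-ietf-tls-esni codepoint.
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D


def build_client_hello(extensions: bytes) -> bytes:
    """Construct a minimal TLS 1.3 ClientHello record (sample data, built here)."""
    body = b"\x03\x03"                                 # legacy_version = TLS 1.2
    body += b"\x11" * 32                               # random (fixed for the sample)
    body += b"\x00"                                    # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                # legacy_compression_methods: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname: str) -> bytes:
    """server_name extension: list length, name_type 0 (host_name), name length, name."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def ech_extension(payload: bytes) -> bytes:
    """encrypted_client_hello extension with an opaque (here: dummy) payload."""
    return struct.pack("!HH", EXT_ECH, len(payload)) + payload


def inspect_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read: plaintext SNI (if any) and whether ECH is present."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                   # record + handshake headers, version, random
    sid_len = record[pos]
    pos += 1 + sid_len                                 # skip legacy_session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                                  # skip cipher_suites
    cm_len = record[pos]
    pos += 1 + cm_len                                  # skip compression methods
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]   # after list_len(2) + name_type(1)
            result["sni"] = data[5:5 + name_len].decode()
        elif ext_type == EXT_ECH:
            result["ech"] = True
    return result


def filtering_basis(record: bytes) -> str:
    """Which identifier a hostname-based policy can key on for this connection."""
    info = inspect_client_hello(record)
    if info["sni"] and not info["ech"]:
        return "sni:" + info["sni"]
    # With ECH the outer SNI is only the client-facing server's public name,
    # so the real destination name is unavailable: fall back to IP / rDNS cache.
    return "ip-or-rdns-only"


if __name__ == "__main__":
    plain = build_client_hello(sni_extension("example.com"))
    ech = build_client_hello(sni_extension("public.example") + ech_extension(b"\x00" * 16))
    print(inspect_client_hello(plain), "->", filtering_basis(plain))
    print(inspect_client_hello(ech), "->", filtering_basis(ech))
```

Run it as a script to see both records inspected: the plaintext one yields the requested hostname, while the ECH one yields only the public name plus an ECH flag, which is exactly the case where a filter has nothing but the destination IP address or its cached hostname to act on.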

However, you can mitigate any risks by simply not enabling this experimental feature in your networks.

Netsweeper Support statement

Netsweeper is committed to providing our user-base with world-class filtering. We will implement changes and fixes, and try to work around any technology that inhibits our ability to do so, including ECH.

If you have further questions or concerns about this feature, please reach out to our Support Team by emailing support@netsweeper.com.
