
Encrypted Client Hello (ECH) FAQ


What is ECH?

TLS Encrypted ClientHello (ECH) is a mechanism for Transport Layer Security version 1.3 (TLS 1.3) that encrypts ClientHello messages under a server public key.  The intent of ECH is to protect the privacy of users by preventing anyone who is monitoring network traffic from determining the domain name of the website a user is browsing to.

A great in-depth breakdown of ECH can be found here: ECH Protocol - Cloudflare Docs

What major browsers utilize the ECH Protocol?

ECH is currently enabled by default in Mozilla's Firefox browser, as well as in Google Chrome and most Chromium-based browsers.  There are test sites available for checking ECH connections; however, at the time of publishing this article, none seemed consistent enough to recommend here.

What are the potential risks involved with ECH?

The risk of the Encrypted Client Hello handshake is that we will not be able to parse the SNI (Server Name Indication) information for the resulting connection.  This will cause the connection to be logged as https://ip.of.remote.host:443, instead of the full hostname of the URI.

This can lead to potential issues with both filtering and logging end-user traffic.

What can I do to ensure my deployment is parsing SNI?

Any time you decrypt with NSProxy, the site will downgrade the connection from ECH.  However, if decryption is not being utilized, the alternative is to filter DNS.  Our PDNS-Recursor solution already supports the format of dns://example.com?qtype=NN.

If NSProxy decryption is not being applied, then it is important to use our DNS filtering in combination with it, if only to deny DNS HTTPS record requests (qtype=65).  Denying these requests causes the browser to fall back to regular unencrypted SNI automatically.
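The qtype=65 check described above, as an added example that is not Netsweeper's code: it parses the question section of a raw DNS query, renders it in the dns://example.com?qtype=NN form mentioned earlier, and flags HTTPS-record lookups. The function names and the allow/deny return values are assumptions made for illustration, and the sample packets are constructed.

```python
import struct

HTTPS_QTYPE = 65  # DNS HTTPS resource record; browsers query it to obtain ECH keys


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query packet (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (qname, qtype) for the first question of a DNS query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("invalid label in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype


def filter_key(packet):
    """Render the query as dns://name?qtype=NN for a policy lookup."""
    name, qtype = parse_question(packet)
    return f"dns://{name}?qtype={qtype}"


def decide(packet):
    """Hypothetical policy: deny HTTPS-record lookups, allow everything else."""
    _name, qtype = parse_question(packet)
    return "deny" if qtype == HTTPS_QTYPE else "allow"
```

Malformed or truncated queries raise ValueError rather than being classified, so the caller chooses whether to drop or pass them.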

Netsweeper Support statement

Netsweeper is committed to providing our user-base with world-class filtering.  If you have further questions or concerns about this feature, or need help determining if you are using NSProxy decryption or DNS Filtering, please reach out to your Netsweeper Account Manager or our Support Team by emailing support@netsweeper.com.

 
