What is ECH and do you need it?

The TLS handshake, which enables two devices to communicate securely over the internet, is itself not fully secure. Some parts of the negotiations are carried out using plaintext, which can allow network snoopers to see which websites a user is visiting, among other things. The Encrypted Client Hello (ECH) standard plugs this hole by encrypting sensitive TLS metadata. However, ECH is not (yet) supported by all websites or browsers. In this article we’ll look in greater detail at ECH and help you decide if you need to use it.

What is TLS?

Before we explore ECH more fully, it’s helpful to remind ourselves how TLS functions. Transport Layer Security (TLS), as well as its predecessor SSL, is a security protocol that authenticates the other party in a connection, checks the integrity of data, and provides encrypted protection.

TLS provides the security in HTTPS, ensuring that data traveling between browsers and websites is adequately protected. TLS can also secure file transfers, emails, and instant messaging when implemented over other protocols. All in all, it’s incredibly important to our online activity.

The TLS handshake is a subprotocol of TLS. It’s the part responsible for securely establishing a connection. In essence, the handshake establishes the parameters for communication.

A simplified handshake works like this:

The client contacts the server with a Client Hello Message. Contained within this message are a variety of parameters that the client supports. These include the version of TLS it works with; a nonce; the cipher suites it can use for encryption and authentication; its key-sharing parameters; and various other bits of data – such as the hostname of the website being accessed. These are sent in plaintext.

The server responds with a Server Hello message. This includes its encrypted digital certificate, and additional Certificate Verify and Finish messages. It also specifies the server’s selection from the client’s list of supported parameters, including the choice of TLS version, nonce, cipher suite, and key-sharing parameters.

The client also sends an encrypted Finish message, after which secure communication can begin.

If you’d like a more detailed explanation of TLS handshakes, read our in-depth article on the process here: TLS (SSL) handshakes explained.

The plaintext problem

The plaintext – also known as cleartext – data sent by the client in the Client Hello Message can be intercepted by third parties as it travels over the internet.

It can reveal information such as:

  • The target domain for a given connection via the plaintext Server Name Indication (SNI) extension. SNI ensures that a request is routed to the correct site if a web server hosts multiple domains.
  • The list of supported applications (such as HTTPS, email, or instant messaging) via the Application-Layer Protocol Negotiation (ALPN) list.

Why is this a problem?

  • SNI leaks mean that the hostname of the server the client is trying to connect to is visible. This makes it possible for governments to censor sites or other third parties to filter or monitor traffic.
  • ALPN leaks provide information about the client’s capabilities and what the connection is about to be used for.

Neither scenario is good for privacy, which is why the ECH extension was created.

What does ECH do?

Full handshake encryption was once proposed as a core feature of TLS 1.3, but wasn’t ultimately included. ECH plugs this omission by encrypting the most sensitive parts of the Client Hello Message.

It actually does this by sending two Client Hello Messages:

  1. The first – the Client Hello Outer – is sent in plaintext.
  2. The second – the Client Hello Inner – is encrypted and sent as an extension to the Client Hello Outer. ECH carries out its encryption using a public key, which it obtains by making a DNS query for the server’s HTTPS resource record. These records need to be fetched over an encrypted connection, which requires the use of DNS over HTTPS (DoH).
  3. The Client Hello Inner contains the client’s connection parameters, including the SNI of the server it’s trying to reach and the ALPN list.
  4. If the server cannot decrypt the Client Hello Inner, it tries to use the Client Hello Outer. The Client Hello Outer doesn’t complete the handshake, however. Instead, the ECH service provider signals to the client that its intended destination couldn’t be reached and sends along the correct ECH public key so that the client can retry decrypting the Client Hello Inner message.

Cloudflare, which was instrumental in developing the ECH protocol, says, “At a minimum, both ClientHellos must contain the handshake parameters that are required for a server-authenticated key-exchange.”

It goes on to say, “If the connection is established using the ClientHelloOuter, then the client is expected to immediately abort the connection and retry the handshake with the public key provided by the server”.

Which browsers support ECH?

Following successful experimentation with ECH, Google Chrome announced in September 2023 that it would switch on ECH by default from version 117 onwards.

Firefox made ECH available in version 118, which was released on September 26, 2023. In Firefox 119 – which was released on October 24, 2023 – it was enabled by default. However, it’s important to note that ECH is only active when DNS-over-HTTPS (DoH) is enabled.

Unfortunately, Mozilla says that DoH is currently only enabled by default in a few countries. It says: “As part of our continuing strategy to carefully measure the benefits and impact of DoH, we have released this feature by default in Russia, Ukraine as well as the US and Canada only so far.”

It’s possible to enable ECH in Microsoft Edge version 105 and above. Do the following:

  1. Right-click on the desktop shortcut of the Edge browser.
  2. Select properties.
  3. Add: Text to append to the Edge "Target" field. at the end of the “Target” field (note the space before the first two dashes in the image below).  Enabling ECH in Microsoft Edge.
  4. Click “Apply”.
  5. Click “Continue”.
  6. Open an Edge browser window and click on the three dots in the top-right corner of the screen.
  7. Select “Settings”.
  8. Select “Privacy, search and services”.
  9. Scroll down to “Security”.
  10. Under “Use secure DNS to specify how to lookup the network address for websites,” select “Choose a service provider”.
  11. Select “Cloudflare” from the list.
  12. Restart the browser and ECH will be enabled.

Some Virtual Private Network (VPN) providers – such as TunnelBear – are also beginning to offer support for the ECH protocol. Mozilla, which has been closely involved in ECH’s development, says combining ECH with a VPN can “provide an extra layer of privacy and security”.

How do I know if ECH is enabled?

It’s easy to check whether ECH is enabled on your browser. Just do the following:

  1. Go to: https://crypto.cloudflare.com/cdn-cgi/trace/
  2. Read down the list until you reach the “sni” entry.
  3. If ECH is enabled, this will read “sni=encrypted”. If not, it will read “sni=plaintext”.

This Cloudflare pages tells you when Server Name Indication is encrypted.

Alternatively, visit: https://defo.ie/ech-check.php. If ECH is enabled you’ll see a green tick, if not you’ll see a red cross.

A green tick shows that ECH is being used.

How do I use ECH on my website?

According to Mozilla, any website can employ ECH, “as long as it is equipped with the necessary server-side support”. CUJO AI provides a detailed explanation on how to set up an ECH-enabled website. Before you get started, you’ll need an ECH-supporting web browser, A registered domain name, authoritative DNS servers for the domain, and an ECH-capable web server with a TLS certificate.

FAQs: What is ECH and do you need it?

Will ECH affect my Internet speed?

Mozilla says that the data fetched by ECH is “only a few hundred bytes in size and too small to have any effect on your internet speed”.

What are the weaknesses of ECH?

While the ECH protocol is effective at hiding the domain names in the SNI, attackers may be able to use traffic analysis to make a guess about the value of the SNI. For example, ciphertext that is particularly long or very short suggests particularly long or short domain names.

The attacker can also be entirely passive and try to infer encrypted information from other visible metadata, such as packet sizes and timing. Cloudflare says that while the current ECH specification provides some mitigations, “their coverage is incomplete”.

Will ECH break websites?

No, Mozilla says that it has carried out a number of studies and tests to “ensure that websites will continue to operate correctly”.