In an era where digital privacy is increasingly under threat, a new technology called Encrypted Client Hello (ECH) has just been announced recently as a beacon of hope for safeguarding your online activities. Developed as a successor to ESNI (Encrypted Server Name Indication), ECH promises to secure our online interactions and make browsing the web a bit more private.
Plain Text Internet
In the early days of the internet, web communications occurred in plain text, leaving your online activities exposed to prying eyes at every turn. Whether you were making a bank transfer or browsing a website, every digital footstep you took could potentially be tracked and monitored by various intermediaries along the way.
While the introduction of encryption protocols like SSL and TLS offered significant protection for the content you view and upload, certain elements of online communication remained vulnerable. Two key aspects that privacy advocates identified were DNS (Domain Name System) requests and the Server Name Indication (SNI).
DNS requests, which translate human-readable website names into IP addresses, were initially unencrypted, allowing anyone to see which websites you were inquiring about. To address this, Cloudflare introduced DNS over HTTPS (DoH) in 2019, followed by Oblivious DNS over HTTPS in 2020, which even shielded these requests from Cloudflare itself.
However, the SNI remained the last piece of the puzzle. During a TLS handshake, which occurs when you connect to a website using HTTPS, your browser reveals the server’s name (website) it intends to visit as part of the unencrypted process. This meant that intermediaries could still discern which websites you were accessing based on the SNI.
The introduction of Encrypted Client Hello (ECH) brings a new era of online privacy. With ECH enabled, the browser initiates a TLS handshake with Cloudflare(or any other provider), but the customer-specific hostname is kept hidden. Instead, intermediaries only see that you are visiting a domain on the DNS, without the ability to determine which one specifically.
To understand how ECH works, it’s essential to grasp the mechanics of a TLS handshake. Traditionally, a TLS handshake begins with the ClientHello message, which contains critical information such as ciphers to use, TLS version, and the SNI (server name indication).
When a user visits a website enabled with ECH, the ClientHello message is split into an outer part and an inner part. The outer part, visible to intermediaries, contains general information about the connection. The inner part, encrypted and secure, includes the actual server name the user intends to visit. This ensures that even intermediaries cannot determine the specific website a user is accessing.
The adoption of ECH by major web browsers like Google Chrome and Firefox is already underway. For website owners and operators concerned about user privacy, enabling it on your CDN of choice is a step in the right direction. ECH has been made available for all cloudflare users and should be available on other CDNs soon.
As more internet service providers and web hosts implement ECH, the internet’s landscape will shift towards a more private and secure future. With each provider that embraces the technology, the collective effort to protect online privacy gains momentum, making it increasingly challenging for anyone to eavesdrop on your internet activities. This is a great step in the right direction!