Enhanced Security with Encrypted Client Hello (ECH)

When the Internet was first developed, security was a distant concern and the majority of network traffic was unencrypted. This lack of encryption made it vulnerable to interception by those with the necessary access and means. As time passed, passive monitoring of Internet traffic expanded, and significant strides in security were made with the advent of SSL (Secure Sockets Layer) and later TLS (Transport Layer Security) protocols. However, the revelations made by Edward Snowden shed light on the extent of passive monitoring and prompted the Internet Engineering Task Force (IETF) to declare pervasive monitoring as an attack, leading to the development of measures to counteract it.

Since then, the industry has worked persistently to encrypt metadata to prevent passive monitoring. First, the encryption of DNS queries, which reveal the websites a user visits, became possible. Later, Google advocated the deprecation of certificate revocation checking via Online Certificate Status Protocol (OCSP), which also exposed website names. Only two areas retained information of interest: the TLS handshake and the IP address.

TLS 1.3, released with the goal of reducing plaintext data transmission, introduced partial handshake encryption, concealing client and server certificates. Introducing full encryption into the TSL protocol is still an ongoing effort. In the TLS protocol, this data is transmitted via the Server Name Indication (SNI) extension, and the concept of Encrypted SNI (ESNI) was born. Subsequently, ESNI evolved into Encrypted Client Hello (ECH), which aimed to encrypt the entire handshake.

How does ECH work, and how is it incorporated into the TLS protocol? Encryption requires the establishment of encryption keys. However, a TLS handshake must occur to exchange those keys. In order to encrypt the server's identity before the handshake, encryption keys must be published in the DNS records. A client can then securly connect with the server to do the TLS handshake without exposing the domain name of the server. However, this still leaves the IP address unencrypted. The solution to this involves aggregating thousands and even millions of websites onto the same IP addresses. This approach effectively obscures the specific websites being visited, frustrating any attempts to monitor traffic with precision.

In terms of support, major web browsers are actively working to integrate ECH. Chrome and Firefox are making significant strides in this direction. Additionally, the DefO project is diligently updating OpenSSL to accommodate these advancements. While Cloudflare had initially announced support for ECH, they have temporarily postponed the implementation, with plans to release it later this year.

The adoption of ECH represents a significant step forward in bolstering the security and privacy of Internet users. As the web browser ecosystem aligns with these developments, users can look forward to a more secure and private online experience. With the collaborative efforts of industry leaders and organizations, the era of passive monitoring and unencrypted network traffic is gradually coming to an end, bringing us closer to a more secure and private Internet landscape.

Originally posted on Mon Nov 6, 2023