How to disable Chromium Encrypted Client Hello (ECH) Implementation

Chromium Encrypted Client Hello

Issue / Fault definition

What is it?

Encrypted Client Hello (ECH) is an extension to TL1.3 that is currently being standardised for release that aims to improve end-to-end privacy when browsing the web. It will do this by encrypting a part of the TLS handshake called Server Name Indication (SNI) that is currently sent in plain text and discloses the hostname the client is connecting to.

Server Name Indication (SNI) data is commonly used by content filters to identify and filter web traffic or indicators of compromise. Once it is encrypted, it will allow TLS traffic to bypass content filtering devices that rely on SNI data as they won’t be able to determine where the traffic is going.

It will not impact clients that have a Forward Proxy explicitly configured.

When is it being released?

Google is planning to begin experimenting with its implementation of ECH for a small portion of its users, beginning with Chrome version 104 at the earliest. The stable release of this is currently expected on July 28 2022. They are unlikely to trial this on enterprise/school customers.

Impact

Will this affect other Chromium-based browsers (ie Microsoft Edge)?

The functionality will be included in the upstream Chromium code base and be available for different browser vendors to include this functionality in their products. If you are using a browser-based on Chromium, we suggest that you reach out to the browser vendor to ask about their timelines for implementing ECH and the steps that you should take to disable it in their product.

Known Fixes / Solutions

  1. Configure clients to use either an explicit forward proxy
  2. Disable ECH within the client’s browser settings

Google will be implementing a group policy setting in Google Chrome to allow IT, administrators, to disable ECH and allow their web filtering to continue to work as expected.

They have not yet released details about this policy but have confirmed that they will provide further details via the Chrome Enterprise Releases Notes when the release is ready. These can be found here. They do not currently contain the details but will be updated when the experimental functionality is released.

If you found this article helpful, would you consider buying me a Coffee?

Leave a Reply

Your email address will not be published.