Issue / Fault definition
What is it?
Encrypted Client Hello (ECH) is an extension to TLS 1.3, currently being standardised, that aims to improve end-to-end privacy when browsing the web. It does this by encrypting the part of the TLS handshake called Server Name Indication (SNI), which is currently sent in plain text and discloses the hostname the client is connecting to.
Server Name Indication (SNI) data is commonly used by content filters to identify and filter web traffic and to match indicators of compromise. Once it is encrypted, TLS traffic will be able to bypass content filtering devices that rely on SNI data, because those devices will no longer be able to determine where the traffic is going.
It will not impact clients that have a Forward Proxy explicitly configured.
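To make the filtering problem concrete, the following is an added example (not code from the original page or from any vendor named here). It builds constructed ClientHello records, extracts the SNI the way an SNI-based filter would, and detects the presence of the ECH extension. The ECH extension code point 0xfe0d is taken from the draft specification and is an assumption here, as is the hypothetical blocklist; with ECH present, the visible SNI is only the outer public name, so the filter cannot make a decision about the real destination.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello, draft code point (assumption)


def build_client_hello(sni: Optional[str], ech_payload: Optional[bytes] = None) -> bytes:
    """Build a minimal, constructed TLS ClientHello record for testing a filter."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name(0), length, name
        body = struct.pack("!H", len(sn_list)) + sn_list
        exts += struct.pack("!HH", SNI_EXT, len(body)) + body
    if ech_payload is not None:
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"              # legacy_version = TLS 1.2
        + b"\x00" * 32           # random (constructed, all zeros)
        + b"\x00"                # legacy_session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record: handshake, legacy version


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': hostname or None, 'ech': bool} from a TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == SNI_EXT:
            # ServerNameList: 2-byte list length, then entries of type(1) + len(2) + name
            lp = 2
            while lp + 3 <= len(data):
                ntype = data[lp]
                nlen = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                if ntype == 0:
                    result["sni"] = data[lp + 3:lp + 3 + nlen].decode("ascii", "replace")
                lp += 3 + nlen
        elif etype == ECH_EXT:
            result["ech"] = True
    return result


def filter_decision(record: bytes, blocklist: set) -> str:
    """SNI-based filter: 'block', 'allow', or 'ech-opaque' when the real hostname is hidden."""
    info = parse_client_hello(record)
    if info["ech"]:
        # Only the outer (public) name is visible; the inner ClientHello carrying the
        # true destination is encrypted, so an SNI filter cannot decide on it.
        return "ech-opaque"
    if info["sni"] in blocklist:
        return "block"
    return "allow"


if __name__ == "__main__":
    blocklist = {"blocked.example"}                      # hypothetical blocklist
    print(filter_decision(build_client_hello("blocked.example"), blocklist))          # block
    print(filter_decision(build_client_hello("ok.example"), blocklist))               # allow
    print(filter_decision(build_client_hello("public.example", b"\x00" * 16), blocklist))  # ech-opaque
```

In the ECH case the parser still finds an SNI, but it is the client-facing server's public name rather than the site the user asked for; a filter that logs the `ech-opaque` outcome can at least measure how much traffic has become invisible to it, which is useful when deciding whether to move clients to an explicit forward proxy.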
When is it being released?
Google is planning to begin experimenting with its implementation of ECH for a small portion of its users, beginning with Chrome version 104 at the earliest. The stable release of this is currently expected on July 28 2022. They are unlikely to trial this on enterprise/school customers.
Will this affect other Chromium-based browsers (e.g. Microsoft Edge)?
The functionality will be included in the upstream Chromium code base and will be available for other browser vendors to include in their products. If you are using a browser based on Chromium, we suggest that you reach out to the browser vendor to ask about their timelines for implementing ECH and the steps you should take to disable it in their product.
Known Fixes / Solutions
- Configure clients to use an explicit forward proxy
- Disable ECH within the client’s browser settings
Google will be implementing a group policy setting in Google Chrome to allow IT administrators to disable ECH and allow their web filtering to continue to work as expected.
Details on how you can disable ECH can be found here