ECH protocol in browser

Chrome continues to evolve its security mechanisms, and one of the latest technologies to gain attention is the Encrypted Client Hello (ECH). This protocol, formerly known as ESNI (Encrypted Server Name Indication), aims to enhance privacy when establishing HTTPS connections.

Why is ECH needed?

When a TLS connection (TLS being the main protocol for providing secure connections on the Internet) is established, the browser's Client Hello message includes the Server Name Indication (SNI) extension. It contains the name of the domain to which the request is going and is transmitted in clear text, which allows outsiders (for example, ISPs) to see which site the user is connecting to, even if the connection itself is encrypted. This is how traffic to YouTube can be singled out and slowed down.

ECH solves this problem by encrypting not only the contents of the connection, but also the Client Hello message itself, which includes SNI. This makes it difficult to monitor traffic and helps protect user privacy online.

How does ECH work?

The ECH protocol adds an additional encryption step early in the TLS setup. When a browser supports ECH, it uses the public key provided by the server via DNS to encrypt its “Client Hello”. The server that receives this request can decrypt it using its private key and continue establishing a secure connection, keeping the SNI hidden from prying eyes.

If the server does not support ECH, the browser can fall back to default behavior by sending SNI in the clear, as it currently does.

How to enable ECH in Chrome

  1. Go to Settings.

  2. Select the “Privacy and security” section on the left.

  3. Click on Security.

  4. Make sure the “Use secure DNS” option is enabled.

  5. In the Select DNS provider drop-down menu, use any preset option.

  6. Check that it works, for example on this site: https://rbpdtdbxxovqvwsl.1tw.live.

Keep in mind that for ECH to work fully, the server must support the protocol as well as the browser, and the DNS record with the public key must be configured correctly.
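The DNS record with the public key is an HTTPS record whose `ech` parameter holds a base64-encoded ECHConfigList. The following is an added example, not code from the original article: it parses such a value and rejects malformed input, and the sample record, the name `public.example` and the dummy key in `build_sample()` are constructed for illustration.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version codepoint in the ECH specification

def take(buf, off, n):
    """Return n bytes at off and the new offset; reject truncated input."""
    if off + n > len(buf):
        raise ValueError("truncated ECHConfigList")
    return buf[off:off + n], off + n

def take_vec(buf, off, len_bytes):
    """Read a TLS vector: big-endian length prefix, then that many bytes."""
    raw, off = take(buf, off, len_bytes)
    return take(buf, off, int.from_bytes(raw, "big"))

def parse_ech_config_list(b64):
    """Decode a base64 `ech` value into one dict per supported ECHConfig."""
    data = base64.b64decode(b64, validate=True)
    body, end = take_vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, off = [], 0
    while off < len(body):
        ver, off = take(body, off, 2)
        c, off = take_vec(body, off, 2)
        if int.from_bytes(ver, "big") != ECH_VERSION:
            continue  # unknown versions are skipped using their length field
        config_id, kem_id = struct.unpack("!BH", take(c, 0, 3)[0])
        public_key, p = take_vec(c, 3, 2)
        suites, p = take_vec(c, p, 2)
        public_name, p = take_vec(c, p + 1, 1)  # p + 1 skips maximum_name_length
        _extensions, p = take_vec(c, p, 2)
        if p != len(c) or len(suites) % 4 or not public_key:
            raise ValueError("malformed ECHConfig contents")
        suite_list = [struct.unpack("!HH", suites[i:i + 4]) for i in range(0, len(suites), 4)]
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "public_name": public_name.decode("ascii"), "suites": suite_list})
    return configs

def build_sample():
    """Constructed sample: one ECHConfig with a dummy key, not a real site's record."""
    name = b"public.example"  # assumed client-facing name
    contents = (struct.pack("!BH", 7, 0x0020)             # config_id, kem_id (X25519)
                + struct.pack("!H", 32) + b"\xaa" * 32    # dummy 32-byte public key
                + struct.pack("!HHH", 4, 0x0001, 0x0001)  # one (kdf_id, aead_id) suite
                + bytes([0, len(name)]) + name + b"\x00\x00")  # max len, name, no extensions
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return base64.b64encode(struct.pack("!H", len(config)) + config).decode()
```

To inspect a real site, pass the `ech=` value from the output of a DNS lookup for the domain's HTTPS record to `parse_ech_config_list()`.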

You can check which sites support ECH here.
