Encrypted Client Hello – the last puzzle piece to privacy

Created on November 12, 2023 at 10:36 am

5 min read

Today we are excited to announce a contribution to improving privacy for everyone on the Internet. Encrypted Client Hello, a new proposed standard that prevents networks from snooping on which websites a user is visiting, is now available on all Cloudflare plans.

Encrypted Client Hello (ECH) is the successor to ESNI and masks the Server Name Indication (SNI) that is sent in the clear at the start of a TLS handshake. Whenever a user visits a website on Cloudflare that has ECH enabled, no one except the user, Cloudflare, and the website owner can determine which website was visited. Cloudflare is a big proponent of privacy for everyone and is excited about bringing this technology to life.

Browsing the Internet and your privacy

Whenever you visit a website, your browser sends a request to a web server, which responds with content, and the page starts loading. In the early days of the Internet this happened in 'plain text': your browser sent bits across the network that anyone on the path could read: the corporate network you were browsing from, the Internet Service Provider (ISP) that connects you, and every network the request traversed before reaching the web server hosting the site. Privacy advocates have long been concerned about how much could be seen in plain text: any network between you and the web server that can see your traffic can see exactly what you are doing. If you initiated a bank transfer, any intermediary could see the destination and the amount.

So how do we start making this data more private? To prevent eavesdropping, encryption was introduced in the form of SSL and later TLS. These protocols not only safeguard your privacy but also ensure that no intermediary can tamper with the content you view or upload. But encryption only goes so far.

While the actual content (which page on a site you are visiting and any data you upload) is encrypted and shielded from intermediaries, there are still ways to determine what a user is doing. The DNS request that resolves the website's IP address and the SNI are the two most common signals intermediaries use to track browsing.

Let's start with DNS. Whenever you visit a website, your operating system needs to know which IP address to connect to, and it learns that through a DNS request. DNS is unencrypted by default, so anyone on the path can see which website you are asking about. To help users shield these requests from intermediaries, Cloudflare introduced DNS over HTTPS (DoH) in 2019. In 2020 we went one step further with Oblivious DNS over HTTPS, which prevents even Cloudflare from seeing which websites a user is asking about.

That leaves the SNI as the last unencrypted field intermediaries can use to determine which website you are visiting. After the DNS query, one of the first things a browser does is perform a TLS handshake. The handshake negotiates which TLS version and cipher suite to use and which certificate will be presented to verify the web server's identity. As part of it, the browser indicates the name of the server (website) it intends to visit: the Server Name Indication.

Because the session is not yet encrypted at that point, and the server needs the name to pick the right certificate, the browser must transmit it in plain text. Sending the SNI in plaintext means any intermediary can see which website you are visiting simply by inspecting the first packet of the connection, the ClientHello.

So despite the efforts of TLS and DoH, which websites you visit still isn't truly private. Today we are adding the final missing piece of the puzzle with ECH. With ECH, the visible part of the browser's TLS handshake names a shared Cloudflare hostname rather than the customer's own hostname. Intermediaries can still see that you are visiting a website on Cloudflare, but they cannot determine which one.

How does ECH work?

To explain how ECH works, it helps to first understand how a TLS handshake is performed. A TLS handshake starts with a ClientHello message, in which the client states which cipher suites and TLS version it supports and, most importantly, which server it is trying to reach (the SNI).

With ECH, the ClientHello is split in two: an outer ClientHello sent in the clear, and an inner ClientHello that is encrypted and carried inside the outer one as an extension. The outer part contains the non-sensitive information such as the supported cipher suites and TLS version, plus an "outer SNI". The encrypted inner part contains the "inner SNI".

The outer SNI is a common name that, in our case, only reveals that a user is visiting an ECH-protected website on Cloudflare. We chose cloudflare-ech.com as the outer SNI that all websites on Cloudflare will share. Because Cloudflare controls that domain, we hold the certificates needed to negotiate a TLS handshake for that server name.

The inner SNI contains the actual server name the user is trying to visit. It is encrypted to a public key that Cloudflare publishes for the site (the browser fetches it from the site's DNS HTTPS record, which is one more reason the DNS lookup itself should be encrypted), so only Cloudflare can read it. Once the handshake completes, the web page loads as normal, just like any other website served over TLS.

In practice, an intermediary trying to establish which website you are visiting sees ordinary TLS handshakes with one difference: whenever you visit an ECH-enabled website on Cloudflare, the server name looks the same. Every such handshake appears to be for cloudflare-ech.com rather than the actual website. That is the last puzzle piece in keeping intermediaries from learning which websites a user is visiting.
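The inner/outer split described above, and the on-path view from the "first packet" paragraph, as an added Python example that is not Cloudflare's code: it builds a minimal ClientHello with and without an ECH extension, then parses it the way a passive middlebox would and the way the ECH-terminating server would. The HPKE encryption used by real ECH is replaced by a toy HMAC-SHA256 keystream under a constructed key, and the hostname example-shop.com is made up; only the wire layout, the extension code points (server_name 0x0000, encrypted_client_hello 0xfe0d) and the cloudflare-ech.com outer name are real.

```python
"""Toy model of the ClientHello inner/outer split and of what a passive
observer sees.  Added example for this post, not Cloudflare's code.
Real ECH encrypts the inner ClientHello with HPKE to the key in the
site's ECHConfig; here a constructed key drives an HMAC-SHA256 keystream
as a stand-in, so only the wire layout and the observer's view are real."""
import hashlib
import hmac
import struct

EXT_SERVER_NAME = 0x0000          # server_name extension (RFC 6066)
EXT_ECH = 0xFE0D                  # encrypted_client_hello extension code point
OUTER_SNI = "cloudflare-ech.com"  # shared outer name from the post


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    """server_name extension: a ServerNameList with one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    return _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def client_hello(extensions, client_random=b"\x11" * 32):
    """Minimal ClientHello wrapped in handshake and record headers."""
    body = (b"\x03\x03" + client_random + b"\x00"   # legacy_version, random, empty session_id
            + b"\x00\x02\x13\x01"                    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def toy_encrypt(key, data):
    """XOR with an HMAC-SHA256 counter keystream.  Stand-in for HPKE only;
    it is symmetric, so the same call decrypts.  Not for real use."""
    stream = b"".join(hmac.new(key, b"ech-toy" + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def ech_client_hello(inner_hostname, ech_key):
    """Outer ClientHello naming OUTER_SNI, carrying the encrypted inner
    ClientHello (with the real name) in the ECH extension."""
    inner = client_hello(sni_extension(inner_hostname))
    outer_exts = sni_extension(OUTER_SNI) + _ext(EXT_ECH, toy_encrypt(ech_key, inner))
    return client_hello(outer_exts)


def parse_extensions(record):
    """Walk a ClientHello record and return {extension_type: data}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]                  # skip record (5) and handshake (4) headers
    pos = 2 + 32                       # legacy_version + random
    pos += 1 + body[pos]               # session_id
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + n                       # cipher_suites
    pos += 1 + body[pos]               # compression_methods
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end, exts = pos + n, {}
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def sni_from(exts):
    data = exts.get(EXT_SERVER_NAME)
    if data is None:
        return None
    (name_len,) = struct.unpack("!H", data[3:5])   # list_len(2) name_type(1) name_len(2)
    return data[5:5 + name_len].decode()


def middlebox_view(record):
    """What a passive on-path observer learns from the first packet."""
    exts = parse_extensions(record)
    return {"sni": sni_from(exts), "ech": EXT_ECH in exts}


def server_view(record, ech_key):
    """What the ECH-terminating server learns: the inner SNI when ECH is
    present, otherwise the plaintext SNI."""
    exts = parse_extensions(record)
    if EXT_ECH not in exts:
        return sni_from(exts)
    return sni_from(parse_extensions(toy_encrypt(ech_key, exts[EXT_ECH])))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed ECHConfig key, not a real one").digest()
    plain = client_hello(sni_extension("example-shop.com"))   # hostname is made up
    ech = ech_client_hello("example-shop.com", key)
    print("no ECH, observer sees:  ", middlebox_view(plain))
    print("ECH, observer sees:     ", middlebox_view(ech))
    print("ECH, Cloudflare learns: ", server_view(ech, key))
```

The point the two views make: the observer's parser is exactly the one a DPI box or a SIEM TLS decoder runs, and on an ECH connection it still succeeds, but the only name it recovers is cloudflare-ech.com plus the fact that an ECH extension is present. The real name is only visible after decryption with the key from the site's ECHConfig.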

For the full details of how ECH works under the hood, see our introductory blog post.

The future of privacy

We're excited about what this means for privacy on the Internet. Browsers such as Google Chrome and Firefox are already ramping up support for ECH. If you run a website and care about users being able to visit it without any intermediary seeing what they are doing, enable ECH today on Cloudflare. We've already enabled ECH for all free zones. If you're an existing paying customer, head over to the Cloudflare dashboard and apply for the feature. We'll be enabling it for everyone who signs up over the coming few weeks.

Over time, we hope others will follow in our footsteps, leading to a more private Internet for everyone. The more providers that offer ECH, the harder it becomes for anyone to listen in on what users are doing on the Internet. Heck, we might even solve privacy for good.

If you're looking for more information on ECH, how it works and how to enable it, head over to our developer documentation on ECH.
