Encrypted Client Hello (ECH)

What is Encrypted Client Hello?

From Mozilla:

ECH is a new TLS extension that also protects the identity of the websites we’re visiting – filling the privacy gap in our existing online security infrastructure.

Usually, when a browser connects to a site, it transmits the site’s name in its unencrypted initial message, allowing network operators or observers on the network to monitor the websites visited by each user.

ECH uses a public key fetched over the Domain Name System (DNS) to encrypt the first message between a browser and a website, protecting the name of the visited website from prying eyes and dramatically improving user privacy.

Encrypted Client Hello (ECH) - FAQ:

From Cloudflare:

Encrypted Client Hello (ECH) is a successor to ESNI and masks the Server Name Indication (SNI) that is used to negotiate a TLS handshake. This means that whenever a user visits a website on Cloudflare that has ECH enabled, no one except for the user, Cloudflare, and the website owner will be able to determine which website was visited.

Already tried ESNI in the past before it was phased out by firefox. Was reading up on ECH, looks helpful for restrictive networks. May test it out.


Looks good, but afaik you can enforce which dns the network uses? You just reroute all outgoing requests on port 53 to your chosen dns? Unless you use some vpn or something, but at that point ech seams kind of useless.

Yes! All DoH servers, whether locally hosted or via provided by online services, can be used to fetch ECH records.

ECH relies on DoH for its functionality, as it encrypts the initial connection to a website by leveraging the encryption keys provided by DNS over HTTPS. Therefore, to use ECH in Firefox, you must also have DoH enabled.

At the moment i don’t know if DoH is still needed in firefox to use ECH, if my whole network already uses DoH running on OpenWRT. May have to test it out.

Unless you use some vpn or something, but at that point ech seams kind of useless.

Depends on your threat model.

From FAQ:

Yes, in fact, combining ECH with a VPN can provide an extra layer of privacy and security. To use ECH with a VPN, the DNS over HTTPS protection level should be Configure DNS over HTTPS protection levels in Firefox to Increased or Max Protection mode. This is because Default Protection mode uses the VPN provider’s DNS rather than DoH in order to ensure traffic is correctly routed. Please note that where VPNs are used in a corporate or self-hosted environment to connect to resources not available on the public internet, changing the DNS protection level may make those private resources unavailable in Firefox.