ECH hopes to remedy the interoperability and deployment challenges of its predecessor

Encrypted Client Hello: Upcoming Firefox 85 rollout builds momentum for ESNI successor

UPDATED Mozilla has announced plans to replace an earlier browser encryption technology with Encrypted Client Hello (ECH), staring with Firefox 85.

More specifically Draft 8 of ECH offers a successor to the similar, but less sophisticated Encrypted SNI (ESNI) technology, whose recently revealed shortcomings were deemed to make it unsuitable as a privacy technology.

“To address the shortcomings of ESNI, recent versions of the specification no longer encrypt only the SNI extension and instead encrypt an entire Client Hello message (thus the name change from ‘ESNI’ to ‘ECH’),” Mozilla explained in a blog post announcing its adoption of the technology.

You say goodbye…

Server Name Indication (SNI) is an extension to Transport Layer Security (TLS) protocol that allows multiple secure websites to be served on the same IP address. The technology transmits the domain name of the website you want to visit in plaintext.

ESNI masks a server’s name so that ISPs or WiFi hotspot providers can’t infer a user’s surfing habits.

However, analysis has shown that encrypting only the SNI extension provides incomplete privacy protection for web users.

For example, “during session resumption, the Pre-Shared Key extension could, legally, contain a cleartext copy of exactly the same server name that is encrypted by ESNI”, Mozilla explained.

In addition, real-world attempts to deploy ESNI have run afoul of interoperability and deployment challenges that mitigate against its widespread usage.

… I say hello

ECH is far more than just a renamed update to ESNI. For example, ECH also adds a retry mechanism to increase reliability with respect to server key rotation and DNS caching.

Put simply, ECH encrypts the full handshake so that sensitive metadata is kept secret.

Used in conjunction, both ECH and DNS-over-HTTPS are aimed at offering end-to-end user privacy.

Mozilla working with Cloudflare, are earlier adopter of the technology, and others on standardizing the Encrypted Client Hello specification at the Internet Engineering Task Force.

A blog post by Cloudflare provides a technical backgrounder on ECH.

In response to queries from The Daily Swig, Cloudflare said it is actively working on various aspects of the Encrypted Client Hello (ECH) project with Mozilla, including working on finishing the specification for ECH at the IETF.

Cloudflare’s head of research, Nick Sullivan, added that it was also “writing an implementation of the emerging standard in Go and contributing to an implementation in BoringSSL. We are working with Mozilla to validate our implementations,” he added.

The rollout of ECH by Cloudflare is set to gather momentum this year.

Sullivan explained that Cloudflare is “building support for ECH into Cloudflare's global network with an intent to enable support for ECH for Cloudflare customers in 2021.”

“This implementation is meant to be compatible with all browsers that plan on supporting ECH, including Firefox,” he added.

An update to Draft 9 of the protocol (which is targeted for wider interoperability testing and deployment) is forthcoming, according to Mozilla.

The Daily Swig also asked Mozilla to comment on how it was working together with CloudFlare as well as a line on challenges might arise when it comes to deploying ECH at scale. We’ll update this story as and when we hear more.

Firefox 85 is currently in beta and due for full rollout by the end of January.

This story was updated to add comment from Cloudflare's Nick Sullivan

RELATED Cloudflare rolls out encrypted SNI