Encrypted Client Hello (ECH) is a security protocol designed to increase user privacy by encrypting the content exchanged between clients and servers when they are establishing a connection. Increased user privacy — what’s not to like?
Unfortunately, in the view of many enterprise security professionals, the increased privacy promised by ECH could simultaneously reduce their ability to detect and respond to threats. Widespread adoption of the security protocol would severely curtail the ability of enterprises to identify and block connections to malicious domains.
Late last year, our team at Corrata noticed an uptick in detections of an ECH domain. The numbers were small — low thousands among hundreds of millions of domain scans — but nonetheless intriguing. Did this herald the primetime arrival of ECH? Would widely-used security tools soon be blind to large swaths of internet traffic?
We recently studied billions of connections to web servers made by enterprise employee mobile devices to answer these questions. Here’s what we found:
Co-founder and CEO of Corrata.
How ECH works
You’ve seen the padlock symbol and https designation in the address bar of your browser. Both are indications that the website you’re visiting uses the Transport Layer Security (TLS) internet encryption standard, which protects communications between an endpoint device and a web server. The vast majority of internet traffic uses the TLS 1.3 standard — ECH was designed as an extension to that standard.
Without ECH, a client will reveal the domain of the website it’s attempting to visit before the encrypted connection is established. This means that any entity that can see the user’s internet traffic — such as mobile operators, Internet Service Providers (ISPs), enterprise security teams and bad actors — can see their destination, even when the user and the server take precautions to avoid this.
ECH encrypts the real Client Hello message (the first message sent by a client in a TLS handshake) and carries it as an inner message inside an outer Client Hello, so that only the gateway fronting the intended server, which holds the corresponding private key, can decrypt the inner message and complete the handshake securely. Network observers can no longer see which specific domain a user is trying to access.
Why does that matter?
Important cybersecurity tools like Secure Web Gateways and Next Generation Firewalls rely on that visibility to detect and block access to content that could represent a threat, such as phishing or malware download sites. Beyond security teams, ISPs have a commercial interest in understanding how their subscribers use the internet, and governments want to be able to passively monitor and potentially restrict access to illegal, malicious, or unacceptable content.
The visibility is particularly important for banks and other heavily regulated industries that are often required to monitor their incoming and outgoing internet traffic. As it stands, these organizations can decrypt traffic selectively without looking at sensitive data like employee PII or health records. But if ECH blocks filtering tools, banks will have to decrypt all internet traffic in order to remain compliant with regulations — degrading user privacy in the process.
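The following added example (not part of the original article or Corrata's tooling) shows in code what the two sections above describe: a filtering device that parses a TLS ClientHello sees the destination host in the cleartext server_name (SNI) extension, but when an encrypted_client_hello extension (code point 0xfe0d) is present the SNI only names the CDN's client-facing front and the real destination is inside an opaque payload. The ClientHello records, the host names and the ECH payload bytes are constructed sample data; the parser handles a single TLS record and ignores every extension other than SNI and ECH.

```python
"""Inspect a TLS 1.3 ClientHello the way a network observer would.

Without ECH the server_name (SNI) extension carries the destination host in
cleartext.  With ECH the outer ClientHello carries only the public
client-facing name plus an encrypted_client_hello extension whose payload
hides the real destination.  The parser reports what an observer can see.
"""
import struct

SNI_EXT = 0x0000
ECH_EXT = 0xFE0D  # encrypted_client_hello extension code point


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(host: str) -> bytes:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions: bytes) -> bytes:
    """Wrap extensions in a minimal, constructed TLS record carrying a ClientHello."""
    body = (
        b"\x03\x03"                 # legacy_version
        + b"\x11" * 32              # random (constant here: this is sample data)
        + b"\x00"                   # legacy_session_id: empty
        + b"\x00\x02\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # legacy_compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str | None, 'ech': bool} for a single-record ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2 + cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == SNI_EXT and len(data) >= 5 and data[2] == 0:
            (name_len,) = struct.unpack("!H", data[3:5])
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == ECH_EXT:
            result["ech"] = True
    return result


def classify(record: bytes) -> str:
    """What a filtering device can act on: the real host, or only the ECH front."""
    info = parse_client_hello(record)
    if info["ech"]:
        return f"ECH: destination hidden; outer SNI is {info['sni']!r}"
    return f"plain: destination is {info['sni']!r}"


# Constructed samples: a plain ClientHello for one host, and an ECH outer
# ClientHello whose SNI names the client-facing front and carries an opaque
# encrypted_client_hello payload (filler bytes standing in for the ciphertext).
PLAIN = build_client_hello(sni_extension("example.com"))
ECH_OUTER = build_client_hello(
    sni_extension("ech-front.example") + _ext(ECH_EXT, b"\x00" + b"\xaa" * 40)
)

if __name__ == "__main__":
    print(classify(PLAIN))
    print(classify(ECH_OUTER))
```

The second sample is exactly the situation the article describes: the device can still see that the connection goes to the CDN front and that ECH is in use, so "ECH present" is itself a usable signal for logging or policy, but the domain-level allow/block decision no longer has a domain to act on.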
ECH adoption is low, but risks remain for enterprises and users
Our analysis of the adoption and impact of ECH for enterprise users brought good news and bad news. Although overall adoption is very low (more than 9% of the top 1 million domains are ECH-enabled, but less than 0.01% of TLS connections used the protocol), malicious actors are already taking advantage of the anonymity the protocol provides: 17% of all ECH-enabled sites are risky. Chrome users with encrypted DNS enabled are most at risk.
You might wonder if such a small portion of internet traffic matters. If less than one-tenth of one percent of internet connections are using ECH, should enterprise security teams even worry about the protocol’s potential risks?
The short answer is yes.
To work, ECH requires traffic to flow through a content delivery network (CDN) that supports the protocol. Cloudflare is currently the only CDN that supports ECH, and the company has played an important role in driving ECH adoption. (Notably, Apple’s iOS does not support ECH.)
We found that over 90% of phishing detections use Cloudflare infrastructure. In addition to the ECH anonymity, these sites take advantage of other Cloudflare features. For example, the “captcha” page can direct desktop traffic to a legitimate site while mobile traffic is sent to a fake one.
We should expect ECH to grow in popularity over time, because there are opportunities and incentives for both the server side and client side to drive adoption. On the client side, Safari could support the standard or Chrome could enable encrypted DNS by default.
Server side
On the server side, you would need to see wholesale migration to Cloudflare (unlikely) or default support from other CDNs. It’s worth noting that ECH adoption is a positive for the CDNs. The complexity of implementation means more websites will opt to use CDN services — and the CDNs would become the only infrastructure players with widespread visibility of internet traffic.
For now, security teams can breathe a sigh of relief because the community’s fears that enterprise internet traffic would go dark are not yet being realized. But it would be irresponsible to expect this to continue long-term, given the significant market opportunities that ECH adoption offers for the CDN industry. The threat posed by the protocol must be taken seriously.
Tracking ECH and its cloak of secrecy is no longer optional for enterprise security teams. Our data shows that while the potential certainly exists for ECH to become a thorn in the side of defenders, this is the time to prepare rather than panic.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro