Handshake Encryption: Endgame (an ECH update)
Cloudflare has begun its initial deployment of TLS Encrypted ClientHello (ECH), an extension designed to protect sensitive metadata exchanged during connection establishment. ECH encrypts the ClientHello message, which carries parameters such as the server name, so that a network attacker observing the handshake cannot read it. The protocol is similar to DNS-over-HTTPS (DoH) but uses a closed set of authorized domains, which prevents domain fronting. By encrypting names in both DNS and TLS, ECH aims to improve connection privacy and security on the Internet while addressing a range of potential attack vectors. Cloudflare plans to expand the ECH deployment gradually, monitoring for connection failures and working with other stakeholders on a deployment model that preserves user privacy without hindering network functionality.
Company: Cloudflare
Date published: Oct. 12, 2021
Author(s): Christopher Wood, Christopher Patton
Word count: 2334
Hacker News points: 8
Language: English