Encrypted Client Hello (ECH) is a TLS extension designed to improve the privacy of TLS connections. It encrypts the ClientHello message, the first message a client sends to a server during the TLS handshake.
Traditionally, the ClientHello is sent in the clear and carries metadata such as the Server Name Indication (SNI), which reveals the client's intended destination before the handshake has established encryption. This exposure is a privacy weakness: any network observer on the path can infer which websites or services a user is trying to reach. ECH addresses this by encrypting the ClientHello, so that third parties can no longer read the target server name from the handshake.
ECH builds on TLS and on encrypted DNS, specifically DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT): the client obtains the server's ECH configuration through DNS, and that lookup should itself be encrypted so that the DNS query does not reveal the destination that the encrypted ClientHello is hiding.
ECH creates challenges for content filtering solutions, particularly those that rely on inline network inspection. Because the SNI is carried inside the encrypted ClientHello, inline filters can no longer read destination hostnames from the handshake in real time.
Inline content filtering solutions commonly deployed in corporate and educational networks depend on packet inspection to monitor and control traffic. With ECH encrypting the SNI, these solutions cannot see the requested domain in the TLS handshake. For filters that relied on SNI visibility as a way to enforce domain-based policy without decrypting traffic, inline filtering therefore becomes far less effective.
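The following is an added example, not CleanBrowsing code, showing concretely what an inline filter can and cannot read from a ClientHello. It constructs sample ClientHello records (not captured traffic), parses the SNI extension (type 0) and checks for the encrypted_client_hello extension (codepoint 0xfe0d). With ECH, the visible SNI in the outer ClientHello carries only a public name for the client-facing server, so an SNI-based policy cannot determine the real destination; the `BLOCKLIST` and hostnames below are constructed for the demonstration.

```python
"""Added example (not CleanBrowsing code): what an inline filter can and cannot
read from a TLS ClientHello. Parses the SNI extension (type 0) and flags the
encrypted_client_hello extension (type 0xfe0d). ClientHello bytes are constructed
here as sample input, not taken from a real capture."""
import struct
from typing import Optional

SNI_EXT = 0x0000    # server_name extension
ECH_EXT = 0xFE0D    # encrypted_client_hello extension codepoint


def build_client_hello(server_name: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Build one TLS record carrying a ClientHello (constructed sample)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name (0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if ech_payload is not None:                                    # opaque ECH bytes, constructed
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"                                  # legacy_version (TLS 1.2)
        + bytes(32)                                  # random (zeros in this sample)
        + b"\x00"                                    # session_id: empty
        + b"\x00\x02\x13\x01"                        # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str | None, 'ech': bool} for a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # skip legacy_version and random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                                         # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT and len(data) >= 5:
            lpos = 2                                          # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:                                # host_name entry
                    result["sni"] = data[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                lpos += 3 + nlen
        elif etype == ECH_EXT:
            result["ech"] = True
    return result


BLOCKLIST = {"blocked.example"}   # constructed policy for the demonstration


def inline_filter_decision(record: bytes, blocklist=BLOCKLIST) -> str:
    """Policy an SNI-based inline filter could apply. When ECH is present the visible
    SNI is only the outer (public) name, so the real destination is unknown."""
    info = parse_client_hello(record)
    if info["ech"]:
        return "unknown-ech"
    return "block" if info["sni"] in blocklist else "allow"


if __name__ == "__main__":
    plain = build_client_hello("blocked.example")
    ech = build_client_hello("public.example", ech_payload=b"\x00" * 16)  # constructed ECH bytes
    print(parse_client_hello(plain), inline_filter_decision(plain))
    print(parse_client_hello(ech), inline_filter_decision(ech))
```

The parser deliberately does not attempt to interpret the ECH extension body: even a complete implementation could only recover the inner ClientHello with the server's private ECH key, which is exactly the point of the design from the filter's perspective.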
DNS-based content filtering is only minimally affected by ECH. Because ECH encrypts the ClientHello in the TLS handshake and leaves the DNS query unchanged, DNS filtering solutions like CleanBrowsing can continue to intercept and answer DNS queries for filtering purposes, provided DNS traffic remains unencrypted or is routed through the filtering provider.
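To make the previous point concrete, here is an added example (not CleanBrowsing's own code) of a DNS-level filter that sees the queried name regardless of whether the client will later use ECH. It parses the question section of a DNS message in RFC 1035 wire format, extracts the name and record type, and applies a label-aware suffix blocklist; the `HTTPS` record type (65) is included because that is the record clients query to fetch ECH configurations. The queries and the `BLOCKLIST` are constructed sample data.

```python
"""Added example (not CleanBrowsing code): a DNS-level filter still sees the
queried name because ECH does not change the DNS query. Parses the question
section of a DNS message (RFC 1035 wire format) and applies a label-aware
suffix blocklist. Query bytes are constructed here as sample input."""
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA", 65: "HTTPS"}   # HTTPS records carry ECH configs


def encode_name(name: str) -> bytes:
    """Encode a hostname as a sequence of DNS labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed DNS query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def parse_question(msg: bytes) -> tuple:
    """Return (qname, qtype) from the single question of a DNS query message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000:
        raise ValueError("message is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        ln = msg[pos]
        if ln == 0:
            pos += 1
            break
        if ln & 0xC0:                      # compression pointers do not occur in a query name
            raise ValueError("compression pointer not valid in question name")
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    if pos + 4 > len(msg):
        raise ValueError("truncated question trailer")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype


def suffix_match(qname: str, blocklist) -> bool:
    """True if qname equals or is a subdomain of a blocked name. The match is
    label-aware, so 'notblocked.example' does not match 'blocked.example'."""
    return any(qname == b or qname.endswith("." + b) for b in blocklist)


BLOCKLIST = {"blocked.example"}   # constructed policy for the demonstration


def dns_filter_decision(msg: bytes, blocklist=BLOCKLIST) -> dict:
    """Classify one DNS query as the filtering resolver would see it."""
    qname, qtype = parse_question(msg)
    return {
        "qname": qname,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "action": "block" if suffix_match(qname, blocklist) else "allow",
    }


if __name__ == "__main__":
    for q in (build_query("www.blocked.example", 65), build_query("notblocked.example", 1)):
        print(dns_filter_decision(q))
```

Note the precondition stated in the text: this logic only runs if the query actually reaches the filtering resolver in a form it can read, which is what the discussion of DoH and DoT below is about.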
Combining ECH with encrypted DNS protocols such as DoH and DoT does create significant challenges for DNS-based content filtering. Encrypted DNS channels bypass network-level DNS filtering, because the queries between the client and the DNS server are encrypted and an inline network filter can no longer intercept, analyze, or modify them.
Networks may address this by blocking DoH and DoT traffic, or by routing all DNS traffic through a designated DNS provider so that filtering continues to apply.
While ECH advances user privacy by concealing sensitive metadata in the TLS handshake, it complicates content filtering solutions that depend on seeing that metadata. DNS-based filters like CleanBrowsing remain functional under ECH, though they must still account for encrypted DNS protocols such as DoH and DoT.