 The latest internet protocol that privacy advocates are getting really excited for is encrypted client hello. This new protocol is seen as the successor to encrypted server name indication which faced some deployment issues and it ultimately provided incomplete protection against someone listening in on the wire like an ISP or a nation state from figuring out what websites you were ultimately going to. Now to really grasp the importance of ECH I think it's good to go over a little bit of history at least for those who don't know about it about how the web was developed. So going back to 1997 when HTTP 1.1 was introduced not HTTPS that would come later HTTP 1.1 it provided a very important new feature and that was the HTTP host header and this made it possible so that people who had websites and other services on the internet which was basically everyone in every company back then okay remember this was the middle of the dot-com boom all of these different websites so not literally all of them but many different websites could run on a single server with a single IP address. This was the final part of the Band-Aid solution to the IP problem really the IPv4 problem because IPv6 would have also solved the problem and it still could solve the issue of running out of IP addresses because there's more IPv6 addresses than there are grains of sand but even though IPv6 was drafted back in 1998 it still isn't used that much outside of mobile networks and nobody really seems to want to bother with the learning how it works. So the host header HTTP host header slowed IP exhaustion for the people that were creating websites and that slowed the exhaustion for end users wanting to get on the internet and it helped create the world that we have today we're almost 30 years after its ratification most of us still don't need to anything about how IPv6 works. Now let's talk about encryption again at this point we're still sending all of our web traffic in the clear so people listening on the wire can see everything that you're doing on the internet or worse yet they can perform a man in the middle attack on your traffic which means that they can alter the data that you're sending in real time I mean imagine you send a message to your bank saying a transfer $200 to your mother but instead you end up transferring $20,000 to some Nigerian Prince not a good way to start your day so in the year 2000 HTTPS was formally specified by RFC and then over time browsers like Chrome and Firefox started putting these scary messages in your browser if you visited a non-HTPS site and thus this pushed just about everyone into using HTTPS on their site and lets encrypt software also makes it really easy to create and renew HTTPS certificates on your website so there's really no reason to not use HTTPS in current year but one issue that HTTPS never resolved was encrypting the server name indication remember that host header that I talked about earlier the only way that that communication works when you have different websites on a single IP address is you have to save the name of the website that you want to connect to in the clear so think of it like you're delivering a pizza to an apartment building you get to the front desk and you got to tell the security person there the name of the person who ordered the pizza to get it delivered to the customer so even with HTTPS your ISP or anyone who's listening on the wire can see what websites you go to they can't see what specific pages you're viewing basically everything after the dot-com forward slash is encrypted and they can't see what you type into forums and whatnot so usernames and passwords those are also encrypted but just this view of being able to see what website you go to alone could be a major privacy concern especially when it's combined with other information that can be inferred about the connection like let's say you go to a website that's owned by Chuck and you spend a few hours there on the website and several gigabytes of encrypted data are sent over the wire back to you and then you close down your browser for the night or maybe you then log in to some no-fap forum or visit a no-fap forum I might not know exactly what you did there during that session on Chuck's site but of course I know what you did and I'm going to find a way to monetize what you did like telling you to click here to see hot singles in your area so eavesdroppers you know they can also determine the application layer protocol negotiation extension or ALPM which can then tell them what kind of connection that you're making you know is it email is it HTTP is it SSH etc. Now of course VPNs are an option to potentially mitigate this eavesdropping that people can do but the VPN is still able to see all the same data that your ISP can or potentially more because if you use VPN with your cellular connection and your home internet connection like they typically tell you to the VPN provider is access to all that data whereas without the VPN that data might be split between two completely different companies furthermore with VPNs we're talking about a service that is oftentimes owned by some shady overseas holding company that is also heavily invested into online ads themselves and they also pay influencers to spread straight-up lies about VPNs like oh it's going to encrypt your hecking traffic from hackers with cool guy VPN when the reality is your connection was already encrypted with the exception of the sni and the alpn ever since HTTPS became mainstream which is like two decades in now or at least a decade in and there isn't much that hackers can do with that data anyway as long as you're using an HTTPS connection so now we finally have encrypted client hello this was first introduced in firefox version 118 and it encrypts the full tls 1.3 handshake that modern browsers and modern HTTPS uses and cloud flare has a pretty good illustration of how this works on their blog which i recommend reading this if you're interested in a deeper explanation of how and why this stuff came about mozilla's blog also has good coverage of this so just like with ESNI, ECH uses a public key that is distributed via DNS using DNS over HTTPS that the DNS connection is also encrypted you know that's of course another way that you can potentially eavesdrop on people with unencrypted DNS connections um and ideally you're also going to be using oblivious DNS over HTTPS since you know allegedly cloud flare themselves can't even see your connection or any information about your connection and so looking at the illustration here the client hello is now split into two parts so we have the client hello outer which contains nonsensitive information such as what ciphers are going to be used the tls version and also this thing called the outer sni which would be a common name like cloud flare ech.com at least for websites that are using their cdn service and then after this you can see that you know using their key here that everything else is encrypted the key share the alpn the inner sni which is the actual name of the website that you wanted to visit so this is really great especially as more privacy friendly DNS over HTTPS providers are rolled out like I could totally understand not wanting to use google's 8.8.8.8 or cloud flares 1.1.1.1 for this even though like cloud flare says that they can't snoop on your communications when you use oblivious DNS over HTTPS but you know cloud flare I don't know how much I'd be willing to trust that so this is overall a really really good thing for end users but it comes with a cost and that is ECH and cryptocline hello and DOH DNS over HTTPS really suck for network administrators okay so let's say that you are in charge of an enterprise network and one of your tasks is to make sure that employees are not visiting chucks websites when they're on the clock because that lowers productivity okay now normally you would block traffic you know filter or all kinds of different methods but it's really difficult to see the application layer stuff to do any of that like you would in a non ECH connection because you know when when ECH is in place it's kind of difficult for you to figure out where people are actually going and same thing if there's malware within the enterprise that's making ECH connections to a command and control server that also becomes much more difficult to look into what's going on with that connection and actually identify it as malware and you know ECH has to work this way because the whole point of ECH is to prevent companies from selling your data you know your sni data your alpn data other metadata associated with your connection same thing with nation states right it's to prevent them from locking you up or lowering your social lowering your social credit score for visiting certain websites that are deemed naughty within that nation state but things like parental controls in the browser don't really work well with ECH enabled this is actually one of the things that was mentioned on a mozilla's blog you know encrypted client hello frequently asked questions how does ECH impact parental controls if parental controls are applied we just disable that ECH encryption in order to avoid interfering with the parental controls because again if if you're trying to put parental controls at least at the browser level on your kid's device or I guess really at any level in a way you're being their network administrator now there's other ways that you could do it like you could probably block it at the device level but you know in the browser it's not compatible with ECH so it'll be really interesting to see how the industry responds to this because there's million dollar pieces of network equipment that would have their filtering defeated by this and like that's part of the reason why their this equipment is so expensive because it's able to do the filtering so quickly in traffic shaping and stuff like that so quickly and I really don't see enterprises or especially nation states just shrugging their shoulders and going oh well ECH is here we can't do anything now we're just going to let all of our fancy network equipment collect some dust I highly suspect what we're going to start seeing are more efforts to block things on the client side like with France's SREN bill SREN bill or with a government or a corporation encouraging or even installing by default on users devices a trusted root certificate which remember that's something that Russia launched last year when like you know big tech and like the rest of the internet was canceling them for invading Ukraine and they're like oh yeah here's our here's this new trusted root certificate that's going to let you know you the Russian people access the internet but I mean come on come on obviously there's some there's some extra things put in there to allow the Russian government to spy on people and the government of Kazakhstan also did this more overtly back in 2015 which you know as the name implies allowed that government to not only eavesdrop but to man in the middle all of their citizens communications all of Kazakhstan's internet is man in the middle which is far worse than what we currently have where if you're in one of these prox or if you're in one of these countries you can use proxies you can use VPNs you can use Tor or other mixed net mixed nets to bypass that government censorship all of those technologies would be defeated by a root certificate that is installed on the clients devices now I am in favor of VCH I like it I'm using it myself right now in Firefox but there are drawbacks that I just wanted to you know draw people's attention to both for network admins who legitimately need to filter traffic and for end users in countries without free speech laws who might just straight up backdoor people's computers to try and maintain their authority over the people if you enjoyed this video please like it and share it to hack the algorithm and purchase my merch on based dot when where you can automatically save 10 percent at checkout whenever you pay using Monero XMR have a great rest of your day