Encrypted Client Hello Explained

When you visit a website, your web browser and the website need to “shake hands” to agree on how to keep your communication private. This handshake is done using a technology called TLS (Transport Layer Security). A part of this handshake involves your browser saying, “Hi, I’m here! Here’s the list of things I support,” and this message is called the “Client Hello.”

The Client Hello includes some information about the website you’re trying to visit, like its name. Normally, this information isn’t hidden, which means others can see which website you’re trying to access, even if the rest of your communication is secure. This visibility can be a problem for privacy but is one of the ways a web filter can do its job.

What is Encrypted Client Hello (ECH)?

Encrypted Client Hello (ECH) is a new way to make this handshake even more private. It has been in development within the security industry for a few years and it has still not been officially finalised. This means that things can still change between now and when the standard is fully agreed upon.

The goal of ECH is to ensure greater degrees of privacy and security across the Internet. This is great news for ordinary Internet users; however, it makes legitimate safeguarding within Education much more of a challenge.

With ECH, the “Client Hello” message is encrypted, so no one else can see which website you’re trying to visit, not even someone monitoring your network.

How Could ECH Affect Web Filters?

Web filters are tools used in schools to block access to inappropriate websites and adhere to KCSiE and DfE guidance. Some of these filters work by looking at the “Client Hello” message to see which website you’re trying to visit. If they see a blocked website name, they can stop you from accessing it.

When ECH is used, the “Client Hello” message is encrypted. This means that the web filter can’t see the website name anymore. If the filter is not performing SSL/TLS decryption (a method to look inside secure communications) and the web browser uses ECH, the web filter might:

  1. Not Accurately Report Web Activity: The filter won’t know which website you’re trying to access and therefore reporting of web activity might not be accurate.
  2. Not Block Some Websites: The filter won’t know which websites you’re trying to access and might let inappropriate or harmful content through.
  3. Block Everything: To avoid letting blocked sites through, the filter might block all websites it cannot understand, which could be very inconvenient.
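As an added illustration (not code from the original page), the Python below parses a TLS ClientHello record the way a filter inspecting the handshake would: it extracts the clear-text server name (SNI) and flags whether the encrypted_client_hello extension (codepoint 0xfe0d) is present. The ClientHello bytes are constructed inline by a helper and the hostnames are placeholders. Note that when ECH is in use the server name that stays visible is only the provider's public name, so a filter should stop trusting the SNI as soon as it sees the ECH extension.

```python
import struct

SNI_EXT = 0x0000
ECH_EXT = 0xFE0D  # encrypted_client_hello extension (draft-ietf-tls-esni)

def build_client_hello(sni=None, ech_payload=None):
    """Construct a minimal ClientHello record; constructed test input only."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(lst)) + lst
    if ech_payload is not None:                                 # opaque ECH blob
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record):
    """Return what a filter can learn without decryption: the clear-text SNI
    (or None) and whether an ECH extension is present."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                   # skip headers, version, random
    pos += 1 + record[pos]                             # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                             # compression methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(record):
        return result                                  # no extensions block at all
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:
            nlen = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == ECH_EXT:
            result["ech"] = True                       # visible SNI is only the public name
        pos += 4 + elen
    return result
```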

What Can Be Done?

As a Schools Broadband customer, you are protected by either Netsweeper or FortiGuard web filtering. The good news is that both systems support SSL/TLS decryption, which means that generally you are still protected.

We are also deploying new DNS servers that will remove the ability for some devices to request ECH: a browser only attempts ECH when it finds the site’s ECH key in DNS, so a resolver that withholds that record prevents ECH from being used. This is more relevant to unmanaged devices or BYOD devices. We expect these to be configured and installed by February 2025 at the very latest.

To ensure that you are as protected from this change as possible, there are a few things that we would recommend double checking and changing:

  1. Are you decrypting? Do you have the Schools Broadband decryption certificate installed on all managed devices and do you require BYOD users to install the same certificate to decrypt web browsing requests?

  2. Use Schools Broadband DNS Server: Ensure you are using the Schools Broadband DNS servers only (85.92.188.226 & 85.92.168.104).

  3. Disable ECH in browser settings: You can currently prevent ECH directly within the web browser, and we recommend doing this on all managed devices. Common guides on how to do this can be found here.

In Conclusion

ECH makes online activities more private by hiding the websites you visit, but it creates challenges for web filters and safeguarding duties that rely on seeing this information. It’s important to balance privacy with the need for effective web filtering, and in Education we recommend disabling the use of ECH wherever possible on school-managed devices. Doing this, in conjunction with the services that Education ISPs like ourselves provide, will ensure students continue to be protected.

On BYOD and unmanaged devices, this becomes more difficult as you are unable to make any fundamental changes to the device’s settings. Our new DNS server implementation early next year will allow us to strip a device’s request to enable ECH on unmanaged devices. This will help customers who have large BYOD/unmanaged estates and don’t currently use decryption with these devices.

Schools should therefore assess the risk that this new privacy technology poses against the school’s safeguarding duties for users of these BYOD and unmanaged devices.

As Encrypted Client Hello is still a new technology, we are continuing to monitor this within the industry and will update this page where needed.
