Encrypted Client Hello faces barriers to adoption but malicious actors are already taking advantage of the anonymity the protocol provides, according to Living With ECH Report
Corrata, the leading mobile endpoint threat detection and response provider, published the Living With ECH Report. The first-of-its-kind report examines the impact of the Encrypted Client Hello (ECH), a new privacy protocol that information security professionals fear could make widely-used security tools blind to large swaths of internet traffic.
ECH is an extension to TLS 1.3, the most recent version of the Transport Layer Security standard used to secure the vast majority of internet communications. ECH proposes to enhance privacy by encrypting key information between devices and Content Delivery Networks (CDNs), preventing network providers from identifying the names of websites that individuals are looking to access. Information security professionals have raised concerns that its implementation may compromise the ability of enterprises to detect and counter cyber threats.
Cyber Technology Insights : Connection Achieves Full Suite of Microsoft Security Specializations
The inaugural report analyzed first-party platform data — billions of connections to web servers made by enterprise employee mobile devices — between January and March 2025. According to the research, more than 9% of the top 1 million domains are ECH-enabled, but less than .01% of TLS connections used the protocol. However, even though ECH is rarely relied upon in practice, malicious actors are taking advantage of the anonymity the protocol provides: 17% of the total ECH-enabled sites are risky. Chrome users with encrypted DNS enabled are most at risk.
Findings from the Living With ECH Report include:
ECH could degrade, not improve, privacy: Banks and other regulated entities are often required to monitor the internet traffic going into and out of their organization. To date, these enterprises have been able to selectively decrypt traffic without looking at sensitive data like employees’ health records. But with ECH blocking their filtering, enterprises would have little choice but to decrypt all internet traffic for inspection, drastically degrading employees’ privacy.
Cyber Technology Insights : Proofpoint Acquires Nuclei to Boost Communications Capture and Archiving
Cloudflare is driving ECH adoption: Cloudflare remains the sole tier-one CDN supporting ECH. Almost all of the sites that are ECH-enabled use Cloudflare infrastructure. Major website owners also seem to be wary of adopting the protocol, concerned that users might be blocked from accessing their services by enterprise security infrastructure or by public authorities. While ECH reduces the visibility of internet service providers (ISPs) and enterprise security teams, CDNs like Cloudfare can still access data under the protocol.
Malicious actors are taking advantage of Cloudflare: Over 90% of phishing detections use Cloudflare infrastructure, according to Corrata’s analysis. In addition to the anonymity provided by ECH, these sites take advantage of other Cloudflare features. For example, the “captcha” page can be used to direct desktop traffic to the legitimate site while mobile traffic is sent to the fake one. Alternatively, traffic not coming from the targeted country may be redirected to the legitimate site. These are deliberate tactics to avoid detection by security providers.
Barriers to widespread adoption are high: Widespread adoption of ECH would severely curtail the ability of enterprises to identify and block connections to malicious domains, but industry heavyweights who play different roles and have varied motivations must all support ECH before its use can become widespread. While 20% of devices are configured to use encrypted DNS and DNS resolvers which support ECH, the lack of support from browsers such as Safari and operating systems such as Android make such choices moot.
“The extremely low level of ECH adoption suggests that the security community’s fears that enterprise internet traffic would go dark are not yet being realized,” said Matthieu Bentot, CTO of Corrata. “While the potential certainly exists for ECH to become a thorn in the side of defenders, the early signs are that this is the time to prepare rather than panic.”
Cyber Technology Insights : 2025 Small Business Survey Shows Spike in AI
To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com
Source: prnewswire
