Menu
EN

Encrypted Client Hello didn't solve censorship, but still may have a role to play

In November 2024, Russia began blocking Cloudflare’s implementation of Encrypted Client Hello (ECH), a privacy-focused extension of the TLS protocol. “This technology is a means of circumventing restrictions on access to information banned in Russia. Its use violates Russian law and is restricted by the Technical Measure to Combat Threats (TSPU),” the statement by the Russian Internet regulator read.

Russia, known for its tight control over internet access, views ECH as a tool for bypassing geo-restrictions, though that was never its intended purpose. This move follows a broader pattern of censorship and surveillance. Over the past few years, Russia has been cracking down on VPNs, making it harder for users to circumvent government-imposed restrictions.

So, what exactly is ECH, and why is it being blocked in Russia? And, more importantly, could it face similar restrictions in other countries with limited internet freedoms? Last year, we gave a breakdown of what ECH is, along with its weak and strong points. Let’s quickly recap the key points.

ECH: look under the hood

Encrypted Client Hello (ECH) is a new protocol designed to enhance privacy during the initial handshake between your browser and a website’s server. Normally, when you visit a website, your browser sends an unencrypted “hello” message (called the Client Hello) to the server. This message includes information like the domain name of the website you’re trying to visit — known as the Server Name Indication (SNI). The problem is, without encryption, this information is visible to anyone who can see your internet traffic, such as your ISP, which means they can tell exactly which websites you're visiting (however, not what you’re doing on them).

ECH solves this problem by encrypting that initial message. Instead of the SNI, which can reveal the website’s name, ECH splits the message into two parts. The outer part contains a generic, non-sensitive server name (for example, cloudflare-ech.com), which is visible to anyone watching the traffic. The inner part, which contains the actual website you’re visiting, is encrypted. Only the client-facing server (like Cloudflare’s server) can decrypt this part and pass the request on to the correct website without anyone in the middle seeing the details.

In simple terms, ECH helps keep the websites you visit private, even at the start of the connection, making it harder for third parties to monitor your browsing activity. However, while ECH adds an extra layer of privacy, it’s not a complete solution on its own, especially for those looking to bypass censorship or ensure full anonymity online. In these cases, a VPN might still be your best option.

Unfulfilled hopes

While the proposed ECH protocol was never designed as a tool to bypass censorship or geo-blocking, some, for various reasons, hoped it could serve that purpose. But that’s not what ECH was built for. Its main goal was always to make the connection between your browser and the website server more secure. As Cloudflare put it at the time, ECH was meant to be “the last puzzle piece to privacy” — not in the sense of dodging restrictions, but in a purely technical sense of the word.

Before ECH, there was still one last unencrypted piece of data in the TLS protocol. TLS, or Transport Layer Security, is the standard encryption method that keeps data safe as it moves across the internet. Solving this — that is, figuring out how to encrypt that final piece of data — was a major engineering task. So, that was the mission and that mission was successfully accomplished, no more, no less.

There’s a big difference between designing a working method and making it work in the real world, though. That’s why, when Cloudflare first rolled out ECH in 2023, they had to roll it back due to some unspecified “issues.” In September 2024, Cloudflare announced it was restarting the ECH rollout, and it only took about a month for Russia’s internet regulator to block the feature.

First signs of blocking and glimpsing the future

Last year, we played devil’s advocate and suggested a few ways network operators could try to block ECH. One of those methods was a cruder approach, which is exactly what the Russian authorities have chosen. They’re blocking known client-facing servers, like cloudflare-ech.com, essentially forcing website owners to opt out of ECH if they want to avoid their sites being broken. The blocking occurs when both of the following elements are present in the connection request:

  • SNI extension with the value cloudflare-ech.com (which is a domain used to indicate the use of Cloudflare’s ECH service)
  • ECH extension itself (which encrypts part of the connection handshake to enhance privacy)

If both elements are detected, the connection is blocked. The Russian internet watchdog confirmed the blocking, saying that it was triggered by CloudFlare’s move to enable the use of Encrypted Client Hello (ECH) on its services by default.

While a more disruptive tactic would’ve been to block all ECH traffic globally, it seems the Russian regulator is focusing on blocking the specific combination of Cloudflare’s SNI extension and the ECH extension. This targeted approach doesn’t disrupt the whole protocol, just Cloudflare’s ECH implementation.

Russia isn’t the only country where internet access is restricted — China is also blocking ECH, but with a more flexible approach. And it may not stop there. There are quite a few nations that from time to time resort to blocking various services and mechanisms on the pretext of maintaining law and order. India, some European nations and countries in the Middle East are some of them. As ECH adoption grows, we can expect even more countries to start limiting it.

Let’s take it one step further and look at corporate networks. They already weren’t too happy about Encrypted DNS — a privacy-focused protocol that encrypts your DNS queries, which prevents third parties from snooping on the websites you’re trying to visit (and that we use in AdGuard DNS). And now with ECH, things could get even trickier in their eyes. After all, their main goal is to control the traffic that flows through their systems. It’s not that they’re being malicious — it’s just that companies focused on internet security need to have control over what’s happening on their networks. So, it’s likely they’ll take a page from some governments’ playbooks and start restricting ECH as well.

What’s next

All of the above does not mean that ECH is useless, and has no role to play in the internet infrastructure of tomorrow. On the contrary, it’s an essential part of it, and that’s why we have added ECH support in our Windows, Mac, and Android apps. It does have the potential to make browsing more private.

Despite some questionable technical decisions, ECH will improve privacy for many people. Along with Encrypted DNS, it will help reduce the visibility of what users are doing online, making it harder for third parties like ISPs and censors to track their activity. As with any privacy tool, it’s important to note that ECH is just one part of the equation.

Besides, for ECH to truly be a game-changer, it needs to be widely adopted — and that’s not something that will happen in the short term. It’s also worth noting that some users will be left out due to restrictions imposed by governments or corporate network administrators. On top of that, some websites might not enable ECH or may opt out altogether, in order to avoid breaking things for users who are subject to these restrictions.

At the end of the day, ECH is a good mechanism, but it’s not a silver bullet. It was never designed to, and won’t, guarantee your privacy. If you’re serious about privacy, it’s better to rely on more robust, tailored tools like a VPN.

Do you rely on ECH for privacy protection? Let us know your thoughts

Liked this post?
18,400 18400 user reviews
Excellent!

AdGuard for Windows

AdGuard for Windows is more than an ad blocker. It is a multipurpose tool that blocks ads, controls access to dangerous sites, speeds up page loading, and protects children from inappropriate content.
By downloading the program you accept the terms of the License agreement
Read more
18,400 18400 user reviews
Excellent!

AdGuard for Mac

AdGuard for Mac is a unique ad blocker designed with macOS in mind. In addition to protecting you from annoying ads in browsers and apps, it shields you from tracking, phishing, and fraud.
By downloading the program you accept the terms of the License agreement
Read more
18,400 18400 user reviews
Excellent!

AdGuard for Android

AdGuard for Android is a perfect solution for Android devices. Unlike most other ad blockers, AdGuard doesn't require root access and provides a wide range of app management options.
By downloading the program you accept the terms of the License agreement
Read more
18,400 18400 user reviews
Excellent!

AdGuard for iOS

The best iOS ad blocker for iPhone and iPad. AdGuard eliminates all kinds of ads in Safari, protects your privacy, and speeds up page loading. AdGuard for iOS ad-blocking technology ensures the highest quality filtering and allows you to use multiple filters at the same time
By downloading the program you accept the terms of the License agreement
Read more
18,400 18400 user reviews
Excellent!

AdGuard VPN

74 locations worldwide

Access to any content

Strong encryption

No-logging policy

Fastest connection

24/7 support

Try for free
By downloading the program you accept the terms of the License agreement
Read more
18,400 18400 user reviews
Excellent!

AdGuard Content Blocker

AdGuard Content Blocker will eliminate all kinds of ads in mobile browsers that support content blocker technology — namely, Samsung Internet and Yandex.Browser. While being more limited than AdGuard for Android, it is free, easy to install and still provides high ad blocking quality.
By downloading the program you accept the terms of the License agreement
Read more
18,400 18400 user reviews
Excellent!

AdGuard Browser Extension

AdGuard is the fastest and most lightweight ad blocking extension that effectively blocks all types of ads on all web pages! Choose AdGuard for the browser you use and get ad-free, fast and safe browsing.
18,400 18400 user reviews
Excellent!

AdGuard Assistant

A companion browser extension for AdGuard desktop apps. It offers an in-browser access to such features as custom element blocking, allowlisting a website or sending a report.
18,400 18400 user reviews
Excellent!

AdGuard DNS

AdGuard DNS is a foolproof way to block Internet ads that does not require installing any applications. It is easy to use, absolutely free, easily set up on any device, and provides you with minimal necessary functions to block ads, counters, malicious websites, and adult content.
18,400 18400 user reviews
Excellent!

AdGuard Home

AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that. With the rise of Internet-Of-Things and connected devices, it becomes more and more important to be able to control your whole network.
18,400 18400 user reviews
Excellent!

AdGuard Pro for iOS

AdGuard Pro has much to offer on top of the excellent iOS ad blocking in Safari already known to the users of the regular version. By providing access to custom DNS settings, the app allows you to block ads, protect your kids from adult content online, and safeguard your personal data from theft.
By downloading the program you accept the terms of the License agreement
Read more
18,400 18400 user reviews
Excellent!

AdGuard for Safari

Ad blocking extensions for Safari are having hard time since Apple started to force everyone to use the new SDK. AdGuard extension is supposed to bring back the high quality ad blocking back to Safari.
18,400 18400 user reviews
Excellent!

AdGuard Temp Mail

A free temporary email address generator that keeps you anonymous and protects your privacy. No spam in your main inbox!
18,400 18400 user reviews
Excellent!

AdGuard for Android TV

AdGuard for Android TV is the only app that blocks ads, guards your privacy, and acts as a firewall for your Smart TV. Get warnings about web threats, use secure DNS, and benefit from encrypted traffic. Relax and dive into your favorite shows with top-notch security and zero ads!
Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device