Encrypted Client Hello (ECH) in Censorship Circumvention

Authors: Niklas Niere (Paderborn University), Felix Lange (Paderborn University), Nico Heitmann (Paderborn University), Juraj Somorovsky (Paderborn University)

Year: 2025
Issue: 2
Pages: 64–73


Abstract: Censors have long blocked Transport Layer Security (TLS) traffic by inspecting the domain name in the unencrypted Server Name Indication (SNI) extension. By encrypting the SNI extension, Encrypted ClientHello (ECH) prevents censors from blocking TLS traffic to specific domains. Despite this promising outlook, ECH's current capability to counter TLS censorship is unclear; for instance, Russia has started to censor ECH connections successfully. This paper clarifies ECH's current role in TLS censorship. To this end, we evaluate servers' support for ECH as well as censors' analysis and subsequent blocking of it. We identify Cloudflare as the only major provider supporting ECH. Additionally, we confirm previously known ECH censorship in Russia and uncover indirect censorship of ECH through encrypted DNS censorship in China and Iran. Our findings suggest that ECH's contribution to censorship circumvention is currently limited: we consider ECH's dependence on encrypted DNS especially challenging for ECH's ability to circumvent censorship. We stress the importance of censorship-resistant ECH to solve the long-known problem of SNI-based TLS censorship.
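The abstract describes two censor strategies: matching the plaintext SNI against a blocklist, and (as in Russia) blocking any ClientHello that carries the ECH extension at all. The following script is an added example, not code from the paper or its authors. It constructs two minimal TLS 1.3 ClientHello records, one with a plaintext SNI and one with an ECH extension and a public outer SNI, and runs a censor-style inspector over both. The hostnames, the zeroed random, and the opaque ECH payload are constructed for the example; the extension code point 0xfe0d and the ServerName layout follow the TLS and ECH draft specifications.

```python
"""Censor-side ClientHello inspection: plaintext SNI versus ECH.

Added example, not part of the paper. All hostnames, the 32-byte random
and the ECH extension payload are constructed; a real ECH extension
carries an ECHClientHello structure, but detection needs only its type.
"""
import struct

EXT_SERVER_NAME = 0x0000   # server_name (RFC 6066)
EXT_ECH = 0xFE0D           # encrypted_client_hello (draft-ietf-tls-esni)


def _sni_ext(host: bytes) -> bytes:
    """Build a server_name extension: list length, name_type 0, host length, host."""
    name = b"\x00" + struct.pack("!H", len(host)) + host
    lst = struct.pack("!H", len(name)) + name
    return struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst


def _ech_ext(payload: bytes) -> bytes:
    """Wrap an (opaque, constructed) payload as the ECH extension."""
    return struct.pack("!HH", EXT_ECH, len(payload)) + payload


def build_client_hello(extensions: bytes) -> bytes:
    """Wrap extensions in a TLS record carrying a minimal TLS 1.3 ClientHello."""
    body = (
        b"\x03\x03" + bytes(32)              # legacy_version, random (zeros, constructed)
        + b"\x00"                            # legacy_session_id: empty
        + b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                        # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def inspect_client_hello(record: bytes) -> dict:
    """Return what a DPI box sees: the plaintext SNI (if any) and whether ECH is present."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record containing a ClientHello")
    p = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    p += 1 + record[p]                      # legacy_session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + cs_len                         # cipher_suites
    p += 1 + record[p]                      # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    sni, ech = None, False
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        data = record[p:p + elen]
        p += elen
        if etype == EXT_SERVER_NAME:
            q = 2                           # skip ServerNameList length
            while q < len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:              # host_name
                    sni = data[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        elif etype == EXT_ECH:
            ech = True
    return {"sni": sni, "ech": ech}


def censor_decision(view: dict, blocklist: set, block_ech: bool) -> str:
    """SNI blocklist policy, optionally extended with 'block anything carrying ECH'."""
    if block_ech and view["ech"]:
        return "BLOCK: ECH extension present"
    if view["sni"] in blocklist:
        return f"BLOCK: SNI {view['sni']!r} listed"
    return "ALLOW"


def demo() -> dict:
    """Run both ClientHellos through an SNI-only censor and an ECH-blocking censor."""
    blocklist = {"blocked.example"}                       # constructed
    plain = build_client_hello(_sni_ext(b"blocked.example"))
    # With ECH the real name lives in the encrypted inner ClientHello; the outer
    # SNI is the provider's public name (assumed here) and the censor sees only that.
    ech = build_client_hello(_sni_ext(b"public.example") + _ech_ext(bytes(64)))
    return {
        "plain_view": inspect_client_hello(plain),
        "ech_view": inspect_client_hello(ech),
        "plain_sni_censor": censor_decision(inspect_client_hello(plain), blocklist, False),
        "ech_sni_censor": censor_decision(inspect_client_hello(ech), blocklist, False),
        "ech_ech_censor": censor_decision(inspect_client_hello(ech), blocklist, True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third decision is the one the abstract attributes to Russia: because the ECH extension has a fixed code point and the outer SNI is a shared public name, a censor does not need to break the encryption to block ECH, it only needs to drop every ClientHello that carries the extension. The indirect censorship in China and Iran sits one step earlier and is not modelled here: the client obtains the ECHConfig from the server's HTTPS DNS record, so blocking encrypted DNS leaves the client without a config and it falls back to a plaintext SNI, which the first policy then catches.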

Copyright in FOCI articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.