
 Message 1662 
 Mike Powell to All 
 Is a new privacy protocol 
 21 Aug 25 08:36:55 
 
TZUTC: -0500
MSGID: 1396.consprcy@1:2320/105 2d0c5c6b
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Is a new privacy protocol helping malicious actors more than Internet users?

Date:
Thu, 21 Aug 2025 08:48:45 +0000

Description:
Malicious sites are already taking advantage of the security blindspot to 
gain a foothold among sites using ECH.

FULL STORY
======================================================================

Encrypted Client Hello (ECH) is a security protocol designed to increase user
privacy by encrypting the content exchanged between clients and servers when
they are establishing a connection. Increased user privacy: what's not to
like?

Unfortunately, in the view of many enterprise security professionals, the
increased privacy promised by ECH could simultaneously reduce their ability 
to detect and respond to threats. Widespread adoption of the security 
protocol would severely curtail the ability of enterprises to identify and
block connections to malicious domains. 

Late last year, our team at Corrata noticed an uptick in detections of an ECH
domain. The numbers were small (low thousands among hundreds of millions of
domain scans) but nonetheless intriguing. Did this herald the primetime
arrival of ECH? Would widely-used security tools soon be blind to large 
swaths of internet traffic? 

We recently studied billions of connections to web servers made by enterprise
employee mobile devices to answer these questions.

Here's what we found:

How ECH works

You've seen the padlock symbol and https designation in the address bar of
your browser. Both are indications that the website you're visiting uses the
Transport Layer Security (TLS) internet encryption standard, which protects
communications between an endpoint device and a web server. The vast majority
of internet traffic uses the TLS 1.3 standard; ECH was designed as an
extension to that standard.

Without ECH, a client will reveal the domain of the website it's attempting to
visit before the encrypted connection is established. This means that any
entity that can see the user's internet traffic, such as mobile operators,
Internet Service Providers (ISPs), enterprise security teams and bad actors,
can see their destination, even when the user and the server take precautions
to avoid this.

ECH encrypts the entire Client Hello message (the first message sent by a
client in a TLS handshake) so that only the gateway to the intended server,
which holds the corresponding private key, can decrypt this inner message and
complete the handshake securely. Network observers can no longer see which
specific domain a user is trying to access.

Why does that matter? 

Important cybersecurity tools like Secure Web Gateways and Next Generation
Firewalls rely on that visibility to detect and block access to content that
could represent a threat, such as phishing or malware download sites. Beyond
security teams, ISPs have a commercial interest in understanding how their
subscribers use the internet, and governments want to be able to passively
monitor and potentially restrict access to illegal, malicious, or 
unacceptable content. 

The visibility is particularly important for banks and other heavily 
regulated industries that are often required to monitor their incoming and
outgoing internet traffic. As it stands, these organizations can decrypt
traffic selectively without looking at sensitive data like employee PII or
health records. But if ECH blocks filtering tools, banks will have to decrypt
all internet traffic in order to remain compliant with regulations, degrading
user privacy in the process.

ECH adoption is low, but risks remain for enterprises and users

Our analysis of the adoption and impact of ECH for enterprise users brought
good news and bad news. Although overall adoption is very low (more than 9% 
of the top 1 million domains are ECH-enabled, but less than .01% of TLS
connections used the protocol), malicious actors are already taking advantage
of the anonymity the protocol provides: 17% of all ECH-enabled sites are
risky. Chrome users with encrypted DNS enabled are most at risk. 

You might wonder if such a small portion of internet traffic matters. If less
than one-tenth of one percent of internet connections are using ECH, should
enterprise security teams even worry about the protocol's potential risks?

The short answer is yes. 

To work, ECH requires traffic to flow through a content delivery network (CDN)
that supports the protocol. Cloudflare is currently the only CDN that
supports ECH, and the company has played an important role in driving ECH
adoption. (Notably, Apple's iOS does not support ECH.)

We found that over 90% of phishing detections use Cloudflare infrastructure.
In addition to the ECH anonymity, these sites take advantage of other
Cloudflare features. For example, the captcha page can direct desktop traffic
to a legitimate site while mobile traffic is sent to a fake one. 

We should expect ECH to grow in popularity over time, because there are
opportunities and incentives for both the server side and client side to 
drive adoption. On the client side, Safari could support the standard or
Chrome could enable encrypted DNS by default.

Server side 

On the server side, you would need to see wholesale migration to Cloudflare
(unlikely) or default support from other CDNs. It's worth noting that ECH
adoption is a positive for the CDNs. The complexity of implementation means
more websites will opt to use CDN services, and the CDNs would become the
only infrastructure players with widespread visibility of internet traffic.

For now, security teams can breathe a sigh of relief because the community's
fears that enterprise internet traffic would go dark are not yet being
realized. But it would be irresponsible to expect this to continue long-term,
given the significant market opportunities that ECH adoption offers for the
CDN industry. The threat posed by the protocol must be taken seriously. 

Tracking ECH and its cloak of secrecy is no longer optional for enterprise
security teams. Our data shows that while the potential certainly exists for
ECH to become a thorn in the side of defenders, this is the time to prepare
rather than panic. 

This article was produced as part of TechRadarPro's Expert Insights channel
where we feature the best and brightest minds in the technology industry
today. The views expressed here are those of the author and are not
necessarily those of TechRadarPro or Future plc. If you are interested in
contributing find out more here:
https://www.techradar.com/news/submit-your-story-to-techradar-pro

======================================================================
Link to news story:
https://www.techradar.com/pro/is-a-new-privacy-protocol-helping-malicious-actors-more-than-internet-users

--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
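The article's point about visibility can be made concrete by looking at what an on-path observer actually gets from a ClientHello: without ECH the real server name is in the plaintext SNI extension; with ECH the observer sees only the CDN's public (outer) name plus the presence of the ECH extension. The following is an added, self-contained Python example (not from the article, Corrata or the BBS post) that builds two constructed ClientHello records and extracts exactly those two facts, which is the basis on which a Secure Web Gateway can at least log or flag ECH usage even though it can no longer see the inner domain. The builder and the sample names are constructed test data; the ECH codepoint 0xFE0D is the one used by the deployed ECH drafts.

```python
import struct

SNI_EXT = 0x0000
ECH_EXT = 0xFE0D  # encrypted_client_hello codepoint used by deployed ECH drafts

def build_client_hello(sni, ech_payload=None):
    """Construct a minimal TLS 1.3-style ClientHello record (constructed test data)."""
    name = sni.encode()
    # server_name list: list_len(2) name_type(1)=host_name name_len(2) name
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ech_payload is not None:  # opaque ECH blob; observer cannot read it
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x11" * 32            # legacy_version + random
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record header

def inspect_client_hello(rec):
    """Return what a passive observer sees: the visible SNI and whether ECH is present."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                     # header, version, random
    p += 1 + hs[p]                                     # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher_suites
    p += 1 + hs[p]                                     # compression_methods
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    result = {"sni": None, "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype == SNI_EXT and len(data) >= 5:
            nlen = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + nlen].decode("ascii", "replace")
        elif etype == ECH_EXT:
            result["ech"] = True
    return result

# Constructed samples: a plain ClientHello, and one carrying ECH where only a
# public outer name (here a made-up CDN name) is visible to the observer.
PLAIN = build_client_hello("example.com")
WITH_ECH = build_client_hello("cloudflare-ech.com", ech_payload=b"\x00" * 16)
```

For the ECH record the observer can see that ECH is in use and which CDN front is being contacted, but the domain the user actually requested is inside the encrypted payload, which is exactly the filtering gap the article describes.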
