Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,662 of 2,445    |
|    Mike Powell to All    |
|    Is a new privacy protocol    |
|    21 Aug 25 08:36:55    |
TZUTC: -0500
MSGID: 1396.consprcy@1:2320/105 2d0c5c6b
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Is a new privacy protocol helping malicious actors more than Internet users?

Date:
Thu, 21 Aug 2025 08:48:45 +0000

Description:
Malicious sites are already taking advantage of the security blindspot to gain a foothold among sites using ECH.

FULL STORY
======================================================================

Encrypted Client Hello (ECH) is a security protocol designed to increase user privacy by encrypting the content exchanged between clients and servers when they are establishing a connection. Increased user privacy: what's not to like?

Unfortunately, in the view of many enterprise security professionals, the increased privacy promised by ECH could simultaneously reduce their ability to detect and respond to threats. Widespread adoption of the security protocol would severely curtail the ability of enterprises to identify and block connections to malicious domains.

Late last year, our team at Corrata noticed an uptick in detections of an ECH domain. The numbers were small (low thousands among hundreds of millions of domain scans) but nonetheless intriguing. Did this herald the primetime arrival of ECH? Would widely-used security tools soon be blind to large swaths of internet traffic?

We recently studied billions of connections to web servers made by enterprise employee mobile devices to answer these questions.

Here's what we found:

How ECH works

You've seen the padlock symbol and https designation in the address bar of your browser. Both are indications that the website you're visiting uses the Transport Layer Security (TLS) internet encryption standard, which protects communications between an endpoint device and a web server. The vast majority of internet traffic uses the TLS 1.3 standard; ECH was designed as an extension to that standard.

Without ECH, a client will reveal the domain of the website it's attempting to visit before the encrypted connection is established. This means that any entity that can see the user's internet traffic (such as mobile operators, Internet Service Providers (ISPs), enterprise security teams and bad actors) can see their destination, even when the user and the server take precautions to avoid this.

ECH encrypts the entire Client Hello message (the first message sent by a client in a TLS handshake) so that only the gateway to the intended server, which holds the corresponding private key, can decrypt this inner message and complete the handshake securely. Network observers can no longer see which specific domain a user is trying to access.

Why does that matter?

Important cybersecurity tools like Secure Web Gateways and Next Generation Firewalls rely on that visibility to detect and block access to content that could represent a threat, such as phishing or malware download sites. Beyond security teams, ISPs have a commercial interest in understanding how their subscribers use the internet, and governments want to be able to passively monitor and potentially restrict access to illegal, malicious, or unacceptable content.

The visibility is particularly important for banks and other heavily regulated industries that are often required to monitor their incoming and outgoing internet traffic. As it stands, these organizations can decrypt traffic selectively without looking at sensitive data like employee PII or health records. But if ECH blocks filtering tools, banks will have to decrypt all internet traffic in order to remain compliant with regulations, degrading user privacy in the process.

ECH adoption is low, but risks remain for enterprises and users

Our analysis of the adoption and impact of ECH for enterprise users brought good news and bad news. Although overall adoption is very low (more than 9% of the top 1 million domains are ECH-enabled, but less than .01% of TLS connections used the protocol), malicious actors are already taking advantage of the anonymity the protocol provides: 17% of all ECH-enabled sites are risky. Chrome users with encrypted DNS enabled are most at risk.

You might wonder if such a small portion of internet traffic matters. If less than one-tenth of one percent of internet connections are using ECH, should enterprise security teams even worry about the protocol's potential risks?

The short answer is yes.

To work, ECH requires traffic to flow through a content delivery network (CDN) that supports the protocol. Cloudflare is currently the only CDN that supports ECH, and the company has played an important role in driving ECH adoption. (Notably, Apple's iOS does not support ECH.)

We found that over 90% of phishing detections use Cloudflare infrastructure. In addition to the ECH anonymity, these sites take advantage of other Cloudflare features. For example, the captcha page can direct desktop traffic to a legitimate site while mobile traffic is sent to a fake one.

We should expect ECH to grow in popularity over time, because there are opportunities and incentives for both the server side and client side to drive adoption. On the client side, Safari could support the standard or Chrome could enable encrypted DNS by default.

Server side

On the server side, you would need to see wholesale migration to Cloudflare (unlikely) or default support from other CDNs. It's worth noting that ECH adoption is a positive for the CDNs. The complexity of implementation means more websites will opt to use CDN services, and the CDNs would become the only infrastructure players with widespread visibility of internet traffic.

For now, security teams can breathe a sigh of relief because the community's fears that enterprise internet traffic would go dark are not yet being realized. But it would be irresponsible to expect this to continue long-term, given the significant market opportunities that ECH adoption offers for the CDN industry. The threat posed by the protocol must be taken seriously.

Tracking ECH and its cloak of secrecy is no longer optional for enterprise security teams. Our data shows that while the potential certainly exists for ECH to become a thorn in the side of defenders, this is the time to prepare rather than panic.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
https://www.techradar.com/news/submit-your-story-to-techradar-pro

======================================================================
Link to news story:
https://www.techradar.com/pro/is-a-new-privacy-protocol-helping-malicious-actors-more-than-internet-users

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
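
The visibility change the article describes, seen from a network sensor, as an added example that is not part of the original message or article: a parser that reads the cleartext server name from a TLS ClientHello and reports whether the encrypted_client_hello extension is present. The extension type 0xfe0d comes from the ECH specification; the host names, the `classify` helper and the sample messages are constructed for illustration.

```python
import struct

SNI, ECH = 0x0000, 0xFE0D  # TLS extension types: server_name, encrypted_client_hello

def vec(n, body):
    """Prefix body with its length as an n-byte big-endian integer."""
    return len(body).to_bytes(n, "big") + body

def build_client_hello(sni, with_ech):
    """Constructed sample ClientHello (handshake layer), not a real capture."""
    exts = struct.pack("!H", SNI) + vec(2, vec(2, b"\x00" + vec(2, sni.encode())))
    if with_ech:  # placeholder bytes stand in for the encrypted inner hello
        exts += struct.pack("!H", ECH) + vec(2, b"\x00" * 32)
    body = (b"\x03\x03" + b"\x00" * 32 + vec(1, b"") + vec(2, b"\x13\x01")
            + vec(1, b"\x00") + vec(2, exts))
    return b"\x01" + vec(3, body)

def inspect_client_hello(msg):
    """Return (cleartext_sni, ech_present) as a passive observer would see them."""
    try:
        if msg[0] != 0x01:
            raise ValueError("not a ClientHello")
        pos = 4 + 2 + 32                                    # header, version, random
        pos += 1 + msg[pos]                                 # session_id
        pos += 2 + int.from_bytes(msg[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + msg[pos]                                 # compression_methods
        ext_end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
        pos += 2
        if ext_end > len(msg):
            raise ValueError("truncated extensions")
        sni, ech = None, False
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", msg[pos:pos + 4])
            data = msg[pos + 4:pos + 4 + elen]
            if etype == SNI and len(data) >= 5:
                nlen = int.from_bytes(data[3:5], "big")  # after list len, name type
                sni = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == ECH:
                ech = True
            pos += 4 + elen
        return sni, ech
    except IndexError:
        raise ValueError("truncated ClientHello") from None

def classify(msg, blocklist):
    sni, ech = inspect_client_hello(msg)
    if ech:
        return "ech-opaque"  # visible SNI is only the provider's public name
    return "block" if sni in blocklist else "allow"
```

Clients may also send a dummy (GREASE) ECH extension, so the flag marks a connection for review rather than proving that an inner name is hidden.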
(c) 1994, bbs@darkrealms.ca