• Is a new privacy protocol

    From Mike Powell@1:2320/105 to All on Thu Aug 21 08:36:55 2025
    Is a new privacy protocol helping malicious actors more than Internet users?

    Date:
    Thu, 21 Aug 2025 08:48:45 +0000

    Description:
    Malicious sites are already taking advantage of the security blindspot to
    gain a foothold among sites using ECH.

    FULL STORY ======================================================================

    Encrypted Client Hello (ECH) is a security protocol designed to increase user privacy by encrypting the Client Hello, the first message a client sends to a server when establishing a TLS connection, so that the name of the site being requested is hidden from anyone watching the network. Increased user privacy: what's not to like?

    Unfortunately, in the view of many enterprise security professionals, the increased privacy promised by ECH could simultaneously reduce their ability
    to detect and respond to threats. Widespread adoption of the security
    protocol would severely curtail the ability of enterprises to identify and block connections to malicious domains.

    Late last year, our team at Corrata noticed an uptick in detections of an ECH domain. The numbers were small, low thousands among hundreds of millions of domain scans, but nonetheless intriguing. Did this herald the primetime arrival of ECH? Would widely-used security tools soon be blind to large swaths of internet traffic?

    We recently studied billions of connections to web servers made by enterprise employee mobile devices to answer these questions.

    Here's what we found:

    How ECH works

    You've seen the padlock symbol and https designation in the address bar of your browser. Both are indications that the website you're visiting uses the Transport Layer Security (TLS) internet encryption standard, which protects communications between an endpoint device and a web server. The vast majority of internet traffic uses the TLS 1.3 standard; ECH was designed as an extension to that standard.

    Without ECH, a client reveals the domain of the website it's attempting to visit before the encrypted connection is established: the hostname is sent in clear text in the Server Name Indication (SNI) field of the Client Hello. This means that any entity that can see the user's internet traffic, such as mobile operators, Internet Service Providers (ISPs), enterprise security teams and bad actors, can see their destination, even when the user and the server take other precautions, such as encrypted DNS, to avoid this.

    ECH encrypts the real Client Hello (the first message sent by a client in a TLS handshake), including its SNI, and carries it as an "inner" message inside an "outer" Client Hello whose visible SNI names only the client-facing server, typically a CDN. Only that server, which holds the corresponding private key, can decrypt the inner message and complete the handshake securely. Network observers can no longer see which specific domain a user is trying to access; they see only the CDN's public name.

    Why does that matter?

    Important cybersecurity tools like Secure Web Gateways and Next Generation Firewalls rely on that visibility to detect and block access to content that could represent a threat, such as phishing or malware download sites. Beyond security teams, ISPs have a commercial interest in understanding how their subscribers use the internet, and governments want to be able to passively monitor and potentially restrict access to illegal, malicious, or
    unacceptable content.
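    The two preceding passages describe what a network observer sees in a Client Hello with and without ECH, and why filtering tools depend on that field. The following is an added example, not code from the article or from Corrata: a minimal parser that extracts the SNI from a raw TLS ClientHello record and flags the ECH extension (codepoint 0xfe0d, the one deployed today), plus the policy decision a gateway would make on top of it. The sample records, the blocklist entry `login-verify-example.test` and the CDN public name `cdn-public.example` are constructed for the example; the ECH payload bytes are dummies of the right shape, not a real encrypted inner hello.

```python
import struct

SNI_EXT = 0x0000   # server_name extension
ECH_EXT = 0xFE0D   # encrypted_client_hello extension (codepoint used by current deployments)

def build_client_hello(sni, ech_payload=None):
    """Constructed test input: a minimal TLS 1.3-style ClientHello record."""
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_data = struct.pack("!H", len(sni_list)) + sni_list            # ServerNameList
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ech_payload is not None:                                       # outer ECH extension
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32)            # legacy_version, random
            + b"\x00"                          # empty legacy_session_id
            + b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body            # handshake type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record header

def parse_client_hello(record):
    """Return (sni, has_ech) for a raw TLS record; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    p = 2 + 32                                            # skip legacy_version and random
    p += 1 + body[p]                                      # legacy_session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]        # cipher_suites
    p += 1 + body[p]                                      # compression_methods
    ext_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end = p + ext_len
    sni, has_ech = None, False
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        data = body[p:p + elen]
        p += elen
        if etype == SNI_EXT:
            # ServerNameList: uint16 list length, then entries of type(1) length(2) name
            q = 2
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    sni = data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        elif etype == ECH_EXT:
            has_ech = True
    return sni, has_ech

BLOCKLIST = {"login-verify-example.test"}   # constructed for the example

def classify(record):
    """The decision a gateway can make from the clear-text Client Hello alone.
    With ECH present, the visible SNI is only the CDN's public name, so a
    blocklist match on it says nothing about the real destination."""
    sni, ech = parse_client_hello(record)
    if ech:
        return "ech-opaque", sni
    if sni in BLOCKLIST:
        return "block", sni
    return "allow", sni

if __name__ == "__main__":
    print(classify(build_client_hello("login-verify-example.test")))
    dummy_ech = b"\x00\x00\x01\x00\x01\x2a\x00\x20" + bytes(32) + b"\x00\x10" + bytes(16)
    print(classify(build_client_hello("cdn-public.example", dummy_ech)))
```

    The point of the third branch is the blind spot the article describes: once the ECH extension is present, the gateway can still tell that ECH is in use (and that the outer name belongs to a CDN), but it can no longer match the real destination against its threat lists.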

    The visibility is particularly important for banks and other heavily regulated industries that are often required to monitor their incoming and outgoing internet traffic. As it stands, these organizations can decrypt traffic selectively, without looking at sensitive data like employee PII or health records. But if ECH blinds their filtering tools, banks will have to decrypt all internet traffic in order to remain compliant with regulations, degrading user privacy in the process.

    ECH adoption is low, but risks remain for enterprises and users

    Our analysis of the adoption and impact of ECH for enterprise users brought good news and bad news. Although overall adoption is very low (more than 9% of the top 1 million domains are ECH-enabled, but less than 0.01% of TLS connections used the protocol), malicious actors are already taking advantage of the anonymity the protocol provides: 17% of all ECH-enabled sites are risky. Chrome users with encrypted DNS enabled are most at risk, because Chrome only attempts ECH when it has fetched the server's ECH configuration from a DNS HTTPS record over a secure DNS channel, so it is those users whose destinations actually disappear from view.
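    Whether a domain counts as "ECH-enabled" in the paragraph above, and whether a browser with encrypted DNS will use ECH against it, is determined by the `ech` parameter of the domain's DNS HTTPS record, which carries the ECHConfigList with the public name the outer Client Hello will show. The following is an added example, not code from the article or from Corrata: it builds a constructed HTTPS record RDATA and decodes the ECHConfigList (version 0xfe0d) to report the advertised public names. The public name `cdn-public.example` and the 32-byte all-zero public key are dummies for the example, not real deployment data.

```python
import struct

SVCPARAM_ALPN = 1
SVCPARAM_ECH = 5        # SvcParamKey "ech": value is an ECHConfigList
ECH_VERSION = 0xFE0D

def encode_name(name):
    """DNS wire-format name; '.' is the root (an apex HTTPS record targets itself)."""
    if name in ("", "."):
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def parse_name(buf, p):
    labels = []
    while True:
        n = buf[p]
        p += 1
        if n == 0:
            break
        labels.append(buf[p:p + n].decode())
        p += n
    return ".".join(labels) or ".", p

def build_echconfig(config_id, public_name, public_key, kem_id=0x0020, suites=((0x0001, 0x0001),)):
    """Constructed ECHConfig (version 0xfe0d): HpkeKeyConfig, max_name_length, public_name, no extensions."""
    key_config = (bytes([config_id]) + struct.pack("!H", kem_id)
                  + struct.pack("!H", len(public_key)) + public_key
                  + struct.pack("!H", 4 * len(suites))
                  + b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites))
    pn = public_name.encode()
    contents = key_config + b"\x00" + bytes([len(pn)]) + pn + b"\x00\x00"
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents

def build_echconfiglist(*configs):
    body = b"".join(configs)
    return struct.pack("!H", len(body)) + body

def build_https_rdata(target, params):
    """HTTPS RR RDATA: SvcPriority=1, TargetName, SvcParams in ascending key order."""
    out = struct.pack("!H", 1) + encode_name(target)
    for key in sorted(params):
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out

def parse_echconfiglist(blob):
    """Decode the configs a client could use; unknown versions are skipped, as the spec requires."""
    total = struct.unpack("!H", blob[:2])[0]
    p, configs = 2, []
    while p + 4 <= 2 + total:
        version, length = struct.unpack("!HH", blob[p:p + 4])
        p += 4
        body = blob[p:p + length]
        p += length
        if version != ECH_VERSION:
            continue
        q = 0
        config_id = body[q]; q += 1
        kem_id = struct.unpack("!H", body[q:q + 2])[0]; q += 2
        q += 2 + struct.unpack("!H", body[q:q + 2])[0]            # skip public_key
        cs_len = struct.unpack("!H", body[q:q + 2])[0]; q += 2
        suites = [struct.unpack("!HH", body[q + i:q + i + 4]) for i in range(0, cs_len, 4)]
        q += cs_len
        q += 1                                                    # maximum_name_length
        pn_len = body[q]; q += 1
        public_name = body[q:q + pn_len].decode()
        configs.append({"config_id": config_id, "kem_id": kem_id,
                        "public_name": public_name, "suites": suites})
    return configs

def ech_status(rdata):
    """Return (target, [public names]); an empty list means the domain is not ECH-enabled."""
    target, p = parse_name(rdata, 2)
    names = []
    while p + 4 <= len(rdata):
        key, length = struct.unpack("!HH", rdata[p:p + 4])
        p += 4
        value = rdata[p:p + length]
        p += length
        if key == SVCPARAM_ECH:
            names = [c["public_name"] for c in parse_echconfiglist(value)]
    return target, names

if __name__ == "__main__":
    cfg = build_echconfig(0x2A, "cdn-public.example", bytes(32))
    rdata = build_https_rdata(".", {SVCPARAM_ALPN: b"\x02h2", SVCPARAM_ECH: build_echconfiglist(cfg)})
    print(ech_status(rdata))
```

    Against real DNS data the same decoder would be fed the RDATA of an HTTPS query for the domain; the public name it returns is exactly the string the first example sees as the outer SNI once ECH is in use.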

    You might wonder if such a small portion of internet traffic matters. If less than one-tenth of one percent of internet connections are using ECH, should enterprise security teams even worry about the protocol's potential risks?

    The short answer is yes.

    In practice, ECH requires the destination site to sit behind infrastructure that supports the protocol, which today means a content delivery network (CDN). Cloudflare is currently the only CDN that supports ECH, and the company has played an important role in driving ECH adoption. (Notably, Apple's iOS does not support ECH.)

    We found that over 90% of phishing detections use Cloudflare infrastructure.
    In addition to the ECH anonymity, these sites take advantage of other Cloudflare features. For example, the captcha page can direct desktop traffic to a legitimate site while mobile traffic is sent to a fake one.

    We should expect ECH to grow in popularity over time, because there are opportunities and incentives for both the server side and client side to
    drive adoption. On the client side, Safari could support the standard or
    Chrome could enable encrypted DNS by default.

    Server side

    On the server side, you would need to see wholesale migration to Cloudflare (unlikely) or default support from other CDNs. It's worth noting that ECH adoption is a positive for the CDNs. The complexity of implementation means more websites will opt to use CDN services, and the CDNs would become the only infrastructure players with widespread visibility of internet traffic.

    For now, security teams can breathe a sigh of relief because the community's fears that enterprise internet traffic would go dark are not yet being realized. But it would be irresponsible to expect this to continue long-term, given the significant market opportunities that ECH adoption offers for the CDN industry. The threat posed by the protocol must be taken seriously.

    Tracking ECH and its cloak of secrecy is no longer optional for enterprise security teams. Our data shows that while the potential certainly exists for ECH to become a thorn in the side of defenders, this is the time to prepare rather than panic.

    This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry
    today. The views expressed here are those of the author and are not
    necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

    ======================================================================
    Link to news story: https://www.techradar.com/pro/is-a-new-privacy-protocol-helping-malicious-actors-more-than-internet-users

    $$
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)