Episode 33 – Protocol Shorts: TLS Encrypted Client Hello.
This episode explores TLS Encrypted Client Hello (ECH) and how it improves privacy on the internet by hiding sensitive metadata that was previously exposed during the TLS handshake. While traditional TLS encrypts the actual data exchanged between client and server, key details like the Server Name Indication (SNI), which reveals the website you are visiting, remained visible to intermediaries such as ISPs or network middleboxes.
Glen explains how ECH addresses this gap by encrypting most of the Client Hello message using keys obtained via secure DNS, preventing third parties from easily identifying user activity. The discussion also covers real-world implications, including the impact on network infrastructure that relies on traffic inspection and the role of cloud providers in TLS termination.
Learn more:
- https://datatracker.ietf.org/doc/rfc9849/ — TLS Encrypted Client Hello
- https://blog.cloudflare.com/encrypted-client-hello/ — Practical explanation of ECH and deployment
- https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security — TLS fundamentals and handshake overview
- https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/ — another TLS handshake overview
- https://tls12.xargs.org/ — a tls 1.2 handshake, explained byte by byte
- https://tls13.xargs.org/ — a tls 1.3 handshake, explained byte by byte
- https://www.rfc-editor.org/rfc/rfc8446 — TLS 1.3 specification and handshake details
- https://blog.mozilla.org/security/2021/01/07/encrypted-client-hello-the-future-of-esni-in-firefox/ — Firefox perspective on ECH adoption
- https://blog.mozilla.org/security/2021/01/07/encrypted-client-hello-the-future-of-esni-in-firefox/ — Firefox perspective on ECH adoption
- https://samueloph.dev/blog/i-use-curl-with-ech-btw-in-debian/ — blog article about adding ECH into curl
- https://www.rfc-editor.org/rfc/rfc9460 — a DNS record type that publishes connection parameters for a service
- https://fosdem.org/2026/schedule/event/CKANPK-programmable_networking_with_rama/ — FOSDEM 2026 talk about Rama
Rama
If you like this podcast you might also like our modular network framework in Rust: https://ramaproxy.org
Chapters
- 00:00 Intro
- 00:27 Understanding the TLS Handshake Process
- 06:54 Understanding Middle Boxes and Network Behavior
- 08:33 The Privacy Gap in Network Traffic
- 14:08 Current Usage and Future of ECH
- 18:00 Consequences of ECH for Existing Infrastructures
- 24:19 Future of ECH: Privacy vs. Trust
- 26:32 Outro
Netstack.FM
More information: https://netstack.fm/#episode-33
Join our Discord: https://discord.gg/29EetaSYCD
Reach out to us: hello@netstack.fm
Music for this episode was composed by Dj Mailbox. Listen to his music at https://on.soundcloud.com/4MRyPSNj8FZoVGpytj.
