Google Chrome Canary gets experimental Encrypted Client Hello (ECH) support

Martin Brinkmann
Nov 25, 2022
Google Chrome

Google Chrome Canary users may enable experimental support for Encrypted Client Hello (ECH) now. Encrypted Client Hello, the successor of the earlier Encrypted SNI (ESNI) extension, improves the privacy of TLS connections. In a normal TLS 1.3 handshake the ClientHello, including the Server Name Indication (SNI) field that carries the hostname the browser wants to reach, is sent in the clear. ECH encrypts that ClientHello to a public key the site publishes in DNS, so the hostname is no longer exposed to the Internet Service Provider, the network operator or any other party able to observe the traffic; an observer on the path only sees the public name of the server fronting the site. The DNS lookup for the hostname still reveals it unless DNS is encrypted as well (DNS over HTTPS or DNS over TLS), which is why ECH is normally paired with Secure DNS.


You may check if ECH is enabled in your browser using Cloudflare's Browsing Experience Security Check website.

The introduction of ECH support in Google Chrome Canary marks the beginning of a wider rollout among Chromium-based browsers. Experimental flags may be removed without notice at any time, but it seems likely that ECH support will eventually reach Chrome Stable and other browsers based on Chromium. Mozilla added support for ECH to Firefox in 2021.


Chrome Canary users who want to give this a try need to make the following adjustments in Chrome Canary:

  1. Load chrome://settings/help to make sure that the latest version of Chrome Canary is installed. Chrome checks for updates and installs any that it finds. A restart is then required to complete the update.
  2. Load chrome://flags/#encrypted-client-hello in the browser's address bar.
  3. Set the status of the Encrypted ClientHello flag to Enabled.
  4. Restart Google Chrome.

Encrypted Client Hello is enabled in Chrome after the restart. You may undo the change at any time by setting the flag back to Disabled (or Default) using the same steps. Use Cloudflare's test page or any other test page to find out whether the feature is working as advertised.


Google describes the feature in the following way:

"When enabled, Chrome will enable Encrypted ClientHello support. This will encrypt TLS ClientHello if the server enables the extension via the HTTPS DNS record"

Web servers need to support the feature and publish their ECH configuration in the site's HTTPS DNS record, which means that it does not work on the majority of sites visited in Chrome Canary at the time of writing. The feature is available for all supported operating systems, including Windows, Mac, Linux, Android and Chrome OS.
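To make concrete what "the server enables the extension via the HTTPS DNS record" means, here is an added example in Python (not code from the article, Chrome or Cloudflare) that builds a constructed HTTPS (type 65) record carrying an `alpn` and an `ech` SvcParam and parses it the way a client would: pull out the ECHConfigList, skip any config whose version it does not know, and return the public name and public key the browser would encrypt its inner ClientHello to. The record, the public names ech.example and old.example, and the 32-byte public key are constructed placeholders; the wire formats follow RFC 9460 for the RDATA and the ECHConfig structure of draft-ietf-tls-esni (version 0xfe0d).

```python
"""Build and parse an HTTPS DNS record carrying an ECHConfigList.

Constructed example, not code from Chrome or Cloudflare. All bytes are
built inline so the script runs offline. Formats: RFC 9460 (SVCB/HTTPS
RDATA, SvcParamKey "ech" = 5) and ECHConfig version 0xfe0d from
draft-ietf-tls-esni. The public key is a dummy value, not a real key.
"""
import struct

SVCPARAM_ALPN = 1
SVCPARAM_ECH = 5
ECH_VERSION_FE0D = 0xFE0D

# --- builders for the constructed sample record ----------------------------

def _dns_name(name):
    """Uncompressed wire-format DNS name; "." encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _vec16(data):
    """TLS-style opaque<0..2^16-1>: two-byte length prefix."""
    return struct.pack("!H", len(data)) + data

def build_ech_config(config_id, kem_id, public_key, cipher_suites, public_name,
                     version=ECH_VERSION_FE0D):
    suites = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in cipher_suites)
    contents = (bytes([config_id]) + struct.pack("!H", kem_id) + _vec16(public_key)
                + _vec16(suites)
                + bytes([0])                                   # maximum_name_length
                + bytes([len(public_name)]) + public_name.encode("ascii")
                + _vec16(b""))                                 # no extensions
    return struct.pack("!HH", version, len(contents)) + contents

def build_https_rdata(priority, target, params):
    rdata = struct.pack("!H", priority) + _dns_name(target)
    for key in sorted(params):            # RFC 9460: strictly increasing key order
        rdata += struct.pack("!HH", key, len(params[key])) + params[key]
    return rdata

# --- parsers ----------------------------------------------------------------

def parse_https_rdata(rdata):
    """Return priority, target name and a {SvcParamKey: value} dict."""
    priority = struct.unpack("!H", rdata[:2])[0]
    pos, labels = 2, []
    while True:
        n = rdata[pos]; pos += 1
        if n == 0:
            break
        labels.append(rdata[pos:pos + n].decode("ascii")); pos += n
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4]); pos += 4
        if key <= last_key:               # malformed record per RFC 9460
            raise ValueError("SvcParams not in increasing key order")
        params[key] = rdata[pos:pos + length]; pos += length; last_key = key
    return {"priority": priority, "target": ".".join(labels) or ".", "params": params}

def parse_ech_config_list(data):
    """Parse an ECHConfigList, ignoring configs of unknown version as clients must."""
    total = struct.unpack("!H", data[:2])[0]
    pos, end, configs = 2, 2 + total, []
    while pos < end:
        version, length = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
        body, pos = data[pos:pos + length], pos + length
        if version != ECH_VERSION_FE0D:
            continue
        p = 0
        config_id = body[p]; p += 1
        kem_id = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        pk_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        public_key = body[p:p + pk_len]; p += pk_len
        cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p, p + cs_len, 4)]
        p += cs_len
        max_name_len = body[p]; p += 1
        name_len = body[p]; p += 1
        public_name = body[p:p + name_len].decode("ascii")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "max_name_length": max_name_len,
                        "public_name": public_name})
    return configs

def ech_configs_from_rdata(rdata):
    """Client view: no ech SvcParam means ECH is not offered for this name."""
    record = parse_https_rdata(rdata)
    if SVCPARAM_ECH not in record["params"]:
        return []
    return parse_ech_config_list(record["params"][SVCPARAM_ECH])

# --- constructed sample: one record with alpn and ech SvcParams -------------
ALPN = b"\x02h2\x08http/1.1"
DUMMY_PUBLIC_KEY = bytes(range(32))       # placeholder, not a real X25519 key
SAMPLE_ECH_LIST = _vec16(
    build_ech_config(0x2A, 0x0020, DUMMY_PUBLIC_KEY, [(0x0001, 0x0001)], "ech.example")
    + build_ech_config(0x2B, 0x0020, DUMMY_PUBLIC_KEY, [(0x0001, 0x0001)], "old.example",
                       version=0xFE0A))   # unknown/older draft version: skipped
SAMPLE_RDATA = build_https_rdata(1, ".", {SVCPARAM_ALPN: ALPN, SVCPARAM_ECH: SAMPLE_ECH_LIST})

if __name__ == "__main__":
    for cfg in ech_configs_from_rdata(SAMPLE_RDATA):
        print(f"config_id={cfg['config_id']:#x} kem={cfg['kem_id']:#06x} "
              f"public_name={cfg['public_name']} suites={cfg['cipher_suites']}")
```

The `public_name` returned here is the only hostname that appears in the outer ClientHello on the wire; the real hostname lives in the encrypted inner ClientHello. That also shows why the record lookup itself needs Secure DNS: a plaintext query for the site's HTTPS record would reveal the hostname ECH is meant to hide.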

Now You: do you use Secure DNS, ECH and other security/privacy features? (thanks ISO8601 for the tip)


Comments

  1. fxgsfg said on November 25, 2022 at 11:49 am
    Reply

    Is there a point in turning it on if no server actually uses it?

    1. ECJ said on November 25, 2022 at 3:12 pm
      Reply

      A lot of websites use CDNs like CloudFlare to speed up their websites.

      I would imagine if someone is using CloudFlare DNS on their device (such as 1.1.1.1 or 1.1.1.2 – or their DNS-over-TLS/DNS-over-HTTPS equivalents), then they will likely be directed to the closest CloudFlare CDN to them (which are spread out worldwide) and in which case the CloudFlare servers are going to support Encrypted Client Hello (ECH).

  2. Leopeva64 said on November 25, 2022 at 12:55 pm
    Reply

    Speaking of Chrome Canary, the “Live Caption” feature now supports five more languages in this version, and in the future there will be an option to “live translate” those captions:

    https://redd.it/z3rtwt


  3. John G. said on November 25, 2022 at 2:12 pm
    Reply

    Very interesting upcoming feature, I wonder when Edge Chromium will release this great advance as well. Thanks for the article.

    1. Leopeva64 said on November 25, 2022 at 2:59 pm
      Reply

      This is already available in Edge, go to the flags page and enable this one:

      “Support for HTTPS records in DNS”

      edge://flags/#dns-https-svc

      1. John G. said on November 25, 2022 at 4:03 pm
        Reply

        @Leopeva64, thanks for the information!

      2. John G. said on November 25, 2022 at 4:59 pm
        Reply

        “Support for HTTPS records in DNS”
        edge://flags/#dns-https-svcb

        This does not work with latest Edge Chromium.

  5. Coriy said on November 25, 2022 at 6:58 pm
    Reply

    Google doing something that increases user privacy? That doesn’t sound like them. They probably still get you telemetric data, somehow.

    1. Herman Cost said on November 26, 2022 at 1:07 am
      Reply

      Google thinks that user privacy does not apply to Google’s capturing and use of your personal data. However, they will gladly help you protect yourself from anyone who is not paying them to use the information they have about you.

      Of course this serves the purpose of motivating those who can no longer get access to your data to pay Google to use it for them.

  6. irontwat said on November 26, 2022 at 1:08 am
    Reply

    The first-paragraph sentence “Encrypted Client Hello, also referred to as Secure SNI, improves the privacy of Internet connections” is confusing.

    First, I think you want “Encrypted SNI” (=ESNI), not “Secure”.

    Second, “previously referred to as” would be clearer than “also referred to as”. ECH replaces ESNI.
    Details: https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello

  7. John G. said on November 26, 2022 at 9:55 am
    Reply

    How to enable ESNI in Firefox:

    about:config
    network.security.esni.enabled > true

    1. John G. said on November 26, 2022 at 10:01 am
      Reply

      For Firefox versions >85:

      about:config
      network.dns.echconfig.enabled > true
      network.dns.use_https_rr_as_altsvc > true
