
Navigating Encrypted Client Hello (ECH): Insights from RSAC™ 2025 Conference

Decrypting the security implications of ECH

  • Major Content Delivery Networks (CDNs) are rapidly adopting ECH, indicating a shift in how internet privacy is enforced and signaling broad industry changes.
  • While ECH enhances user privacy, it limits network monitoring: visibility into TLS metadata is reduced, which weakens threat detection and compliance enforcement.
  • ECH's regulatory and operational challenges mean organizations need to evaluate their exposure and strengthen their security posture.

While most of the RSAC™ 2025 Conference focused on AI, we used our RSAC presentation, "ECH: Hello to Enhanced Privacy or Goodbye to Visibility?", to highlight a topic security teams can't afford to ignore. The digital landscape is undergoing a seismic shift with the introduction of Encrypted Client Hello (ECH), a new IETF standard that promises enhanced privacy but poses significant challenges for enterprise network security.

As an extension to Transport Layer Security (TLS) 1.3, ECH encrypts metadata in the TLS ClientHello message that was previously visible, including sensitive information such as the Server Name Indication (SNI). While this innovation bolsters user privacy, it simultaneously disrupts traditional security practices, creating a complex win-lose scenario for enterprises.

Privacy at a cost

ECH is already deployed in production and supported by major browsers, though it remains disabled when explicit proxies are configured. Content Delivery Networks (CDNs) like Cloudflare, Fastly, Amazon and Akamai are leading the charge in its adoption, with 99.9% of the top 10,000 websites relying on CDNs. This widespread deployment underscores the transformative impact ECH is having on the internet ecosystem.

The primary advantage of ECH lies in its ability to prevent the leakage of TLS metadata to on-path devices, enhancing user privacy. By encrypting the ClientHello message, ECH ensures that intermediary network devices cannot access sensitive information such as the destination server hostname, making it particularly beneficial for scenarios where multiple unrelated sites are hosted by the same CDN. With ECH enabled, these sessions appear indistinguishable to inspection tools, preserving the confidentiality of the final destination.

This increased privacy comes at a potentially heavy cost. For enterprises, ECH significantly reduces network visibility, effectively preventing selective decryption of TLS traffic. Loss of visibility has profound implications for network security solutions, which rely on metadata to monitor traffic, detect malware, enforce acceptable use policies and prevent data exfiltration. It hinders security teams from detecting critical incidents, thereby increasing compliance risks and operational costs.

But the impact of ECH extends beyond individual organizations to the broader internet ecosystem. It accelerates the shift from an infrastructure-based security model to an application-layer approach. Protocols like QUIC and HTTP/3 are moving the communication stack out of the kernel and into applications on endpoints, further diminishing the role of traditional network security measures. This paradigm shift aligns with the position of human rights advocates, who argue for security at the content delivery layer rather than the infrastructure layer, but it also raises questions about the feasibility of filtering malicious content even at the endpoint level.

ECH: An attack vector

The regulatory and compliance implications of ECH are equally significant. For critical infrastructures and government agencies, encrypted traffic can serve as an attack vector, complicating efforts to detect and respond to threats. While decrypting and inspecting an organization's own traffic is a standard security practice, ECH disrupts this model, forcing enterprises to rethink their approach to compliance and threat intelligence.

This shift towards encrypted traffic can be traced back to the post-Snowden era, when the IETF began broadening its definition of who counts as an attacker. RFC 7258, published in 2013, identified pervasive monitoring as an attack, setting the stage for subsequent developments like TLS 1.3, DNS over HTTPS (DoH), and now ECH. These advancements represent the final pieces of a larger puzzle aimed at enhancing privacy and security on the internet.

While ECH offers clear privacy advantages, its drawbacks pose serious concerns for several stakeholders. Enterprises, public networks, educational institutions and child online protection initiatives are among those facing unanticipated challenges. National and regional administrations must grapple with the impact on threat intelligence sharing, organizational self-defense and overall resilience. This is not merely a technological problem. It is also a security operations and sovereignty issue that requires a coordinated response.

How security teams can navigate ECH

To navigate this complex landscape, enterprises must take proactive steps. First, organizations should confirm the presence of ECH traffic on their networks and disable ECH on managed endpoints. Security stacks should be configured to decrypt traffic destined for known ECH client-facing servers, effectively disabling ECH per TLS session. Then, over the next three to six months, enterprises should evaluate the impact of ECH on their network security stack and DNS infrastructure, engaging legal and regulatory compliance teams to understand the broader implications.
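The first step above, confirming whether ECH traffic is present, and the earlier point that an ECH session only exposes the client-facing server's hostname, can both be illustrated by looking at what an inspection device actually sees in the ClientHello. The following script is an added example written for this post, not code from the authors or from any Broadcom product. It parses a TLS record carrying a ClientHello, reports the visible SNI and whether the encrypted_client_hello extension (codepoint 0xfe0d, from the IETF draft) is present, and triages the result against a list of known client-facing public names. The sample ClientHellos, the public name `public.cdn-example.invalid` and the `KNOWN_PUBLIC_NAMES` set are constructed for the example; one caveat the script encodes is that browsers without an ECH config send a GREASE ECH extension that is indistinguishable on the wire, so the extension alone does not prove ECH is in use.

```python
import struct

# TLS extension codepoints: server_name (RFC 6066) and encrypted_client_hello
# (draft-ietf-tls-esni, codepoint 0xfe0d).
SNI_EXT = 0x0000
ECH_EXT = 0xFE0D


def _u16(buf: bytes, off: int):
    """Read a big-endian uint16 at off and return (value, new_offset)."""
    return struct.unpack_from("!H", buf, off)[0], off + 2


def parse_client_hello(record: bytes) -> dict:
    """Walk one TLS record carrying a ClientHello; report the visible SNI and
    whether an encrypted_client_hello extension is present (outer or inner)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 2 + 32                        # legacy_version + random
    off += 1 + ch[off]                  # legacy_session_id
    cs_len, off = _u16(ch, off)         # cipher_suites
    off += cs_len
    off += 1 + ch[off]                  # legacy_compression_methods
    info = {"sni": None, "ech": False, "ech_type": None, "extensions": []}
    if off >= len(ch):
        return info                     # no extensions block at all
    ext_len, off = _u16(ch, off)
    end = off + ext_len
    while off + 4 <= end:
        etype, off = _u16(ch, off)
        elen, off = _u16(ch, off)
        data = ch[off:off + elen]
        off += elen
        info["extensions"].append(etype)
        if etype == SNI_EXT and len(data) >= 5:
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack_from("!H", data, 3)[0]
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == ECH_EXT and data:
            # ECHClientHello.type: 0 = outer (what the network sees), 1 = inner
            info["ech"] = True
            info["ech_type"] = "outer" if data[0] == 0 else "inner"
    return info


def triage(record: bytes, known_public_names: set) -> dict:
    """Classify a ClientHello for an inspection policy. With ECH the visible
    SNI is only the client-facing server's public name, not the real target."""
    info = parse_client_hello(record)
    if not info["ech"]:
        info["verdict"] = "no-ech"
    elif info["sni"] in known_public_names:
        info["verdict"] = "ech-to-known-client-facing-server"
    else:
        # GREASE ECH from a client without an ECHConfig looks the same on the
        # wire, so presence alone is not proof that ECH is in use.
        info["verdict"] = "ech-extension-present-unknown-public-name"
    return info


# ---- constructed sample ClientHellos (not captured traffic) -----------------
def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def sni_ext(host: str) -> bytes:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    return _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)


def ech_outer_ext(config_id: int = 0x2A) -> bytes:
    # ECHClientHello(outer): type, HPKE suite (KDF, AEAD), config_id, enc, payload.
    # enc/payload are filler bytes here; a real payload is the HPKE-sealed inner hello.
    enc, payload = b"\x11" * 32, b"\x22" * 64
    body = b"\x00" + struct.pack("!HH", 0x0001, 0x0001) + bytes([config_id])
    body += struct.pack("!H", len(enc)) + enc + struct.pack("!H", len(payload)) + payload
    return _ext(ECH_EXT, body)


def build_client_hello(extensions: bytes) -> bytes:
    ch = b"\x03\x03" + b"\x00" * 32                 # legacy_version, fixed random
    ch += b"\x00"                                   # empty legacy_session_id
    ch += struct.pack("!H", 2) + b"\x13\x01"        # TLS_AES_128_GCM_SHA256
    ch += b"\x01\x00"                               # one compression method: null
    ch += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Hypothetical public name of a CDN's ECH client-facing server (constructed).
KNOWN_PUBLIC_NAMES = {"public.cdn-example.invalid"}
SAMPLE_ECH = build_client_hello(sni_ext("public.cdn-example.invalid") + ech_outer_ext())
SAMPLE_PLAIN = build_client_hello(sni_ext("www.example.com"))

if __name__ == "__main__":
    for label, rec in (("ECH outer hello", SAMPLE_ECH), ("plain hello", SAMPLE_PLAIN)):
        print(label, triage(rec, KNOWN_PUBLIC_NAMES))
```

Run against the two constructed records, the plain hello yields its real hostname and `no-ech`, while the ECH hello yields only the CDN public name and the `ech-to-known-client-facing-server` verdict; that verdict is the signal a security stack would act on when deciding to terminate and re-originate the session without ECH, as the paragraph above describes.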

The introduction of ECH marks a turning point in the evolution of internet security. It challenges traditional models and forces enterprises to adapt to a new reality in which privacy and security must be carefully balanced. As the ecosystem continues to evolve, organizations must protect user privacy while maintaining robust security measures. While the road ahead is fraught with challenges, it also offers an opportunity to rethink and redesign security practices for the modern digital age.

Dive into this topic further by reading our ECH Primer

About the Author

Arnaud Taddei

Global Security Strategist, Enterprise Security Group, Broadcom

Prior to his current role, Arnaud Taddei held senior positions at CERN and Sun Microsystems and was Technical Director to Symantec CTOs. He holds leadership positions in international standards organizations and graduated as a Telecom Engineer.

About the Author

Roelof du Toit

Distinguished Engineer, Broadcom

Roelof du Toit has been involved in the design and implementation of SSL/TLS proxies for more than 20 years and is passionate about helping enterprises adopt secure communication standards and threat detection technology.