Encrypted Client Hello faces barriers to adoption but malicious actors are already taking advantage of the anonymity the protocol provides, according to Living With ECH Report
DUBLIN, May 21, 2025 /PRNewswire/ -- Corrata, the leading mobile endpoint threat detection and response provider, published the Living With ECH Report. The first-of-its-kind report examines the impact of the Encrypted Client Hello (ECH), a new privacy protocol that information security professionals fear could make widely-used security tools blind to large swaths of internet traffic.
ECH is an extension to TLS 1.3, the most recent version of the Transport Layer Security standard used to secure the vast majority of internet communications. ECH proposes to enhance privacy by encrypting key information between devices and Content Delivery Networks (CDNs), preventing network providers from identifying the names of websites that individuals are looking to access. Information security professionals have raised concerns that its implementation may compromise the ability of enterprises to detect and counter cyber threats.
The inaugural report analyzed first-party platform data - billions of connections to web servers made by enterprise employee mobile devices - between January and March 2025. According to the research, more than 9% of the top 1 million domains are ECH-enabled, but less than .01% of TLS connections used the protocol. However, even though ECH is rarely relied upon in practice, malicious actors are taking advantage of the anonymity the protocol provides: 17% of the total ECH-enabled sites are risky. Chrome users with encrypted DNS enabled are most at risk.
Findings from the Living With ECH Report include:
ECH could degrade, not improve, privacy: Banks and other regulated entities are often required to monitor the internet traffic going into and out of their organization. To date, these enterprises have been able to selectively decrypt traffic without looking at sensitive data like employees' health records. But with ECH blocking their filtering, enterprises would have little choice but to decrypt all internet traffic for inspection, drastically degrading employees' privacy.
Cloudflare is driving ECH adoption: Cloudflare remains the sole tier-one CDN supporting ECH. Almost all of the sites that are ECH-enabled use Cloudflare infrastructure. Major website owners also seem to be wary of adopting the protocol, concerned that users might be blocked from accessing their services by enterprise security infrastructure or by public authorities. While ECH reduces the visibility of internet service providers (ISPs) and enterprise security teams, CDNs like Cloudfare can still access data under the protocol.
Malicious actors are taking advantage of Cloudflare: Over 90% of phishing detections use Cloudflare infrastructure, according to Corrata's analysis. In addition to the anonymity provided by ECH, these sites take advantage of other Cloudflare features. For example, the "captcha" page can be used to direct desktop traffic to the legitimate site while mobile traffic is sent to the fake one. Alternatively, traffic not coming from the targeted country may be redirected to the legitimate site. These are deliberate tactics to avoid detection by security providers.
Barriers to widespread adoption are high: Widespread adoption of ECH would severely curtail the ability of enterprises to identify and block connections to malicious domains, but industry heavyweights who play different roles and have varied motivations must all support ECH before its use can become widespread. While 20% of devices are configured to use encrypted DNS and DNS resolvers which support ECH, the lack of support from browsers such as Safari and operating systems such as Android make such choices moot.
"The extremely low level of ECH adoption suggests that the security community's fears that enterprise internet traffic would go dark are not yet being realized," said Matthieu Bentot, CTO of Corrata. "While the potential certainly exists for ECH to become a thorn in the side of defenders, the early signs are that this is the time to prepare rather than panic."
The Living With ECH Report is available today.
Research Methodology
Corrata analyzed billions of connections made by devices running Corrata's threat detection and response solution. Corrata's software is used to protect iOS and Android devices and is representative of that important segment of enterprise internet traffic. Corrata has visibility of DNS query and TLS connection metadata for all of these connections and tracked the number of successful ECH connections created between January and March 2025.
About Corrata
Corrata provides endpoint threat detection and response for mobile. Our pioneering architecture delivers real-time visibility into threats targeting both iOS and Android devices, without compromising performance or privacy. Corrata software detects and disables malware, blocks phishing attacks and ensures compromised devices cannot access sensitive data. Corrata has customers across multiple verticals including healthcare, logistics, manufacturing and the public sector and is verified for use with FirstNet, the US Government network for first responders. With deployment in less than 24 hours and seamless integration into your existing security infrastructure, Corrata ensures your mobile environment is no longer your weakest link. Corrata is a proud member of the Microsoft Intelligent Security Association and Cyber Ireland. Visit corrata.com.
View original content:https://www.prnewswire.co.uk/news-releases/corrata-report-examines-impact-of-new-privacy-protocol-that-threatens-to-make-security-tools-blind-to-internet-traffic-302461022.html
