Bjørn Ivar Teigen

Are Internet Service Providers about to go blind?

October 4, 2023

ISPs are about to lose a key capability: Understanding what users are doing on their network. Some prominent players are deploying new technology now, and the change could happen very fast.


The introduction of Encrypted Client Hello (ECH) by the Internet Engineering Task Force (IETF) represents a significant change in web security. Designed to augment HTTPS handshake procedures, ECH aims to enhance user privacy by encrypting previously exposed data. While this is a milestone for internet security, it also poses questions for the future of deep packet inspection (DPI) tools. This blog post will delve into the intricacies of ECH and explore its implications on web privacy and security.

What is Encrypted Client Hello?

Encrypted Client Hello is an extension to the Transport Layer Security (TLS) protocol. This cryptographic protocol is the backbone of secure communications on the internet, ensuring that the data transferred between your web browser and the servers you interact with is encrypted. ECH enhances this by encrypting the "ClientHello" message sent from the client to the server during the initial handshake. Cloudflare just announced that ECH is now available to all of their customers and Google announced ECH will be supported by default in Chrome.- so we can expect the use of ECH to increase rapidly in the near future. It is difficult to underestimate the combined power wielded by CloudFlare and Chrome. But what makes ECH so important? To answer that, let's look at what Server Name Indication (SNI) actually is.

Server Name Indication (SNI)

What is SNI?

Server Name Indication is an extension of the TLS protocol that allows a server to host multiple SSL certificates on a single IP address. In simple terms, SNI lets a web server know the domain name that the client is trying to reach. This is crucial for servers that host multiple websites under different domain names.

How SNI can leak the URLs you visit

While SNI has been instrumental in making the web more secure and efficient, it also has a significant privacy downside. During the initial TLS handshake between a client and a server, the SNI field, which indicates the specific website you're trying to visit, is sent in plaintext. This means that anyone monitoring your network traffic—be it your Internet Service Provider, hackers on a public Wi-Fi network, or even government agencies—can see the URLs of the websites you are visiting, even if the actual content is encrypted via HTTPS.

For example, if you're visiting “, the content and your interaction with the site are encrypted, but the URL “” is visible to anyone with access to your network traffic.

How ECH improves privacy

This is where Encrypted Client Hello comes into play. By encrypting the "ClientHello" message, ECH ensures that the SNI field is also encrypted. This additional layer of privacy effectively makes it much more difficult for third parties to determine which websites you are visiting. With ECH, only your computer, the company hosting the website you’re visiting, and the website itself, knows which URL you’re visiting.

Adaptation of DPI Tools

What is Deep Packet Inspection?

Deep Packet Inspection is a form of computer network packet filtering that examines both the header and the data part of the packet as it passes through an inspection point. Unlike basic packet filtering, which only checks the header, DPI goes into the payload of the packet, allowing it to uncover more details about network traffic. Observing the SNI is the main technique utilised for classifying network traffic in DPI tools.

Is DPI Widely Used?

Yes, DPI is a widely-used technology with applications in various sectors:

  • Network Security: Identifying malicious packets and preventing cyber-attacks.

  • Data Loss Prevention: Ensuring that sensitive information is not leaked outside the network of an organisation.

  • Traffic Management: Allocating bandwidth and prioritising different types of traffic.

  • Legal and Regulatory Compliance: Monitoring and logging network data to ensure compliance with policies or regulations. As well as enforcing mandatory blocking of certain webpages

The impact of ECH on DPI tools

With the introduction of ECH, the landscape for deep packet inspection tools is bound to change. Most DPI tools rely on SNI information to classify traffic.The encrypted "ClientHello" message will force these tools to evolve to focus more on heuristic methods and behavioural analysis, but these only cover some of the use cases. Essentially, this will lead ISPs to be near blind to the usage over their network. Parental controls, content filtering and similar will move to the end-user device (Apple, Google, Microsoft), or to the CDN providers like Fastly, CloudFlare and Google (Who can still see the unencrypted SNI).

Recommendation to service providers

Service providers who leverage DPI tools for cybersecurity or QoS need to take a close look at how robust their technology vendors are to ECH. For parental controls and regulatory compliance, there may be nothing ISPs can do. They can’t reasonably block all of Cloudflare, Fastly, and the other CDNs, and instead may come to rely on them to enable parental controls and content filtering in general. For QoS, usage-pattern analysis, and network quality analysis, behavioural traffic pattern algorithms are emerging as a robust and future proof alternative to DPI. Learn more about Domos Behavioural Traffic Classification.


Be the first to know with our emails

Thank your for subscribing!