---
title: Enable Encrypted Client Hello (ECH)
impact: MEDIUM
impactDescription: protects Server Name Indication (SNI) from eavesdropping and prevents leaking the visited website to the network
tags: tls, ech, sni, privacy, security, kotlin
---

## Enable Encrypted Client Hello (ECH)

Encrypted Client Hello (ECH) is a TLS 1.3 extension that encrypts the sensitive parts of the `ClientHello` during the handshake: the real `ClientHello` travels encrypted inside an outer `ClientHello` whose SNI names only a shared public name. This protects the Server Name Indication (SNI), which would otherwise let network observers (ISPs, public Wi-Fi operators) see which specific domain you are connecting to.

**About ECH:**
ECH solves the privacy problem where, even with HTTPS, the name of the website you are visiting is sent in plain text (SNI) during the initial connection setup.

**Implementation (Server-side via Nginx/Infrastructure):**

Kotlin backend applications usually sit behind a reverse proxy such as Nginx or a cloud load balancer that terminates TLS, so ECH is enabled at that layer rather than in the JVM application itself.

```nginx
# Nginx with ECH support (requires a build with ECH support; the directive names
# below are those of such a build and must be checked against its documentation).
# The ECH private key must correspond to the ECHConfigList published in DNS, and
# the DNS record must be re-published whenever the key is rotated.
ssl_ech on;
ssl_ech_key /etc/nginx/certs/ech_private.key;
ssl_ech_config_list /etc/nginx/certs/ech_configs.list;
```

**DNS Configuration:**
ECH requires an `HTTPS` DNS record whose `ech` parameter carries the ECHConfigList, i.e. the public key and HPKE parameters the client uses to encrypt the `ClientHello`. Note that the client's DNS query for that record still reveals the name to the resolver unless DNS itself is encrypted (DoH/DoT).

```text
# Example HTTPS DNS record. The owner name is the hostname itself (no _https label);
# "1 ." means priority 1 with the owner name as target; ech= holds the base64 ECHConfigList.
example.com. IN HTTPS 1 . alpn="h2,h3" ipv4hint=1.2.3.4 ech="<base64_encoded_config>"
```
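The `ech` value is a base64-encoded ECHConfigList. The Python below is an added example, not part of the original page, that parses that structure as laid out in the ECH draft (config version 0xfe0d) so an operator can verify that the record actually published in DNS carries the expected public name and key parameters; the byte string is constructed for this example and is not from any real zone.

```python
import struct
# Constructed sample ECHConfigList (not a real deployment): one 0xfe0d config, dummy X25519 key.
SAMPLE_ECH_CONFIG_LIST = bytes.fromhex(
    "0041"                                       # ECHConfigList length: 65
    "fe0d 003d"                                  # ECHConfig version, length: 61
    "01 0020"                                    # config_id, kem_id DHKEM(X25519, HKDF-SHA256)
    "0020 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"  # public_key (dummy)
    "0004 0001 0001"                             # cipher_suites: one suite, HKDF-SHA256 / AES-128-GCM
    "00"                                         # maximum_name_length (0 = no padding hint)
    "0e 7075626c69632e6578616d706c65"            # public_name "public.example"
    "0000")                                      # extensions: none

def _reader(buf: bytes):                         # bounds-checked cursor: (take, vec, left) closures
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated ECHConfigList")
        pos += n
        return buf[pos - n:pos]
    def vec(fmt: str) -> bytes:                  # TLS length-prefixed vector ("!B" or "!H" prefix)
        return take(struct.unpack(fmt, take(struct.calcsize(fmt)))[0])
    return take, vec, lambda: len(buf) - pos

def _parse_contents(buf: bytes) -> dict:         # one ECHConfigContents, version 0xfe0d
    take, vec, left = _reader(buf)
    cfg = {"config_id": take(1)[0], "kem_id": struct.unpack("!H", take(2))[0], "public_key": vec("!H")}
    suites = vec("!H")
    if not cfg["public_key"] or not suites or len(suites) % 4:
        raise ValueError("malformed HpkeKeyConfig")
    cfg["cipher_suites"] = [struct.unpack("!HH", suites[i:i + 4]) for i in range(0, len(suites), 4)]
    cfg["maximum_name_length"] = take(1)[0]
    cfg["public_name"] = vec("!B").decode("ascii")
    vec("!H")                                    # extensions: length-checked, not interpreted
    if left() or not cfg["public_name"]:
        raise ValueError("malformed ECHConfigContents")
    return cfg

def parse_ech_config_list(data: bytes) -> list:  # unknown versions are skipped, as the draft requires
    take, vec, left = _reader(data)
    body_take, body_vec, body_left = _reader(vec("!H"))
    if left():
        raise ValueError("trailing bytes after ECHConfigList")
    configs = []
    while body_left():
        version, contents = struct.unpack("!H", body_take(2))[0], body_vec("!H")
        if version == 0xFE0D:
            configs.append(_parse_contents(contents))
    return configs
```

Base64-decode the `ech=` value from the live record before passing it in; a value that fails to parse is ignored by clients, which then connect without ECH and leak the SNI as before.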

**Client-side (Kotlin/JVM Environment):**
OkHttp and Ktor's JVM engines delegate TLS to the JVM's security provider, and the JDK's built-in TLS stack (SunJSSE) does not implement ECH at the time of writing, so a Kotlin client cannot send ECH unless the provider it uses supports it. Security providers such as Bouncy Castle and newer Java releases add support for modern TLS extensions over time; keep TLS 1.3 enabled and the provider current so ECH support is picked up when it lands.

```kotlin
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.TlsVersion

// ECH is a TLS 1.3 extension. RESTRICTED_TLS alone still permits TLS 1.2, so pin TLS 1.3
// explicitly; this does not enable ECH by itself, which requires provider support.
val tls13Only = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
    .tlsVersions(TlsVersion.TLS_1_3)
    .build()
val client = OkHttpClient.Builder()
    .connectionSpecs(listOf(tls13Only))
    .build()
```

**Benefits:**
- **Privacy:** Prevents network metadata leaks.
- **Security:** Reduces the effectiveness of censorship and site-specific traffic fingerprinting.

**Tools:** Cloudflare (supports ECH), Nginx with ECH, DNS HTTPS records, SSLLabs
