---
title: Enable Encrypted Client Hello (ECH)
impact: MEDIUM
impactDescription: protects Server Name Indication (SNI) from eavesdropping
tags: tls, ech, sni, privacy, security, infrastructure, php
---

## Enable Encrypted Client Hello (ECH)

Encrypted Client Hello (ECH) is a TLS extension that encrypts the sensitive contents of the `ClientHello` message sent during the TLS handshake. Because the Server Name Indication (SNI) travels inside that encrypted payload, a network eavesdropper can no longer read which hostname the client is connecting to.

**Infrastructure Configuration:**

ECH is typically handled at the web server (Nginx/Apache) or CDN level (Cloudflare), not directly in PHP code.

**1. Nginx Configuration (where supported):**

```nginx
# Illustrative only: mainline Nginx does not ship ECH, and patched builds
# use their own directive names and key formats. Check your build's
# documentation before copying these lines.
ssl_ech on;
ssl_ech_key /etc/nginx/ssl/ech-key.pem;
# ECH keys are meant to be rotated regularly; the matching DNS record
# must be updated in step so clients never hold a stale configuration.
```

**2. DNS Configuration:**

You must publish an `HTTPS` or `SVCB` DNS record containing the ECH configuration string:

```text
# Example HTTPS record with ECH data
example.com. IN HTTPS 1 . alpn="h2" ech="<base64-ech-config>"
```
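The `ech="..."` value above is the base64 encoding of an `ECHConfigList` as defined by the TLS ECH draft (`ECHConfig` version `0xfe0d`). The following is an added example, not code from the original page, that builds a constructed sample record in that format and then parses it back, so an operator can confirm that a published record decodes cleanly and advertises the intended `public_name` (the name that appears in the outer, unencrypted SNI). The zero-byte public key, the config id and `public.example.net` are constructed placeholders.

```python
import base64
import re
import struct
ECH_VERSION = 0xFE0D  # ECHConfig version used by current ECH drafts and deployments

def build_ech_config_list(config_id, kem_id, public_key, cipher_suites, public_name):
    # Serialise one ECHConfig into an ECHConfigList: the bytes behind the ech= SvcParam.
    suites = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in cipher_suites)
    name = public_name.encode("ascii")
    # HpkeKeyConfig: config_id, kem_id, public_key<1..2^16-1>, cipher_suites<4..2^16-4>
    key_cfg = struct.pack("!BHH", config_id, kem_id, len(public_key)) + public_key
    key_cfg += struct.pack("!H", len(suites)) + suites
    # ECHConfigContents: key_config, maximum_name_length, public_name<1..255>, extensions<0..>
    contents = key_cfg + struct.pack("!BB", 0, len(name)) + name + struct.pack("!H", 0)
    ech_config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return struct.pack("!H", len(ech_config)) + ech_config

def ech_from_https_rr(rr_line):
    # Pull the base64 value of the ech= SvcParam out of an HTTPS RR presentation line.
    m = re.search(r'\bech="([A-Za-z0-9+/=]+)"', rr_line)
    if not m:
        raise ValueError("record carries no ech= SvcParam")
    return m.group(1)

def parse_ech_config_list(b64):
    # Decode an ECHConfigList and return, per understood config, what a client needs.
    data = base64.b64decode(b64, validate=True)
    if struct.unpack_from("!H", data, 0)[0] != len(data) - 2:
        raise ValueError("ECHConfigList length field does not match payload")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:  # clients skip versions they do not understand
            continue
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        suites_len = struct.unpack_from("!H", body, 5 + pk_len)[0]
        off = 7 + pk_len
        suites = [struct.unpack_from("!HH", body, off + i) for i in range(0, suites_len, 4)]
        max_name_len, name_len = struct.unpack_from("!BB", body, off + suites_len)
        off += suites_len + 2
        configs.append({"config_id": config_id, "kem_id": kem_id, "cipher_suites": suites,
                        "public_key": body[5:5 + pk_len], "max_name_len": max_name_len,
                        "public_name": body[off:off + name_len].decode("ascii")})
    return configs

# Constructed sample in the page's record format: 32 zero bytes stand in for a real X25519
# public key (kem_id 0x0020); the suite is HKDF-SHA256 (0x0001) with AES-128-GCM (0x0001).
SAMPLE_CONFIG = build_ech_config_list(7, 0x0020, bytes(32), [(0x0001, 0x0001)], "public.example.net")
SAMPLE_RR = f'example.com. IN HTTPS 1 . alpn="h2" ech="{base64.b64encode(SAMPLE_CONFIG).decode()}"'
```

Run the same parser over the record your DNS provider actually serves (for example the `ech` value from `dig example.com HTTPS`) to check that the public name and key configuration match what the web server or CDN is using.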

**How it works with PHP:**

PHP applications benefit from ECH transparently when served behind a compatible reverse proxy or CDN, because the TLS handshake is terminated there rather than in PHP. No changes are required to the PHP logic itself, but developers should advocate for its use in production environments to improve user privacy.

**Current Support State:**
- **Cloudflare**: Provides one-click ECH support.
- **Browsers**: Chrome and Firefox have experimental or rolling support.
- **Privacy**: Crucial for bypassing censorship and preventing DNS/SNI-based tracking.

**Tools:** Cloudflare, NGINX (with ECH patches), DigiCert, DNS management
