
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, March 10th, 2026: Encrypted Client Hello; ExifTool Vulnerability;
Mar 10, 2026
Discussion of the new RFCs that formalize Encrypted Client Hello and DNS-based key bootstrapping. Exploration of why encrypting the Client Hello improves SNI privacy and reduces fingerprinting. Coverage of deployment status and Cloudflare support. Walkthrough of a critical ExifTool flaw that lets image processing run commands. Warning about Nextcloud Flow leaking super-admin secrets via Windmill.
Encrypted Client Hello Now A Standard
- Encrypted Client Hello (ECH) standardizes encrypting almost the entire TLS client hello to close a remaining metadata leak.
- RFCs 9848 and 9849 define ECH and DNS bootstrapping using HTTPS and SVCB records, replacing SNI-only encryption approaches used previously.
DNS Bootstrapping Is Key For ECH
- ECH requires the client to learn a public key via DNS, so HTTPS and service binding (SVCB) records carry the bootstrap data.
- HTTPS records are common for web use; SVCB is for non-HTTP TLS applications, enabling broader adoption.
Decide Policy Before Blocking ECH Bootstraps
- Consider blocking or monitoring HTTPS/SVCB DNS records if your business cannot tolerate losing client-hello visibility.
- Be cautious: blocking HTTPS records may also block HTTP/3/QUIC negotiation, because those records carry the ALPN hint that advertises h3, so align actions with business needs.
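To make the bootstrapping and policy points above concrete, here is an added Python example (not code from SANS or the podcast) that parses HTTPS/SVCB records in DNS presentation format, decodes the base64 `ech` SvcParam into its ECHConfigList entries, and reports for each record which ECH public name it advertises and whether it also carries the `h3` ALPN hint that a blanket block on these record types would remove. The ECHConfigList layout follows the ECH specification's wire format (version 0xfe0d); the log lines, key bytes, and host names are constructed sample data, and `build_ech_config_list` exists only to fabricate that sample.

```python
"""Parse HTTPS/SVCB answers from a DNS log, decode the ech SvcParam, and
summarize what blocking those record types would also take away.
Added example with constructed sample data; ECHConfigList layout per the ECH spec."""
import base64
import re
import shlex
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version defined by the ECH specification


def build_ech_config_list(config_id, kem_id, public_key, suites, public_name, max_name_len=0):
    """Serialize a single-entry ECHConfigList (used only to construct sample data)."""
    contents = struct.pack("!BH", config_id, kem_id)
    contents += struct.pack("!H", len(public_key)) + public_key          # opaque<1..2^16-1>
    suite_bytes = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites)
    contents += struct.pack("!H", len(suite_bytes)) + suite_bytes        # cipher_suites<4..2^16-4>
    contents += struct.pack("!B", max_name_len)                          # maximum_name_length
    name = public_name.encode()
    contents += struct.pack("!B", len(name)) + name                      # public_name<1..255>
    contents += struct.pack("!H", 0)                                     # extensions (none)
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return struct.pack("!H", len(config)) + config                       # ECHConfigList<4..2^16-1>


def parse_ech_config_list(data):
    """Decode an ECHConfigList; unknown versions are kept but not parsed."""
    (total,) = struct.unpack_from("!H", data, 0)
    off, end, configs = 2, 2 + total, []
    while off < end:
        version, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        off += length
        if version != ECH_VERSION:
            configs.append({"version": version, "unknown": True})
            continue
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        pos = 5
        public_key = body[pos:pos + pk_len]
        pos += pk_len
        (suites_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        suites = [struct.unpack_from("!HH", body, pos + i) for i in range(0, suites_len, 4)]
        pos += suites_len
        max_name_len, name_len = struct.unpack_from("!BB", body, pos)
        pos += 2
        public_name = body[pos:pos + name_len].decode()  # outer SNI the client will send
        configs.append({"version": version, "config_id": config_id, "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "maximum_name_length": max_name_len, "public_name": public_name})
    return configs


RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(HTTPS|SVCB)\s+(\d+)\s+(\S+)\s*(.*)$")


def parse_svcb_rr(line):
    """Parse one HTTPS/SVCB record in presentation format; other types return None."""
    m = RR_RE.match(line.strip())
    if not m:
        return None
    owner, ttl, rrtype, priority, target, params = m.groups()
    svcparams = dict(token.partition("=")[::2] for token in shlex.split(params))
    rec = {"owner": owner, "type": rrtype, "priority": int(priority), "target": target,
           "alpn": svcparams["alpn"].split(",") if "alpn" in svcparams else [], "ech": None}
    if "ech" in svcparams:  # presentation value is base64 of the ECHConfigList
        rec["ech"] = parse_ech_config_list(base64.b64decode(svcparams["ech"]))
    return rec


def assess(lines):
    """Per HTTPS/SVCB answer: ECH public names seen and whether h3 is advertised."""
    findings = []
    for rec in filter(None, map(parse_svcb_rr, lines)):
        findings.append({
            "owner": rec["owner"], "type": rec["type"],
            "ech_public_names": [c["public_name"] for c in rec["ech"] or [] if "public_name" in c],
            "advertises_h3": "h3" in rec["alpn"],
        })
    return findings


# Constructed sample: one ECH-enabled HTTPS answer, one plain HTTPS answer,
# one non-HTTP SVCB answer and an unrelated A record.
SAMPLE_ECH = build_ech_config_list(config_id=7, kem_id=0x0020, public_key=bytes(range(32)),
                                   suites=[(0x0001, 0x0001)], public_name="cdn-front.example.net")
SAMPLE_LOG = [
    'secret-service.example.com. 300 IN HTTPS 1 . alpn="h2,h3" ech="%s"'
    % base64.b64encode(SAMPLE_ECH).decode(),
    'api.example.com. 300 IN HTTPS 1 . alpn="h2"',
    '_8443._foo.example.com. 300 IN SVCB 1 foo.example.com. alpn="foo"',
    'www.example.com. 300 IN A 192.0.2.10',
]

if __name__ == "__main__":
    for f in assess(SAMPLE_LOG):
        print(f)
```

Running it on the constructed log shows that the first record advertises both an ECH key (public name `cdn-front.example.net`, the only name an observer would see in the outer ClientHello) and `h3`, so dropping HTTPS answers for that zone would remove the HTTP/3 hint along with the ECH bootstrap, while the second record would lose nothing but its ALPN hint.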
