
netstack.fm Protocol Shorts: TLS Encrypted Client Hello
Episode 33 – Protocol Shorts: TLS Encrypted Client Hello.
This episode explores TLS Encrypted Client Hello (ECH) and how it improves privacy on the internet by hiding sensitive metadata that was previously exposed during the TLS handshake. While traditional TLS encrypts the actual data exchanged between client and server, key details such as the Server Name Indication (SNI), which reveals the website you are visiting, remain visible in cleartext to intermediaries such as ISPs or network middleboxes.
Glen explains how ECH addresses this gap by encrypting most of the Client Hello message using keys obtained via secure DNS, preventing third parties from easily identifying user activity. The discussion also covers real-world implications, including the impact on network infrastructure that relies on traffic inspection and the role of cloud providers in TLS termination.
Learn more:
- https://datatracker.ietf.org/doc/rfc9849/ — TLS Encrypted Client Hello
- https://blog.cloudflare.com/encrypted-client-hello/ — Practical explanation of ECH and deployment
- https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security — TLS fundamentals and handshake overview
- https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/ — another TLS handshake overview
- https://tls12.xargs.org/ — a TLS 1.2 handshake, explained byte by byte
- https://tls13.xargs.org/ — a TLS 1.3 handshake, explained byte by byte
- https://www.rfc-editor.org/rfc/rfc8446 — TLS 1.3 specification and handshake details
- https://blog.mozilla.org/security/2021/01/07/encrypted-client-hello-the-future-of-esni-in-firefox/ — Firefox perspective on ECH adoption
- https://samueloph.dev/blog/i-use-curl-with-ech-btw-in-debian/ — blog article about adding ECH into curl
- https://www.rfc-editor.org/rfc/rfc9460 — a DNS record type that publishes connection parameters for a service
- https://fosdem.org/2026/schedule/event/CKANPK-programmable_networking_with_rama/ — FOSDEM 2026 talk about Rama
Rama
If you like this podcast you might also like our modular network framework in Rust: https://ramaproxy.org
Chapters
- 00:00 Intro
- 00:27 Understanding the TLS Handshake Process
- 06:54 Understanding Middle Boxes and Network Behavior
- 08:33 The Privacy Gap in Network Traffic
- 14:08 Current Usage and Future of ECH
- 18:00 Consequences of ECH for Existing Infrastructures
- 24:19 Future of ECH: Privacy vs. Trust
- 26:32 Outro
Netstack.FM
More information: https://netstack.fm/#episode-33
Join our Discord: https://discord.gg/VN77rKHR
Reach out to us: hello@netstack.fm
Music for this episode was composed by Dj Mailbox. Listen to his music at https://on.soundcloud.com/4MRyPSNj8FZoVGpytj.
