Protocol Shorts: TLS Encrypted Client Hello

31 March 2026

Season 1 · Episode 33 · 27:57

1×

On this page

Show notes

Episode 33 – Protocol Shorts: TLS Encrypted Client Hello.

This episode explores TLS Encrypted Client Hello (ECH) and how it improves privacy on the internet by hiding sensitive metadata that was previously exposed during the TLS handshake. While traditional TLS encrypts the actual data exchanged between client and server, key details like the Server Name Indication (SNI), which reveals the website you are visiting, remained visible to intermediaries such as ISPs or network middleboxes.

Glen explains how ECH addresses this gap by encrypting most of the Client Hello message using keys obtained via secure DNS, preventing third parties from easily identifying user activity. The discussion also covers real-world implications, including the impact on network infrastructure that relies on traffic inspection and the role of cloud providers in TLS termination.

Learn more

https://datatracker.ietf.org/doc/rfc9849/ — TLS Encrypted Client Hello
https://blog.cloudflare.com/encrypted-client-hello/ — Practical explanation of ECH and deployment
https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security — TLS fundamentals and handshake overview
https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/ — another TLS handshake overview
https://tls12.xargs.org/ — a tls 1.2 handshake, explained byte by byte
https://tls13.xargs.org/ — a tls 1.3 handshake, explained byte by byte
https://www.rfc-editor.org/rfc/rfc8446 — TLS 1.3 specification and handshake details
https://blog.mozilla.org/security/2021/01/07/encrypted-client-hello-the-future-of-esni-in-firefox/ — Firefox perspective on ECH adoption
https://blog.mozilla.org/security/2021/01/07/encrypted-client-hello-the-future-of-esni-in-firefox/ — Firefox perspective on ECH adoption
https://samueloph.dev/blog/i-use-curl-with-ech-btw-in-debian/ — blog article about adding ECH into curl
https://www.rfc-editor.org/rfc/rfc9460 — a DNS record type that publishes connection parameters for a service
https://fosdem.org/2026/schedule/event/CKANPK-programmable_networking_with_rama/ — FOSDEM 2026 talk about Rama

Rama

If you like this podcast you might also like our modular network framework in Rust: https://ramaproxy.org

Chapters

Intro
Understanding the TLS Handshake Process
Understanding Middle Boxes and Network Behavior
The Privacy Gap in Network Traffic
Current Usage and Future of ECH
Consequences of ECH for Existing Infrastructures
Future of ECH: Privacy vs. Trust
Outro

Netstack.FM

More information: https://netstack.fm/#episode-33

Join our Discord: https://discord.gg/29EetaSYCD

Reach out to us: hello@netstack.fm

Music for this episode was composed by Dj Mailbox. Listen to his music at https://on.soundcloud.com/4MRyPSNj8FZoVGpytj.

Transcript

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

Glen (Plabayo)

Elizabeth (Plabayo)

← All episodes