Back

Solutions like Encrypted Client Hello (ECH) remove the plaintext server name from the TLS handshake, which makes it far more difficult for hostile ISPs to block access to the sites and services you care about — but this isn’t widely supported yet. We hope that starts to change.

In the meantime, our team will continue to do everything we can to maintain and restore access to Signal. We appreciate your patience and support.

@signalapp Signal Desktop desperately needs Signal Proxy support too as Signal proxies do seem to work in these situations.

@durumcrustulum @signalapp last autumn Cloudflare did roll out ECH basically for everyone. Here's the announcement: https://blog.cloudflare.com/announcing-encrypted-client-hello But quickly had to pull the plug: https://community.cloudflare.com/t/early-hints-and-encrypted-client-hello-ech-are-currently-disabled-globally/567730

@letoams @durumcrustulum @signalapp Yes, we only get one chance to deploy it correctly globally

@rsalz @letoams @durumcrustulum Ideal ECH should be indistinguishable from GREASE (so that anyone blocking ECH would block a lot of regular traffic as well); skimming the draft it appears like that's the case.

@chrysn @letoams @durumcrustulum It has a unique extension so is identifiable. We could not figure how how to make it indistinguishable. If the receiving server needs to know "oh this is ECH" than so can an on-path intermediate.

@rsalz @chrysn @letoams yeah Rich is correct

@rsalz @chrysn @letoams ECH is a privacy improvement but not censorship-resistant, nor designed to be

@durumcrustulum @rsalz @chrysn I somewhat disagree

@letoams @rsalz @chrysn i mean if it were designed for it it would look like elligator or other censorship-resistant designs out in the world - it doesn't

@durumcrustulum @letoams @chrysn It's anti-cencorship in that "they" can't see WHERE you are going, only that you ARE going somewhere else. If the cleartext destination is a major CDN, or a hyperscaler, then our thinking is that "they" will not risk filtering. We shall see. ECH is fraught, and must be globally rolled out with care, else "they" will just block it.

@network_is_reliable @signalapp Can an operator ban ECH?

@dinosm @signalapp It's already done in Russia using DPI for example.

@dalias @dinosm @signalapp As long as mainstream sites have to be back-compatible with previous TLS versions usage of ECH won't be practical at all as tool against censorship. And keep in mind that there are countries which already banned Google and Youtube. ECH will be just banned too.

@network_is_reliable @dinosm @signalapp Yes, for blocking it to become impractical, it may take client devices that refuse to connect without ECH - both to known C&C domains associated with the device/app, and, in browsers and such, to sites that have previously pinned that they support ECH.

I'm not sure if it's technically possible to deduce after the non-ECH handshake that an ECH-blocking downgrade attack was performed. If so, that makes it a lot easier to push ECH as "unblockable".

@ireneista @dalias @dinosm @network_is_reliable @signalapp the hard problem in that game is, unfortunately, the rollout. totalitarian censors will write their DPI rules as the spec is written, turning the new feature into "blocked in X country" from day 1

@valpackett @dalias @dinosm @network_is_reliable @signalapp yes absolutely, that's a real danger

@jpgoldberg @signalapp It works fine, it was designed to. See for example https://www.ietf.org/archive/id/draft-ietf-tls-wkech-05.html