blog.trnck.dev

[post] Cloudflare re-enables ECH

+42
_posts/2024-09-29-cloudflare-with-ech-again.md
··· 1 + --- 2 + title: "Cloudflare with the ECH again" 3 + image: "cloudflare-with-ech-again.png" 4 + --- 5 + 6 + Three months ago, I promised to _let you know_ if anything ever changes about the Cloudflare and <abbr title="Encrypted Client Hello">ECH</abbr> situation - and here we are. As of at least a couple weeks back, Cloudflare has been re-enabling ECH on all free tier websites. Just. Lovely. 7 + 8 + It looks like I was also right in my guesses around the reasoning behind the initial disabling of ECH - [Cloudflare's official docs](https://developers.cloudflare.com/ssl/edge-certificates/ech/) now have an entire section called "Enterprise network applicability", aiming to document what companies can do to disable ECH on their networks (the tl;dr is that you just drop the `HTTPS` DNS record types from your corporate DNS resolver[^1]). 9 + 10 + So, after nearly one year of my [initial ECH and ML-KEM blog](/hello-internet/), here is the updated table of adoption some arbitrarily chosen domains: 11 + 12 + | Domain | Protocol | Key exchange | ECH support | Cloudflare? 
| 13 + | ------------------ | -------- | --------------------- | ----------- | ----------- | 14 + | `tiktok.com` | TLS 1.3 | X25519 | No | ❌ | 15 + | `twitter.com` | TLS 1.3 | X25519 | No | ❌ | 16 + | `github.com` | TLS 1.3 | X25519 | No | ❌ | 17 + | `npmjs.com` | TLS 1.3 | X25519Kyber768Draft00 | No | ✅ | 18 + | `cloudflare.com` | QUIC | X25519Kyber768Draft00 | No | ✅ | 19 + | `apple.com` | TLS 1.3 | X25519 | No | ❌ | 20 + | `netflix.com` | TLS 1.3 | X25519 | No | ❌ | 21 + | `vercel.com` | TLS 1.3 | X25519 | No | ❌ | 22 + | `google.com` | QUIC | X25519Kyber768Draft00 | No | ❌ | 23 + | `instagram.com` | QUIC | X25519 | No | ❌ | 24 + | `shopify.com` | TLS 1.3 | X25519Kyber768Draft00 | No | ✅ | 25 + | `drive.google.com` | QUIC | X25519Kyber768Draft00 | No | ❌ | 26 + | `youtube.com` | TLS 1.3 | X25519Kyber768Draft00 | No | ❌ | 27 + | `interclip.app` | QUIC | X25519Kyber768Draft00 | Yes | ✅ | 28 + 29 + Damn, besides Shopify and YouTube defaulting to TLS 1.3 instead of QUIC on Chrome now for some reason, literally nothing has changed when comparing to the table from October 2023 - no big domain I visit daily supports the Encrypted Client Hello goodness. We're still a long way from ECH being standard, so I guess, see you in 2025? 30 + 31 + If we analyze the top 10 000 requested domains on Cloudflare, there is a significant number of them with ECH configured in their DNS. To my surprise, this included the very popular torrent trackers 1337x, KickassTorrents and BadassTorrents (although on second thought, these websites tend to be on Cloudflare's free tier, so it kind of makes sense). Some other notable adopters include: 32 + 33 + - [curseforge.com](https://www.curseforge.com/) 34 + - gitlab.io 35 + - [jsdelivr.com](https://www.jsdelivr.com/) 36 + - returnyoutubedislikeapi.com 37 + 38 + Out of the 10 000, 349 domains have ECH enabled, which is a pretty ~3.5% starting adoption rate. 
Let's see if Cloudflare continues the rollout as promised and we begin to see adoption among the giants. 39 + 40 + ## Footnotes 41 + 42 + [^1]: Of course, if you as an employee have access to the browser settings, you can just change your DNS resolver to a public one like Cloudflare's [1.1.1.1](https://one.one.one.one/) or Google's [8.8.8.8](https://developers.google.com/speed/public-dns/) to skip these restrictions.
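Review bot: the "ECH support" column never states how support was measured, and as written it sits oddly with the surrounding text: `cloudflare.com`, `npmjs.com` and `shopify.com` are marked Cloudflare ✅ yet "No" for ECH, while the opening paragraph says Cloudflare is re-enabling ECH on free-tier sites and the later "top 10 000" paragraph counts a domain as ECH-enabled when its DNS carries an ECH config. Say in the sentence introducing the table which criterion applies (ECH actually negotiated by the browser versus an `HTTPS` record with an ECH config present in DNS), and say whether the three ✅/No rows are paid-tier zones, so the reader can reconcile the table with the ~3.5% figure. Two wording slips in the same region: "updated table of adoption some arbitrarily chosen domains" is missing "of", and "which is a pretty ~3.5% starting adoption rate" reads better as "which is a ~3.5% starting adoption rate". The footnote's resolver-switching tip also deserves a qualifier that it only applies where the network lets endpoints reach an outside resolver at all, since the same enterprise controls the post describes can also pin clients to the corporate resolver.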
img/thumbnail/cloudflare-with-ech-again.png
