Is a new privacy protocol helping malicious actors more than Internet users?

Encrypted Client Hello (ECH) is a security protocol designed to increase user privacy by encrypting the content exchanged between clients and servers when they are establishing a connection. Increased user privacy — what’s not to like?

Unfortunately, in the view of many enterprise security professionals, the increased privacy promised by ECH could simultaneously reduce their ability to detect and respond to threats. Widespread adoption of the security protocol would severely curtail the ability of enterprises to identify and block connections to malicious domains.

Late last year, our team at Corrata noticed an uptick in detections of an ECH domain. The numbers were small — low thousands among hundreds of millions of domain scans — but nonetheless intriguing. Did this herald the primetime arrival of ECH? Would widely-used security tools soon be blind to large swaths of internet traffic?