
In the context of website TLS and security, a “private hello” refers to Encrypted Client Hello (ECH), a TLS 1.3 extension that encrypts the initial greeting message (the ClientHello) a browser sends to a server. By protecting that message, ECH eliminates the final plaintext metadata leak in modern HTTPS connections.
The Security Blind Spot: Cleartext SNI
When you visit an HTTPS website, your browser starts with an unencrypted Client Hello handshake message. Inside this message is the Server Name Indication (SNI) field, which states the exact domain name you want to visit.
- The Vulnerability: Because the SNI is sent before encryption begins, network observers (like ISPs, Wi-Fi eavesdroppers, or government censors) can see precisely what website you are accessing, even though the subsequent web traffic is fully encrypted.
- The Solution: ECH fixes this metadata gap by splitting the handshake greeting into two distinct components.
How Encrypted Client Hello (ECH) Works
ECH protects your metadata by creating a dual-layered greeting:
- Outer Client Hello: This layer is entirely public and contains only a generic, non-sensitive server name (for example, the public name of a Content Delivery Network such as Cloudflare).
- Inner Client Hello: This layer contains the real website domain you want to visit (e.g., privatebank.com) and is encrypted using the provider’s public key.
When an eavesdropper intercepts the traffic, they only see a connection to the generic outer provider, effectively masking your true destination within an anonymity set of thousands of other websites sharing that same infrastructure.
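To make the outer/inner split concrete, here is an added example (not part of this page or of any browser's ECH implementation) that builds a minimal TLS ClientHello record and then parses it the way a passive network observer would, pulling out the cleartext SNI and noting whether an `encrypted_client_hello` extension (codepoint 0xfe0d) is present. The real protocol seals the inner ClientHello with HPKE under the provider's key; this example stands in an opaque placeholder blob for that ciphertext and uses constructed names (`privatebank.com`, `public.example`) so it runs offline.

```python
import os
import struct
from typing import Optional

SNI_EXT = 0x0000   # server_name extension
ECH_EXT = 0xFE0D   # encrypted_client_hello extension codepoint (draft-ietf-tls-esni)


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def _sni_ext(hostname: str) -> bytes:
    """ServerNameList with a single host_name (name_type 0) entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return _ext(SNI_EXT, struct.pack("!H", len(entry)) + entry)


def build_client_hello(sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Build a minimal TLS 1.3 ClientHello record (constructed, not a capture)."""
    exts = _sni_ext(sni)
    if ech_payload is not None:
        # Placeholder for the HPKE-sealed inner ClientHello; opaque to an observer.
        exts += _ext(ECH_EXT, ech_payload)
    body = (
        b"\x03\x03"                                # legacy_version (TLS 1.2 for compat)
        + os.urandom(32)                           # random
        + b"\x00"                                  # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts      # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                                # skip 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    view = {"sni": None, "ech": False, "ech_len": 0}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            p = 2                                  # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                if ntype == 0:
                    view["sni"] = edata[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == ECH_EXT:
            view["ech"] = True
            view["ech_len"] = elen
    return view


def observer_view(real_domain: str, public_name: str, use_ech: bool) -> dict:
    """Simulate what sits on the wire with and without ECH, then parse it."""
    if not use_ech:
        return parse_client_hello(build_client_hello(real_domain))
    inner = build_client_hello(real_domain)        # the sensitive inner hello
    ciphertext = b"\x00" * len(inner)              # stand-in for the HPKE ciphertext
    outer = build_client_hello(public_name, ech_payload=ciphertext)
    assert real_domain.encode("ascii") not in outer   # real name never appears in clear
    return parse_client_hello(outer)


if __name__ == "__main__":
    print("plain:", observer_view("privatebank.com", "public.example", use_ech=False))
    print("ech:  ", observer_view("privatebank.com", "public.example", use_ech=True))
```

Without ECH the parser recovers `privatebank.com` from the cleartext SNI; with ECH it sees only `public.example` plus an opaque extension, which is also exactly the signal a monitoring tool would log to count ECH adoption on a network.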
Key Security Benefits
- Prevents Traffic Profiling: Network surveillance tools cannot log your browsing history based on TLS handshake data.
- Bypasses Censorship: Network firewalls cannot selectively block specific websites based on SNI inspection.
- Replaces Insecure ESNI: It resolves the cryptographic and architectural weaknesses found in the older Encrypted SNI (ESNI) draft protocol.
Current Deployment Status
For a “private hello” to function properly, it requires coordinated ecosystem support:
- Browsers: Modern web browsers like Mozilla Firefox and Google Chrome have built-in ECH capabilities.
- DNS Infrastructure: The network must support Secure DNS (DNS-over-HTTPS or DNS-over-TLS) to securely retrieve the public keys needed to encrypt the inner hello.
- Web Hosting: Major server networks and reverse proxies must implement ECH on their load balancers.
Are you planning to enable ECH for your clients? Buy PrivateHello.com
