Zero Trust meets with Client Rebellion

Before a browser establish secure SSL with a website, there are a few handshaking steps that send the hostname in plaintext. The network administrator or owner can know which website the users is assessing without much effort. The hostname is also give blue team or Zero Trust network a way to monitor the network for malicious outbound connections. BUT things is changing.

Cheers to Browsers

Chrome, Firefox, Edge all implemented Encrypted ClientHello (ECH) !! Users are now beginning to conceal their website activity! The Blue Team has lost one of their tools for network monitoring. Firefox enabled ECH last year and on 25 Nov 2022 Chrome Dev edition started to support also.Google Chrome Canary gets experimental Encrypted Client Hello (ECH) support РgHacks Tech NewsCheckpoint, Fortinet and major firewalls are using SNI Hello message to do web filtering. They cannot rely on DNS since people are using encrypted DNS already.

ECH, an extension to TLS, is designed to encrypt metadata in the ClientHello handshake messages, like the Server Name Indication (SNI) and Application-Layer Protocol Negotiation (ALPN). The intention behind ECH is to enhance privacy by preventing unauthorized access to these metadata, which could potentially be used to track or interfere with the client’s connections. The encryption key for this process is obtained through DNS over HTTPS (DoH) using SerViCe Binding (SVCB) or HTTPS RR records.

Firewalls are blinded

However, concerns were raised about ECH’s integration with network security, with emphasis on the Zero Trust model. With ECH + DNS over HTTPS, firewalls are totally blinded.It is a good news for user privacy and working in cafe/public WIFI. But it is a nightmare for schools IT administrators, librarians and even companies with BYOD policy! Web Filtering will not work unless it is 100% proxied ( high server costs, slow and also extremely invading user privacy ) Although ECH aims to improve transport layer security, it might unintentionally complicate network layer security and introduce vulnerabilities. Network security team be cautioned that the ECH, being part of TLS at the transport layer, interacts with technologies like DoH and SVCB, which operate at the network layer, potentially introducing additional complexity and vulnerabilities to an already vulnerable TLS protocol.

Some experts discussions can be found at

https://circle.cloudsecurityalliance.org/discussion/is-encrypted-client-hello-a-challenge-for-zero-trust-implementation

Leave a Reply