Making TLS Handshake more Secure - The New Encrypted Client Hello TLS Extension (ECH)
In this video, I will discuss the new TLS extension Encrypted Client Hello which is a new mechanism to encrypt the entire client hello, very interesting and elegantly design but I have my few reservations and criticisms. Let us discuss.
Intro 0:00
Classic TLS with SNI 7:00
ESNI 9:30
ECH 12:30
Limitations and Problems 21:00
Let's say the backend server hosts example.com with the cert of example.com and let us call this the “real” SNI. To support ECH, the same server should also host a client facing cert, lets call it server-ech.com with corresponding server-ech.com cert. So your server IP address is hosting two domains. example.com and ( server-ech.com just to support ech)
So when you perform an oDoH/DoH query looking for example.com you will get back the IP address of example.com, (which is the same ip address as server-ech.com), you will also get the ephemeral public key of example.com from the HTTPSSVC DNS record. This will be used to encrypt the inner client hello, and finally, you will get a record of the front-facing server domain name which is server-ech.com.
The client prepares the TLS ECH, it builds the outer client hello with the SNI value as server-ech.com, and the inner client hello with the real SNI (example.com) along side ALPN and other stuff..
It then uses the public key of example.com retrieved from the HTTPS DNS record to encrypt the inner client hello. The client sends the ECH.
Server receives the ECH, and attempts to decrypt the inner client hello with the corresponding ephemeral private key, if it succeeds it then completes the server hello and key exchange as normal.
if it fails to decrypt the inner client hello with its own private key that means the public key used, was stale, outdated, bad etc.. . The client then uses the outer client hello and it checks, do I have server-ech.com, yes I do have a cert for that, let me just finish the key exchange and server hello with that instead, and btw, here is my REAL public key for exampl
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from Hussein Nasser · Hussein Nasser · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Extending ArcObjects (IGeometry) - 01 - Getting Started
Hussein Nasser
Extending ArcObjects (IGeometry) - 02 - The Document, The Map and The Layers
Hussein Nasser
Channel Update - New Book, New Job, New Videos
Hussein Nasser
Learn Programming with VB.NET - 01 - Getting Started
Hussein Nasser
Learn Programming with VB.NET - 02 - Classes and Objects (Part 1)
Hussein Nasser
Learn Programming with VB.NET - 03 - Classes and Objects (Part 2)
Hussein Nasser
Learn Programming with VB.NET - 04 - User Interface
Hussein Nasser
Learn Programming with VB.NET - 05 - By Value v. By Reference
Hussein Nasser
Learn Programming with VB.NET - 06 - Variable size, 32 bit vs 64 bit
Hussein Nasser
Learn Programming with VB.NET - 07 - Conditional Statements
Hussein Nasser
Learn Programming with VB.NET - 08 - Inheritance
Hussein Nasser
Learn Programming with VB.NET - 09 - Strategy Design Pattern
Hussein Nasser
Learn Programming with VB.NET - 10 - How did I learn programming
Hussein Nasser
IGeometry 2016 Retrospective - Channel Update
Hussein Nasser
Javascript by Example - The Vook
Hussein Nasser
Vlog - Keep your servers close and your database closer
Hussein Nasser
Vlog - Client/Server Programming Languages
Hussein Nasser
Javascript By Example L1E01 - Getting Started
Hussein Nasser
Persistent Connections (Pros and Cons)
Hussein Nasser
Javascript By Example L1E02 - Building the Calculator Interface
Hussein Nasser
Happy new Year from IGeometry!
Hussein Nasser
Synchronous v. Asynchronous
Hussein Nasser
Javascript By Example L1E03 - Displaying the Digits on Calculator Screen
Hussein Nasser
Show Your Work. Blog, Vlog, Write, Create and Develop!
Hussein Nasser
Relational Database Atomicity Explained By Example
Hussein Nasser
Javascript By Example L1E04 - Operators, All Clear with Arrow Functions
Hussein Nasser
What Comes First, User Experience or Software Architecture?
Hussein Nasser
Javascript By Example L1E05 - Evaluate the Calculator Expressions with eval
Hussein Nasser
Fastest Way to Learn Programming Language or Technology
Hussein Nasser
Javascript By Example L1E06 - Fix Leading Zero Bug with Conditions
Hussein Nasser
Stateful vs Stateless Applications (Explained by Example)
Hussein Nasser
Javascript By Example L1E07 - Running our Calculator on the Mobile Phone
Hussein Nasser
Advice for New Software Engineers and Developers
Hussein Nasser
Why JSON is so Popular?
Hussein Nasser
Building Scalable Software - SLA, HS, VS
Hussein Nasser
Vlog (Istanbul) - Datacenter Proximity
Hussein Nasser
Should Software Engineers Learn Bleeding-Edge Technologies?
Hussein Nasser
Do Developers Build Bad User Interfaces/Experience?
Hussein Nasser
Learn By Doing.
Hussein Nasser
I Wrote Bad Front-End Code That Broke Chrome
Hussein Nasser
My Story
Hussein Nasser
Vlog - Horizontal vs Vertical Scaling
Hussein Nasser
Can User Experience Help Build Better Rest API?
Hussein Nasser
Reverse engineering Instagram in flight mode
Hussein Nasser
The Benefits of the 3-Tier Architecture (e.g. REST API)
Hussein Nasser
Stateless v. Stateful Architecture (Podcast)
Hussein Nasser
The evolution from virtual machines to containers
Hussein Nasser
Proxy vs. Reverse Proxy (Explained by Example)
Hussein Nasser
Canary Deployment (Explained by Example)
Hussein Nasser
No Excuses
Hussein Nasser
Synchronous vs Asynchronous Applications (Explained by Example)
Hussein Nasser
What is an Asynchronous service?
Hussein Nasser
Difference between Client Polling vs Server Push in Notifications
Hussein Nasser
Software vs. Hardware AdBlockers (Explained by Example)
Hussein Nasser
HTTP Caching with E-Tags - (Explained by Example)
Hussein Nasser
Simple Object Access Protocol Pros and Cons (Explained by Example)
Hussein Nasser
Nodejs Express "Hello, World"
Hussein Nasser
Reverse Engineering Instagram feed
Hussein Nasser
Popup Modal Dialog with Javascript and HTML
Hussein Nasser
MIME and Media Type sniffing explained and the type of attacks it leads to
Hussein Nasser
More on: Security Basics
View skill →
Related AI Lessons
⚡
⚡
⚡
⚡
AI is slowly destroying open source and its not even done yet
Dev.to · Bridget Amana
NEES Core Engine: An Appeal to Builders, Companies, and Researchers Who Believe AI Needs Governance
Medium · Startup
MYTHOS ERA
Medium · AI
AI + Formal Verification: The Final Form of Secure Software Development – Lessons from Vitalik Buterin
Dev.to AI
🎓
Tutor Explanation
DeepCamp AI