The TLS Encrypted ClientHello (ECH) extension enables clients to encrypt ClientHello messages, which are normally sent in cleartext, under a server’s public key. This allows websites to opt in to avoid leaking sensitive fields, like the server name, to the network by publishing a special HTTPS RR DNS record. (Earlier iterations of this extension were called Encrypted Server Name Indication, or ESNI.) If your organization’s infrastructure relies on the ability to inspect SNI (for example, for filtering or logging), you should test it with ECH enabled. You can enable the new behavior by navigating to chrome://flags and enabling the #encrypted-client-hello flag. If you notice any incompatibilities, you can use the EncryptedClientHelloEnabled enterprise policy to disable support for ECH.
HTTPS connections leak information in the TLS ClientHello to the network, notably the hostname of the website being accessed. When supported by the website, ECH allows encrypting this message with a key provided by the server.
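The server's key is published as the ech SvcParam of the HTTPS record described above. As an added example (not Chrome's or the draft's code), this Python script parses a draft-16 ECHConfigList as carried in that parameter and reports the public_name, which is the name the network sees in the outer, cleartext SNI in place of the real hostname; the key bytes and hostname are constructed sample values, and the DNS lookup that fetches the parameter is assumed to have been done already.

```python
import base64
import struct

# Constructed sample value: 32 arbitrary bytes standing in for an X25519 public key.
SAMPLE_PUBLIC_KEY = bytes(range(32))

def build_ech_config_list(config_id, public_key, public_name):
    """Assemble one draft-16 ECHConfig (version 0xfe0d) inside an ECHConfigList.
    Only used to construct the sample; a real list comes from the HTTPS RR."""
    contents = (
        struct.pack("!BH", config_id, 0x0020)            # config_id, kem_id = DHKEM(X25519, HKDF-SHA256)
        + struct.pack("!H", len(public_key)) + public_key  # opaque public_key<1..2^16-1>
        + struct.pack("!HHH", 4, 0x0001, 0x0001)         # one suite: HKDF-SHA256 / AES-128-GCM
        + bytes([0])                                      # maximum_name_length (0 = no hint)
        + bytes([len(public_name)]) + public_name.encode()  # opaque public_name<1..255>
        + struct.pack("!H", 0)                            # no extensions
    )
    config = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    return struct.pack("!H", len(config)) + config

def parse_ech_config_list(blob):
    """Parse an ECHConfigList; unknown versions are skipped, as clients must do."""
    total, = struct.unpack_from("!H", blob, 0)
    pos, end, configs = 2, 2 + total, []
    while pos < end:
        version, length = struct.unpack_from("!HH", blob, pos)
        body = blob[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != 0xFE0D:
            continue
        config_id, kem_id, key_len = struct.unpack_from("!BHH", body, 0)
        off = 5
        public_key = body[off:off + key_len]; off += key_len
        suites_len, = struct.unpack_from("!H", body, off); off += 2
        suites = [struct.unpack_from("!HH", body, off + i) for i in range(0, suites_len, 4)]
        off += suites_len
        max_name_len = body[off]; off += 1
        name_len = body[off]; off += 1
        public_name = body[off:off + name_len].decode("ascii")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "maximum_name_length": max_name_len,
                        "public_name": public_name})
    return configs

def parse_ech_param(ech_b64):
    """Decode the base64 'ech=' SvcParam value of an HTTPS record and parse it."""
    return parse_ech_config_list(base64.b64decode(ech_b64))

def outer_sni_for(ech_b64):
    """The hostname a network observer sees in the outer ClientHello when ECH is used."""
    configs = parse_ech_param(ech_b64)
    return configs[0]["public_name"] if configs else None

# Constructed sample: what a site's HTTPS RR ech= parameter could look like.
SAMPLE_ECH_B64 = base64.b64encode(
    build_ech_config_list(42, SAMPLE_PUBLIC_KEY, "public.example")).decode()
```

Run against a real record, outer_sni_for shows which name an SNI-based filter or log would see once Chrome uses that site's ECH config.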
Samples: https://tls-ech.dev
Explainers:
https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.html#section-1
https://www.ietf.org/archive/id/draft-ietf-tls-esni-16.html#section-3
https://github.com/dadrian/ech-chrome