Understanding Encrypted Client Hello (ECH): Key Insights from RFC 9849

Why ECH Matters for Modern Security Professionals

Network engineers, software developers, and security analysts are constantly battling passive and active attackers who exploit the plaintext SNI to infer which services a client is contacting. RFC 9849, published in March 2026, introduces Encrypted Client Hello (ECH) as a privacy‑enhancing mechanism that fits seamlessly into the existing TLS 1.3 handshake. By moving the SNI and other extensions into an encrypted envelope, ECH thwarts traffic‑analysis attacks, reduces fingerprinting surface, and aligns TLS with the broader goal of “encrypted everything.”

For teams building AI‑driven SaaS platforms, the ability to hide service identifiers is especially valuable when integrating third‑party AI APIs (e.g., OpenAI ChatGPT integration) or when exposing custom AI agents through edge proxies.

Purpose of RFC 9849: Privacy‑First TLS Handshakes

RFC 9849 was authored to address two core problems:

• Leakage of the SNI. In TLS 1.3 the ServerHello and certificate are encrypted, but the ClientHello—including the SNI—remains in clear text.
• Correlation attacks across services. Observers can link multiple connections to the same domain by matching SNI values, ALPN lists, or early‑data flags.

The specification defines a new TLS extension (encrypted_client_hello, type 0xfe0d) that carries an encrypted ClientHelloInner. The outer handshake (ClientHelloOuter) contains only innocuous values, making the entire exchange indistinguishable from a regular TLS 1.3 handshake to passive on‑path devices.

For organizations that already use Enterprise AI platform by UBOS to process sensitive data, ECH adds a layer of network‑level confidentiality that complements application‑level encryption.

Technical Details: How ECH Works

1. Protocol Flow Overview

The ECH handshake can be visualized in three stages:

1. Configuration Retrieval. The client obtains an ECHConfig via DNS SVCB/HTTPS records (see TLS security resources for DNS best practices).
2. ClientHello Construction. The client builds a ClientHelloInner (containing the real SNI, ALPN, early‑data, etc.) and encrypts it with HPKE using the server’s public key. The encrypted blob is placed inside the encrypted_client_hello extension of the ClientHelloOuter.
3. Server Processing. The server (or a client‑facing proxy) attempts to decrypt the extension. If successful, it forwards the inner hello to the backend; otherwise, it proceeds with the outer hello, optionally returning retry_configs for a second attempt.

2. ECH Configuration Format

An ECHConfig is a binary structure that includes:

• version – currently 0xfe0d.
• key_config – HPKE public key, KEM, KDF, and AEAD identifiers.
• maximum_name_length – used for padding calculations.
• public_name – the DNS name of the client‑facing server (e.g., ech.example.com).
• extensions – optional future‑proof fields.

The configuration is signed by the server’s private key and published in DNS. Clients cache the config for the TTL, allowing rapid reuse across connections.

3. Client‑Side Behavior

When a client supports ECH, it follows these steps:

1. Select a compatible ECHConfig (matching KEM, KDF, AEAD).
2. Generate a fresh HPKE context and encrypt the ClientHelloInner.
3. Apply the recommended padding scheme (round up to the nearest 32‑byte boundary) to hide the inner length.
4. Insert the encrypted payload into the encrypted_client_hello extension of the outer hello.
5. Send the ClientHelloOuter and await the server’s response.

If the server rejects ECH, the client can retry with updated configurations without exposing the original inner hello.

4. Server‑Side Processing

Servers operate in either shared mode (client‑facing and backend combined) or split mode (separate TLS terminator). In both cases:

• Attempt decryption of the encrypted_client_hello using each known ECHConfig.
• If decryption succeeds, forward the inner hello to the backend and embed an accept_confirmation in ServerHello.random.
• If decryption fails, respond with a normal ServerHello (ECH rejected) or include retry_configs for a second attempt.

Servers must also enforce the “no duplicate references” rule for the ech_outer_extensions list to prevent amplification attacks (see Appendix A of the RFC).

Implications for Deployment, Compatibility, and Security

Deployment Considerations

Adopting ECH requires coordination across DNS, edge proxies, and backend services. Key practical points include:

• DNS Publication. Publish ECHConfig in SVCB/HTTPS records. Use DNSSEC or DoH/DoT to protect against tampering (privacy in TLS insights).
• Key Rotation. Rotate HPKE keys regularly (recommended ≤ 30 days) to limit forward‑secrecy exposure.
• Middlebox Compatibility. Most modern middleboxes ignore unknown extensions, but legacy devices may drop connections. GREASE ECH (ChatGPT and Telegram integration) can be used to test deployability without breaking traffic.
• Monitoring. Track ech_required alerts (IANA‑registered) to detect misconfigurations.

Compatibility Issues

Because the SNI is no longer visible, load balancers that rely on plaintext SNI for routing must be updated to use the public_name field or TLS‑ALPN routing. Services that perform TLS‑based traffic shaping may need to inspect the outer hello instead.

For SaaS providers that expose AI endpoints (e.g., Telegram integration on UBOS), ensuring that the edge proxy can forward the encrypted inner hello to the correct backend is essential.

Security Impact

ECH dramatically reduces the attack surface for:

• Passive SNI sniffing.
• Correlation attacks that link multiple connections to the same domain.
• Cut‑and‑paste attacks on the ClientHello (thanks to HPKE authentication).

However, ECH does not protect against compromised DNS without encryption. Pairing ECH with AI marketing agents that use DoH can provide end‑to‑end privacy.

Illustration: ECH Handshake Flow

The diagram below (generated by UBOS) visualizes the three‑step ECH exchange, highlighting the encrypted inner hello and the outer hello that traverses the network.

Notice how the ClientHelloInner never leaves the client‑facing server in clear text, while the ClientHelloOuter appears identical to a standard TLS 1.3 hello to any observer.

Read the Full Specification

For a complete technical description, consult the official document: RFC 9849 – Encrypted Client Hello. The RFC includes formal security proofs, IANA considerations, and a full list of extension registries.

Related UBOS Resources

Understanding ECH in the context of modern AI‑driven platforms can be enriched by exploring these UBOS pages:

• UBOS platform overview – how the low‑code environment integrates TLS extensions.
• UBOS templates for quick start – pre‑built templates like AI SEO Analyzer that can benefit from encrypted handshakes.
• Workflow automation studio – automate DNS record updates for ECH configurations.
• UBOS pricing plans – compare tiers that include enterprise‑grade TLS features.
• UBOS portfolio examples – real‑world deployments that already use encrypted traffic.
• UBOS for startups – why early‑stage companies should adopt ECH to protect brand privacy.
• UBOS solutions for SMBs – cost‑effective ways to enable ECH without dedicated security staff.
• About UBOS – our mission to democratize secure AI infrastructure.
• UBOS partner program – collaborate on privacy‑first networking solutions.
• AI Video Generator – a use case where ECH hides the origin of large media uploads.
• AI Article Copywriter – protect the content‑generation pipeline from traffic analysis.
• Talk with Claude AI app – an example of a privacy‑sensitive chatbot that benefits from ECH.

Conclusion: Embrace Encrypted Client Hello Today

RFC 9849 delivers a pragmatic, standards‑based answer to the long‑standing SNI privacy problem. By encrypting the ClientHello, ECH shields critical metadata from eavesdroppers, strengthens anonymity sets, and future‑proofs TLS deployments against emerging traffic‑analysis techniques.

For organizations building AI‑centric SaaS products, integrating ECH is a natural extension of existing security practices. Pair it with ElevenLabs AI voice integration or Chroma DB integration to ensure that both data at rest and data in transit remain confidential.

Take the next step: Review your DNS configuration, enable HPKE key generation, and deploy the encrypted_client_hello extension on your edge servers. Need hands‑on assistance? Contact UBOS for a guided implementation and start protecting your clients’ privacy with ECH.