This article is for organisations that use an On-Premise Appliance to filter unmanaged BYO devices but don’t use HTTP inspection. It explains how to stop browsers with Encrypted Client Hello (ECH) enabled from bypassing filtering.
Whichever option you choose, follow the instructions in the Before you begin section first. Dealing with ECH on its own is not enough: QUIC and DNS over HTTPS can also carry traffic past the filter, so web filtering only works as expected once those are handled as well.
What is ECH?
Encrypted Client Hello (ECH) is a privacy extension to TLS, enabled by default in current Chrome, Edge and Firefox, that encrypts the part of the ClientHello carrying the Server Name Indication (SNI). The visible, outer ClientHello only carries a generic public name (for example cloudflare-ech.com), so a filter that relies on the SNI to identify the site cannot tell which domain the user is actually visiting.
Without HTTPS Inspection, the SNI in the ClientHello is the only thing Smoothwall has to identify the site; when ECH is on, that SNI is encrypted, so Smoothwall cannot filter the connection by domain. Users can therefore reach content that should be blocked.
Note
You can turn off ECH in Chrome or Edge by setting the TlsEncryptedClientHelloEnabled policy to false. The setting has to be applied on each device, for example through Group Policy, and only managed devices will keep it: users of unmanaged BYO devices can switch ECH back on at will, so this is not a reliable control on its own.
Ensure BYO devices with ECH are filtered
Before you begin
- Prevent QUIC on your network. Quick UDP Internet Connections (QUIC) carries HTTP/3 over UDP port 443 rather than TCP, so a browser that is allowed to use QUIC can bypass a filter that only handles TCP. Block UDP port 443 (or disable QUIC in the browser) so that browsers fall back to TLS over TCP, where filtering applies.
- (Recommended) Block DNS over HTTPS by creating a Web Filter Policy with DNS over HTTPS in the What field, with Block as the Action. DNS over HTTPS (DoH) encrypts DNS lookups inside HTTPS, so your network can no longer see or filter the domains being resolved. It also matters for ECH specifically: browsers obtain the ECH key from the site's DNS HTTPS record, and resolving that record over DoH hides the lookup from your network.
Best practice: Use HTTPS Inspection
HTTPS Inspection stops ECH from bypassing web filtering for all websites. With inspection on, Smoothwall terminates the TLS connection itself rather than passing it through, so it sees the real hostname, URL and page content that ECH would otherwise have hidden.
Step 1: Apply HTTPS Inspection
Ensure you have HTTPS Inspection policies that Decrypt and Inspect all user traffic everywhere. Smoothwall can then analyse the content, categorise it and take the appropriate filtering action.
Step 2: Install the HTTPS Inspection Certificate on each device
Users must download and install the Certificate from the getmitm page. Inspected connections are signed by Smoothwall's own certificate authority, so without it every HTTPS site shows a certificate warning or error; installing the Certificate makes the browser trust the inspected connections.
If HTTPS Inspection is not possible: Block the ECH category
Warning
Only use this option if you can’t use HTTPS Inspection.
ECH is used by a wide range of websites, from educational applications you would normally allow to content that would usually be blocked, such as pornography. Blocking the ECH category blocks every site that uses ECH, legitimate or not, because the filter cannot tell them apart.
Sites that use ECH, such as those whose connections show cloudflare-ech.com as the public name, will no longer be reachable on your network, and users will see a 'This site can't be reached' message. The only way to allow such a site again is to move to HTTPS Inspection.
Tip
Let us know about any ECH sites we should add to the list through our Blocklist Feedback Form.
Create a Web Filter Policy with Encrypted Client Hello in the What field, with Block as the Action.
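The following added example (not Smoothwall code, and not part of the original article) shows in working Python why the two approaches above behave as they do. It builds a minimal TLS ClientHello, parses back what a filter without HTTPS Inspection can see (the outer SNI and whether the encrypted_client_hello extension, type 0xfe0d, is present), and then applies a domain blocklist with and without an "ECH category" rule. The site names, the blocklist and the ECH extension payload are constructed placeholders; a real ECH payload would be an HPKE-encrypted inner ClientHello, which a filter cannot read either way.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ECH = 0xFE0D  # encrypted_client_hello, as registered by draft-ietf-tls-esni

# Constructed stand-in for an outer ECH extension: type=outer, kdf/aead ids,
# config_id, a 32-byte "enc" value and a 64-byte opaque "payload". The real
# payload is the encrypted inner ClientHello (with the true SNI inside it).
CONSTRUCTED_ECH = (struct.pack("!BHHB", 0, 1, 1, 1)
                   + struct.pack("!H", 32) + bytes(32)
                   + struct.pack("!H", 64) + bytes(64))


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, ech_payload=None):
    """Construct a minimal TLS 1.3 ClientHello record. 'sni' is whatever goes
    in the visible outer ClientHello; with ECH a browser puts the public name
    there (e.g. cloudflare-ech.com) rather than the site being visited."""
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = _ext(EXT_SERVER_NAME, sni_body)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")  # offers TLS 1.3 only
    if ech_payload is not None:
        exts += _ext(EXT_ECH, ech_payload)
    body = (b"\x03\x03" + bytes(32)                # legacy_version + all-zero random (constructed)
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs


def parse_client_hello(record):
    """Return {'sni': str | None, 'ech': bool} from the visible ClientHello.
    This is everything a filter without HTTPS Inspection gets to look at."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip legacy_version and random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                               # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]   # first server_name entry
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ECH:
            result["ech"] = True                    # real hostname is inside, encrypted
    return result


def filter_decision(record, domain_blocklist, block_ech_category=False):
    """SNI-based filtering as a proxy without HTTPS Inspection would do it.
    'block_ech_category' models the 'Block the ECH category' policy."""
    info = parse_client_hello(record)
    if info["ech"] and block_ech_category:
        return "block:ech-category"                 # blocks every ECH site, allowed or not
    sni = info["sni"] or ""
    if any(sni == d or sni.endswith("." + d) for d in domain_blocklist):
        return "block:domain"
    return "allow"


if __name__ == "__main__":
    blocklist = {"example-adult-site.test"}        # constructed blocklist entry
    plain = build_client_hello("example-adult-site.test")
    hidden = build_client_hello("cloudflare-ech.com", ech_payload=CONSTRUCTED_ECH)
    print("no ECH:          ", filter_decision(plain, blocklist))
    print("ECH, domain only:", filter_decision(hidden, blocklist))
    print("ECH, ECH blocked:", filter_decision(hidden, blocklist, block_ech_category=True))
```

The middle case is the bypass described in this article: the same blocked site, reached with ECH on, is allowed because the only name the filter sees is the public name. The ECH-category rule closes that gap, but it does so by matching on the presence of the extension, which is why it also blocks every legitimate ECH site. Only decrypting the connection with HTTPS Inspection recovers the real hostname.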