Encrypted Client Hello (ECH / ESNI)

Encrypted Client Hello (ECH), formerly known as Encrypted SNI (ESNI), is a TLS extension that encrypts the Server Name Indication (SNI) field of a TLS handshake. The SNI field traditionally reveals which domain a client is connecting to, even though the traffic itself is encrypted. ECH closes this privacy gap: the client fetches a public key that the domain publishes in [[dns|DNS]] (in an HTTPS or SVCB record) and uses it to encrypt the SNI, so ISPs and other network observers cannot tell which specific hostname on a shared IP is being visited. ECH requires [[dns-privacy|DNS privacy]] (e.g., [[dns-over-https-browser|DoH]]) to be fully effective, since an unencrypted DNS lookup for the hostname would otherwise reveal the same information.

Example

Without ECH, a passive observer on the path to a CDN-hosted IP sees 'TLS ClientHello → target: example.com' even over HTTPS. With ECH, the real SNI is encrypted, and the observer sees only the CDN's outer hostname (the public name carried in the outer ClientHello).
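The public key and outer hostname described above are carried in the ech= parameter of the HTTPS/SVCB record as a base64-encoded ECHConfigList. The following parser is an added example, not part of the original page, and works on a constructed record: the 32-byte key, the config_id value 7 and the hostname cdn.example are placeholders, not values from any real domain.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version used by current ECH drafts (draft-13 and later)

def _vec(buf, pos, len_bytes):
    """Read a TLS length-prefixed vector at pos; return (payload, position after it)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated ECHConfig vector")
    return buf[pos:pos + n], pos + n

def parse_ech_config_list(value):
    """Parse an ECHConfigList given as the base64 ech= SvcParam value or as raw bytes."""
    blob = base64.b64decode(value) if isinstance(value, str) else value
    lst, _ = _vec(blob, 0, 2)
    configs, pos = [], 0
    while pos < len(lst):
        version = int.from_bytes(lst[pos:pos + 2], "big")
        body, pos = _vec(lst, pos + 2, 2)
        if version != ECH_VERSION:
            continue  # clients skip (never reject) config versions they do not understand
        config_id, kem_id = body[0], int.from_bytes(body[1:3], "big")
        public_key, p = _vec(body, 3, 2)           # HPKE public key of the client-facing server
        suites, p = _vec(body, p, 2)               # list of (kdf_id, aead_id) pairs
        max_name_len, p = body[p], p + 1
        public_name, p = _vec(body, p, 1)          # the only hostname the outer ClientHello shows
        _extensions, p = _vec(body, p, 2)
        configs.append({
            "config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": [struct.unpack("!HH", suites[i:i + 4]) for i in range(0, len(suites), 4)],
            "max_name_length": max_name_len, "public_name": public_name.decode("ascii"),
        })
    return configs

def outer_sni_from_svcparam(ech_value):
    """What a passive observer sees on the wire with ECH: the config's public_name, not the real SNI."""
    configs = parse_ech_config_list(ech_value)
    return configs[0]["public_name"] if configs else None

def build_sample_ech_config_list():
    """Constructed sample record (no real domain): X25519 KEM, HKDF-SHA256 KDF, AES-128-GCM AEAD."""
    public_key = bytes(range(32))                  # placeholder standing in for an X25519 public key
    key_config = (bytes([7]) + struct.pack("!HH", 0x0020, len(public_key)) + public_key
                  + struct.pack("!HHH", 4, 0x0001, 0x0001))
    public_name = b"cdn.example"                   # placeholder outer hostname
    contents = key_config + bytes([64, len(public_name)]) + public_name + struct.pack("!H", 0)
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return base64.b64encode(struct.pack("!H", len(config)) + config).decode("ascii")

if __name__ == "__main__":
    ech_value = build_sample_ech_config_list()
    print("HTTPS record: example.com. IN HTTPS 1 . ech=" + ech_value)
    print("outer SNI visible to a passive observer:", outer_sni_from_svcparam(ech_value))
```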