Three months ago, I promised to let you know if anything ever changed about the Cloudflare and ECH situation - and here we are. As of at least a couple of weeks back, Cloudflare has been re-enabling ECH on all free-tier websites. Just. Lovely.
It looks like I was also right in my guesses around the reasoning behind the initial disabling of ECH - Cloudflare’s official docs now have an entire section called “Enterprise network applicability”, aiming to document what companies can do to disable ECH on their networks (the tl;dr is that you just drop the HTTPS DNS record types from your corporate DNS resolver1).
So, after nearly one year of my initial ECH and ML-KEM blog, here is the updated table of adoption of some arbitrarily chosen domains:
| Domain | Protocol | Key exchange | ECH support | Cloudflare? |
|---|---|---|---|---|
tiktok.com |
TLS 1.3 | X25519 | No | ❌ |
twitter.com |
TLS 1.3 | X25519 | No | ❌ |
github.com |
TLS 1.3 | X25519 | No | ❌ |
npmjs.com |
TLS 1.3 | X25519Kyber768Draft00 | No | ✅ |
cloudflare.com |
QUIC | X25519Kyber768Draft00 | No | ✅ |
apple.com |
TLS 1.3 | X25519 | No | ❌ |
netflix.com |
TLS 1.3 | X25519 | No | ❌ |
vercel.com |
TLS 1.3 | X25519 | No | ❌ |
google.com |
QUIC | X25519Kyber768Draft00 | No | ❌ |
instagram.com |
QUIC | X25519 | No | ❌ |
shopify.com |
TLS 1.3 | X25519Kyber768Draft00 | No | ✅ |
drive.google.com |
QUIC | X25519Kyber768Draft00 | No | ❌ |
youtube.com |
TLS 1.3 | X25519Kyber768Draft00 | No | ❌ |
interclip.app |
QUIC | X25519Kyber768Draft00 | Yes | ✅ |
Damn, besides Shopify and YouTube defaulting to TLS 1.3 instead of QUIC on Chrome now for some reason, literally nothing has changed when compared to the table from October 2023 - no big domain I visit daily supports the Encrypted Client. Hello goodness. We’re still far from ECH being standard, so I guess, see you in 2025?
If we analyze the top 10,000 requested domains on Cloudflare, many have ECH configured in their DNS. To my surprise, this included the very popular torrent trackers 1337x, KickassTorrents, and BadassTorrents (although on second thought, these websites tend to be on Cloudflare’s free tier, so it makes sense). Some other notable adopters include:
- curseforge.com
- gitlab.io
- jsdelivr.com
- returnyoutubedislikeapi.com
Of the 10,000, 349 domains have ECH enabled, which is a ~3.5% starting adoption rate. Let’s see if Cloudflare continues the rollout as promised and if we see adoption among the giants.