Filip's Blog


Cloudflare with the ECH again


Three months ago, I promised to let you know if anything ever changed about the Cloudflare and ECH situation - and here we are. As of at least a couple of weeks back, Cloudflare has been re-enabling ECH on all free-tier websites. Just. Lovely.

It looks like I was also right in my guesses around the reasoning behind the initial disabling of ECH - Cloudflare’s official docs now have an entire section called “Enterprise network applicability”, aiming to document what companies can do to disable ECH on their networks (the tl;dr is that you just drop HTTPS (type 65) DNS records at your corporate DNS resolver, since that is the record that carries the ECH config [1]).

So, nearly one year after my initial ECH and ML-KEM blog post, here is the updated adoption table for the same arbitrarily chosen domains:

Domain             Protocol   Key exchange            ECH support   Cloudflare?
tiktok.com         TLS 1.3    X25519                  No
twitter.com        TLS 1.3    X25519                  No
github.com         TLS 1.3    X25519                  No
npmjs.com          TLS 1.3    X25519Kyber768Draft00   No
cloudflare.com     QUIC       X25519Kyber768Draft00   No
apple.com          TLS 1.3    X25519                  No
netflix.com        TLS 1.3    X25519                  No
vercel.com         TLS 1.3    X25519                  No
google.com         QUIC       X25519Kyber768Draft00   No
instagram.com      QUIC       X25519                  No
shopify.com        TLS 1.3    X25519Kyber768Draft00   No
drive.google.com   QUIC       X25519Kyber768Draft00   No
youtube.com        TLS 1.3    X25519Kyber768Draft00   No
interclip.app      QUIC       X25519Kyber768Draft00   Yes

Damn, besides Shopify and YouTube defaulting to TLS 1.3 instead of QUIC on Chrome now for some reason, literally nothing has changed when compared to the table from October 2023: no big domain I visit daily supports Encrypted Client Hello. Goodness. We’re still far from ECH being standard, so I guess, see you in 2025?

If we analyze the top 10,000 requested domains on Cloudflare, many have ECH configured in their DNS. To my surprise, this included the very popular torrent trackers 1337x, KickassTorrents, and BadassTorrents (although on second thought, these websites tend to be on Cloudflare’s free tier, so it makes sense). Some other notable adopters include:

Of the 10,000, 349 domains have ECH enabled, which is a ~3.5% starting adoption rate. Let’s see if Cloudflare continues the rollout as promised and if we see adoption among the giants.
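Both the "drop the HTTPS records at the corporate resolver" advice above and the "how many of the top 10,000 have ECH configured in DNS" count come down to one thing: whether a domain's HTTPS record carries an `ech` SvcParam with a usable ECHConfig in it. The following is an added example, not code from this post or from Cloudflare: it decodes an HTTPS (type 65) record's rdata, pulls out and parses the ECHConfigList (the check a scan like the one above performs), and shows the surgical alternative to dropping the whole record type, which is to strip only the `ech` parameter so alpn and address hints survive. The sample record, the public name `ech.example.net`, and the 32 key bytes are constructed for the example; real rdata would come from a resolver library's wire-format output.

```python
"""Decode a DNS HTTPS (type 65) record and inspect or strip its ECH config.

Added example, not code from the blog or from Cloudflare. Wire formats follow
RFC 9460 (SvcParams) and the TLS ECH draft (ECHConfigList, version 0xfe0d).
The sample record and key bytes at the bottom are constructed, not real.
"""
import struct

ALPN_SVCPARAM_KEY = 1          # "alpn" (RFC 9460)
ECH_SVCPARAM_KEY = 5           # "ech"  (RFC 9460 section 14.3.2)
ECH_VERSION_DRAFT13 = 0xFE0D   # ECHConfig version deployed by browsers today

def _read_name(data, pos):
    """Read an uncompressed wire-format DNS name; return (name, next_pos)."""
    labels = []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) or ".", pos

def _encode_name(name):
    """Inverse of _read_name (no compression, ASCII labels only)."""
    labels = [] if name == "." else name.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_https_rdata(rdata):
    """Return {'priority', 'target', 'params': {SvcParamKey: raw value}}."""
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if key <= last_key or pos + length > len(rdata):   # keys must strictly increase
            raise ValueError("malformed SvcParams")
        params[key] = rdata[pos:pos + length]
        pos, last_key = pos + length, key
    return {"priority": priority, "target": target, "params": params}

def parse_ech_config_list(data):
    """Decode an ECHConfigList; unknown versions are skipped, as a client would."""
    if struct.unpack_from("!H", data, 0)[0] != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body, pos = data[pos + 4:pos + 4 + length], pos + 4 + length
        if version != ECH_VERSION_DRAFT13:
            continue
        kem_id, pk_len = struct.unpack_from("!HH", body, 1)      # body[0] is config_id
        public_key, p = body[5:5 + pk_len], 5 + pk_len
        suites_len, p = struct.unpack_from("!H", body, p)[0], p + 2
        suites = [struct.unpack_from("!HH", body, p + i) for i in range(0, suites_len, 4)]
        p += suites_len
        max_name_len, name_len, p = body[p], body[p + 1], p + 2
        public_name, p = body[p:p + name_len].decode("ascii"), p + name_len
        if p + 2 + struct.unpack_from("!H", body, p)[0] != len(body):   # extensions
            raise ValueError("ECHConfig length mismatch")
        configs.append({"config_id": body[0], "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "max_name_len": max_name_len,
                        "public_name": public_name})
    return configs

def ech_configs_from_https(rdata):
    """What a 'does this domain have ECH configured' scan checks: usable configs, or []."""
    ech = parse_https_rdata(rdata)["params"].get(ECH_SVCPARAM_KEY)
    return parse_ech_config_list(ech) if ech else []

def strip_ech(rdata):
    """Filtering-resolver variant: keep the HTTPS record but drop only the ech parameter."""
    rec = parse_https_rdata(rdata)
    out = struct.pack("!H", rec["priority"]) + _encode_name(rec["target"])
    for key in sorted(k for k in rec["params"] if k != ECH_SVCPARAM_KEY):
        out += struct.pack("!HH", key, len(rec["params"][key])) + rec["params"][key]
    return out

def build_ech_config_list(config_id, public_key, public_name):
    """Build a one-entry ECHConfigList (DHKEM X25519, HKDF-SHA256, AES-128-GCM)."""
    contents = struct.pack("!BHH", config_id, 0x0020, len(public_key)) + public_key
    suites = struct.pack("!HH", 0x0001, 0x0001)
    contents += struct.pack("!H", len(suites)) + suites
    contents += struct.pack("!BB", 0, len(public_name)) + public_name
    contents += struct.pack("!H", 0)                       # no extensions
    config = struct.pack("!HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    return struct.pack("!H", len(config)) + config

# Constructed sample: "1 . alpn=h3,h2 ech=<list>" in wire form; key bytes are dummies.
SAMPLE_ECH_LIST = build_ech_config_list(0x42, bytes(range(32)), b"ech.example.net")
SAMPLE_HTTPS_RDATA = (
    struct.pack("!H", 1) + b"\x00"
    + struct.pack("!HH", ALPN_SVCPARAM_KEY, 6) + b"\x02h3\x02h2"
    + struct.pack("!HH", ECH_SVCPARAM_KEY, len(SAMPLE_ECH_LIST)) + SAMPLE_ECH_LIST
)
```

`ech_configs_from_https(SAMPLE_HTTPS_RDATA)` yields one config with public name `ech.example.net`; after `strip_ech` the same call returns an empty list while the alpn parameter is untouched. Note that the parser skips ECHConfig versions other than 0xfe0d rather than failing, which matches how a browser treats an ECHConfigList it only partly understands, so a scan built on it counts a domain as "ECH configured" only when a config the client could actually use is present.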

Footnotes

  1. Of course, if you as an employee have access to the browser settings, you can change your DNS resolver to a public one like Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8 to skip these restrictions. That assumes the network actually lets the browser reach that resolver: with outbound port 53 and public DoH endpoints blocked at the egress, the browser falls back to the corporate resolver and the HTTPS records stay filtered.