The TunnelBear team has announced support for the ECH (Encrypted Client Hello) protocol in their Android app to improve the tool’s censorship circumvention performance.
ECH is a TLS protocol extension that encrypts the names of the websites users visit, protecting their connection from third parties like intermediaries or even internet service providers (ISPs).
It is a mechanism that encrypts the sensitive information in the TLS handshake that takes place when a browser visits a website, creating a secure message (ClientHelloInner) and hiding it inside another one (ClientHelloOuter) that appears normal.
The goal is to make TLS 1.3 connections within the same anonymity set indistinguishable from one another so all user connections to various sites appear identical to outside observers.
ECH is important for internet users because it enhances their privacy and security by making it more difficult for censors to detect and block VPN usage or monitor their browsing activities.
ECH on TunnelBear
The TunnelBear VPN team says it faced development challenges due to sparse documentation and poor support for the relatively new protocol, but eventually managed to integrate it into their Android networking library after integrating a fork of OpenSSL into modified versions of the Google Conscrypt and BoringSSL libraries. Finally, the team used Cloudflare’s TLS-terminating server with a special configuration on the client so that it could access and interpret the ECH settings from Cloudflare’s DNS records, allowing the client to establish a more secure and private connection during the browsing session.
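To illustrate what "interpreting the ECH settings from DNS records" involves, here is an added example (not TunnelBear's or Cloudflare's code): a Python parser for the ECHConfigList that an HTTPS DNS record carries, base64-encoded, in its `ech` parameter, following the structure in the TLS ECH specification. The function names, the sample record and the name `public.example` are constructed for illustration.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version whose layout is parsed below

class Reader:  # bounds-checked cursor over a byte string
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ECHConfigList")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vec(self, n):  # n-byte length prefix, then that many bytes
        return self.take(self.uint(n))
    def done(self):
        return self.pos == len(self.data)

def parse_ech_config_list(b64_value):
    """Decode the base64 `ech` value of an HTTPS DNS record into dicts."""
    outer = Reader(base64.b64decode(b64_value, validate=True))
    body = Reader(outer.vec(2))
    if not outer.done():
        raise ValueError("trailing bytes after ECHConfigList")
    configs = []
    while not body.done():
        version, c = body.uint(2), Reader(body.vec(2))
        if version != ECH_VERSION:
            continue  # unknown version: skipped via its length field
        cfg = {"config_id": c.uint(1), "kem_id": c.uint(2), "public_key": c.vec(2)}
        cfg["cipher_suites"] = list(struct.iter_unpack("!HH", c.vec(2)))  # (kdf, aead)
        cfg["maximum_name_length"] = c.uint(1)
        cfg["public_name"] = c.vec(1).decode("ascii")  # SNI sent in ClientHelloOuter
        cfg["extensions"] = c.vec(2)
        configs.append(cfg)
    return configs

def constructed_sample():  # constructed input, not a real DNS answer
    name = b"public.example"
    contents = (struct.pack("!BHH", 7, 0x0020, 32) + bytes(32)
                + struct.pack("!HHH", 4, 0x0001, 0x0001)
                + struct.pack("!BB", 0, len(name)) + name + struct.pack("!H", 0))
    entries = struct.pack("!HH", 0xFFFF, 2) + b"\x00\x00"  # unknown-version entry
    entries += struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return base64.b64encode(struct.pack("!H", len(entries)) + entries).decode()

if __name__ == "__main__":
    print(parse_ech_config_list(constructed_sample()))
```

The `public_name` field is the only server name an on-path observer sees in ClientHelloOuter; the real name travels encrypted in ClientHelloInner under the listed public key.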
Next, the TunnelBear engineers tested the effectiveness of the new mechanism using a three-step process:
• making an ECH request
• validating the SNI encryption
• comparing ECH’s success rate against other anti-censorship technologies
“Since adding support for ECH to our Android client, we have achieved approximately 100,000 daily requests that are successfully made to our backend (using ECH),” explained TunnelBear in the blog post.
“We have found that in countries where ECH is enabled for users, it increases the likelihood that these API requests are successfully made by approximately 20%.”
These requests concern user login attempts, credential updates, obtaining VPN bandwidth, and more. The API call numbers measured by the team indicate that support for ECH has already enabled many users to bypass censorship in certain countries.
TunnelBear highlights the importance of widespread ECH adoption to make the new technology more effective, so it recommends that all users enable ECH on their browsers, even though, in some cases, support is experimental.
Firefox users can follow these instructions on enabling ECH, and Edge users can consult this guide. Unfortunately, at this time, support for the protocol on Chrome is in development, so it is unavailable.
TunnelBear says the initial support of ECH for its Android client is only the beginning. The team plans to make further improvements to the system and introduce ECH to the product’s Windows, macOS, and iOS apps in the near future.
I used to use Tunnel Bear VPN previously and it was my first paid VPN, after which I switched to Surfshark and Nord VPN. In my opinion, Tunnel Bear, though trustworthy, is not a good VPN, as I do not like its interface and, most importantly, it is not reliable, as it often disconnected and lost connection, thereby exposing the traffic. It also lacked features, was not very fast, and did not allow custom DNS on Android. It has many more drawbacks. The best VPNs are Nord and Surfshark. Better than TunnelBear are Atlas VPN and even Avast VPN.
Initially I liked using Tunnel Bear, but as I gradually learned more and more about VPNs and used better products like Surfshark and Nord VPN, Tunnel Bear became very frustrating to use. It might be a good product for a less technology-savvy aged citizen, but it is definitely not for me or many others. It tries to be unnecessarily cute, is just very average, and falls behind in many areas, and that is after improving in recent years; previously it was even more basic. On a positive note, its IPs are not blacklisted and it unblocks well, though again it is not a VPN for streaming or torrenting, though there are a few locations which can be used for torrenting if you ask the support. Not a good VPN for a more technologically thorough power user.