The TunnelBear team has announced support for the ECH (Encrypted Client Hello) protocol in its Android app to improve the tool's ability to circumvent censorship.
ECH is a TLS extension that encrypts the name of the website a user is visiting, hiding that information from third parties on the network path, such as intermediaries and even internet service providers (ISPs).
It works by encrypting the sensitive part of the TLS handshake that takes place when a browser connects to a website: the client builds a protected message (ClientHelloInner) and wraps it inside a second one (ClientHelloOuter) that looks like an ordinary ClientHello.
The goal is to make all TLS 1.3 connections within the same anonymity set indistinguishable from one another, so that a user's connections to different sites look identical to an outside observer.
ECH matters to internet users because it improves their privacy and security: it makes it harder for censors to detect and block VPN usage or to monitor which sites they browse.
ECH on TunnelBear
The TunnelBear VPN team says it faced development challenges because documentation and library support for the relatively new protocol were sparse, but it eventually integrated ECH into its Android networking library by combining a fork of OpenSSL with modified versions of Google's Conscrypt and BoringSSL libraries. Finally, the team used Cloudflare's TLS-terminating server together with a special client-side configuration that lets the client retrieve and interpret the ECH settings published in Cloudflare's DNS records, so that it can establish a more secure and private connection for the session.
Next, TunnelBear's engineers tested the effectiveness of the new mechanism in three steps:
• making an ECH request
• validating the SNI encryption
• comparing ECH’s success rate against other anti-censorship technologies
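To make the mechanism described above concrete, and to show what the "validating the SNI encryption" step amounts to from a passive observer's point of view, here is an added example that is not TunnelBear's code. It serialises and parses an ECHConfigList in the draft wire format (version 0xfe0d) as it would be published in the base64 ech= parameter of a DNS HTTPS record, builds a minimal TLS 1.3 ClientHello with and without an ECH extension, and then reads the ClientHello the way an on-path observer would. The hostnames public.example and secret.example, the public key bytes and the ECH extension payload are all constructed placeholders; no real HPKE encryption is performed.

```python
"""Added example (not TunnelBear's code): ECHConfigList parsing and a passive
observer's view of a ClientHello. All byte strings are constructed samples;
the public key and ECH payload are placeholders, not real HPKE material."""
import base64
import struct

ECH_VERSION = 0xFE0D      # ECHConfig version; also the encrypted_client_hello extension type
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension type
EXT_ECH = 0xFE0D          # encrypted_client_hello extension type


def build_ech_config(config_id, kem_id, public_key, suites, max_name_len, public_name):
    """Serialise one ECHConfig (version 0xfe0d) into an ECHConfigList."""
    cs = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites)
    contents = (bytes([config_id]) + struct.pack("!H", kem_id)
                + struct.pack("!H", len(public_key)) + public_key
                + struct.pack("!H", len(cs)) + cs
                + bytes([max_name_len])
                + bytes([len(public_name)]) + public_name.encode("ascii")
                + struct.pack("!H", 0))                      # no extensions
    cfg = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return struct.pack("!H", len(cfg)) + cfg


def parse_ech_config_list(data):
    """Parse an ECHConfigList; configs with an unknown version are reported but skipped."""
    (total,) = struct.unpack("!H", data[:2])
    body, pos, configs = data[2:2 + total], 0, []
    while pos < len(body):
        version, length = struct.unpack("!HH", body[pos:pos + 4])
        c = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:
            configs.append({"version": version, "supported": False})
            continue
        config_id, (kem_id,) = c[0], struct.unpack("!H", c[1:3])
        (pk_len,) = struct.unpack("!H", c[3:5])
        p = 5 + pk_len
        public_key = c[5:p]
        (cs_len,) = struct.unpack("!H", c[p:p + 2]); p += 2
        suites = [struct.unpack("!HH", c[p + i:p + i + 4]) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len, pn_len = c[p], c[p + 1]; p += 2
        public_name = c[p:p + pn_len].decode("ascii")
        configs.append({"version": version, "supported": True, "config_id": config_id,
                        "kem_id": kem_id, "public_key": public_key, "cipher_suites": suites,
                        "max_name_len": max_name_len, "public_name": public_name})
    return configs


def decode_ech_param(value):
    """Decode the base64 ech= SvcParam value taken from an HTTPS DNS record."""
    return parse_ech_config_list(base64.b64decode(value))


def build_client_hello(sni, ech_payload=None):
    """Minimal TLS 1.3 ClientHello handshake message with SNI and an optional ECH extension."""
    name = sni.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if ech_payload is not None:
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32)                # legacy_version, random (zeros here)
            + b"\x00"                              # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body


def observer_view(client_hello):
    """What a passive observer can read: the SNI value and whether an ECH extension is present."""
    assert client_hello[0] == 1, "not a ClientHello"
    p = 4 + 2 + 32                                  # skip handshake header, version, random
    p += 1 + client_hello[p]                        # legacy_session_id
    (cs_len,) = struct.unpack("!H", client_hello[p:p + 2]); p += 2 + cs_len
    p += 1 + client_hello[p]                        # legacy_compression_methods
    (ext_len,) = struct.unpack("!H", client_hello[p:p + 2]); p += 2
    end, view = p + ext_len, {"sni": None, "ech": False}
    while p < end:
        etype, elen = struct.unpack("!HH", client_hello[p:p + 4]); p += 4
        data = client_hello[p:p + elen]; p += elen
        if etype == EXT_SERVER_NAME:
            (nlen,) = struct.unpack("!H", data[3:5])
            view["sni"] = data[5:5 + nlen].decode("ascii")
        elif etype == EXT_ECH:
            view["ech"] = True
    return view


# Constructed sample: the config a server would publish, encoded as an ech= parameter.
SAMPLE_CONFIG = build_ech_config(config_id=7, kem_id=0x0020,  # DHKEM(X25519, HKDF-SHA256)
                                 public_key=bytes(range(32)),  # placeholder, not a real key
                                 suites=[(0x0001, 0x0001)],    # HKDF-SHA256 / AES-128-GCM
                                 max_name_len=0, public_name="public.example")
SAMPLE_ECH_PARAM = base64.b64encode(SAMPLE_CONFIG).decode()

if __name__ == "__main__":
    cfg = decode_ech_param(SAMPLE_ECH_PARAM)[0]
    outer = build_client_hello(cfg["public_name"], ech_payload=b"\x00" * 48)  # placeholder body
    print("without ECH:", observer_view(build_client_hello("secret.example")))
    print("with ECH:   ", observer_view(outer))  # only public.example is visible
```

The observer function deliberately does nothing with the ECH payload: without the server's private HPKE key it cannot be decrypted, so the only hostname it can recover is the public_name that the ECH config advertises, which is exactly what a censor looking at ClientHelloOuter sees. A real validation run would capture the client's outgoing handshake and apply the same check; the example replaces the capture with a ClientHello it builds itself.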
“Since adding support for ECH to our Android client, we have achieved approximately 100,000 daily requests that are successfully made to our backend (using ECH),” explained TunnelBear in the blog post.
“We have found that in countries where ECH is enabled for users, it increases the likelihood that these API requests are successfully made by approximately 20%.”
These requests include user logins, credential updates, obtaining VPN bandwidth, and more. The API call numbers measured by the team show that ECH support has already allowed many users to bypass censorship in certain countries.
TunnelBear stresses that ECH becomes more effective the more widely it is adopted, so it recommends that all users enable ECH in their browsers, even though support is still experimental in some cases.
Firefox users can follow these instructions on enabling ECH, and Edge users can consult this guide. Chrome support for the protocol is still in development and is not yet available.
TunnelBear says the initial ECH support in its Android client is only the beginning: the team plans further improvements to the system and intends to bring ECH to its Windows, macOS, and iOS apps in the near future.