Disabling Encrypted ClientHello in Google Chrome, and Why (opens in new tab)

(chasersystems.com)

4 pointsnew23d2y ago5 comments

5 comments

Google Chrome v117 turned on TLS Encrypted ClientHello by default (on 27 Sep?) This will impact the effectiveness and accuracy of outbound traffic filtering* - for those who've implemented it (regardless of vendor.) We've written a short blog post on disabling it with PowerShell, Windows Registry and Google Chrome UI for those who may need to roll this out ASAP and regain visibility. (Disclosure: we are a vendor of an outbound filtering solution and this has impacted our customers already.)

*for many websites, the domain name visibility during an HTTPS handshake will no longer be available to firewalls/proxies (unless they were terminating.)

B0DYSPLAY2y ago

>This will impact the effectiveness and accuracy of outbound traffic filtering

Can you prove this is bad? Not trolling, sincerely concerned we're renavigating discussions that date back to when Ethereal became Wireshark and folks got grumpy they'd have to plug a PSK in to look at things -- often because they were looking at things they had no warrant or cause to examine, paired with inept analysts who'd be stymied by something as simple as Asking Jeeves how to plug said password in to view the traffic as if it was clear.

LinuxBender2y ago

Not speaking for new23d but many corporations are required per their own compliance documentation to make a best effort to block access to known malware and sanctioned sites. If they are unable to do so via their corporate firewalls such as PAN and Fortigate and the like, then they will have to disable ECH and possibly DoH in their networks until other options are in place such as MiTM proxies and those are not always an option due to cost or other compliance conundrums. Intercepting personal traffic to banks, etc... varies by AUP and company/employee agreements, corporate risk acceptance, requirements.

Now speaking just for myself, the moment OpenSSL, HAProxy, NGinx and Apache support ECH I am turning it on everywhere. I have been waiting a long time for it.

evanjrowley2y ago

DiscrimiNAT Firewall seems like a useful product: https://chasersystems.com/

Reminds me somewhat of Zscaler.

josephcsible2y ago

The fact that it's possible for a middlebox to detect ECH at all is a flaw in the protocol, IMO.

j / k navigate · click thread line to collapse