The TunnelBear team has announced support for the ECH (Encrypted Client Hello) protocol in its Android app to strengthen the tool's censorship circumvention capabilities.
ECH is a TLS extension that encrypts the names of the websites users visit, hiding that information from third parties on the network path, such as intermediaries or even internet service providers (ISPs).
It works by encrypting the sensitive parts of the TLS handshake that takes place when a browser visits a website: the client builds a protected message (ClientHelloInner) and hides it inside an outer message (ClientHelloOuter) that looks like an ordinary ClientHello.
The goal is to make TLS 1.3 connections within the same anonymity set indistinguishable from one another so all user connections to various sites appear identical to outside observers.
Figure: Client and server communication exchange
ECH is important for internet users because it enhances their privacy and security by making it more difficult for censors to detect and block VPN usage or monitor their browsing activities.
ECH on TunnelBear
The TunnelBear VPN team says it faced development challenges due to sparse documentation and poor support for the relatively new protocol, but eventually managed to integrate it into its Android networking library after integrating a fork of OpenSSL into modified versions of Google's Conscrypt and BoringSSL libraries. Finally, the team used Cloudflare's TLS-terminating server with a special configuration on the client so that it could fetch and interpret the ECH settings from Cloudflare's DNS records, allowing the client to establish a more secure and private connection.
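To show what "interpreting the ECH settings from DNS records" involves, here is an added example in Python (not TunnelBear's or Cloudflare's code) that builds a constructed ECHConfigList, base64-encoded as it would appear in an HTTPS DNS record, and parses it the way a client must before it can build a ClientHelloOuter; the public key, config_id and public_name are placeholder values.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # the ECHConfig version deployed in practice (draft-ietf-tls-esni)


def build_sample_config_list(version=ECH_VERSION):
    """Constructed sample ECHConfigList, base64-encoded as in an HTTPS record's ech= value."""
    public_key = bytes(range(32))                  # dummy bytes, not a real X25519 key
    public_name = b"ech-relay.example"             # placeholder, not a real host
    contents = (
        struct.pack("!BH", 1, 0x0020)              # config_id, kem_id = DHKEM(X25519)
        + struct.pack("!H", len(public_key)) + public_key
        + struct.pack("!HHH", 4, 0x0001, 0x0001)   # one suite: HKDF-SHA256 / AES-128-GCM
        + struct.pack("!B", 0)                     # maximum_name_length
        + struct.pack("!B", len(public_name)) + public_name
        + struct.pack("!H", 0)                     # no extensions
    )
    config = struct.pack("!HH", version, len(contents)) + contents
    return base64.b64encode(struct.pack("!H", len(config)) + config).decode()


def parse_ech_config_list(b64):
    """Parse an ECHConfigList; configs with an unknown version are skipped, as a client must."""
    data = base64.b64decode(b64)
    (total,) = struct.unpack_from("!H", data, 0)
    if 2 + total != len(data):
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:
            continue
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        public_key, off = body[5:5 + pk_len], 5 + pk_len
        (suites_len,) = struct.unpack_from("!H", body, off)
        suites = [struct.unpack_from("!HH", body, i) for i in range(off + 2, off + 2 + suites_len, 4)]
        off += 2 + suites_len
        max_name_len, name_len = struct.unpack_from("!BB", body, off)
        public_name, off = body[off + 2:off + 2 + name_len].decode("ascii"), off + 2 + name_len
        (ext_len,) = struct.unpack_from("!H", body, off)
        if off + 2 + ext_len != len(body):
            raise ValueError("ECHConfig contents length mismatch")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "maximum_name_length": max_name_len,
                        "public_name": public_name})
    return configs
```

The public_name recovered here is what goes into the ClientHelloOuter's visible SNI, while the real hostname is sealed to the parsed public key inside ClientHelloInner.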