IT Brief Asia - Technology news for CIOs & IT decision-makers

Report finds low ECH use but risks from malicious actors grow

Today

Corrata has published a report examining the impact of the Encrypted Client Hello (ECH) privacy protocol on enterprise security and the adoption of the protocol by malicious actors.

The Living With ECH Report analysed billions of connections made by enterprise employee mobile devices over a three-month period to assess the practical deployment and security implications of the latest privacy technology in internet communications. ECH, an extension to the most recent version of the Transport Layer Security standard (TLS 1.3), encrypts information exchanged between devices and Content Delivery Networks, preventing network providers from identifying which websites users are trying to access.

According to Corrata's findings, actual usage of ECH by enterprise mobile devices remains infrequent, with less than 0.01% of TLS connections employing the protocol. Nonetheless, more than 9% of the top one million domains are ECH-enabled, demonstrating some groundwork for future adoption.

The report identified a notable risk associated with ECH adoption. Corrata's analysis revealed that 17% of ECH-enabled sites are classified as risky, indicating that malicious actors are already making use of the increased anonymity provided by the protocol. The risk is particularly acute for Chrome users who have encrypted DNS enabled.

Corrata stated, "ECH could degrade, not improve, privacy: Banks and other regulated entities are often required to monitor the internet traffic going into and out of their organisation. To date, these enterprises have been able to selectively decrypt traffic without looking at sensitive data like employees' health records. But with ECH blocking their filtering, enterprises would have little choice but to decrypt all internet traffic for inspection, drastically degrading employees' privacy."

The analysis highlighted the significant role played by Cloudflare in enabling ECH. Cloudflare is the only major Content Delivery Network supporting ECH, and almost all of the sites that have ECH enabled use its infrastructure. The report also noted that large website owners appear reluctant to adopt the protocol due to concerns that users may face blocks from security systems in enterprises or by public authorities. While internet service providers and enterprise security teams have reduced visibility under ECH, the protocol still allows CDNs like Cloudflare to access certain data.

Malicious actors are leveraging this infrastructure to support phishing attacks, Corrata said. "Over 90% of phishing detections use Cloudflare infrastructure, according to Corrata's analysis. In addition to the anonymity provided by ECH, these sites take advantage of other Cloudflare features. For example, the 'captcha' page can be used to direct desktop traffic to the legitimate site while mobile traffic is sent to the fake one. Alternatively, traffic not coming from the targeted country may be redirected to the legitimate site. These are deliberate tactics to avoid detection by security providers."

The report also identified several barriers to widespread adoption of ECH. While 20% of devices are configured to use encrypted DNS and DNS resolvers that support ECH, the absence of support from browsers such as Safari and operating systems like Android hampers wider implementation. The adoption of ECH requires the participation of multiple industry stakeholders, each with different priorities.

Matthieu Bentot, Chief Technology Officer of Corrata, commented on the current state of adoption. "The extremely low level of ECH adoption suggests that the security community's fears that enterprise internet traffic would go dark are not yet being realised. While the potential certainly exists for ECH to become a thorn in the side of defenders, the early signs are that this is the time to prepare rather than panic."

The findings from the Living With ECH Report are based on Corrata's analysis of billions of connections made by devices running the company's mobile threat detection and response solution. The data reflects traffic from both iOS and Android devices, with Corrata tracking successful ECH connections between January and March 2025 by analysing DNS queries and TLS connection metadata.
