DWAs schools continue to integrate technology in classrooms, ensuring online safety remains a priority. This task has become more complex with the introduction of Encrypted Client Hello (ECH), the latest encryption standard aimed at improving user privacy. ECH is designed to mask website information, making it more difficult for external systems to see which websites users are accessing, even if those websites are blocked or restricted by school policies. While this is a positive development for privacy, it raises important questions about how school filtering systems—essential tools for safeguarding children online—will cope with these changes.
A Simple Overview
Encrypted Client Hello (ECH) is a new privacy feature being added to the web. It makes it harder for some school filtering systems to see which websites students are trying to access, potentially allowing harmful content to slip through.
However, many schools use filtering systems that run directly on devices, which aren't typically affected by ECH. The issue mainly arises for schools using filtering systems that specifically rely on seeing web traffic across the network.
For schools with personal or unmanaged devices, ECH may cause problems in blocking inappropriate content. If reports from your filter show a sudden drop in blocked websites, it might mean ECH is affecting your system. We're developing a tool to help schools understand if they are affected by ECH and what they can do about it.
In short, it's important for schools to check if their filtering systems are ready for these changes, especially those with Bring Your Own Device (BYOD) policies or those relying on simpler, network-level filters. Schools should stay in touch with their filtering providers to ensure student safety remains strong in this evolving landscape.
What is ECH and Why Does It Matter?
ECH is part of the ongoing evolution in web encryption standards. Traditionally, when a device connects to a website, information about that website, such as the domain name, is exposed during the initial connection process. This allows filters, like those used in schools, to detect and block access to inappropriate websites. With ECH, this process is encrypted, making it harder for third-party filters to see which websites are being accessed. This poses a challenge to the content filtering systems relied upon by schools to protect students from harmful or inappropriate content online.
Are School Filters Affected?
The potential impact of ECH depends heavily on how a school’s filtering system is implemented. From our conversations with leading filtering providers, it seems that schools utilising on-device filtering systems, where content is monitored directly on the user’s device or browser, are less likely to experience significant issues with ECH. These systems don’t rely on seeing the initial website connection (known as the "client hello" stage) and therefore continue to function effectively, even when ECH is in place.
Schools that rely on packet filtering (the process of monitoring and collecting data packets that pass through a network, with the goal of analysing them for sensitive information) will be affected. Therefore services that rely on this will need to be in control of the DNS to prevent ECH from being available in the first place
Packet filters work by monitoring the domain names a user tries to visit and blocking access to certain sites. With ECH hiding this information, systems may not be able to effectively block harmful or inappropriate websites.
In other words, for schools that use filters to block inappropriate websites, ECH makes it harder. Packet filters check the names of websites people try to visit and block the ones we don’t want our children and young people to see. But with ECH hiding this information, the filters might not be able to block these websites anymore.
Signs of a Problem
One indication that ECH might be affecting your school's filtering system is if there is a sudden drop in the number of websites being blocked. Schools that receive regular reports from their filtering system should keep an eye on these numbers. If the frequency of blocked webpages reduces significantly without a clear reason (such as changes to filtering policies), it could be a sign that the filter is not seeing all the traffic due to ECH.
It is a further reason to check that your filtering and monitoring systems are working as you anticipate.
How Are Filtering Providers Adapting?
While ECH is a relatively new standard, some filtering providers have already developed strategies to address the potential issues it presents. Here’s what we understand:
Fallback to TLS 1.2: Some providers are able to force browsers to fall back to an older encryption standard (TLS 1.2) when they detect ECH, allowing the filtering system to continue monitoring website traffic as usual. However, relying on older encryption standards introduces security risks and is not a sustainable long-term solution.
Controlling DNS Records: By filtering out the DNS records that contain the ECH public key before sending DNS requests to the client, the client will be unaware that the target website supports ECH, and will send the domain name in plain text, enabling the filtering system to filter it. By removing the ECH key from the DNS records before sending them to the user, the user will make the request without ECH. This means the website’s name will be visible, allowing the filter system to block it if needed.
Disable DNS-over-HTTPS (DoH) through Group Policy: For managed devices, DoH can be disabled through your deployment settings which will prevent encrypted DNS from being used. You can then route all DNS traffic through a DNS service you control, enabling you to strip results of ECH information
Blocking access to a canary domain: Applications that have DNS-over-HTTPS (DoH) enabled can be prevented from being enabled by default by returning “no error no answer” or an NXDOMAIN response to queries made to the use-application-dns.net domain. This is only a short term measure and may only apply to certain browsers such as Firefox
On-device solutions: Many filtering systems are integrated directly into the browser or the device itself, where they can continue to see website requests regardless of ECH or other encryption standards. These systems seem to be largely unaffected by ECH.
Unmanaged Devices and BYOD Networks
Where ECH may have the most significant impact is on unmanaged devices—those that are not centrally controlled by the school’s IT department—and BYOD networks. In these cases, the school may rely solely on Packet filtering systems, which could be rendered less effective by ECH. Students using personal devices that are not subject to on-device filtering could bypass school filters entirely if their web traffic is encrypted with ECH.
This raises important considerations for schools that allow students to bring their own devices or use school Wi-Fi on personal devices. As ECH becomes more widely adopted, these schools may need to consider alternative filtering strategies or implement stricter device management policies to ensure that all students are protected, regardless of the device they are using.
Reporting Inappropriate Content: A Key Component of Online Safety
While filtering systems are crucial, they are not 100% foolproof. It is essential for schools to encourage a culture where students and staff feel comfortable reporting any inappropriate content they encounter. If a student accesses harmful material, whether through managed or unmanaged devices, they should be able to report it immediately so that the issue can be investigated. This reporting process is especially important in light of ECH, as certain harmful content might bypass traditional filters.
By maintaining clear reporting guidelines and ensuring all users know how and where to report inappropriate content, schools can take swift action to review and adjust their filters or investigate the root of the issue. Reports from students or staff can serve as an early warning system, flagging potential problems with the filter setup or highlighting specific concerns around ECH’s impact. Equally, it is therefore essential that the school’s reporting processes and pathways are robust and effective and clearly understood by both students and staff.
The Path Forward
As the adoption of ECH continues, it’s important for schools to understand and check whether their current filtering systems are equipped to handle this new standard. From our conversations with providers, we understand that many systems are adapting, but gaps remain, particularly for schools relying on network-based filters or BYOD.
To support schools in navigating these changes, we are currently exploring the development of an ECH test within our freely-available TestFiltering.com: Verify your Internet is Filtered | Test Filtering utility. This tool will allow schools to quickly assess whether ECH is affecting their filtering systems and provide insights into what steps they can take to address any issues.
In the meantime, schools should work closely with their filtering providers to ensure they are prepared for the potential impact of ECH. We anticipate that most systems will continue to evolve, but understanding these changes and taking proactive steps will be essential in maintaining the high standards of online safety expected in schools.
