Manage Encrypted Client Hello (ECH) – Linewize Filter

This article explains how affected schools can manage Encrypted Client Hello (ECH), which can interfere with filtering.

Is my school affected?

ECH affects only some schools. You only need to follow these instructions and manage ECH if your school uses:

Linewize Connect Windows/macOS agent in WEB mode OR
Inline Linewize Filter Appliance to filter unmanaged Bring Your Own (BYO) devices

No other schools or configurations are affected or need to take any action.

What is Encrypted Client Hello?

ECH is a privacy feature for web browsers designed to encrypt Server Name Indication (SNI), making it harder to filter content based on domain names.

In certain configurations, Linewize Filter can’t filter websites that send ECH traffic when ECH is turned on because the SNI header is encrypted. This means users can access content that should be blocked.

Before you begin

Block ports 80 and 443 (UDP) on your school’s firewall. This turns off Quick UDP Internet Connection (QUIC). QUIC can bypass filtering and allows access to undesirable websites and content.

Manage ECH for Windows/macOS agent in WEB mode

Managing ECH is a two-step process. First, use a browser policy to turn off ECH, then use MITM to inspect with the Encrypted Client Hello signature.

Warning: MITM Required

You need Man in the Middle (MITM) turned on for both on-network and off-network users. If your school has not turned on MITM, you should follow the instructions for the Inline Lineiwze Filter Appliance. Contact our support team for help turning on MITM.

1. Turn off ECH using browser policies:

Google Chrome - Set the EncryptedClientHelloEnabled policy to false.
Microsoft Edge - Set the TlsEncryptedClientHelloEnabled policy to false.
Mozilla Firefox - Use the DisableEncryptedClientHello policy.

2. Inspect Encrypted Client Hello signature

Sign in to Linewize Filter as an owner/administrator.
Go to Configuration > Mobile Agent > On Linewize Filter Network > MITM Enabled
Add the Encrypted Client Hello signature to Inspected domains.
Repeat this for Off Linewize Filter Network.

Important: Get Companion Mode

We recommend schools using Windows switch to Companion Mode filtering. Contact Linewize Support for help with the migration.

Manage ECH for Inline Linewize Filter Appliance

While you can’t turn off ECH on unmanaged devices, you can create a Filter Policy to block sites that use ECH. This will stop users from accessing these sites.

Warning: Blocking Legitimate Sites

Blocking ECH with a Filter Policy will block some legitimate websites. We’re working on a better solution and expect to release it in our next firmware update, v267.

In Linewize Filter, go to Filtering > Content Filtering.
Select + Create Policy.
Give your Policy a memorable name.
In Type, search for and select the Encrypted Client Hello signature
If you have managed and unmanaged devices on your appliance, use Criteria to restrict this Policy to only unmanaged devices.
Turn on Locked and then Save Policy.
Place this Policy close to the top of your Policy list, below any Policies that allow critical services and infrastructure.