Manage Encrypted Client Hello (ECH)

This article is for IT Support.

This article explains how affected schools can manage Encrypted Client Hello (ECH), which can interfere with filtering.

Is my school affected?

ECH affects only some schools. You only need to follow these instructions and manage ECH if your school uses:

  • Linewize Connect Windows/macOS agent in WEB mode OR
  • Linewize School Manager inline appliance to filter unmanaged Bring Your Own (BYO) devices

No other schools or configurations are affected or need to take any action.

What is Encrypted Client Hello?

ECH is a privacy feature for web browsers designed to encrypt Server Name Indication (SNI), making it harder to filter content based on domain names.

In certain configurations, School Manager can’t filter websites that send ECH traffic when ECH is turned on because the SNI header is encrypted. This means users can access content that should be blocked.

Before you begin

Block ports 80 and 443 (UDP) on your school’s firewall. This turns off Quick UDP Internet Connections (QUIC). QUIC can bypass filtering and allow access to undesirable websites and content.

Manage ECH for Windows/macOS agent in WEB mode

Managing ECH is a two-step process. First, use a browser policy to turn off ECH, then use MITM to inspect traffic that matches the Encrypted Client Hello signature.

Warning: MITM Required

You need Man in the Middle (MITM) turned on for both on-network and off-network users. If your school has not turned on MITM, you should follow the instructions for the Inline Appliance. Contact our support team for help turning on MITM.

1. Turn off ECH using browser policies:

2. Inspect Encrypted Client Hello signature

  1. Sign in to School Manager as an owner/administrator.
  2. Go to Configuration > Mobile Agent > On School Manager Network > MITM Enabled.
  3. Add the Encrypted Client Hello signature to Inspected domains.
  4. Repeat this for Off School Manager Network.

Important: Get Companion Mode

We recommend schools using Windows switch to Companion Mode filtering. Contact Linewize Support for help with the migration.

Manage ECH for Linewize School Manager Inline Appliance

While you can’t turn off ECH on unmanaged devices, you can create a Filter Policy to block sites that use ECH. This will stop users from accessing these sites.

Warning: Blocking Legitimate Sites

Blocking ECH with a Filter Policy will block some legitimate websites. We’re working on a better solution and expect to release it in our next firmware update, v267.

  1. In School Manager, go to Filtering > Content Filtering.
  2. Select + Create Policy.
  3. Give your Policy a memorable name.
  4. In Type, search for and select the Encrypted Client Hello signature.
  5. If you have managed and unmanaged devices on your appliance, use Criteria to restrict this Policy to only unmanaged devices.
  6. Turn on Locked and then Save Policy.
  7. Place this Policy close to the top of your Policy list, below any Policies that allow critical services and infrastructure.