Turn off Encrypted Client Hello (ECH)

This article is for IT Support. 

This article explains how affected schools can turn off Encrypted Client Hello (ECH), which can interfere with filtering.

Is my school affected?

ECH affects only some schools. You only need to follow these instructions and turn off ECH if your school uses:

  • Linewize Connect Windows/MacOS agent in WEB mode OR
  • Linewize School Manager inline appliance to filter unmanaged BYO devices

No other schools or configurations are affected or need to take any action.

What is Encrypted Client Hello?

ECH is an extension to TLS 1.3 that encrypts the browser's ClientHello, including the Server Name Indication (SNI). Because the SNI is the only plaintext hostname in an HTTPS connection, hiding it makes it much harder to filter content by domain name.

In certain configurations, School Manager can't filter websites that send ECH traffic when ECH is turned on, because the SNI is encrypted. The only hostname School Manager can see is the ECH public name (for sites behind Cloudflare this is cloudflare-ech.com), not the site the user is actually visiting. This means users can access content that should be blocked.
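To make the filtering problem concrete, here is an added example (not part of the original article and not Linewize code) that parses a TLS ClientHello and shows what an SNI-based filter sees with and without ECH. The ClientHello bytes are constructed inline for the demonstration, the ECH extension is recognised by its codepoint 0xfe0d (the value current browsers send), and the function names are the example's own.

```python
import struct

SNI_EXT = 0x0000   # server_name extension
ECH_EXT = 0xFE0D   # encrypted_client_hello extension (draft-ietf-tls-esni)


def build_client_hello(sni: str, ech: bool) -> bytes:
    """Build a minimal TLS record carrying a ClientHello (constructed test input).

    The ECH payload is an opaque placeholder; only its presence matters here.
    """
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    if ech:
        ech_body = b"\x00" + b"\x11" * 16            # placeholder ECHClientHello
        exts += struct.pack("!HH", ECH_EXT, len(ech_body)) + ech_body
    ch = (b"\x03\x03" + b"\x00" * 32                # legacy_version, random
          + b"\x00"                                 # empty session_id
          + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
          + b"\x01\x00"                             # null compression
          + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch            # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the plaintext SNI and whether the ECH extension is present."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    ch = body[4:4 + hs_len]
    pos = 2 + 32                                        # skip legacy_version + random
    pos += 1 + ch[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + ch[pos]                                  # compression_methods
    ext_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni, ech = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        data = ch[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            name_len = struct.unpack("!H", data[3:5])[0]  # skip list_len, name_type
            sni = data[5:5 + name_len].decode("ascii")
        elif etype == ECH_EXT:
            ech = True
    return {"sni": sni, "ech": ech}


def filter_decision(record: bytes, blocked_domains: set) -> str:
    """SNI-based filter: 'allow', 'block', or 'block-ech' when the SNI is not the real host."""
    info = parse_client_hello(record)
    if info["ech"]:
        # With ECH the plaintext SNI is only the ECH public name (for Cloudflare
        # sites: cloudflare-ech.com); the real hostname is inside the encrypted
        # inner ClientHello, so it cannot be matched against the block list.
        # Blocking the ECH handshake itself is what a "block ECH" policy does.
        return "block-ech"
    if info["sni"] in blocked_domains:
        return "block"
    return "allow"


if __name__ == "__main__":
    blocked = {"games.example"}   # constructed block list
    for sni, ech in (("games.example", False), ("cloudflare-ech.com", True)):
        rec = build_client_hello(sni, ech)
        print(sni, parse_client_hello(rec), filter_decision(rec, blocked))
```

Running it shows the point of the article: the plain ClientHello exposes games.example and can be blocked by name, while the ECH ClientHello exposes only cloudflare-ech.com, so a domain filter has nothing useful to match and must either block the ECH handshake or intercept cloudflare-ech.com.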

Before you begin

Block UDP ports 80 and 443 on your school's firewall (leave the TCP ports open). Browsers use these UDP ports for QUIC (originally Quick UDP Internet Connections), which School Manager can't filter, so QUIC can bypass filtering and allow access to undesirable websites and content. With UDP blocked, browsers fall back to HTTPS over TCP, which can be filtered.

Turn off ECH for Windows/MacOS agent in WEB mode

Turning off ECH is a two-step process. First, use a browser policy to turn off ECH. Then add cloudflare-ech.com to the MITM inspected domains, so that any ECH handshake that still reaches School Manager is intercepted rather than passed through.

Caution: MITM Required

You need Man in the Middle (MITM) turned on for both on-network and off-network users. If your school has not turned on MITM, you should follow the instructions for the Inline Appliance instead, or contact our support team for help turning on MITM.

1. Turn off ECH using browser policies:

  1. Google Chrome - Set the EncryptedClientHelloEnabled policy to false.
  2. Microsoft Edge - Set the TlsEncryptedClientHelloEnabled policy to false.
  3. Mozilla Firefox - Set the DisableEncryptedClientHello policy to true.

Deploy the policies with whatever mechanism you already use for browser policies (for example Group Policy or Intune on Windows, configuration profiles on macOS). To check that a policy has applied, open chrome://policy, edge://policy or about:policies in the browser and confirm the policy is listed with the value you set.

2. Inspect cloudflare-ech.com

  1. Sign in to School Manager as an owner/administrator.
  2. Go to Configuration > Mobile Agent > On School Manager Network > MITM Enabled
  3. Add cloudflare-ech.com to Inspected domains.
  4. Repeat this for Off School Manager Network.

Tip: Get Companion Mode

We recommend Windows schools switch to Companion Mode filtering. Contact Linewize Support for help with the migration.

Turn off ECH for Linewize School Manager Inline Appliance 

While you can’t turn off ECH on unmanaged devices, you can create a Filter Policy to block sites that use ECH. This will stop users from accessing them.

Caution: Blocking Legitimate Sites

Blocking ECH with a Policy may block some legitimate websites. We’re working on a better solution and expect to release it in our next firmware update, v267.

  1. In School Manager, select Filtering > Content Filtering.
  2. Select + Create Policy.
  3. Give your Policy a memorable name.
  4. In Type, search for and select the Encrypted Client Hello signature.
  5. If you have both managed and unmanaged devices on your appliance, use Criteria to restrict this Policy to unmanaged devices only.
  6. Turn on Locked and then Save Policy.
  7. Place this Policy close to the top of your Policy list, below any Policies that allow critical services and infrastructure.