Reasons for Cloudflare’s ECH Disabling (Oct 2023)

Determine the exact reasons that led to Cloudflare’s sudden disabling of TLS Encrypted Client Hello (ECH) features for Cloudflare-hosted domains on October 5, 2023.

Background

The paper measures the deployment of DNS HTTPS resource records and of ECH across the Tranco Top 1M domains. ECH support is detected through the `ech` SvcParam of a domain's HTTPS record, which carries the base64-encoded ECHConfigList a client needs to encrypt its ClientHello. Prior to October 2023, Cloudflare's default configuration published this parameter for its zones, which resulted in widespread ECH adoption (about 70% of apex domains with HTTPS records). On October 5, 2023, ECH support dropped to zero among Cloudflare-hosted domains because Cloudflare disabled ECH globally for its zones.

The authors confirm the disabling event via Cloudflare's announcement but state that they cannot directly confirm the reasons behind the decision. They discuss operational complexities that may have played a role, such as the frequent rotation of ECH keys published through HTTPS records and the way clients handle those records, and they investigate these issues from both the server side (Section 4.4.2) and the browser side (Section 5.3).
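To make concrete what the measurement above counts as "ECH support", here is an added example (not code from the paper) that extracts the `ech` SvcParam from an HTTPS record in presentation format and parses it into its ECHConfigList, following the draft-ietf-tls-esni wire format (ECHConfig version 0xfe0d). The sample record, the 32-byte public key and the public name `ech.example.net` are constructed placeholders, not a real zone's data. The `config_id` and `public_key` fields it exposes are the values that change when a provider rotates ECH keys, which is the rotation discussed above as an operational burden.

```python
"""Parse the `ech` SvcParam of a DNS HTTPS record into its ECHConfigList.

Added example, not code from the paper. Wire format per draft-ietf-tls-esni
(ECHConfig.version 0xfe0d). The sample record and key bytes are constructed.
"""
import base64
import re
import struct

ECH_VERSION_DRAFT = 0xFE0D       # ECHConfig.version used by current deployments
KEM_X25519_HKDF_SHA256 = 0x0020  # HPKE KEM identifier
KDF_HKDF_SHA256 = 0x0001         # HPKE KDF identifier
AEAD_AES_128_GCM = 0x0001        # HPKE AEAD identifiers
AEAD_CHACHA20_POLY1305 = 0x0003


def build_ech_config_list(config_id: int, public_key: bytes, public_name: str,
                          max_name_len: int = 0) -> bytes:
    """Serialise one ECHConfig (version 0xfe0d) inside an ECHConfigList.

    This is what a server operator publishes; rotating keys means emitting a
    new list with a fresh public_key and (normally) a new one-byte config_id.
    """
    suites = b"".join(struct.pack("!HH", KDF_HKDF_SHA256, aead)
                      for aead in (AEAD_AES_128_GCM, AEAD_CHACHA20_POLY1305))
    contents = (
        struct.pack("!BH", config_id, KEM_X25519_HKDF_SHA256)
        + struct.pack("!H", len(public_key)) + public_key
        + struct.pack("!H", len(suites)) + suites
        + struct.pack("!B", max_name_len)
        + struct.pack("!B", len(public_name)) + public_name.encode("ascii")
        + struct.pack("!H", 0)   # empty extensions vector
    )
    config = struct.pack("!HH", ECH_VERSION_DRAFT, len(contents)) + contents
    return struct.pack("!H", len(config)) + config


def parse_ech_config_list(data: bytes) -> list:
    """Decode an ECHConfigList; configs of unknown version are skipped, as a client must."""
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION_DRAFT:
            continue
        p = 0
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, p)
        p += 5
        public_key = body[p:p + pk_len]
        p += pk_len
        (suites_len,) = struct.unpack_from("!H", body, p)
        p += 2
        suites = [struct.unpack_from("!HH", body, p + i) for i in range(0, suites_len, 4)]
        p += suites_len
        max_name_len, name_len = struct.unpack_from("!BB", body, p)
        p += 2
        public_name = body[p:p + name_len].decode("ascii")
        p += name_len
        (ext_len,) = struct.unpack_from("!H", body, p)
        extensions = body[p + 2:p + 2 + ext_len]
        p += 2 + ext_len
        if p != len(body):
            raise ValueError("trailing bytes in ECHConfig")
        configs.append({
            "config_id": config_id,
            "kem_id": kem_id,
            "public_key": public_key,
            "cipher_suites": suites,
            "maximum_name_length": max_name_len,
            "public_name": public_name,
            "extensions": extensions,
        })
    return configs


# Matches the ech SvcParam in presentation format, e.g.  ech="AEX+DQBB..."
ECH_PARAM = re.compile(r'\bech="?([A-Za-z0-9+/=]+)"?')


def ech_configs_from_https_rr(rdata: str) -> list:
    """Return the parsed ECHConfigs advertised by an HTTPS record, or [] if none."""
    m = ECH_PARAM.search(rdata)
    if not m:
        return []
    return parse_ech_config_list(base64.b64decode(m.group(1)))


# Constructed sample: placeholder key bytes and placeholder public name.
SAMPLE_KEY = bytes(range(32))
SAMPLE_RR = '1 . alpn="h3,h2" ipv4hint=192.0.2.1 ech="%s"' % base64.b64encode(
    build_ech_config_list(7, SAMPLE_KEY, "ech.example.net")).decode()

if __name__ == "__main__":
    for cfg in ech_configs_from_https_rr(SAMPLE_RR):
        print(cfg["config_id"], cfg["public_name"], cfg["public_key"].hex())
```

A measurement counts a domain as ECH-capable when `ech_configs_from_https_rr` returns a non-empty list for its apex HTTPS record. The client places the one-byte `config_id` in its outer ClientHello so the server can pick the matching private key; if the server has already rotated past the config a resolver cached, ECH is rejected and the server supplies fresh `retry_configs`, which is the kind of client-side friction the paper examines.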

References

A notable drop in the number of domains with ECH is observed on October 5th, 2023, resulting in zero domains with ECH. We can confirm that Cloudflare disabled ECH features for the domains under its hosting, as stated in their announcement. While we cannot directly confirm the exact reasons that led to Cloudflare's sudden disabling of ECH, we investigate potential challenges and issues in ECH usage, from both server-side (Section 4.4.2) and client-side (Section 5.3), that can shed light on the future of ECH deployment.

Dong et al., "Exploring the Ecosystem of DNS HTTPS Resource Records: An End-to-End Perspective", arXiv:2403.15672 (2024), Subsubsection "ECH support" of Section "ECH Deployment".