March 4, 2026
SNI and chill, or ops and spill?
RFC 9849: TLS Encrypted Client Hello
IETF hides your web “hello”—privacy wins, ops sweat, Cloudflare rage on
TLDR: IETF approved Encrypted Client Hello, hiding the website name your browser sends at the start of a secure connection. The crowd cheers privacy and anti-censorship, while operators gripe about load balancers, Cloudflare’s default-on drama, and confusing rules—making it both a win and a headache.
Internet nerds just dropped RFC 9849, a new rulebook that lets your browser send a secret “hello” (Encrypted Client Hello, ECH) so nosy networks can’t see which site you’re visiting. The site name rides in the Server Name Indication (SNI), which even TLS 1.3 still sent in cleartext; ECH wraps it, together with the rest of the ClientHello, inside an encrypted inner message, while the cleartext outer ClientHello names only the server that holds the decryption key. Privacy fans cheered, anti-censorship folks fist-bumped, and operators immediately reached for antacids.
The hottest take? Cloudflare drama. One user fumed that ECH is “on by default” and—on the free tier—you can’t turn it off, sparking cries of upsell and chaos for internal “intranet” setups. Meanwhile, another commenter celebrated that earlier versions (ESNI) helped dodge ISP blocks in India: SNI-based blocking? Deleted. Expect memes like “SNI-shaming is over” and “VPN who?” to start rolling. A puzzled onlooker flagged spec quirks around certificates and IP-like names—translation: more rules for browsers to follow, more headaches for ops.
In the trenches, load balancer anxiety popped up fast: if the real hostname is hidden, what does an SNI-based router route on, and does the client end up doing the juggling, as with gRPC client-side balancing? The spec’s answer is its two deployment modes. In Shared Mode the client-facing server that holds the ECH key is also the backend, so nothing changes downstream; in Split Mode the client-facing server decrypts the inner ClientHello and forwards the connection to the right backend, which means any load balancer that routes on SNI without holding the ECH private key sees only the public name. The crowd’s real vibe: great for privacy, tricky for real-world setups. For a plain-English tour, one commenter shared a helpful short read on ECH. Verdict: ECH is a win for hiding your destination, but expect weeks of “it broke our stuff” posts, and some spicy Cloudflare clapbacks.
Key Points
- RFC 9849 introduces Encrypted Client Hello (ECH), a TLS extension that encrypts the real ClientHello, protecting SNI, ALPN and the other extensions it carries; the cleartext outer ClientHello names only the client-facing server.
- ECH addresses the main privacy gap left in TLS 1.3: the server certificate is already encrypted, but SNI remains plaintext and reveals the target domain to anyone on the path.
- ECH operates in two deployment topologies. In Shared Mode the client-facing server is also the backend; in Split Mode the client-facing server decrypts the inner ClientHello and forwards it to a separate backend, which is where load balancers and other intermediaries need attention.
- ECH applies to TLS 1.3 and DTLS 1.3, not to earlier versions, and the document uses BCP 14 for normative language.
- ECH alone does not fully hide server identity: the ECH configuration is published in DNS, and the DNS lookup itself reveals the target, so encrypted DNS (DoH, DoT, DoQ) is recommended alongside ECH.
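The Key Points above and the load-balancer question earlier both come down to what is readable on the wire. As an added example (constructed here, not text from RFC 9849 and not code from Cloudflare or any other implementation), the Python below builds a minimal TLS 1.3 ClientHello with and without the ECH extension and parses it the way a passive observer or an SNI-routing load balancer would. The host names secret.example and public.example and the config id 7 are assumptions, and the ECH payload is a placeholder rather than a real HPKE ciphertext.

```python
# Added, constructed example (not RFC 9849 text or any vendor's code): build a
# TLS 1.3 ClientHello with and without an ECH extension and parse it the way a
# passive observer or SNI-routing load balancer would. Host names are invented
# and the ECH payload is a placeholder, not a real HPKE ciphertext.
import struct

EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
EXT_ECH = 0xFE0D  # encrypted_client_hello extension codepoint

def _u16(n: int) -> bytes:
    return struct.pack("!H", n)

def sni_ext(host: str) -> bytes:
    name = host.encode()
    entry = b"\x00" + _u16(len(name)) + name  # name_type host_name(0)
    lst = _u16(len(entry)) + entry
    return _u16(EXT_SERVER_NAME) + _u16(len(lst)) + lst

def alpn_ext(protos) -> bytes:
    body = b"".join(bytes([len(p)]) + p.encode() for p in protos)
    return _u16(EXT_ALPN) + _u16(len(body) + 2) + _u16(len(body)) + body

def ech_ext(config_id: int, payload: bytes) -> bytes:
    # ClientHelloOuter form: type outer(0), HPKE KDF and AEAD ids, config_id,
    # enc (32-byte X25519 key share, zeroed here), encrypted ClientHelloInner.
    body = (b"\x00" + _u16(0x0001) + _u16(0x0001) + bytes([config_id])
            + _u16(32) + bytes(32) + _u16(len(payload)) + payload)
    return _u16(EXT_ECH) + _u16(len(body)) + body

def client_hello(extensions) -> bytes:
    body = b"\x03\x03" + bytes(32)   # legacy_version + random (zeroed)
    body += b"\x00"                  # empty legacy_session_id
    body += _u16(2) + b"\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"              # legacy_compression_methods: null
    ext = b"".join(extensions)
    body += _u16(len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + _u16(len(hs)) + hs         # handshake record

def observer_view(record: bytes) -> dict:
    """Return only what is readable on the wire: outer SNI, ALPN, ECH header."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                      # version + random
    p += 1 + body[p]                                # legacy_session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
    p += 1 + body[p]                                # compression methods
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    view = {"sni": None, "alpn": [], "ech": None}
    while p < end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == EXT_SERVER_NAME:
            nlen = struct.unpack("!H", data[3:5])[0]  # skip list len, name_type
            view["sni"] = data[5:5 + nlen].decode()
        elif etype == EXT_ALPN:
            q = 2                                     # skip list length
            while q < len(data):
                view["alpn"].append(data[q + 1:q + 1 + data[q]].decode())
                q += 1 + data[q]
        elif etype == EXT_ECH:
            # Only the unencrypted header fields are visible to an observer.
            view["ech"] = {"type": data[0], "config_id": data[5]}
    return view

def plain_hello() -> bytes:
    """Pre-ECH: the real destination leaks in cleartext SNI."""
    return client_hello([sni_ext("secret.example"), alpn_ext(["h2", "http/1.1"])])

def ech_hello() -> bytes:
    """With ECH: outer SNI is the ECHConfig public_name of the client-facing
    server; the real name and ALPN sit inside the encrypted payload."""
    return client_hello([sni_ext("public.example"), alpn_ext(["h2", "http/1.1"]),
                         ech_ext(7, b"\xaa" * 48)])  # placeholder ciphertext

if __name__ == "__main__":
    for label, rec in (("plain", plain_hello()), ("ech", ech_hello())):
        print(label, observer_view(rec))
```

Run it and the plain message yields the real destination, while the ECH message yields only the public name plus an ECH header carrying the config id. That is the operational point behind the Split Mode discussion: any box that routes or filters on SNI but does not hold the ECH private key sees only the client-facing server's name, and either forwards on that or has to be moved behind the server that can decrypt the inner ClientHello.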