Request for Encrypted Client Hello (ECH) Support in Nginx #266

@tzf1003

Describe the feature you'd like to add to nginx

I would like to request the addition of Encrypted Client Hello (ECH) support in Nginx. ECH enhances privacy by encrypting the Server Name Indication (SNI) during the TLS handshake, preventing third parties from intercepting the destination server's hostname. This feature is crucial for privacy and censorship circumvention in modern web environments.

Describe the problem this feature solves

Currently, Nginx does not support ECH, which limits the ability of websites to fully protect user privacy during the TLS handshake. Without ECH, the Server Name Indication (SNI) is transmitted in plaintext, allowing third parties, such as ISPs or network-level monitors, to intercept and identify which websites users are visiting. This creates potential privacy vulnerabilities and allows for censorship based on the observed SNI. By supporting ECH, Nginx would help mitigate these privacy risks and enable websites to provide a more secure and private browsing experience for their users.

Additional context

Major browsers like Google Chrome (v117+) and Firefox (v118+) have already implemented support for ECH, enabling it by default when the server is configured to use it. Cloudflare, as an example, has integrated ECH in their CDN services, helping to protect users' privacy. Adding support for ECH in Nginx will align it with these browsers and improve its utility for privacy-conscious users and organizations.

It would be beneficial to implement ECH by utilizing the latest versions of OpenSSL, which already have support for this feature. This could be integrated through new configuration options for handling ECH keys and certificates.

Thank you for considering this request. Implementing ECH would greatly contribute to enhancing user privacy and security in the modern web environment.
