isc.sans.edu 3/9/2026, 3:26:07 PM · via preferred

RFCs Promote Encrypted Client Hello Privacy as Cloudflare Leads

Primary Source datatracker.ietf.org

Two RFCs published last week, RFC 9848 (Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings) and RFC 9849 (TLS Encrypted Client Hello), are discussed as part of the Encrypted Client Hello movement, with Cloudflare cited as an early implementer and proponent. ECH aims to protect the Client Hello, including the Server Name Indication (SNI), by using the HTTPS DNS record to distribute the public key material a client needs for ECH, though the article notes that exchanging key material remains a basic challenge.

It explains that enabling ECH is straightforward for Cloudflare users, but may not be available on the free plan. To test whether a domain supports ECH, the piece recommends using dig to fetch its HTTPS record; the ech= parameter in that record is a base64 string containing the public key used to encrypt the Client Hello, and Cloudflare-ech[.]com can be used to check whether your browser is actually using ECH. It also warns that older versions of dig may not support HTTPS records and may instead return A records with a warning. Published on 9 March 2026, according to SANS ISC.
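As an added example (not code from the ISC diary or from Cloudflare), a small parser for the base64 ech= value the article says to look for in the HTTPS record: it decodes the RFC 9849 ECHConfigList wire layout so a defender can see which KEM, public key, cipher suites and public_name a server actually advertises. The record bytes are constructed inline with a dummy key, and the cloudflare-ech.com public_name is only a sample value.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version carried by RFC 9849 deployments

def build_sample_ech_param():
    """Constructed ECHConfigList (dummy key, not a real record), encoded like an ech= value."""
    pubkey = bytes(range(32))                       # placeholder X25519 public key, not real
    name = b"cloudflare-ech.com"                    # sample public_name
    contents = (
        b"\x2a"                                     # config_id
        + struct.pack("!HH", 0x0020, len(pubkey)) + pubkey  # kem_id DHKEM(X25519, HKDF-SHA256)
        + struct.pack("!HHH", 4, 0x0001, 0x0001)    # one suite: HKDF-SHA256 / AES-128-GCM
        + b"\x40"                                   # maximum_name_length
        + bytes([len(name)]) + name                 # public_name
        + struct.pack("!H", 0)                      # no extensions
    )
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    return base64.b64encode(struct.pack("!H", len(config)) + config).decode()

def parse_ech_param(b64):
    """Decode a base64 ech= SvcParam into a list of ECHConfig dicts (RFC 9849 wire layout)."""
    data = base64.b64decode(b64)
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("ECHConfigList length does not match payload")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        pos += 4 + length
        if version != ECH_VERSION:                    # clients skip unknown versions
            configs.append({"version": version, "supported": False})
            continue
        kem_id, pk_len = struct.unpack("!HH", body[1:5])
        pubkey, p = body[5:5 + pk_len], 5 + pk_len
        (cs_len,) = struct.unpack("!H", body[p:p + 2])
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p + 2, p + 2 + cs_len, 4)]
        p += 2 + cs_len
        name_len = body[p + 1]                        # body[p] is maximum_name_length
        public_name = body[p + 2:p + 2 + name_len].decode("ascii")
        p += 2 + name_len
        (ext_len,) = struct.unpack("!H", body[p:p + 2])
        if p + 2 + ext_len != len(body):
            raise ValueError("ECHConfig extensions length mismatch")
        configs.append({"version": version, "supported": True, "config_id": body[0],
                        "kem_id": kem_id, "public_key": pubkey.hex(),
                        "cipher_suites": suites, "public_name": public_name})
    return configs
```

To inspect a live record, pass the quoted ech= value from `dig HTTPS <domain>` output to parse_ech_param instead of the constructed sample.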


Article by CyberSIXT