DISABLE ENCRYPTED CLIENT HELLO (ECH) IN COMMON WEB BROWSERS

1. Disable Encrypted Client Hello - Google Chrome

NOTE: The below steps should be taken as a guide only. Talk Straight & Schools Broadband have looked at common browsers and methods to disable specific features. The software vendor of these web browsers may change how you access these settings at any point and therefore this information may not always be up to date.

Encrypted Client Hello (ECH) is a security feature designed to encrypt the "Client Hello" portion of the TLS handshake, improving privacy by preventing interception of certain metadata (e.g., hostname). However, if you need to disable it in Chrome or Edge for specific reasons, follow these steps:

For Google Chrome (Standalone)

(Update - the chrome://flags method is no longer supported)

• Open Chrome settings:
  
  • In the address bar, type chrome://flags and press Enter.
• Search for "Encrypted ClientHello":
  
  • Use the search box at the top of the Flags page to search for Encrypted Client Hello.
• Disable the feature:
  
  • If the "Encrypted ClientHello" option appears, set it to Disabled using the dropdown menu next to it.
• Restart Chrome:
  
  • Click the Relaunch button at the bottom of the page to apply the changes.

For Google Chrome via Group Policy

To manage Chrome settings via Group Policy, you'll need the Google Chrome ADMX templates.

The following steps have been adapted from this Google learning article on configuring Google Chrome policy settings - https://support.google.com/chrome/a/answer/187202

Steps:

• Download and Install Chrome ADMX Templates:
  
  • Download the Chrome policy templates from the Google Admin Templates page.
  • Extract the .zip file and copy the .admx files to the appropriate C:\Windows\PolicyDefinitions directory.
• Open Group Policy Management Editor:
  
  • Press Win + R, type gpedit.msc, and press Enter.
• Navigate to Chrome Policies:
  
  • Go to Administrative Templates > Google > Google Chrome.
• Search for the ECH Setting:
  
  • Look for a policy related to "Encrypted ClientHello" or TLS settings.
  • If available, disable it.

• Apply and Deploy:
  
  • Click OK to save changes and apply the policy.
• Ensure Policy Deployment: 
  
  • Use gpupdate /force to refresh policies on the client system.

If ECH is not explicitly mentioned:

Chrome-specific settings for advanced features like ECH may require registry tweaks if there isn't a visible policy template for it.

Using Registry Settings

If the Group Policy templates don't have explicit settings for ECH, you can try modifying registry settings directly.

• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  
• Key: If there’s a specific key for ECH (e.g., EncryptedClientHelloEnabled), set it to 0 to disable.
  

For large-scale environments

• Use tools like Microsoft Endpoint Manager (Intune) or Active Directory Group Policy to deploy the changes across multiple systems.
• Create a custom .adm template if specific ECH settings are not readily available in the ADMX templates.

Important Notes

• As ECH is a relatively new feature, explicit policies for enabling/disabling it might not yet exist in some versions of the browser templates.
• Ensure that your browser versions and ADMX templates are up-to-date to access the latest settings.

2. Disable Encrypted Client Hello - Microsoft Edge

NOTE: The below steps should be taken as a guide only. Talk Straight & Schools Broadband have looked at common browsers and methods to disable specific features. The software vendor of these web browsers may change how you access these settings at any point and therefore this information may not always be up to date.

Encrypted Client Hello (ECH) is a security feature designed to encrypt the "Client Hello" portion of the TLS handshake, improving privacy by preventing interception of certain metadata (e.g., hostname). However, if you need to disable it in Chrome or Edge for specific reasons, follow these steps:

For Microsoft Edge (Standalone)

(UPDATE - The edge://flags method is no longer supported)

Edge is based on Chromium, so the process is similar to Chrome:

• Open Edge settings:
  
  • In the address bar, type edge://flags and press Enter.
• Search for "Encrypted ClientHello":
  
  • Use the search bar to find the Encrypted Client Hello option.
• Disable the feature:
  
  • If the option is present, set it to Disabled using the dropdown menu.
• Restart Edge:
  
  • Click Relaunch to apply the changes.

Microsoft Edge via Group Policy (standalone)

The following steps have been adapted from this Microsoft learning article on configuring Microsoft Edge policy settings on Windows - https://learn.microsoft.com/en-us/deployedge/configure-microsoft-edge

Steps:

• Download and Install Edge ADMX Templates:
  
  • Download from the Microsoft Edge Enterprise site.
  • Extract and copy the .admx files to C:\Windows\PolicyDefinitions.
• Open Group Policy Management Editor:
  
  • Press Win + R, type gpedit.msc, and press Enter.
• Navigate to Edge Policies:
  
  • Go to Administrative Templates > Microsoft Edge.
• Search for the ECH Setting:
  
  • Look for a policy related to "Encrypted ClientHello" or TLS features.
• • If available, disable it.
    

• Apply and Deploy:
  
  • Save changes and update policies with gpupdate /force.

Using Registry Settings

If the Group Policy templates don't have explicit settings for ECH, you can try modifying registry settings directly.

For Edge:

• Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
• Key: Similar to Chrome, look for a key like EncryptedClientHelloEnabled and set it to 0.

Centralised Deployment

For large-scale environments:

• Use tools like Microsoft Endpoint Manager (Intune) or Active Directory Group Policy to deploy the changes across multiple systems.
• Create a custom .adm template if specific ECH settings are not readily available in the ADMX templates.

IMPORTANT NOTES

• As ECH is a relatively new feature, explicit policies for enabling/disabling it might not yet exist in some versions of the browser templates.
• Ensure that your browser versions and ADMX templates are up-to-date to access the latest settings.