How to make MS Edge safer by turning on Encrypted Client Hello

Joseph Johnston

Most information you send or receive on today’s internet passes through a layer of encryption to make sure it can only be read by the sender and receiver. This task is generally done via an automatic encryption key exchange through a cryptographic protocol in your browser.

The most widely used of these protocols is Transport Layer Security (TLS), which opens every connection with a key-exchange handshake. By following just a few steps, you can enable the latest TLS extension, known as Encrypted Client Hello (ECH), in your Microsoft Edge browser to make your information even safer.

  1. Open MS Edge properties

    Microsoft Edge Properties

    Find the shortcut you use to access MS Edge in your Start menu, taskbar, or desktop. Right-click on the shortcut, and select Properties from the popup menu.

    Go to the Shortcut tab in the Properties box. In the Target text box, third from the top, you’ll see the path to the location of your msedge.exe file. It should look something like “C:\..\msedge.exe.”

  2. Update path location and launch

    The Target text box in MS Edge’s Properties dialogue

    Don’t change the path itself. Directly after it, add a space followed by --enable-features=EncryptedClientHello (two leading hyphens).

    Click OK at the bottom of the Properties box.

    Use the shortcut you just modified to launch MS Edge.

  3. Enable support for HTTPS records in DNS

    Enable the first flag

    Before you start browsing, click on Edge’s address bar, and paste edge://flags/#dns-https-svcb.

    Edge will display a list of services you can turn on or off. The first one is titled Support for HTTPS records in DNS. Click on the drop-down list to the right of that service, and select Enabled.

  4. Enable use DNS https alpn

    Enable the second flag

    Click on the address bar again, and type in edge://flags/#use-dns-https-svcb-alpn. Select Enabled next to the option labeled Use DNS https alpn.

    Next, press Alt + F to open Edge’s menu. Click on Settings and then Privacy, search, and services.

    Under the Security subheading, find the option labeled Use secure DNS to specify how to lookup the network address for websites. Click on the toggle switch on the right to enable this. The switch will turn blue.

  5. Select Cloudflare as service provider and relaunch Edge

    Enable secure DNS

    Directly below, click the option labeled Choose a service provider. In the list of available providers below that, choose Cloudflare.

    Restart the Edge browser. The ECH update is now enabled.

  6. Use an Encrypted Client Hello checker

    You can check that ECH is working properly in your Edge browser by visiting the ECH check page, Check the status of the SSL ECH parameter. It should read “success!”

Why should you enable ECH in Microsoft Edge?

The TLS protocol was designed to protect data streams flowing between a web app like your browser and an external server. Since it was first created in 1999, TLS developers have released various updates to the protocol, the latest of which is TLS 1.3. Encrypted Client Hello is an add-on to TLS 1.3 that extends its protection to the full handshake between the sender and the receiver, including the initial introduction between the endpoints, which had always been sent in the clear. That finally closes a privacy leak that had persisted since the beginning of the protocol.

Online servers often use the same IP address to host a number of websites, such as in shared and virtual hosting services. Server Name Indication (SNI) is an earlier TLS extension, released in 2003, that fixed the common name mismatch errors caused by multiple websites sharing a single IP address. Those mismatches used to produce browser error messages that read Your connection is not private. SNI lets the browser state the exact domain name it wants during the handshake, so the server can present the certificate that matches it.

SNI data is sent in the client hello, the message with which your browser initiates contact with a server and requests its security certificate, and that message used to be unencrypted. Before ECH, the SNI was therefore not covered by the encryption at all, which meant eavesdroppers on your network could see which servers and websites you had requested access to. ECH prevents server name interception by fetching the server’s ECH public key from its HTTPS record in DNS (which is why steps 3 to 5 turn on HTTPS records and secure DNS) and using that key to encrypt the sensitive part of the client hello, including the real SNI, so that an observer only sees a generic public name.
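To make concrete what the HTTPS DNS records enabled in steps 3 to 5 actually carry, here is an added example (not from the article) that builds a constructed ECHConfigList in the draft-13 wire format (version 0xfe0d, the one Chromium-based browsers deploy) and parses it back; the key bytes, config id and public name are made up.

```python
import struct

ECH_VERSION_DRAFT13 = 0xFE0D  # ECHConfig version used by current browser deployments

def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0], off + 2

def parse_ech_config_list(data):
    """Parse an ECHConfigList (the value of the 'ech' SvcParam in an HTTPS DNS record).
    Returns one dict per supported ECHConfig; unknown versions are skipped, as the spec requires."""
    total, off = _u16(data, 0)
    end = off + total
    if end != len(data):
        raise ValueError("ECHConfigList length does not match data")
    configs = []
    while off < end:
        version, off = _u16(data, off)
        length, off = _u16(data, off)
        body, off = data[off:off + length], off + length
        if version != ECH_VERSION_DRAFT13:
            continue  # a client must ignore versions it does not implement
        configs.append(_parse_contents(body))
    return configs

def _parse_contents(b):
    config_id = b[0]                        # HpkeKeyConfig.config_id
    kem_id, off = _u16(b, 1)                # HPKE KEM identifier
    pk_len, off = _u16(b, off)
    public_key, off = b[off:off + pk_len], off + pk_len
    cs_len, off = _u16(b, off)
    suites = [struct.unpack_from("!HH", b, off + i) for i in range(0, cs_len, 4)]
    off += cs_len
    max_name_len, name_len = b[off], b[off + 1]
    off += 2
    public_name, off = b[off:off + name_len].decode("ascii"), off + name_len
    ext_len, off = _u16(b, off)             # extensions; none in this sample
    if off + ext_len != len(b):
        raise ValueError("ECHConfigContents has trailing or missing bytes")
    return {"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
            "cipher_suites": suites, "maximum_name_length": max_name_len,
            "public_name": public_name}  # the name an eavesdropper sees in the outer ClientHello

def build_ech_config_list(config_id, public_key, public_name,
                          kem_id=0x0020, suites=((0x0001, 0x0001),), max_name_len=0):
    """Encode a single draft-13 ECHConfig; used here only to construct sample input."""
    cs = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites)
    contents = (bytes([config_id]) + struct.pack("!HH", kem_id, len(public_key)) + public_key
                + struct.pack("!H", len(cs)) + cs + bytes([max_name_len, len(public_name)])
                + public_name.encode("ascii") + struct.pack("!H", 0))
    cfg = struct.pack("!HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    return struct.pack("!H", len(cfg)) + cfg

# Constructed sample: DHKEM(X25519, HKDF-SHA256) = 0x0020 with a dummy 32-byte key and a made-up public name
SAMPLE_LIST = build_ech_config_list(7, bytes(range(32)), "ech-public.example")
```

The `public_name` field is the only host name that travels unencrypted once ECH is on; the site you actually visit is carried in the encrypted inner client hello.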

Using ECH in other browsers

Encrypted Client Hello is currently in the process of being standardized for the final release to the wider browser ecosystem. You can also enable the experimental version in Firefox as well as the developer versions of various Chromium browsers.

If you’re interested in keeping your web browsing as safe as possible, check out our list of the most secure browsers for Windows and Android.
