LaLiga's fight against illegal soccer broadcasts has run into an unexpected obstacle: ECH (Encrypted Client Hello), an encryption protocol at the center of the conflict and of the collateral damage of this battle, which is hitting thousands of companies.
Turning point. It all started when Cloudflare implemented ECH (Encrypted Client Hello) in October 2023, an extension of TLS that prevents operators from identifying which specific domain the user is requesting.
This protocol makes it technically impossible for operators to see which specific domain a user requests.
The contrast. ECH works as an additional encryption layer that completely hides the final destination of a connection:
- When a user tries to access a website, their browser starts an encrypted “negotiation” (the TLS handshake) with the server.
- Before ECH, although this connection was encrypted, the domain name traveled “in the clear” so that intermediate servers could route the traffic.
- With ECH, the domain name is also encrypted, making it impossible for operators to know which specific website the user is accessing.
The system is even more complicated because Cloudflare uses shared IPs:
- The same IP address can host hundreds or thousands of different websites.
- Without ECH, operators could see which domain each user requested and block selectively.
- With ECH enabled, they only see an IP address carrying encrypted traffic that could be serving both legal and illegal content.
- This leaves operators two options: block the entire IP (affecting hundreds or thousands of sites) or block nothing. When they choose the former, legitimate websites end up blocked.
To avoid these blocks, which also turn into a reputational crisis, some operators are resorting to alternative techniques such as:
- Traffic pattern analysis.
- Deep packet inspection (DPI).
- Blocking by SNI (Server Name Indication) when ECH is not active.
But these solutions are complex, expensive and not always effective. The conflict has escalated: Movistar has softened its blocks, Digi has hardened them, and Vodafone says it has a more precise solution, although it has not revealed details yet (Xataka has asked them about this and had not received an answer at the time of publishing this article). They possibly use one of the techniques listed above.
What's next. ECH has meant a huge change in Internet architecture. The precedent of Austria, where IP blocking was prohibited to protect net neutrality, suggests that the current regulatory model needs to adapt to this new reality.
Meanwhile, the standoff between LaLiga and Cloudflare persists, and thousands of Spanish companies remain trapped in the middle of the conflict.
Featured image | Cloudflare