Cloudflare accelerates its network with security, traffic optimizations

Currently, the Brotli compression format is among the most widely used. Cloudflare is now rolling out a new option based on Zstandard (zstd) compression that has only been supported in the Google Chrome and Mozilla Firefox web browsers since March of this year.

“Zstandard gives pretty much the same compression levels of Brotli, but is about 42% faster than Brotli, and so it actually makes it viable to be using it at quite a wide scale,” he said.

Hello (encrypted) world

Privacy enhancements are also a key focus for Cloudflare, and that’s where the new Encrypted Client Hello (ECH) specification fits in. This feature addresses a longstanding privacy concern in web browsing. ECH is a proposed IETF standard that is currently undergoing review.

“One of the ways in which web browsing isn’t private is that your web browser goes and connects to your website and announces what it’s looking for in what’s called the client hello,” Graham-Cumming explained. “The solution to that is a thing called Encrypted Client Hello.”

ECH encrypts the initial “Client Hello” packet in the TLS handshake, which reveals the domain the user is trying to connect to. Encrypting this packet hides the destination domain from anyone monitoring the connection. To be clear, Graham-Cumming noted that ECH is different from other privacy efforts like DNS over HTTPS/TLS, which encrypts the DNS lookup process, so that the DNS server cannot see which domains the user is looking up.

The key difference is that Encrypted Client Hello focuses on hiding the destination domain in the initial TLS connection, while DNS over HTTPS/TLS focuses on hiding the DNS lookups that precede the TLS connection. Both techniques aim to improve user privacy by encrypting different parts of the web browsing process.


