TCP SYN is not encrypted, and neither is Client Hello. Even with TCP cookies and TLS session resumption, the initial packet is still unencrypted, and can be intercepted.
Client Hello can be encrypted: https://support.mozilla.org/en-US/kb/understand-encrypted-cl...
Oh, right, thanks for the correction!
However, ECH relies on a trusted 3rd party to provide the key of the server you are intending to talk to. So, it won't work if you have no way of authenticating the server beforehand the way GP was thinking about.
Yes but this still depends on identity. It's not unauthenticated.
The situation is actually somewhat more complicated than this.
ECH gets the key from the DNS, and there's no real authentication for this data (DNSSEC is rare and is not checked by the browser). See S 10.2 [0] for why this is reasonable.
[0] https://tlswg.org/draft-ietf-tls-esni/draft-ietf-tls-esni.ht...