Now all servers can participate in Encrypted Client Hello for enhanced user privacy: if clients open TLS connections with ECH where the server IP is used in the ClientHelloOuter and the target SNI domain is in the encrypted ClientHelloInner, then eavesdroppers won't be able to read which domain the user is connecting to.
This vision still needs several more developments to land before it actually results in an increment in user privacy, but they are possible:
1. User agents can somehow know they can connect to a host with IP SNI and ECH (a DNS record?)
2. User agents are modified to actually do this
3. User agents use encrypted DNS to look up the domain
4. Server does not combine its IP cert with its other domain certs (SAN)
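Point 4 can be checked mechanically. The following is an added example, not part of the original comment: it takes a certificate in the dict format returned by Python's `ssl.SSLSocket.getpeercert()` and reports whether a certificate covering an IP address also names domains. The function names and both sample certificates are constructed for illustration.

```python
import ipaddress


def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def audit_ip_cert(cert):
    """Audit a certificate dict (ssl.SSLSocket.getpeercert() format).

    Returns the IP and DNS identities it carries and whether an IP
    certificate also exposes hostnames to anyone who fetches it.
    """
    ips, names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address":
            ips.append(str(ipaddress.ip_address(value.strip())))
        elif kind == "DNS":
            names.append(value.lower())
    # A commonName can carry a hostname that is not in the SAN list.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and not _is_ip(value):
                if value.lower() not in names:
                    names.append(value.lower())
    return {"ips": ips, "names": names,
            "leaks_domains": bool(ips) and bool(names)}


# Constructed sample: certificate that covers only the server IP.
IP_ONLY_CERT = {
    "subject": (),
    "subjectAltName": (("IP Address", "203.0.113.10"),),
}

# Constructed sample: IP certificate combined with hosted domains.
MIXED_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("IP Address", "203.0.113.10"),
                       ("DNS", "shop.example"),
                       ("DNS", "blog.example")),
}

if __name__ == "__main__":
    for label, cert in (("ip-only", IP_ONLY_CERT), ("mixed", MIXED_CERT)):
        print(label, audit_ip_cert(cert))
```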