Encrypted Client Hello (ECH) has been behind a pref in Firefox for over a year, enabled only in Nightly. Over the coming releases, we plan to continue experimentation and proceed to a rollout, with the final schedule depending on whether we run into any issues with network incompatibility.
Summary: ECH enhances the privacy of TLS connections made by the browser by encrypting the initial packet sent at the start of the TLS connection, which contains sensitive information. ECH requires server-side support in order to be effective. If ECH support is not available, then a GREASE extension containing random data is added to the TLS ClientHello, which is ignored by the server.

Bug: https://bugzil.la/1725938

Specification: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/16/

Standards Body: IETF, TLS WG

Platform Coverage: All

Preferences:
network.dns.echconfig.enabled - True
network.dns.http3_echconfig.enable - True
network.dns.force_waiting_https_rr - True
security.tls.ech.grease_probability - 100
security.tls.ech.grease_http3 - True

ECH support also requires a DoH server to be configured in Firefox (either from the default list or a custom self-hosted server). This is because ECH depends on a special type of DNS record and is only effective if these DNS records are fetched over an encrypted connection. ECH respects all existing DoH opt-outs (canary, pref, enterprise policy), and ECH will not be used to encrypt any ClientHellos if DoH is disabled or opted out.

DevTools bug: None

Standards position: Positive - https://github.com/mozilla/standards-positions/issues/139

Web platform tests: None (TLS Feature)

Test Sites:
https://www.cloudflare.com/ssl/encrypted-sni/
https://tls-ech.dev/
https://defo.ie/ech-check.php

Other Browsers:
Blink - Experimental Support - https://groups.google.com/a/chromium.org/g/blink-dev/c/KrPqrd-pO2M/m/wqVwcQ6tBgAJ
WebKit - Unknown / Presume Not Implemented
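The "special type of DNS record" the post refers to is the HTTPS record, whose `ech` parameter carries an ECHConfigList; a client can only offer real (non-GREASE) ECH if it can decode that structure. The parser below is an added example, not Firefox or NSS code, following the ECHConfigList layout in draft-ietf-tls-esni-16 (two-byte length-prefixed vectors, version 0xfe0d); the sample bytes are constructed here and include an unknown-version entry to show the skip-unknown rule.

```python
ECH_VERSION = 0xFE0D  # ECHConfig version used by draft-ietf-tls-esni-13 through -16

def _vec(buf, pos, len_size):
    """Read a TLS variable-length vector whose length prefix is len_size bytes."""
    n = int.from_bytes(buf[pos:pos + len_size], "big")
    start, end = pos + len_size, pos + len_size + n
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[start:end], end

def parse_ech_config_list(data):
    """Parse an ECHConfigList (the 'ech' SvcParam of an HTTPS record) into dicts."""
    body, end = _vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, pos = [], 0
    while pos < len(body):
        version = int.from_bytes(body[pos:pos + 2], "big")
        contents, pos = _vec(body, pos + 2, 2)
        if version != ECH_VERSION:
            continue  # unknown version: a client skips it rather than failing
        public_key, p = _vec(contents, 3, 2)
        suites, p = _vec(contents, p, 2)
        if not suites or len(suites) % 4:
            raise ValueError("malformed cipher_suites")
        max_name_len, p = contents[p], p + 1
        public_name, p = _vec(contents, p, 1)
        extensions, p = _vec(contents, p, 2)
        if p != len(contents):
            raise ValueError("trailing bytes inside ECHConfig")
        configs.append({
            "config_id": contents[0],
            "kem_id": int.from_bytes(contents[1:3], "big"),
            "public_key": public_key,
            "cipher_suites": [(int.from_bytes(suites[i:i + 2], "big"),
                               int.from_bytes(suites[i + 2:i + 4], "big"))
                              for i in range(0, len(suites), 4)],
            "maximum_name_length": max_name_len,
            "public_name": public_name.decode("ascii"),
            "extensions": extensions,
        })
    return configs

# Constructed sample (not from any real server): an unknown-version (0xfe0a) config that must
# be skipped, then a draft-16 config for X25519 / HKDF-SHA256 / AES-128-GCM.
_CONTENTS = (b"\x42" + b"\x00\x20" + b"\x00\x20" + b"\x11" * 32      # config_id, kem_id, public_key
             + b"\x00\x04" + b"\x00\x01\x00\x01"                      # one (kdf_id, aead_id) suite
             + b"\x00" + b"\x0e" + b"public.example" + b"\x00\x00")   # max_name_len, name, exts
_CONFIGS = b"\xfe\x0a\x00\x03\xaa\xbb\xcc" + b"\xfe\x0d" + len(_CONTENTS).to_bytes(2, "big") + _CONTENTS
SAMPLE_ECH_CONFIG_LIST = len(_CONFIGS).to_bytes(2, "big") + _CONFIGS
```

The `public_name` field is what appears in the outer, unencrypted ClientHello, so it is the only hostname a network observer sees when ECH is in use.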
