ECH (encrypted client hello) is going or get enabled by default (already existed in a hidden setting) with version 118.

This page about the version explains a bit better ECH https://support.mozilla.org/fr/kb/understand-encrypted-client-hello

Tho it is still a bit confusing.

From what I understand there is the DNS query > the dns servers sends back an IP. This DNS query can be encrypted with DoH (or DoT?, it seems only DoH from the post).

Then there is a handshake with the website where the website informations can be leaked, and that can be encrypted by ECH (if the website supports it).

Then after that there is a tls connexion established between the website and the user.

The part where I’m confused is : can ECH be used without DoH? If yes that would mean that I can use a DoH capable software and not have to configure it into Firefox? (ex: Nextdns + yogadns)

  • 🇰 🌀 🇱 🇦 🇳 🇦 🇰 ℹ️
    link
    fedilink
    English
    3
    edit-2
    1 year ago

    It’s already on. The problem is going to a HTTPS site gives the “this site isn’t actually secure, would you like to open it in HTTP instead?” And doesn’t actually load the sites, which I know work, in HTTPS.

    Like this:

    This site (SNAP homepage) works in HTTPS just fine on Chrome.

    • 𝒍𝒆𝒎𝒂𝒏𝒏
      link
      fedilink
      English
      71 year ago

      Their webserver is probably misconfigured I think?

      Chrome does a bunch of stuff in the background (trying no www, with www, etc) to try and get you to the https website, which firefox doesn’t. It’s a reason I like firefox as a developer, makes it super obvious when you’ve messed something up

    • @[email protected]OP
      link
      fedilink
      English
      1
      edit-2
      1 year ago

      I sometimes get this too. It’s a bit annoying on mobile (not happening on desktop), but I often just need to reload the page.