Firefox 118 and Encrypted Client Hello security (ECH)

Topic

New Reply

[Tex265]

Refer to a previous discussion that I started at #2591358  under the Firefox basket that has been joined in on by @WCHS.

This appears to be an important enhanced privacy area for discussion, but seems to have been lost in the overall volume of posts within the Firefox basket.

If interested in whether you currently have this enhanced privacy feature activated or not beginning with FF118, start with the link above and work your way back here.

Below is a Wiki post that I just located discussing the FF Config Setting Preferences to utilize the ECH privacy and why.

Note: that even though I got ECH “to appear to function” with only 3 config changes, it appears from the article below that other settings are also important especially the settings pertaining to “grease”.

Again feedback from FF users would be helpful as to whether you received these settings automatically or whether not. Some seem to have, others not or not yet(?).  As well as those with expertise in this feature area.

https://wiki.mozilla.org/Security/Encrypted_Client_Hello

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

• This topic was modified 1 year, 7 months ago by Tex265.
• This topic was modified 1 year, 7 months ago by Tex265.

Reply | Quote

Replies

I’ve been using SNI/ ECH for years, what’s the problem?
It’s now a simple firefox settings click and set to use the ECH and DNS.
When it was the older SNI, that entailed about-config tweaks to manually introduce the settings and DNS links. It’s much easier to setup nowadays, even using alternate DNS providers (as long as they support ECH)

I’m using cloudflare, and I’m happy with their service:

Windows - commercial by definition and now function...

Reply | Quote

Microfix wrote:

I’ve been using SNI/ ECH for years, what’s the problem? It’s now a simple firefox settings click and set to use the ECH and DNS.

Maybe, but Maybe Not.

The potential problem is that FF advises that use of the newer ECH is “automatic” with version 118 and utilizing DNS over HTTPS options, but that does not appear to be true for everyone (me being one).

I have the required Preferences set, but none of the needed Config Settings were automatically configured per the ones shown in my attached wiki link. ECH was not functional.

Member @WCHS had a better result with their settings being changed.  A review of my previous links indicate that others out there also did not get automatic settings. Some suggesting that perhaps this is a rollout over time situation.

So trying to get a sense of what is going on via members feedback so we can be informed users.  Also to alert members that think they are using ECH they may not be – run the test sites/check  your Settings to confirm.

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

According to Mullvad VPN if you reside in the US, Canada, Russia or Ukraine Mozilla has configured DNS over HTTPS using Cloudflare DNS by default. https://mullvad.net/en/help/dns-leaks

Reply | Quote

Tex265 wrote:

The potential problem is that FF advises that use of the newer ECH is “automatic” with version 118 and utilizing DNS over HTTPS options, but that does not appear to be true for everyone (me being one).

UPDATE: The above is/was true that version 118 did not envoke the reported ECH implementation automatically.  However, installing FF version 119 DID make the referrenced and required Settings changes to activate ECH.

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote