The case of missing ESNI support in Firefox 85
If you have upgraded your stable version of the Firefox web browser to version 85.0, released in January, you may have noticed that it no longer supports ESNI.
ESNI, which stands for Encrypted Server Name Indication, is a security and privacy feature designed to protect against network eavesdropping.
Mozilla introduced support for ESNI two years ago and the feature has been available as an advanced option in Firefox for some time. Users had to configure several advanced parameters to make use of ESNI in Firefox.
Tip: Check if your browser uses Secure DNS, DNSSEC, TLS 1.3, and Encrypted SNI
Mozilla published a post on its Mozilla Security Blog in January that informed readers that Firefox would drop support for ESNI in favor of ECH, or Encrypted Client Hello.
The new TLS extension was designed to eliminate the shortcomings of ESNI. Researchers discovered that ESNI provided incomplete protection and that it had "interoperability and deployment challenges that prevented it from being enabled at a wider scale".
ECH addresses these shortcomings, and Mozilla removed ESNI support from Firefox 85 in favor of ECH support.
Enable ECH in Firefox
Firefox users may turn it on in the following way:
- Load about:config in the Firefox address bar.
- Confirm that you will be careful.
- Search for network.dns.echconfig.enabled.
- Set the preference to TRUE to enable it.
- Search for network.dns.use_https_rr_as_altsvc.
- Set the preference to TRUE to enable it.
- Restart the Firefox web browser.
Problem: ECH needs servers
While Firefox does support ECH, the browser is only one side of the coin: servers must support the feature as well for it to work. Cloudflare's browser check still reports the SNI as unencrypted even with the feature enabled in Firefox, which indicates that Cloudflare, the default provider in Firefox, has not enabled ECH on its servers yet.
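Server support is advertised in DNS: with network.dns.use_https_rr_as_altsvc enabled, Firefox looks up the domain's HTTPS record, and ECH is only possible when that record carries an ech SvcParam (key 5 in the SVCB/HTTPS RR wire format of RFC 9460). The parser below is an added example, not code from the article or from Mozilla; the two sample records are constructed, and the ech bytes are placeholders rather than a real ECHConfigList.

```python
import base64
import struct


def _read_name(data: bytes, pos: int):
    """Decode an uncompressed DNS wire-format name starting at pos."""
    labels = []
    while data[pos] != 0:
        n = data[pos]
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB RDATA")
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def parse_https_rdata(rdata: bytes) -> dict:
    """Parse HTTPS RR RDATA: SvcPriority, TargetName, then SvcParams (RFC 9460)."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        if key <= last_key:
            raise ValueError("SvcParams must be in strictly increasing key order")
        last_key, value, pos = key, rdata[pos + 4:pos + 4 + length], pos + 4 + length
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        if key == 1:  # alpn: sequence of length-prefixed protocol ids
            alpns, i = [], 0
            while i < len(value):
                alpns.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
            params["alpn"] = alpns
        elif key == 5:  # ech: opaque ECHConfigList; presentation format is base64
            params["ech"] = base64.b64encode(value).decode("ascii")
        else:
            params[f"key{key}"] = value.hex()
    return {"priority": priority, "target": target, "params": params}


def ech_available(rdata: bytes) -> bool:
    """Only a ServiceMode record (priority > 0) that carries ech can enable ECH."""
    rec = parse_https_rdata(rdata)
    return rec["priority"] > 0 and "ech" in rec["params"]


# Constructed sample records; the ech value is a placeholder, not a real ECHConfigList.
SAMPLE_WITH_ECH = (b"\x00\x01" b"\x00"                      # priority 1, target "."
                   b"\x00\x01\x00\x06" b"\x02h2\x02h3"       # alpn=h2,h3
                   b"\x00\x05\x00\x04" b"\xde\xad\xbe\xef")  # ech=<placeholder>
SAMPLE_WITHOUT_ECH = b"\x00\x01" b"\x00" b"\x00\x01\x00\x06" b"\x02h2\x02h3"
```

A record without the ech parameter, like the second sample, is what a Firefox 85 user sees for a site whose provider has not deployed ECH: the preference is on, but the handshake still sends the SNI in the clear.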
Firefox users who used the feature prior to version 85.0 Stable found themselves in a precarious situation: Mozilla removed the feature from the browser, but there was no working ECH option yet, which meant that privacy could be impacted. Users reported the issue on Mozilla's bug tracking site, some stating that the dropped support would allow censorship mechanisms to work again. All these reports appear to have received the "won't fix" status.
Mozilla suggests that users use Firefox ESR for the time being, as support for ESNI is still available in that browser. It is an option, but users would have to be aware of the change first to make the switch.
It is unclear why Mozilla removed support for ESNI this early. From a user's point of view it would have been better if Mozilla had waited until servers supporting ECH were available, with Cloudflare, the default provider in Firefox, being the obvious candidate.
Firefox users who require it may switch to ESR for the time being. ECH looks more promising than ESNI, but Mozilla's timing could have been better.
Now You: Have you used ESNI in Firefox?
Interesting that they released ESNI without talking at all about all its internal privacy flaws that ECH solves now, that they could not ignore at that time. ESNI was itself released before to plug one of several privacy leaks in DNS-over-HTTPS that they similarly forgot to talk about most of the time when selling it initially, and that made it actually worse for privacy than not using it when used with alternative DNS providers, but they wanted to grab control over DNS data at any cost.
And ECH, like ESNI, requires more than switching it on in a browser; it works only with servers supporting it. Today most sites do not even support TLS 1.3, and those that support ESNI/ECH are a subset of those. Even for those supporting it, there are other known leak vectors. All this means that if you are using it with an alternative DNS provider you have worse than a false-sense-of-privacy problem, you actually have strictly less privacy than before. But it’s not their concern, they just want ownership of the DNS system to switch to their hands.
DNS-over-HTTPS has no more leaks than HTTPS itself.
And you don’t get less privacy than with DOH: with DOH off, all MITMs can read and modify your DNS-traffic. Like, for example, my government-owned ISP does it.
“DNS-over-HTTPS has no more leaks than HTTPS itself.”
“And you don’t get less privacy than with DOH”
You did not understand.
“You did not understand.”
Actually, it’s you who did not understand.
“You who”. Who you? You, or him?
You don’t understand.
Anonymous is right
I use my own unbound server with DoT which I configured myself. So no, I can afford to not use yet another half-baked crutch by ham-fisted clowns.
The Great Firewall of China bans TLS 1.3 & ESNI, because it’s the only thing they can’t spy on. It works!
A Bugzilla was filed immediately & 3 developers were responsible for shutting down the conversation, even when people mentioned that people would DIE, because Firefox removed ESNI without mentioning it in the changelog or anywhere else.
These 3 developers would rather let the NSA/FBI spy on “Trump supporters” than protect users in Hong Kong & China from being arrested & then having their organs harvested in prison.
Firefox SJW leadership is immoral & flat out liars, pretending to support a free & open internet, while calling for censorship of “wrongthink”.
Mozilla was the first to ban the dissenter webextension, NOT Google.
There’s definitely a disconnect between Mozilla’s stated mission & the morons currently running the company.
All that said, Firefox is still the best browser (not including Tor, which is rather restrictive) on the planet today.
Props to Martin for writing this article, I’ve been waiting for someone to say something for weeks.
ECH is a joke. No one uses it, so it can’t be implemented by anyone right now.
Cloudflare won’t commit to ECH. Cloudflare spent a lot of money implementing ESNI on their servers, only to have Mozilla stab them in the back & deprecate ESNI.
ECH is like a city’s mayor saying that stop lights are flawed, because some people have red/green color blindness, so you’re going to support “blue” stoplights instead of red & green AND deprecate red & green stoplights by turning OFF all red & green lights at every stoplight in the city. Now you only have the yellow light and no one can reliably drive on any road in the city anymore.
The 3 developers in the Bugzilla are either really stupid or they INTENTIONALLY deactivated ESNI without telling anyone to further their political agenda.
Without ESNI anyone along the server path knows where you’re going, so there’s no privacy. ECH cannot work, since no one supports it, and there are no servers supporting it.
I still believe Firefox is the best browser, but I can’t recommend it to anyone, because of this BS. I would just tell anyone who asked me, just use whatever browser you like, unless you NEED to stay anonymous, in which case you should use Tor.
We have a couple months of Firefox 78 ESR, then no more ESNI support.
China’s celebrating, the NSA is celebrating, Big Brother is celebrating, etc.
The wheel is still crushing everyone, with no hope in sight.
“Mozilla was the first to ban the dissenter webextension, NOT Google.” Somewhat perhaps ironically, Mozilla receives a lot of income from Google.
“More than 90 per cent of Mozilla’s funding comes from web search providers that pay for the right to be the default search engine in Firefox in their regions. According to the organization’s latest financial figures [PDF], $430m of its 2018 total revenue of $451m came from those internet giants – primarily Google, we understand. These deals were due to be renewed or renegotiated by November this year.”
Based on an audit circa 2017-2018,
“Mozilla’s primary source of revenue is royalty income from contracts with various search engine and information providers.”
Notanon thinks that FBI/NSA is on the side of China. Soon he is going to say that they are SJW or communists.
That’s how retarded the political debate is in USA today.
You don’t understand.
Thanks Martin, this is a very important subject.
I just want my address bar to stop expanding like a crazy monkey every time I type something in it!
Yes, it’s terrible that ESNI was removed when the alternative didn’t have any server support.
Hi, Firefox 78.9 ESNI does not work :(
Just use dnscrypt-proxy, it does what ESNI was supposed to.
DNS-over-HTTPS allows Firefox to censor the internet by blocking domains it does not like politically. Dump Firefox, they support censorship.