If you have upgraded your stable version of the Firefox web browser to version 85.0, released in January, you may have noticed that it no longer supports ESNI.
ESNI, which stands for Encrypted Server Name Indication, is a security and privacy feature designed to protect against network eavesdropping.
Mozilla introduced support for ESNI two years ago and the feature has been available as an advanced option in Firefox for some time. Users had to configure several advanced parameters to make use of ESNI in Firefox.
Mozilla published a post on its Mozilla Security Blog in January that informed readers that Firefox would drop support for ESNI in favor of ECH, or Encrypted Client Hello.
The new TLS extension was designed to eliminate the shortcomings of ESNI. Researchers discovered that ESNI provided incomplete protection and that it had "interoperability and deployment challenges that prevented it from being enabled at a wider scale".
ECH addresses these shortcomings. Mozilla removed ESNI support from Firefox 85 in favor of ECH support.
Firefox users may turn it on in the following way:
While Firefox does support ECH, that is just one side of the coin, as servers need to support it as well for the feature to work. Cloudflare's test reveals that the SNI is currently not encrypted even when the feature is enabled in Firefox, which indicates that the default provider, Cloudflare, has not enabled it yet.
Firefox users who used the feature prior to version 85.0 Stable found themselves in a precarious situation: Mozilla removed the feature from the browser, but there was no option to use ECH yet; this in turn meant that privacy could be impacted. Users reported the issue on Mozilla's bug tracking site, some stating that dropped support would allow censorship mechanisms to work again. All these reports appear to have received the "won't fix" status.
Mozilla suggests that users use Firefox ESR for the time being, as support for ESNI is still available in that browser. It is an option, but users would have to be aware of the change first to make the switch.
It is unclear why Mozilla removed support for ESNI early. It would have been better from a user point of view if Mozilla had waited until servers that support ECH were available. Cloudflare, being the default provider in Firefox, would be a prime choice for that.
Firefox users who require it may switch to ESR for the time being. ECH looks more promising than ESNI, but Mozilla's timing could have been better.
Now You: Have you used ESNI in Firefox?