Firefox 118 boosts security with Encrypted Client Hello support
Mozilla released Firefox 118 Stable in late September 2023 to the public. It was a major release, as it introduced the long-awaited native translate feature in the browser.
Privacy-friendly translation of websites was not the only privacy feature that Mozilla integrated into the browser. Firefox 118 Stable also supports Encrypted Client Hello, which many may see as even more important. The main purpose of the security feature is to protect data from network spies. A spy can be the Internet Service Provider or anyone listening in on the traffic in the network.
Here is an example to better illustrate the feature. A regular connection to a website usually uses HTTPS. This means that traffic data is encrypted and therefore protected against traffic monitoring. The address of the website, say ghacks.net, is not encrypted, however. This means that it will leak when someone monitors traffic. Encrypted Client Hello resolves this by encrypting the address of the site as well, so that the visited sites are no longer revealed.
Encrypted Client Hello relies on the Domain Name System, and here in particular on DNS over HTTPS. DNS over HTTPS encrypts domain lookups and is used to fetch a key from the web server that Encrypted Client Hello uses to encrypt all traffic to the server and site in question.
Firefox users need to make sure that DNS over HTTPS is used in the browser to utilize Encrypted Client Hello. This is done in the following way:
- Load about:preferences#privacy in the Firefox address bar to open the Privacy and Security settings.
- Scroll all the way down to the DNS over HTTPS section on the page.
- Firefox controls DNS over HTTPS by default. You may want to switch to Increased or Max Protection instead, as it ensures that the feature is used all the time. The difference between Increased and Max Protection is that Increased includes a fallback to regular DNS, whereas Max Protection will not load sites if secure DNS is not available.
- Select one of the available providers or add a custom provider to Firefox so that it is used.
With DNS over HTTPS enabled, Firefox will use Encrypted Client Hello automatically, provided that the web server of the site supports it. Users who want to know for sure can check out these two test sites to find out.
Chromium-based web browsers support Encrypted Client Hello as well. The most recent version of Google Chrome, version 117, supports the feature.
Now You: what is your take on this privacy feature?