2y ago

Say (an encrypted) hello to a more private internet.

blog.mozilla.org Say (an encrypted) hello to a more private internet. | The Mozilla Blog

As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th

privacy @lemmy.ca

Say (an encrypted) hello to a more private internet | The Mozilla Blog

blog.mozilla.org /en/products/firefox/encrypted-hello/

148 10

Technology @lemmy.world

Firefox rolls out ECH enabled by default in 118

blog.mozilla.org /en/products/firefox/encrypted-hello/

232 18

47 comments

Does this mean your isp can't see the sites you visit anymore?
- Sort of. They can still see which IP address you're connecting to, which by itself or in combination with some minor traffic analysis is quite often enough to identify which website you've visited. Perhaps it isn't if the website puts absolutely everything through a giant CDN like Cloudflare, but in that case it's Cloudflare which gets to see all the sites you visit which isn't a whole lot better than the status quo.
  Still, it's a little less information given away at least some of the time. Better to do it than not do it.
  
  in that case it’s Cloudflare which gets to see all the sites you visit
  That's the status quo. CF holds the private keys to all reverse proxy'd sites hosted on it.
  
  Yes. Use a VPN. I recommend https://mullvad.net/en
  
  Well, for half of the internet they are going to see AWS ELBs addresses.
- Yes and no. If your isp is still providing unencrypted DNS for you, then they can still see the domain name you're visiting.
  
  What if you force a dns, like say cloudflare?

Cool. Nice work Mozilla.

When is this coming to ff mobile?
- Usually with these kind of engine-features, the rollout is simultaneous on desktop and Android.
  And it says it's rolling out with version 118 here: https://support.mozilla.org/en-US/kb/understand-encrypted-client-hello

Does anyone know how to enable this for nginx?
- It's been a couple years since I was involved with ECH, but the implementations at the time were:
  The one by the draft's authors in golang (Cloudflare). This is the actual test server. It uses Cloudflare's fork of golang with an enhanced crypto library. https://gist.github.com/cjpatton/da8814704b8daa48cb6c16eafdb8e402
  BoringSSL used for chrome. There are nginx builds with BoringSSL, but I don't know if the setting are exposed.
  https://boringssl.googlesource.com/boringssl/+/refs/heads/master/ssl/encrypted_client_hello.cc
  WolfSSL which I never got around to playing with.
  https://www.wolfssl.com/encrypted-client-hello-ech-now-supported-wolfssl/
  NSS which is Mozilla's TLS library. There is a test server buried in there some place for unit testing.
  https://firefox-source-docs.mozilla.org/security/nss/index.html
  With that, you ALSO need a DNS server that supports DNS over HTTP (DoH) and HTTPS service binding records (https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/).
  Bind9 had branches for both and I was able merge the two to satisfy that requirement.
  When connecting to such a server, you MUST NOT use a DNS resolver hosted by any origination along the path from client to server as they can correlate the host from the DNS request with your encrypted client hello. You can actually man-in-the-middle ECH to decrypt the client hello by overriding the hosts record when controlling the DNS resolver. My project was testing this for parental controls.
  Keep in mind, ECH really only benefits users connecting to a CDN. That is, when multiple services are behind the same IP. It masks which host the user is going to for any hop between the client and server.
  Any data mining company worth their evils will have an IP to DNS index to figure out the host when only one is behind an IP.
  This marginally gives some privacy to users. It hides the host from your ISP. It REALLY benefits browser companies and CDN hosts. What hosts a user is visiting now becomes exclusive data for those companies thereby driving up the value of the data. Assuming you aren't being stupid with your addons.

https://support.mozilla.org/en-US/kb/faq-encrypted-client-hello#w_can-i-use-ech-alongside-other-security-tools-like-ad-blockers
Users using DNS-based filtering may need to tweak their configuration in order to make use of ECH. Firefox needs to be configured with a DNS-over-HTTPS server in order to make use of ECH. Depending on whether the DNS filter is locally hosted or hosted by an online provider, instructions for connecting to it over DoH will differ and users of these services will need to check their accompanying documentation.
Sooo, I'm a bit lost here. How do I ensure everything's working when I'm using a pihole? I don't think I'm understanding everything correctly
- It sounds like you'll have to set your Pihole as the DNS server in Firefox's settings, and then maybe from there it'll work itself out? Or maybe the Pihole documentation will be updated in the next few days with some instructions on enabling this. I'm unsure myself to be honest.
  
  That would make sense, wouldn't it? I think I'm going to wait for the pihole team to inform about this.

In my opinion, Firefox should give an option to enable ECH forcefully for users like me who has AdGuardHome/Pi-Hole running on Home Network. Currently, if DOH is disabled in Firefox setting, ECH won't work, as per Firefox. 😦

How about you first standardize it?
- It's being worked on. https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni
  
  I know, but it's a draft, so we have to disable it in our distro.

47 comments