Encrypted Client Hello (ECH)

Thread starter: Sushubh · Replies: 10 · Views: 2,739
Updating the status to acknowledge this.

There's work being done to support ESNI in BoringSSL/Chrome, though currently there are a number of things that need to get done before we can launch it. The ESNI spec in the IETF is still undergoing changes and updates, including fairly important robustness changes (Improve ESNI robustness by davidben · Pull Request #124 · tlswg/draft-ietf-tls-esni) before we'd feel comfortable with the spec being deployable, DoH support is still being sorted out/rolled out, which is critical to get the ESNI records securely, and then we need to get ESNI support into BoringSSL and then Chrome.

We'll probably start having experiments/interop with others in the next quarter or so, and while we are planning/trying to get ESNI fully deployed this year in Chrome, we're prioritizing having a robust protocol for ESNI and then implementation instead of trying to rush it out.

To set expectations, most of our engagement on this topic will continue in the IETF TLS WG. For those curious about support for this feature, engaging in and participating in those highly technical discussions is the best way to stay current.

Not coming to Chrome for a while.

I'm using CF DNS and CF ESNI website says ESNI not enabled even though I have set the flags in FF about:config prefs.

I have also enabled ECH now in FF.

Are there any ways to check ECH is working and any websites that support it that I can try?


Might be because FF has removed the ESNI feature in favour of ECH, and FF ESR is supposed to have ESNI, but after installing and configuring that it still shows as ESNI test failed.

Any ideas?

Could it be that CF and Google DNS servers in India have ESNI disabled due to gormint mandate?
Yeah, saw that link, which is why I tried FF ESR, but that didn't work either :-(

Maybe have to wait for ECH to be more widespread.
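The posts above ask how to tell whether ECH is available for a site. The server side of that answer lives in the site's DNS HTTPS record (RR type 65): its SvcParams carry an `ech` key (SvcParamKey 5) whose value is an ECHConfigList, and a client can only use ECH if it sees that key, which is also why the Chrome status note ties ECH to DoH (the record has to arrive over an encrypted resolver to be trusted). The following added example, written for this thread and not code from any poster, Cloudflare or Mozilla, parses HTTPS-record RDATA and reports whether an ECH config is advertised. The records it inspects are constructed inline (`RDATA_WITH_ECH`, `RDATA_WITHOUT_ECH`); the ECHConfig body is dummy bytes, since the check only needs the outer version/length envelope. It does not tell you whether the browser actually used ECH on a connection; that has to come from the browser's own connection details.

```python
import struct

# SvcParamKey registry values from RFC 9460; key 5 ("ech") is assigned by the
# TLS SVCB/ECH draft. Unknown keys are kept under a generic "keyN" name.
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
# ECHConfig.version for the draft-13 format that shipping browsers negotiate.
ECH_CONFIG_VERSION_DRAFT13 = 0xFE0D


def _read_name(buf, off):
    """Read an uncompressed wire-format DNS name, return (text, new offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_https_rdata(rdata):
    """Parse HTTPS RR RDATA: SvcPriority, TargetName, then (key, len, value) SvcParams."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = rdata[off:off + length]
        off += length
    return {"priority": priority, "target": target, "params": params}


def parse_alpn(value):
    """Decode the alpn SvcParam: a sequence of 1-byte-length-prefixed protocol ids."""
    ids, off = [], 0
    while off < len(value):
        n = value[off]
        off += 1
        ids.append(value[off:off + n].decode("ascii"))
        off += n
    return ids


def ech_config_versions(ech_config_list):
    """Walk an ECHConfigList (u16 total length, then u16 version + u16 length + body)."""
    total = struct.unpack("!H", ech_config_list[:2])[0]
    off, end, versions = 2, 2 + total, []
    while off < end:
        version, length = struct.unpack("!HH", ech_config_list[off:off + 4])
        versions.append(version)
        off += 4 + length
    return versions


def ech_advertised(rdata):
    """True if the record carries an ech param with a config version a client can use."""
    ech = parse_https_rdata(rdata)["params"].get("ech")
    if ech is None:
        return False
    return ECH_CONFIG_VERSION_DRAFT13 in ech_config_versions(ech)


# --- constructed sample records (not real DNS data) -------------------------
def _name(s):
    if s in ("", "."):
        return b"\x00"  # root / "." target means the owner name itself
    return b"".join(bytes([len(l)]) + l.encode() for l in s.strip(".").split(".")) + b"\x00"


def _param(key, value):
    return struct.pack("!HH", key, len(value)) + value


# Dummy ECHConfig: correct version + length envelope, 4 placeholder body bytes.
FAKE_ECH_CONFIG = struct.pack("!HH", ECH_CONFIG_VERSION_DRAFT13, 4) + b"\x00" * 4
FAKE_ECH_LIST = struct.pack("!H", len(FAKE_ECH_CONFIG)) + FAKE_ECH_CONFIG
RDATA_WITH_ECH = (struct.pack("!H", 1) + _name(".")
                  + _param(1, b"\x02h2\x08http/1.1") + _param(5, FAKE_ECH_LIST))
RDATA_WITHOUT_ECH = struct.pack("!H", 1) + _name(".") + _param(1, b"\x02h2")

if __name__ == "__main__":
    for label, rd in (("with ech", RDATA_WITH_ECH), ("without ech", RDATA_WITHOUT_ECH)):
        rec = parse_https_rdata(rd)
        print(label, "alpn=", parse_alpn(rec["params"]["alpn"]),
              "ech advertised:", ech_advertised(rd))
```

To run this against a live name, feed `parse_https_rdata` the raw RDATA bytes of the HTTPS record as returned by whatever resolver library you use (that wiring is left out here; the assumption is that the library exposes the record in wire format). Absence of the `ech` key, or a list whose only versions are ones the browser does not implement, explains a "not enabled" result on a test page just as well as a local flag being off.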