
The case of missing ESNI support in Firefox 85

If you have upgraded your stable version of the Firefox web browser to version 85.0, released in January, you may have noticed that it no longer supports ESNI.

ESNI, which stands for Encrypted Server Name Indication, is a security and privacy feature designed to protect against network eavesdropping.

Mozilla introduced support for ESNI two years ago and the feature has been available as an advanced option in Firefox for some time. Users had to configure several advanced parameters to make use of ESNI in Firefox.

Tip: Check if your browser uses Secure DNS, DNSSEC, TLS 1.3, and Encrypted SNI

Mozilla published a post on its Mozilla Security Blog in January that informed readers that Firefox would drop support for ESNI in favor of ECH, or Encrypted Client Hello.

The new TLS extension was designed to eliminate the shortcomings of ESNI. Researchers discovered that ESNI provided incomplete protection and that it had "interoperability and deployment challenges that prevented it from being enabled at a wider scale".

ECH addresses these shortcomings. Mozilla did remove ESNI support from Firefox 85 in favor of ECH support.

Enable ECH in Firefox


Firefox users may turn it on in the following way:

  1. Load about:config in the Firefox address bar.
  2. Confirm that you will be careful.
  3. Search for network.dns.echconfig.enabled.
  4. Set the preference to TRUE to enable it.
  5. Search for network.dns.use_https_rr_as_altsvc.
  6. Set the preference to TRUE to enable it.
  7. Restart the Firefox web browser.
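To verify the outcome of these steps without opening about:config, here is an added example (not code from the article) that reads a Firefox profile's prefs.js and user.js and reports the two preferences. It assumes the Firefox convention that user.js overrides prefs.js and that a preference absent from both files keeps its built-in default, which for these two preferences is false.

```python
import re
from pathlib import Path

# The two preferences the article says must be TRUE for ECH in Firefox 85.
ECH_PREFS = (
    "network.dns.echconfig.enabled",
    "network.dns.use_https_rr_as_altsvc",
)

# Matches user_pref("name", value); (and pref(...)) with a bool, int or string value.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);', re.M
)


def parse_prefs(text):
    """Return {name: value} parsed from prefs.js/user.js text; later lines win."""
    prefs = {}
    for m in _PREF_RE.finditer(text):
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]          # keep strings as strings, so "true" != true
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def ech_status(prefs):
    """Effective value of each ECH pref; a missing pref is the assumed default (false)."""
    return {name: prefs.get(name, False) is True for name in ECH_PREFS}


def ech_enabled(prefs):
    """True only when both preferences are the boolean true."""
    return all(ech_status(prefs).values())


def check_profile(profile_dir):
    """Merge prefs.js then user.js from a profile directory (user.js overrides)."""
    merged = {}
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            merged.update(parse_prefs(path.read_text(encoding="utf-8", errors="replace")))
    return ech_status(merged)


# Constructed sample prefs.js content: only one of the two preferences is set.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("network.dns.echconfig.enabled", true);
user_pref("network.trr.mode", 2);
'''
```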

Problem: ECH needs servers

Firefox's ECH support is only one side of the coin: the server must support ECH as well for the feature to work. Cloudflare's test reveals that the SNI is currently not encrypted even with the feature enabled in Firefox, which indicates that the default provider, Cloudflare, has not enabled it yet.

Firefox users who used the feature prior to version 85.0 Stable found themselves in a precarious situation: Mozilla did remove the feature from the browser, but there was no option to use ECH yet; this in turn meant that privacy could be impacted. Users reported the issue on Mozilla's bug tracking site, some stating that dropped support would allow censorship mechanics to work again. All these reports appear to have received the "won't fix" status.

Mozilla suggests that users use Firefox ESR for the time being, as support for ESNI is still available in that browser. It is an option, but users would have to be aware of the change first to make the switch.

It is unclear why Mozilla removed support for ESNI this early. From a user's point of view it would have been better if Mozilla had waited until servers supporting ECH were available, with Cloudflare, the default provider in Firefox, the prime candidate.

Firefox users who require it may switch to ESR for the time being. ECH looks more promising than ESNI, but Mozilla's timing could have been better.

Now You: Have you used ESNI in Firefox?

This article was first seen on ComTek's "TekBits" Technology News
