- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
ECH (encrypted client hello) is going or get enabled by default (already existed in a hidden setting) with version 118.
This page about the version explains a bit better ECH https://support.mozilla.org/fr/kb/understand-encrypted-client-hello
Tho it is still a bit confusing.
From what I understand there is the DNS query > the dns servers sends back an IP. This DNS query can be encrypted with DoH (or DoT?, it seems only DoH from the post).
Then there is a handshake with the website where the website informations can be leaked, and that can be encrypted by ECH (if the website supports it).
Then after that there is a tls connexion established between the website and the user.
The part where I’m confused is : can ECH be used without DoH? If yes that would mean that I can use a DoH capable software and not have to configure it into Firefox? (ex: Nextdns + yogadns)
It is encrypted, just not all of it. Back upon a time all of it was encrypted but it created a problem. It was impossible to host multiple different domains on the same IP over HTTPS because chicken and egg: couldn’t get the domain from the host header without completing the encryption handshake, but to do that you had to know which domain’s certificate to use.
To solve the problem they came up with a TLS extension called SNI that indicates the certificate during handshake, but does so by pulling the domain name out in the clear.
ECH aims to encrypt these parts left in the clear, but can’t do it with the TLS certificate (chicken and egg above). So they resorted to the encryption used by DoH instead.