
I'm using Firefox Beta 103 (tried with stable and nightly too) and enabled Cloudflare DNS over HTTPS in settings: [screenshot]

then enabled these in `about:config`:

`network.dns.echconfig.enabled`

and

`network.dns.http3_echconfig.enabled`

[screenshot]

but when visiting this website https://www.cloudflare.com/ssl/encrypted-sni/#results

I get this result: [screenshot]

so what am I missing here?

  • Last time I looked into this, it was only in nightly that the `about:config` settings involving ECH would have any effect. And even then, the default was to fall back in case of failure, so downgrading is easy for anyone tampering in the wire (I saw in your other question that you are worried about this being the case). – Hermógenes Oliveira Jul 12 '22 at 12:48
  • Encrypted SNI has nothing to do with secure DNS. So I am not sure why you expect a change by configuring DNS over HTTPS. – Robert Jul 12 '22 at 13:05
  • @HermógenesOliveira Hi, I disabled `network.dns.echconfig.fallback_to_origin_when_all_failed` in `about:config`, so the downgrading shouldn't happen, but still, as you can see, I couldn't get the Cloudflare website to confirm I'm using ECH. Can you try with Firefox Nightly now that it's version 105 and see if it works for you? –  Jul 12 '22 at 19:02
  • @Robert If I remember correctly, from the guides I read on Cloudflare's blog, they said you first need to set DoH in Firefox's network settings to Cloudflare, and only then will the ECH flag in config have an effect. –  Jul 12 '22 at 19:03
  • I would assume this is more of a security recommendation, because encrypted SNI would be useless if you used plain-text DNS at the same time. – Robert Jul 12 '22 at 19:06
  • There are [other settings that would trigger a fallback](https://searchfox.org/mozilla-central/rev/0d7e190891e62276cf934cc0b96b22e8e086ddb9/modules/libpref/init/StaticPrefList.yaml#11307-11313). Anyway, I think it probably falls back no matter the settings (one has to dig into the source to confirm it), because no browser would expose a setting that would break the internet for every domain except maybe one. Furthermore, Firefox seems to be implementing [draft-13](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/13/), which is deprecated, but can be [tested](https://defo.ie/ech-check.php). – Hermógenes Oliveira Jul 13 '22 at 13:31
  • @HermógenesOliveira Thank you. It seems we have to wait for ECH to be finalized and for more web servers to start supporting it. So for now I will be using Cloudflare Warp+, as it uses the WireGuard protocol and apparently it's the most secure protocol for VPNs so far. –  Jul 13 '22 at 18:24
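
As an added illustration (not from the question, the comments, or Firefox's own code): the ECH configuration that Firefox's `network.dns.echconfig.enabled` setting consumes is delivered in the site's HTTPS DNS record, so one thing to check before blaming browser flags is whether the record carries an `ech` parameter at all. The parser below decodes HTTPS RDATA in wire format and reports which ECHConfig versions it advertises (0xfe0d is the version tag of draft-13, the draft the comments say Firefox implements); the sample records are constructed inline, not captured from any real domain.

```python
import struct

SVCPARAM_ALPN = 1                  # SvcParamKey "alpn" (RFC 9460)
SVCPARAM_ECH = 5                   # SvcParamKey "ech"  (RFC 9460)
ECH_VERSION_NAMES = {0xFE0D: "draft-13"}   # ECHConfig version tag of draft-ietf-tls-esni-13

def read_name(buf, pos):
    """Read an uncompressed wire-format DNS name, return (dotted name, new pos)."""
    labels = []
    while True:
        n, pos = buf[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in HTTPS RDATA")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) or ".", pos

def parse_ech_config_list(data):
    """Return the version tags of every ECHConfig in an ECHConfigList blob."""
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, versions = 2, []
    while pos < len(data):
        version, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4 + length
        versions.append(version)
    if pos != len(data):
        raise ValueError("truncated ECHConfig")
    return versions

def inspect_https_rdata(rdata):
    """Parse HTTPS RDATA: priority, target name, and ECH versions (None when no ech param)."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, pos = read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        if key <= last_key:                  # RFC 9460: keys must be strictly increasing
            raise ValueError("SvcParamKeys out of order or duplicated")
        params[key] = rdata[pos + 4:pos + 4 + length]
        last_key, pos = key, pos + 4 + length
    ech = params.get(SVCPARAM_ECH)
    names = None if ech is None else [ECH_VERSION_NAMES.get(v, hex(v)) for v in parse_ech_config_list(ech)]
    return {"priority": priority, "target": target, "ech_versions": names}

def build_sample(with_ech):
    """Constructed HTTPS RDATA: priority 1, target '.', alpn=h2, optional draft-13 ECHConfig with dummy body."""
    params = [(SVCPARAM_ALPN, b"\x02h2")]
    if with_ech:
        cfg = struct.pack("!HH", 0xFE0D, 4) + b"\x00\x01\x02\x03"   # placeholder contents, not a real key
        params.append((SVCPARAM_ECH, struct.pack("!H", len(cfg)) + cfg))
    return struct.pack("!H", 1) + b"\x00" + b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
```

Run `inspect_https_rdata(build_sample(False))` to see the "no ech parameter" case that leaves the Firefox setting with nothing to act on.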

0 Answers