Encrypted Client Hello (ECH) - Frequently asked questions

Firefox. Last updated: 11/15/2023. 77% of users found this helpful.

What is Encrypted Client Hello (ECH), and why is it important?

ECH is a security feature available in Firefox and other major web browsers. It closes a gap in the existing online privacy and security infrastructure through which the websites a user is visiting are exposed to intermediaries on the network, such as ISPs or other unauthorized parties.

How do I enable ECH in Firefox?

To use ECH in Firefox, update Firefox if you are not using version 118 or above and enable DNS over HTTPS.

How do I know ECH is available for me?

ECH in Firefox was first made available in Firefox version 118 and is enabled by default in Firefox 119 and above. However, ECH is only active when DoH is enabled. Learn more about the DoH rollout schedule.

Does ECH affect my Internet speed?

No. ECH requires fetching a very small additional amount of data whilst connecting to a website. This data is only a few hundred bytes in size and too small to have any effect on your internet speed. Firefox retrieves this data simultaneously with performing a DNS lookup when connecting to a website, ensuring there's no extra delay during the connection.

Does ECH affect website compatibility?

ECH has been carefully designed to interoperate with existing websites and servers. Existing standards require servers to ignore ECH if they don’t understand it, and Firefox knows how to continue the connection without any interruption to your browsing. We have carried out a number of studies and tests to ensure that websites will continue to operate correctly.

Can I use ECH alongside other security tools like ad blockers?

Yes, ECH can be used in conjunction with ad blockers. Ad blockers which are integrated with Firefox as an extension will work automatically with ECH and don’t require any changes. However, users who rely on DNS-based filtering may need to tweak their configuration in order to make use of ECH, because Firefox needs to be configured with a DNS-over-HTTPS server for ECH to work. Depending on whether the DNS filter is locally hosted or hosted by an online provider, the instructions for connecting to it over DoH will differ, and users of these services will need to check their accompanying documentation.

Can I use ECH alongside other security tools like VPNs?

Yes, in fact, combining ECH with a VPN can provide an extra layer of privacy and security. To use ECH with a VPN, the DNS over HTTPS protection level should be set to Increased or Max Protection mode (see Configure DNS over HTTPS protection levels in Firefox). This is because Default Protection mode uses the VPN provider’s DNS rather than DoH in order to ensure traffic is correctly routed. Please note that where VPNs are used in a corporate or self-hosted environment to connect to resources not available on the public internet, changing the DNS protection level may make those private resources unavailable in Firefox.

Are there any privacy concerns or drawbacks associated with ECH?

ECH is a valuable tool for bolstering your online privacy and security, as it encrypts your initial website connections. Nevertheless, it's important to note that many websites won’t support ECH right away, which means connections to those sites won’t benefit from the additional privacy ECH offers. To stay protected, ensure your Firefox browser stays up to date, receiving the latest security enhancements, including ECH. Unlike technologies like VPNs, ECH doesn't redirect your browser traffic or involve third parties; it simply adds an extra layer of encryption to your standard connections.

Will users notice any changes in their browsing experience as a result of this encryption?

Firefox users shouldn’t notice any difference to their usual browsing experience.

How will ECH impact parental controls?

If parental controls are applied, ECH encryption is disabled in order to avoid interfering with parental controls.

How will ECH impact Enterprises that use transparent proxies?

ECH encryption is automatically disabled when proxies or middleboxes which are trusted by the browser are detected, so they remain unaffected.

How will ECH interact with DoH’s opt-outs?

DoH opt-outs will disable ECH encryption by default in Firefox. These opt-outs can be configured by the user or by software installed on their device, by signals from the network, or by an administrator via group policy. If the user or administrator explicitly opts in to increased or maximum DoH protection, their choice overrides signals from the network.

Which websites can use ECH?

Any website can employ ECH, as long as it is equipped with the necessary server-side support. Its optimal privacy is often achieved when multiple websites are hosted by a single web server, a common configuration in today's Internet ecosystem.

Why can’t users directly control ECH?

In line with our commitment to privacy and security by default, we aim to ship Firefox with a comprehensive set of protections enabled by default. Consequently, ECH is enabled by default but won’t be used if family safety software is used or Firefox has been configured as part of an enterprise. This is similar to other security and privacy technologies used in Firefox like TLS 1.3, which also isn’t exposed as a user setting.

Can I use ECH with any DoH provider?

Yes! All DoH servers, whether locally hosted or provided by online services, can be used to fetch ECH records.

Can I use ECH without DoH?

Using ECH without DoH is currently not possible in Firefox. ECH relies on DoH for its functionality, as it encrypts the initial connection to a website using encryption keys that are published in DNS and fetched over DNS over HTTPS. Therefore, to use ECH in Firefox, you must also have DoH enabled.

Keep in mind that without DoH in Firefox, DNS queries are unencrypted on your local network and increasingly subject to monitoring. If you prefer to use a local DNS server, you have the option of self-hosting DNS over HTTPS (DoH), so that the encryption of your DNS traffic extends to your local network.

Why does ECH depend on DoH?

ECH depends on a new type of DNS record called an HTTPS Resource Record which describes how to use ECH to connect to a website. In order for ECH to deliver effective privacy, these records need to be fetched over an encrypted connection and so Firefox uses DoH for this.

We know that some expert users prefer to host their own DNS resolvers locally. For this use case, we recommend self-hosting a DoH server and configuring Firefox to use it. This ensures that your local DNS traffic is encrypted between your client and your server, preventing other devices on your local network from observing it. Alternatively, if supported, you can configure Firefox to use the same upstream DNS provider as your local resolver via the DNS settings page.

As operating system support for DoH and other encrypted DNS transports continues to improve, we will investigate the engineering required to support fetching these records via the operating system.
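To make the dependency concrete, here is an added example (not Firefox's or Mozilla's own code) that builds and parses the ECHConfigList carried in the ech= parameter of an HTTPS record, following the draft-13 wire format that current browsers negotiate; the record contents, including the 32-byte public key, are constructed placeholders. A site operator can run the parser over the value published in their zone to confirm that the public name, KEM and cipher suites are what they intended, and that unknown-version entries are skipped rather than breaking the parse.

```python
import base64
import struct

ECH_VERSION_DRAFT13 = 0xFE0D     # ECHConfig version current clients negotiate
KEM_X25519_HKDF_SHA256 = 0x0020  # IANA HPKE KEM id used by the constructed sample

def _vec(data: bytes, width: int) -> bytes:
    """TLS-style vector: `width`-byte big-endian length prefix, then the data."""
    return len(data).to_bytes(width, "big") + data

def build_ech_config_list(config_id, public_key, public_name, suites=((1, 1),)):
    """Serialize one ECHConfig (default suite HKDF-SHA256 + AES-128-GCM) in a list."""
    cipher_suites = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites)
    contents = (bytes([config_id])
                + struct.pack("!H", KEM_X25519_HKDF_SHA256)
                + _vec(public_key, 2)       # HpkePublicKey<1..2^16-1>
                + _vec(cipher_suites, 2)    # HpkeSymmetricCipherSuite<4..2^16-4>
                + bytes([0])                # maximum_name_length (0 = no hint)
                + _vec(public_name.encode(), 1)
                + _vec(b"", 2))             # no extensions
    return _vec(struct.pack("!H", ECH_VERSION_DRAFT13) + _vec(contents, 2), 2)

def parse_ech_config_list(data) -> list:
    """Parse an ECHConfigList (raw bytes, or the base64 ech= value as a str)."""
    blob = base64.b64decode(data) if isinstance(data, str) else data
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("ECHConfigList length does not match payload")
    configs, pos = [], 2
    while pos < len(blob):
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        body, pos = blob[pos + 4:pos + 4 + length], pos + 4 + length
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        if version != ECH_VERSION_DRAFT13:
            continue                     # unknown version: skip it, as clients must
        config_id, kem_id, pk_len = struct.unpack("!BHH", body[:5])
        public_key, p = body[5:5 + pk_len], 5 + pk_len
        (cs_len,) = struct.unpack("!H", body[p:p + 2])
        p += 2
        suites = [struct.unpack("!HH", body[p + i:p + i + 4]) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len, name_len = body[p], body[p + 1]
        configs.append({"config_id": config_id, "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "max_name_length": max_name_len,
                        "public_name": body[p + 2:p + 2 + name_len].decode()})
    return configs
```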

How can I tell if ECH is working for me?

ECH isn’t visible in the browser UI, but you can check if it's working for you using Cloudflare’s Browser Security Check.
