Technology

59421 readers

3364 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

241

Firefox rolls out ECH enabled by default in 118 (blog.mozilla.org)

submitted 1 year ago by [email protected] to c/[email protected]

18 comments fedilink hide all child comments

ECH (encrypted client hello) is going or get enabled by default (already existed in a hidden setting) with version 118.

This page about the version explains a bit better ECH https://support.mozilla.org/fr/kb/understand-encrypted-client-hello

Tho it is still a bit confusing.

From what I understand there is the DNS query > the dns servers sends back an IP. This DNS query can be encrypted with DoH (or DoT?, it seems only DoH from the post).

Then there is a handshake with the website where the website informations can be leaked, and that can be encrypted by ECH (if the website supports it).

Then after that there is a tls connexion established between the website and the user.

The part where I'm confused is : can ECH be used without DoH? If yes that would mean that I can use a DoH capable software and not have to configure it into Firefox? (ex: Nextdns + yogadns)

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago) (4 children)

ECH relies on DNS over HTTPS (DoH) for its functionality, using it to fetch the key needed for encryption.

Seems like it's only DoH. Which is kinda lame in a situation like mine where I'm running a DoH proxy (cloudflared), using a PiHole behind that, and pointing my LAN clients at the PiHole using unencrypted DNS. So everything leaving my network is DoH but it's not done directly in the browser, so I can't take advantage of ECH.

[–] [email protected] 9 points 1 year ago

Probably because DNS is unencrypted and would allow tampering of the key needed for ECH to work

[–] [email protected] 3 points 1 year ago (1 children)

PiHole doesn't support DoH? I mean as a server? Is there a feature request open for that?

[–] [email protected] 3 points 1 year ago

If pihole is still using dnsmasq then I have no idea if DoH will be supported tbh...

[–] [email protected] 2 points 1 year ago (1 children)

TIL about cloudflared being a DoH proxy. Nice, will be looking into this later...

[–] [email protected] 1 points 1 year ago

It works well, and it's easy to set up. Previously I had used dnscrypt-proxy since it supports DoH as well.

[–] [email protected] 1 points 1 year ago (1 children)

You mean, you're running a DoT proxy?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

No, DoH (DNS-over-HTTPS). I'd also previously set up a DoT proxy for use on my phone (since Android only supports DoT) but I decided to do something else for that.