Firefox 85 will switch to ECH to hide domain in HTTPS traffic

Mozilla announced to add support for the Encrypted Client Hello (ECH) mechanism in Firefox 85’s January 26 release to encrypt TLS session parameter information such as the requested domain name. To enable ECH in about: config, enable the network.dns.echconfig.enabled and network.dns.use_https_rr_as_altsvc settings. Support for the Encrypted Server Name Indication (ESNI) mechanism, which has been tested over the past two years, will be discontinued in Firefox 85, but will remain for some time in ESR releases of Firefox.

The ECH specification continues to evolve ESNI and is at a draft claiming to be an IETF standard. To organize work on one IP address of several HTTPS sites, a TLS SNI extension was developed at one time, which transfers the host name in clear text in the ClientHello message, transmitted before the encrypted communication channel was installed. This feature makes it possible on the ISP side to selectively filter HTTPS traffic and analyze which sites the user opens, which does not allow achieving complete confidentiality when using HTTPS.

To prevent leakage of information about the requested site, several years ago it was developed ESNI extension, which implements data encryption with a domain name (DNS over HTTPS and DNS over TLS technologies are being developed in parallel to combat information leaks through DNS). In the course of attempts to implement ESNI, it was found that the proposed mechanism was not enough to ensure complete confidentiality of HTTPS sessions. In particular, when the previously established session is resumed, the domain name in clear text appears among the parameters of the TLS extension PSK (Pre-Shared Key), i.e. encryption of SNI fields was not enough, and it was required to create an ESNI analog for PSK, and possibly for other fields in the future. In addition, attempts to implement ESNI revealed compatibility and scalability issues that prevented the ubiquity of ESNI.

In response to the need to encrypt the parameters of any TSL extensions, a universal ECH mechanism was proposed, the main difference between which from ESNI is that instead of a separate field, the entire ClientHello message is encrypted. ECH implies two types of ClientHello messages – the encrypted ClientHelloInner message and the unencrypted base ClientHelloOuter message. If the server supports ECH and was able to decrypt the ClientHelloInner, then it continues to use this type for the TLS session. Otherwise, data is taken from the ClientHelloOuter.

ECH also uses a different key distribution scheme for encryption – information about the public key is transferred to DNS records HTTPSSVC