Firefox & Cloudflare Add ECH Support to Conceal Domain in HTTPS Traffic

Mozilla has announced that it will include support for the Encrypted Client Hello (ECH) mechanism in the stable branch of Firefox. ECH builds on the earlier Encrypted Server Name Indication (ESNI) work and is designed to encrypt sensitive fields of the TLS handshake, such as the requested domain name (SNI), which is otherwise sent in cleartext. The code for ECH was first added in the Firefox 85 release but was disabled by default. In Chrome, ECH support has been gradually enabled starting with the release of Chrome 115.

For full protection, ECH must be combined with DNS over HTTPS or DNS over TLS: ECH only hides the hostname inside the TLS handshake, while the same name still leaks through the plaintext DNS lookup made before the connection to the server is established. Firefox will only use ECH if DNS over HTTPS is enabled in its settings. To check ECH support in the browser, users can visit this page.

One of the main drivers for ECH support in Firefox was its deployment in the Cloudflare Content Delivery Network (CDN), where it addresses a long-standing weakness. By hiding the requested hostname, ECH makes it hard to filter or block individual sites hosted behind Cloudflare; preventing ECH requests would require blocking the entire Cloudflare network, which is impractical. Previously, the SNI TLS extension was used to serve multiple HTTPS sites from a single IP address, but because SNI is transmitted in cleartext it allowed Internet service providers to single out and analyze HTTPS traffic by hostname, compromising privacy. The adoption of ECH in Firefox therefore aims to keep the requested hostname fully confidential when using HTTPS.
