intika / Librefox

Librefox: Firefox with privacy enhancements
https://librefox.org
Mozilla Public License 2.0
1.72k stars 89 forks

Enabling Encrypted SNI #106

Closed Techguyprivate closed 5 years ago

Techguyprivate commented 5 years ago

https://en.wikipedia.org/wiki/Server_Name_Indication

https://news.ycombinator.com/item?id=18250151

https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https

https://blog.cloudflare.com/esni/

https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/

https://blog.cloudflare.com/encrypted-sni/

Atavic commented 5 years ago

See: https://github.com/ghacksuserjs/ghacks-user.js/issues/612

Librefox is based on: gHacks-user.js, pyllyukko-user.js and privaconf

intika commented 5 years ago

Short answer, it's too soon for this... now, enabling it or not, it depends: you will need DNS over HTTPS as @Atavic mentioned... using Cloudflare is great but it may not comply with privacy... at the end of the day I think the user needs to have the choice, and the choice needs to be easy to make, not an over-complicated config file or so... anyway I am adding this to https://github.com/intika/Librefox/issues/3 as a reminder

Thank you for reporting it back though :)
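The dependency intika points out (ESNI is only useful once DoH is also on) is easy to get wrong in a user.js that is assembled from several sources. The following is an added example, not Librefox's own code: a small lint that parses user_pref() lines and reports an ESNI setting that cannot take effect. It assumes Firefox's 2018 behaviour that ESNI keys were only fetched through the Trusted Recursive Resolver (network.trr.mode 2 or 3 with a network.trr.uri), which is the combination the Mozilla Nightly post linked above describes; the two user.js fragments inside the block are constructed samples, and the resolver URL is the one from that post.

```python
"""Added example (not Librefox code): lint a user.js fragment for a working ESNI setup.

Firefox's 2018 ESNI implementation only took effect when name resolution went
through the Trusted Recursive Resolver, i.e. DoH with network.trr.mode 2 or 3 and
a network.trr.uri set. The pref names are those from the Mozilla Nightly post
linked in the thread; the two fragments below are constructed samples.
"""
import re

# user_pref("name", value);  -- value is a quoted string, true/false or an integer
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_user_js(text):
    """Return {pref_name: value} for every user_pref() line; // comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        m = PREF_RE.match(line)
        if not m:
            continue                      # not a pref line (e.g. a /* block comment */)
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def esni_findings(prefs):
    """Problems that leave ESNI switched on in name only (empty list = consistent)."""
    findings = []
    if not prefs.get("network.security.esni.enabled", False):
        return ["network.security.esni.enabled is not true"]
    mode = prefs.get("network.trr.mode", 0)
    if mode not in (2, 3):
        findings.append(f"network.trr.mode is {mode}; ESNI needs DoH (mode 2 or 3)")
    if not str(prefs.get("network.trr.uri", "")).startswith("https://"):
        findings.append("network.trr.uri is missing or not an https:// URL")
    return findings


# Constructed sample: ESNI flag flipped but lookups still go to the system resolver.
ESNI_WITHOUT_DOH = """
// ESNI on, DoH off
user_pref("network.security.esni.enabled", true);
user_pref("network.trr.mode", 0);
"""

# Constructed sample: the combination the Mozilla Nightly announcement describes.
ESNI_WITH_DOH = """
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.security.esni.enabled", true);
"""

if __name__ == "__main__":
    for label, fragment in (("without DoH", ESNI_WITHOUT_DOH), ("with DoH", ESNI_WITH_DOH)):
        print(label, esni_findings(parse_user_js(fragment)) or "OK")
```

Run it against a real user.js by reading the file into `parse_user_js`; the first fragment is reported with two findings (mode 0, no resolver URL), the second passes. The parser deliberately ignores anything that is not a `user_pref()` line, so it also tolerates the comment banners that ghacks-style files are full of.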

intika commented 5 years ago

Don't hesitate to post back or comment ;)

Atavic commented 5 years ago

I'm totally against ESNI and DNS over HTTPS. ESNI is experimental, but it is heavily pushed by Cloudflare. At the current state, it seems that Cloudflare will be the main provider for it, while Mac will have its own service by Apple. These are assumptions based on the authors of this draft.

I'm for decentralization, alternatives in every layer of the net, while here we have big corporations promoting their own solutions:

This puts everyone behind the same provider in the same anonymity set

But also puts everyone open to a single bug (0-day, undisclosed or potential).

Techguyprivate commented 5 years ago

I was in the same boat a few days ago. Cloudflare's privacy policy was crappy for me. But a recent trip to China, India & Australia changed my view. We have to be very careful & smart. There is no such thing as perfect privacy.

The most important thing to keep in mind:

  1. What is the alternative?
    1. If we don't do that, what do we end up with?
    2. Something (security) is better than nothing.
    3. There is no perfect, but better.
    4. Just because a big corporation is involved, it is not bad per se. We have to look at it very skeptically & positively. I was using various other DNS services which block ads, malware, trackers, and support DNSSEC, DoH & DoT, like blahdns, AdGuard, keweon & some others too. They don't log anything, even for 1 hour. But these are very slow. And the ISP & some other third parties can still see what site you are visiting.

Using Cloudflare DNS and ESNI in Firefox, I was able to visit blocked websites in China & India. They are using deep packet inspection. The ISP & any other third parties finally can't truly see what I am doing, what sites I am visiting. Cloudflare is fast too. The fastest. A mixture of DoT, DoH, ESNI, DNSSEC and Cloudflare's own security is a lot better.

Cons:

  1. You have to use Cloudflare's DNS. Logs are kept for 24 hours.
  2. ESNI works on some sites.
  3. It is experimental.

Pros:

  1. Cloudflare promised to delete logs, and not to use them for identifying, selling etc. I think that it is a pretty good privacy policy. The actual number of websites is huge though.
  2. It is working with no problem.

EFF supports it. Support for more websites is coming. It is the last nail in the coffin in regards to 3rd parties knowing what websites someone visits.

intika commented 5 years ago

DNS over HTTPS is a hack, a workaround; I don't know why it is getting so popular. DNS over TLS is much better, faster and has a better implementation... under Linux this can be set up locally and easily with unbound... I guess DoH has the advantage of working on port 443... at the end of the day we will always need a DNS server, whether DoT or DoH... Cloudflare/Google/Blahdns/Adguard... if it's used over a VPN provider it could become interesting regarding privacy

dimqua commented 5 years ago

It's getting so popular because it works in web browser. For DoT and DNSCrypt v2 you need an additional client to use them.

Atavic commented 5 years ago

@Techguyprivate :+1: for your report. I'm in Europe, so DPI isn't involved here, allegedly... interesting info; I'm trying to follow https://github.com/ValdikSS/GoodbyeDPI and I see that there are some VPNs that use advanced PAC files, like: http://antizapret.prostovpn.org/

A related comment: https://github.com/ghacksuserjs/ghacks-user.js/issues/619#issuecomment-457766022

i don't know why it is getting so popular

Promotional articles popping up everywhere, that's it. Like the Cloud and VPN cases before, IMHO.

Techguyprivate commented 5 years ago

DoT is the future though. One good feature of DoH with ESNI is circumventing censorship, preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks, hiding it under normal HTTPS. DoT stands out in the crowd for now. DoH has a little bit better performance too.

But, yes, DoT is much better and the future too, it seems.

James-E-A commented 4 years ago

Preemptive counterargument to the only other anti-ESNI argument I've heard:

it would interfere with Café and University deep-packet-inspection (dpi) content monitoring systems

The browser's duty is to protect the user from attackers. TLS "interferes" with 90% of dpi, ESNI shores that up by another 5% or so.

If it becomes common practice for cafes to terminate all ESNI connections, I'm sure it would be straightforward enough to pop up some info (either in the style of a TLS error or a captive-hotspot notification) with something like

This network appears to be blocking ESNI. You will not be able to access the internet unless you disable ESNI. Click here to temporarily disable ESNI and access the network.

clicking on which yields something like

Warning: This will allow the network administrator to see the domain names of all websites you visit while connected! Do you wish to continue?
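Both Techguyprivate's report of DPI-based blocking being bypassed with ESNI and James-E-A's point that TLS already hides most of what DPI wants, with ESNI closing the remaining gap, come down to one field: the cleartext server_name extension in the ClientHello. The block below is an added example, not code from this thread, from Librefox or from any ESNI implementation. It builds a minimal ClientHello, walks it the way a hostname-blocklist DPI box does, and then shows the ESNI layout in which the cleartext SNI names only a cover host while the real name travels in the encrypted_server_name extension (code point 0xffce in the ESNI drafts). The ciphertext bytes, the cover host name and the blocklist are constructed placeholders; the draft's key fetch from the _esni TXT record and the encryption itself are not implemented here.

```python
"""Added example (not from the thread or Librefox): what a DPI box sees in a ClientHello.

build_client_hello() assembles a minimal TLS ClientHello; extract_sni() is the
cleartext server_name walk that blocklist-based DPI performs. esni_client_hello()
shows the ESNI layout: the cleartext SNI names only a cover host and the real
name rides in the encrypted_server_name extension (0xffce in the ESNI drafts).
The ciphertext bytes here are a placeholder; the draft's key fetch from the
_esni TXT record and the encryption of the name are not implemented.
"""
import os
import struct

SERVER_NAME = 0x0000            # RFC 6066 server_name extension
ENCRYPTED_SERVER_NAME = 0xFFCE  # draft-ietf-tls-esni extension code point


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    """server_name extension carrying one host_name entry (name_type 0)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return _ext(SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(extensions):
    """TLS record (type 22) holding a ClientHello with the given extension blobs."""
    body = b"\x03\x03" + os.urandom(32)         # legacy_version, random
    body += b"\x00"                             # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"  # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                         # compression_methods: null only
    exts = b"".join(extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the cleartext SNI host name, or None if absent or not a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                    # headers, version, random
        pos += 1 + record[pos]                                  # legacy_session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + record[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            data = record[pos + 4:pos + 4 + elen]
            if etype == SERVER_NAME:
                # ServerNameList: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii")
            pos += 4 + elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def esni_client_hello(cover_host, esni_ciphertext):
    """ESNI-style ClientHello: cover host in cleartext, real name only inside 0xffce."""
    return build_client_hello([sni_extension(cover_host),
                               _ext(ENCRYPTED_SERVER_NAME, esni_ciphertext)])


def dpi_would_block(record, blocklist):
    """A hostname blocklist matched against whatever the cleartext SNI says."""
    name = extract_sni(record)
    return name is not None and name in blocklist


if __name__ == "__main__":
    blocklist = {"blocked.example"}                      # constructed
    plain = build_client_hello([sni_extension("blocked.example")])
    # Placeholder for the encrypted real name; constructed, not real ESNI output.
    esni = esni_client_hello("cover.example.net", b"\x00" * 48)
    print("plain SNI:", extract_sni(plain), "blocked:", dpi_would_block(plain, blocklist))
    print("ESNI SNI :", extract_sni(esni), "blocked:", dpi_would_block(esni, blocklist))
```

The same walk is what `extract_sni` would find in a real capture of a non-ESNI connection, which is why a hostname blocklist works against HTTPS at all. With the ESNI layout the box can still match on the cover host, so a network that wants to keep filtering has to block the cover host or the 0xffce extension wholesale, which is exactly the "this network appears to be blocking ESNI" situation described in the comment above.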