net4people / bbs

Forum for discussing Internet censorship circumvention

Firefox will ship ECH by default #280

Open mmmray opened 10 months ago

mmmray commented 10 months ago

https://groups.google.com/a/mozilla.org/g/dev-platform/c/uv7PNrHUagA/m/BNA4G8fOAAAJ

this encrypts the SNI assuming DoH is working. but ECH is not stealthy and to my knowledge is blocked in many countries

it's not clear to me whether there is a fallback to plaintext SNI in situations where the site and its DNS support ECH but the network interferes with it

free-the-internet commented 8 months ago

Firefox 119.0, released yesterday (2023-10-24), has ECH support.

https://www.mozilla.org/en-US/firefox/119.0/releasenotes/#note-789800

> Encrypted Client Hello (ECH) is now available to Firefox users, delivering a more private browsing experience. ECH extends the encryption used in TLS connections to cover more of the handshake and better protect sensitive fields. Read more about the launch of ECH on Mozilla Distilled.

It doesn't say directly whether it's enabled by default, but the linked blog post seems to suggest so.

> Privacy as a default.
>
> While Mozilla believes that privacy and security technologies should be available by default for all users, we also recognize that in certain circumstances, users may have alternative preferences, for example, if they are relying on family safety software at home, are using network-based ad blocking or are in an enterprise environment. ECH is designed to interoperate with these practices and respect the existing DoH opt-outs in Firefox, so these users won’t need to make any changes to continue enjoying a smooth and safe Firefox experience. Similarly, if users or administrators have opted-in to the increased or maximum levels of DoH protection, their decision will likewise be respected.

They say in the FAQ:

> How do I enable ECH in Firefox? To use ECH in Firefox, update your browser to version 118 or later and enable DNS over HTTPS.

and

> How do I know ECH is available for me? Currently, ECH in Firefox is available by default but only active when DoH is enabled. Learn more about the DoH rollout schedule.