Compare revisions
Understand Encrypted Client Hello (ECH)
Revision 283494:
Revision 283494 by lsiebert on
Revision 289767:
Revision 289767 by AliceWyman on
Keywords:
Search result summary:
Firefox version 118 introduced a security enhancement called Encrypted Client Hello (ECH), enabled by default in Firefox 119. Learn more.
Content:
[[Find what version of Firefox you are using|Firefox version]] 118 introduced a significant security enhancement called Encrypted Client Hello (ECH), which is enabled by default in Firefox 119 and above. When you browse the Internet, your data needs protection from prying eyes. Most online communication uses a security protocol called [https://wikipedia.org/wiki/Transport_Layer_Security Transport Layer Security] (TLS) to encrypt your information and keep it safe. However, there's a catch: this protection only starts after an initial “hello” message, which is part of the TLS “handshake”. Unfortunately, this hello is sent in the open, exposing sensitive information such as the name of the website you are connecting to.
[[Image:ECH 1]]
ECH addresses this vulnerability in the TLS protocol. When you use ECH, your initial “hello” message to a website becomes securely encrypted. Only the website you're visiting can decrypt it, ensuring your message remains private throughout its journey. In simple terms, ECH acts as a guardian, making it much harder to identify which websites you are visiting, protecting your online activity, and improving your privacy.
[[Image:ECH 2]]
ECH relies on [[Firefox DNS-over-HTTPS|DNS over HTTPS (DoH)]] for its functionality, using it to fetch the key needed for encryption. Together, they form an even more robust privacy barrier as DoH focuses on encrypting DNS queries to protect the translation of website names to IP addresses, while ECH encrypts the initial communication between devices and websites to improve the security of the connection establishment process.
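The “key needed for encryption” that Firefox fetches over DoH is an ECHConfigList carried in the site's HTTPS DNS record. The parser below (an added example, not code from Mozilla's article or from Firefox) decodes that structure as defined in draft-ietf-tls-esni, using a constructed sample record rather than a real site's; it shows what a site actually publishes: a config id, the HPKE KEM and cipher suites, the server's public key, and the public_name that goes in the cleartext outer hello in place of the real hostname.

```python
import struct

KEM_NAMES = {0x0010: "DHKEM(P-256, HKDF-SHA256)", 0x0020: "DHKEM(X25519, HKDF-SHA256)"}

def _vec(buf, pos, len_bytes):
    """Read a TLS-style vector: a big-endian length prefix followed by that many bytes."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n

def parse_ech_config_list(data: bytes) -> list:
    """Parse an ECHConfigList (draft-ietf-tls-esni, ECHConfig version 0xfe0d)."""
    body, _ = _vec(data, 0, 2)
    configs, pos = [], 0
    while pos < len(body):
        version = int.from_bytes(body[pos:pos + 2], "big")
        c, pos = _vec(body, pos + 2, 2)           # ECHConfig.contents
        if version != 0xFE0D:
            continue                              # clients skip unknown versions
        config_id, kem_id = c[0], int.from_bytes(c[1:3], "big")
        public_key, p = _vec(c, 3, 2)             # HPKE public key of the server
        suites_raw, p = _vec(c, p, 2)             # list of (kdf_id, aead_id) pairs
        if not suites_raw or len(suites_raw) % 4:
            raise ValueError("bad cipher_suites length")
        suites = list(struct.iter_unpack("!HH", suites_raw))
        max_name_len, p = c[p], p + 1
        public_name, p = _vec(c, p, 1)            # sent in the cleartext outer SNI
        _extensions, p = _vec(c, p, 2)
        if p != len(c):
            raise ValueError("trailing bytes in ECHConfig")
        configs.append({"config_id": config_id, "kem": KEM_NAMES.get(kem_id, hex(kem_id)),
                        "public_key": public_key, "cipher_suites": suites,
                        "max_name_len": max_name_len, "public_name": public_name.decode("ascii")})
    return configs

def build_sample_ech_config_list() -> bytes:
    """Constructed sample (not a real site's record): an unknown-version stub plus one 0xfe0d config."""
    pub = bytes(range(32))                        # placeholder X25519 public key
    name = b"public.example"
    contents = (bytes([7, 0x00, 0x20]) + len(pub).to_bytes(2, "big") + pub
                + (4).to_bytes(2, "big") + struct.pack("!HH", 0x0001, 0x0001)
                + bytes([64, len(name)]) + name + b"\x00\x00")
    cfg = b"\xfe\x0d" + len(contents).to_bytes(2, "big") + contents
    stub = b"\xff\x01\x00\x03abc"                 # unknown version, must be skipped
    body = stub + cfg
    return len(body).to_bytes(2, "big") + body
```

A site operator can feed the bytes of their own published record through this to confirm the advertised public_name and key match what is deployed on the server.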
This collaboration addresses weaknesses present when technologies are used in isolation, ensuring comprehensive online privacy. In line with Mozilla's commitment to privacy and security in Firefox, ECH is enabled by default and used where available. {for not fx129}ECH relies on DNS records fetched via DoH, so make sure to [[Configure DNS over HTTPS protection levels in Firefox#w_configure-doh-protection-settings|enable DoH]]. Using an encrypted DNS transport like DoH is vital to ensure your browsing traffic isn’t leaked via the normally unencrypted DNS protocol.{/for}{for fx129}ECH delivers the most privacy benefit when DNS records are fetched via an encrypted transport like DoH, so we recommend [[Configure DNS over HTTPS protection levels in Firefox#w_configure-doh-protection-settings|enabling DoH]] in Firefox.{/for}
{for not fx129}If you’re using family safety software or have deployed Firefox in an enterprise environment, you shouldn’t need to make any changes to your configuration. Firefox won’t use ECH to encrypt traffic if any of the [[Configuring Networks to Disable DNS over HTTPS|DoH opt-outs]] have been configured. Similarly, if your family safety software or enterprise administrator has configured Firefox to use a transparent proxy, this will also disable ECH encryption.{/for} {for fx129}Most family safety software and enterprise solutions should work with ECH without any modifications, in particular if they integrate directly into the browser via an extension, filter DNS records, or act as a transparent proxy. Encrypted Client Hello can also be disabled via enterprise policy or if family safety settings are enabled in the operating system.{/for}
Also, when you're online, your Internet Service Provider (ISP) might be [https://www.ftc.gov/system/files/documents/reports/look-what-isps-know-about-you-examining-privacy-practices-six-major-internet-service-providers/p195402_isp_6b_staff_report.pdf collecting information about what you do on the Internet], using invasive techniques like deep packet inspection. This is where ECH comes in as a game-changer. It addresses privacy worries by preventing ISPs from gathering your browsing data, creating profiles about you without asking, and selling this information. So with ECH, your data stays private, making it harder for them to build those profiles.
As a bonus, combining ECH with a VPN like [https://www.mozilla.org/en-US/products/vpn/?entrypoint_experiment=vpn-refresh-pricing&entrypoint_variation=1 Mozilla VPN] adds an extra layer of protection to your online privacy. The VPN acts as a secure tunnel, masking your identity, while ECH ensures that your initial “hello” message remains confidential from network monitors. For details on using a VPN with Firefox's ECH, see [[Encrypted Client Hello (ECH) - Frequently asked questions#w_can-i-use-ech-alongside-other-security-tools-like-vpns]].
'''Learn more'''
*[[Encrypted Client Hello (ECH) - Frequently asked questions]]
*[https://wiki.mozilla.org/Security/Encrypted_Client_Hello ECH Technical Article on Mozilla's Wiki (for expert users)]
*[[Firefox DNS-over-HTTPS]]
*[[Configure DNS over HTTPS protection levels in Firefox]]