From 9045778499b65554dde8a34fceccd6bf3849992b Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 21 May 2020 22:22:05 +0200 Subject: [PATCH] ECHO is now ECH --- Local-DoH.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Local-DoH.md b/Local-DoH.md index fe6c4f5..903868f 100644 --- a/Local-DoH.md +++ b/Local-DoH.md @@ -1,4 +1,4 @@ -# Built-in DoH server / Firefox ESNI (ECHO) +# Built-in DoH server / Firefox ESNI (Encrypted ClientHello) In addition to responding to standard DNS queries, `dnscrypt-proxy` can also act as a DoH server, and respond to local queries sent over that protocol. @@ -40,7 +40,7 @@ cert_key_file = "privkey.pem" ## How to enable ESNI in Firefox -Firefox and Cloudflare are currently running an experiment called ESNI. ESNI is the old name of ECHO, a TLS extension to hide the server name in TLS (including HTTPS) connections. +Firefox and Cloudflare are running an experiment called ESNI. ESNI is the name of an obsolete version of ECH (Encrypted ClientHello), a TLS extension to hide the server name in TLS (including HTTPS) connections. While this may eventually be a significant privacy improvement, it current has some caveats to be aware of: 
@@ -49,7 +49,7 @@ While this may eventually be a significant privacy improvement, it current has s - What has been deployed is still missing an important part to protect against censorship (`GREASE`) - Enabling ESNI will trigger an extra DNS query for every single new hostname, even for hosts that don't support ESNI. Every time a query for a host that doesn't support is made, an error will be returned (`NXDOMAIN`). - Enabling ESNI in Firefox breaks some websites ("Secure connection failed - `SSL_ERROR_NO_CYPHER_OVERLAP`" or "[SSL_ERROR_MISSING_ESNI_EXTENSION](https://www.google.com/search?q=%22SSL_ERROR_MISSING_ESNI_EXTENSION%22)"). -- Keep in mind that ECHO doesn't exist yet. What is available is only an experiment run by two companies. +- Keep in mind that ECH doesn't exist yet. What is available is only an experiment run by two companies. Firefox has a setting to enable ESNI, but for some reason, the web browser ignores it unless it was also configured to bypass your DNS settings.
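Review bot: in the first hunk, the new heading "Firefox ESNI (Encrypted ClientHello)" drops the abbreviation ECH that the body text introduces, so a reader scanning for "ECH" will not find it in the title; suggest "Firefox ESNI / ECH (Encrypted ClientHello)" so both the deployed name and the successor's short name appear once, matching the wording used in the second hunk.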
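Review bot: in the second hunk, the rewritten sentence calls ESNI "the name of an obsolete version of ECH", which sits awkwardly next to the third hunk's "ECH doesn't exist yet"; saying ESNI is an earlier draft of ECH, and that ECH is not finalized, keeps the two statements consistent. While this hunk is open, the unchanged context line "it current has some caveats" could also be corrected to "it currently has some caveats".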
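Review bot: in the third hunk, the context bullet "Every time a query for a host that doesn't support is made" is missing its object and should read "that doesn't support it" (or "doesn't support ESNI"); since the hunk already touches this list, fixing it here is cheap. The other bullets correctly keep "ESNI", as they describe the deployed experiment rather than ECH, so only the one renamed line is affected.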