Technology

57472 readers

3757 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

[email protected]

241

Firefox rolls out ECH enabled by default in 118 (blog.mozilla.org)

submitted 10 months ago by [email protected] to c/[email protected]

18 comments fedilink hide all child comments

ECH (encrypted client hello) is going or get enabled by default (already existed in a hidden setting) with version 118.

This page about the version explains a bit better ECH https://support.mozilla.org/fr/kb/understand-encrypted-client-hello

Tho it is still a bit confusing.

From what I understand there is the DNS query > the dns servers sends back an IP. This DNS query can be encrypted with DoH (or DoT?, it seems only DoH from the post).

Then there is a handshake with the website where the website informations can be leaked, and that can be encrypted by ECH (if the website supports it).

Then after that there is a tls connexion established between the website and the user.

The part where I'm confused is : can ECH be used without DoH? If yes that would mean that I can use a DoH capable software and not have to configure it into Firefox? (ex: Nextdns + yogadns)

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 7 points 10 months ago* (last edited 10 months ago) (1 children)

Hold on, these are orthogonal technologies.

DNSSEC signs DNS records so you know they're genuine and come straight from the authoritative nameservers for the domain.

DoH encrypts DNS traffic so nobody can eavesdrop on what domains you connect to, and masks it as HTTPS traffic so providers can't block it to force you to use their nameservers.

Regarding adoption: you can give a user DoH in the browser without them having to know about it, but you can't enable DNSSEC for a domain owner or nameserver admin without their explicit approval. This will naturally lead to some adoption disparity.

[–] [email protected] 5 points 10 months ago

Actually, that's a pretty decent explanation of why they only want to use DoH. Makes sense to me now, cheers.