Say (an encrypted) hello to a more private internet. : firefox

[+] [email protected] 96 points 9 months ago* (last edited 6 months ago)

[deleted]

[-] [email protected] 135 points 9 months ago

And HTTPS relies on hosts managing SSL certificates. Web services don't use them until it hits a critical mass, then it becomes weird and broken when you aren't using it.

This just needs some time to settle in.

[-] [email protected] 76 points 9 months ago

I remember when absolutely no one used https and then in a matter of a couple years things got really fast. Now you can easily browse with https required and only occasionally find the odd website that doesn't use it (mostly some internet relic). That was such a great transition when it happened though.

[-] [email protected] 44 points 9 months ago* (last edited 9 months ago)

It felt like it happened practically overnight when Let's Encrypt released.

[-] [email protected] 35 points 9 months ago

Let's Encrypt was a godsend. Getting a TLS certificate before sucked.

[-] [email protected] 26 points 9 months ago

Yes. Thank these folks:

Mozilla employees Josh Aas and Eric Rescorla, together with Peter Eckersley at the Electronic Frontier Foundation and J. Alex Halderman at the University of Michigan. Internet Security Research Group, the company behind Let's Encrypt, was incorporated in May 2013.

They created the ACME standard, the open source community got on board, and soon enough everyone bought in, a massive step forward for Internet security and the benefit of open source.

[-] [email protected] 13 points 9 months ago

So Firefox is basically the GOAT when it comes to internet security and privacy? They should team up with the signal guys.

[-] [email protected] 28 points 9 months ago

Google preferring https sites was the motivator I saw for client demands.

SEO scores feed into the PPC cost in AdWords so all of a sudden people were crying out for their sites to “have the padlock icon” because what’s 20 bucks for a cert when you’re spending thousands of dollars a month

[-] [email protected] 11 points 9 months ago

And now it's free with stuff like Let's Encrypt.

load more comments (1 replies)

[-] dependencyInjection 11 points 9 months ago* (last edited 9 months ago)

Even with tools like Let’s Encrypt, people are still not ~~implanting~~ implementing HTTPS?

[-] [email protected] 11 points 9 months ago

HTTPS is pretty much ubiquitous these days. It's mostly an issue on a few smaller websites and blogs that people haven't cared enough about to bother getting a cert for... But even that is rapidly going away. Even if a website has HTTPS, it's not entirely uncommon for some resources to be loaded over regular HTTP, and sometimes websites don't properly redirect you to the HTTPS version, making it possible to end up on the unencrypted version by accident.

HTTPS is great, and Let's Encrypt has been such a godsend for it... That said it's not perfect, and also has some limitations on its own, and not every website implements all of the mitigations that help HTTPS do its job, so HTTPS adoption is a bit of a mixed bag. A big issue is that when you try to secure a previously insecure protocol this often makes downgrade attacks possible. For instance, if you just type "lemmy.world" into your web browser, and if somebody is able to intercept those packets, they could just reply "hey, I'm the lemmy.world, I don't do HTTPS, let's talk unencrypted" and your browser would have no idea that it should be talking HTTPS instead of HTTP. One way to avoid this problem is just by explicitly telling your browser to use HTTPS by going to "https://lemmy.world", which tells it to talk over HTTPS, and in that case the man-in-the-middle wouldn't be able to tell you to use HTTP instead and won't be able to provide a valid certificate for lemmy.world (hopefully, anyway :P). This is also what HSTS is used for... It's a header that the webserver sends to your browser saying "only talk to me with HTTPS", so once you've visited a site your browser will remember that it should only use HTTPS with it in the future. This only applies to websites which you've visited before, though... To improve the protections a little bit there's HSTS preload lists (basically your browser can have a list of HTTPS websites baked into it, so it knows when to only use HTTPS before you even do), https://hstspreload.org/... Or we could just solve this problem with DNSSEC and DANE, which allows you to look up the TLS certificates that should be used for the domain in DNS.

That's probably more of a rant than you wanted 😅... But basically, HTTPS adoption is really good these days in the sense that most websites will have a TLS certificate available (probably from Let's Encrypt!), and will speak HTTPS. But, there's still areas where we can improve internet security. I'm not sure how the adoption of HSTS is going, but I think it's pretty low. DNSSEC adoption is abysmal and we should probably fix that.

[-] [email protected] 6 points 9 months ago

HTTPS is pretty much ubiquitous these days.

It never used to be, though. The same will happen with ECH/ESNI eventually, especially if browsers push for it like they did with TLS.

[-] [email protected] 3 points 9 months ago

Yeah, especially before Let's Encrypt recently it was a complete disaster. Definitely will be better support for ECH soon.

load more comments (1 replies)

[-] [email protected] 3 points 9 months ago

Even if a website has HTTPS, it's not entirely uncommon for some resources to be loaded over regular HTTP

I think all browsers will refuse to load a resource over HTTP if the website is served over HTTPS.

[-] [email protected] 4 points 9 months ago

This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you “hey connect with https instead”. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.

[-] [email protected] 4 points 9 months ago

I think I phrased it wrong, or there is a confusion with terms.
If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.

My objection was to the "even if a server has HTTPS, some resources will still load over HTTP"

[-] [email protected] 4 points 9 months ago

As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).

[-] [email protected] 6 points 9 months ago

The only place (other than old unmaintained sites) I’ve seen no TLS has been promotional sites for video games. Possibly something hastily thrown together?

[-] [email protected] 8 points 9 months ago

Apparently, Cloudflare already supports ECH, and a not-insignificant number of websites use them.

load more comments (4 replies)

load more comments (2 replies)

[-] [email protected] 46 points 9 months ago

Does this mean your isp can't see the sites you visit anymore?

[-] [email protected] 80 points 9 months ago

Sort of. They can still see which IP address you're connecting to, which by itself or in combination with some minor traffic analysis is quite often enough to identify which website you've visited. Perhaps it isn't if the website puts absolutely everything through a giant CDN like Cloudflare, but in that case it's Cloudflare which gets to see all the sites you visit which isn't a whole lot better than the status quo.

Still, it's a little less information given away at least some of the time. Better to do it than not do it.

[-] [email protected] 23 points 9 months ago

in that case it’s Cloudflare which gets to see all the sites you visit

That's the status quo. CF holds the private keys to all reverse proxy'd sites hosted on it.

[-] [email protected] 4 points 9 months ago* (last edited 9 months ago)

To be more precise, my belief is that the main thing ECH does is make it more difficult some of the time (depending on the details of how the site works) for observers of network traffic to directly see which website you've visited if it's one of those that have chosen to give all that data to Cloudflare or some similar system instead.

There also do still exist some simple web hosting setups that share many independent domain names on the same IP, but I think it's not as common as it probably was when they first came up with the idea of encrypting the tls server name many years ago. Maybe it'll make a comeback for sites whose users need to avoid censorship in this way if it's true that domain fronting has generally become more difficult.

[-] [email protected] 11 points 9 months ago

Yes. Use a VPN. I recommend https://mullvad.net/en

[-] [email protected] 4 points 9 months ago

Using a VPN just hands all of this information to them instead. That could be an improvement, but how do you know?

[-] [email protected] 3 points 9 months ago* (last edited 9 months ago)

Well they can see your browsing history, sure. But HTTPS will stop them from seeing the content you actually see on the web. At this point we are just getting into discussions of layers of trust, which are generally impossible to solve if you don’t trust anyone. If you don’t trust anyone don’t use the internet, ever. I do trust mullvad. They’re explicit about who is involved, I have the name of every team member, and through peer review I consider them trustworthy.

https://mullvad.net/en/about

For more info about how they are transparent, you can read their article about how they responded to a search warrant earlier this year:

https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/

In line with our policies such customer data did not exist. We argued they had no reason to expect to find what they were looking for and any seizures would therefore be illegal under Swedish law. After demonstrating that this is indeed how our service works and them consulting the prosecutor they left without taking anything and without any customer information.

load more comments (1 replies)

[-] [email protected] 9 points 9 months ago

Well, for half of the internet they are going to see AWS ELBs addresses.

[-] [email protected] 10 points 9 months ago

Yes and no. If your isp is still providing unencrypted DNS for you, then they can still see the domain name you're visiting.

[-] [email protected] 8 points 9 months ago

What if you force a dns, like say cloudflare?

[-] [email protected] 8 points 9 months ago

Ordinary DNS requests are always plaintext and readable to anyone between you and the DNS server. So regardless of which DNS server you use, your ISP can see all your DNS lookups. For any amount of privacy for DNS, the minimum is something like DNS-over-TLS or DNS-over-HTTPS, the latter of which Firefox uses by default in some countries and supports everywhere.

[-] [email protected] 6 points 9 months ago

I mean with this + DNS over HTTPS can we guarantee the isp can no longer see anything?

load more comments (1 replies)

[-] [email protected] 5 points 9 months ago

Ordinary DNS requests are always plaintext and readable to anyone between you and the DNS server.

Not just readable... The ISP can inject their own responses too. Regular DNS is both unencrypted and unauthenticated, with most clients not enforcing DNSSEC.

[-] [email protected] 3 points 9 months ago

so you're saying self host an authoritative DNS server

[-] [email protected] 4 points 9 months ago

It's easy to setup something like AdGuard Home that provides malware blocking, ad blocking if you're interested in that, and supports DNS-over-HTTPS out of the box (unlike PiHole, which needs a bunch of manual setup)

[-] [email protected] 5 points 9 months ago

That's how I understood it. With regular https your doing on those websites is already encrypted, but your ISP or whoever sits in between can still se which sites you're visiting. As far as I understand this standard would encrypt this step too.

[-] [email protected] 42 points 9 months ago

Cool. Nice work Mozilla.

[-] [email protected] 22 points 9 months ago

When is this coming to ff mobile?

[-] [email protected] 12 points 9 months ago

Usually with these kind of engine-features, the rollout is simultaneous on desktop and Android.

And it says it's rolling out with version 118 here: https://support.mozilla.org/en-US/kb/understand-encrypted-client-hello

[-] [email protected] 16 points 9 months ago

Does anyone know how to enable this for nginx?

load more comments (1 replies)

[-] [email protected] 13 points 9 months ago

https://support.mozilla.org/en-US/kb/faq-encrypted-client-hello#w_can-i-use-ech-alongside-other-security-tools-like-ad-blockers

Users using DNS-based filtering may need to tweak their configuration in order to make use of ECH. Firefox needs to be configured with a DNS-over-HTTPS server in order to make use of ECH. Depending on whether the DNS filter is locally hosted or hosted by an online provider, instructions for connecting to it over DoH will differ and users of these services will need to check their accompanying documentation.

Sooo, I'm a bit lost here. How do I ensure everything's working when I'm using a pihole? I don't think I'm understanding everything correctly

[-] [email protected] 10 points 9 months ago

I think it requires you shut your pihole. Um. sorry. Ill let myself out.

[-] [email protected] 6 points 9 months ago

It sounds like you'll have to set your Pihole as the DNS server in Firefox's settings, and then maybe from there it'll work itself out? Or maybe the Pihole documentation will be updated in the next few days with some instructions on enabling this. I'm unsure myself to be honest.

load more comments (1 replies)

[-] [email protected] 8 points 9 months ago

So with this the ISP, or someone else sitting in the middle, would not even know the URL you're accessing?

[-] [email protected] 4 points 9 months ago

I don't think so, that'd be straight up impossible unless you're behind a VPN. Your ISP can see every connection made between you and any other server, but a VPN uses encrypted payloads between their servers and you, and they make the requests using their servers, and pass the results to you. That way, your ISP only sees that you're using a VPN, but can't see anything else.

As far as I understand it, ECH uses DoH (DNS Over HTTPS) to encrypt the domain name of your connections, but a direct IP address is always required, and most of the times, it's enough to determine the website, as the ISPs can locate just about anything easily. However, the ISP won't be able to (easily) know anything else about the connection, which remains unbroken between you and the server you're connecting with.

But still a very good feature nonetheless.

[-] [email protected] 2 points 9 months ago

IPs of websites are fine to expose in this day and age, in my opinion and threat model.

Most sites being hosted in the cloud, with rotating IPs give you obscurity there.

load more comments (1 replies)

[-] [email protected] 5 points 9 months ago* (last edited 9 months ago)

In my opinion, Firefox should give an option to enable ECH forcefully for users like me who has AdGuardHome/Pi-Hole running on Home Network. Currently, if DOH is disabled in Firefox setting, ECH won't work, as per Firefox. 😦