Say (an encrypted) hello to a more private internet

source link: https://blog.mozilla.org/en/products/firefox/encrypted-hello/

October 3, 2023

As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other third-party sites, our online communications travel across commercial telecommunication networks, allowing these privileged entities to siphon the names of the websites we visit and monetize our browsing history for their own gain.

Enter Encrypted Client Hello (ECH) – by encrypting that first “hello” between your device and a website’s server, sensitive information, like the name of the website you’re visiting, is protected against interception from unauthorized parties. ECH is now rolling out to Firefox users worldwide, allowing for a more secure and private browsing experience.

What is Encrypted Client Hello?

ECH is the most recent step in our mission to build a better internet, one where privacy is the industry standard. Mozilla has been developing this new internet privacy technology for nearly a half-decade in collaboration with other browsers, infrastructure providers, academic researchers, and standards bodies like the Internet Engineering Task Force (IETF).

Much of our data shared through websites, such as our passwords, credit card numbers and cookies, are protected with cryptographic protocols like Transport Layer Security (TLS). ECH is a new TLS extension that also protects the identity of the websites we’re visiting – filling the privacy gap in our existing online security infrastructure. 

Usually, when a browser connects to a site, it transmits the site’s name in its unencrypted initial message, allowing network operators or observers on the network to monitor the websites visited by each user.

This diagram shows how a browser usually establishes a secure connection with a web server. The initial message is unencrypted and identifies the website the message is intended for in the Server Name Indication (SNI) extension. The subsequent messages are encrypted with Transport Layer Security (TLS).

ECH uses a public key fetched over the Domain Name System (DNS) to encrypt the first message between a browser and a website, protecting the name of the visited website from prying eyes and dramatically improving user privacy. 

This diagram shows how a browser establishes a secure connection with a web server using ECH. The initial message is encrypted using a public key fetched via DoH which prevents observers from seeing the name of the website that the connection is intended for.
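As an added illustration (not code from Mozilla's post or from Firefox), the script below builds a minimal TLS ClientHello record and then parses it the way a passive observer on the network would: it reads the plaintext server_name (SNI) extension and checks whether an encrypted_client_hello extension is present. Without ECH the observer recovers the real hostname; with ECH the outer ClientHello carries only the ECH config's public name plus an opaque encrypted blob, which is exactly the gap the post describes. The hostnames and the ECH payload bytes are constructed test data; the extension codepoint 0xfe0d is the value used by the IETF ECH draft (draft-ietf-tls-esni) and is treated here as an assumption.

```python
import struct
from typing import Optional

# TLS record / handshake constants
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
# encrypted_client_hello codepoint from draft-ietf-tls-esni (assumption: may change in the final RFC)
EXT_ECH = 0xFE0D


def build_client_hello(sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello record (constructed test data, not a real capture).

    `sni` is what appears in plaintext. With ECH, a client puts the config's public name here and
    carries the real (inner) ClientHello encrypted inside `ech_payload`.
    """
    host = sni.encode("ascii")
    # ServerName: name_type=0 (host_name), 2-byte length, host
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    # ServerNameList: 2-byte list length, then the entry
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if ech_payload is not None:
        exts += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload

    body = (
        b"\x03\x03"                     # legacy_version = TLS 1.2
        + b"\x00" * 32                  # random (zeros in this constructed example)
        + b"\x00"                       # legacy_session_id: empty
        + b"\x00\x02\x13\x01"           # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                   # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record: bytes) -> dict:
    """Extract what a passive network observer can read from an unencrypted ClientHello."""
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (hs_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + hs_len]
    if hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                              # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len

    seen = {"sni": None, "ech": False, "ech_len": 0}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            # data = list_len(2) | name_type(1) | name_len(2) | host_name
            (name_len,) = struct.unpack("!H", data[3:5])
            seen["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == EXT_ECH:
            # The observer can tell ECH is in use, but the inner ClientHello is ciphertext.
            seen["ech"] = True
            seen["ech_len"] = elen
    return seen


if __name__ == "__main__":
    # Without ECH: the real hostname is visible on the wire (constructed hostname).
    plain = build_client_hello("private-site.example")
    print("no ECH :", observe_client_hello(plain))
    # With ECH: only the public name leaks; the real name lives in the encrypted payload (constructed bytes).
    ech = build_client_hello("ech-public.example", ech_payload=b"\xaa" * 48)
    print("with ECH:", observe_client_hello(ech))
```

The `ech_len` field is there because presence and size of the ECH extension are the only things a network vantage point learns once ECH is deployed; pairing this with DoH, as the post notes, keeps the same hostname from leaking through the DNS lookup instead.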

Privacy as a default.

With ECH on Firefox, users can be assured that their browsing patterns are more private. But Firefox’s support for ECH is only one half of the story – web servers also need to implement ECH. Fortunately, ECH is an open standard which any website operator can deploy. Cloudflare has already rolled out support for ECH and we look forward to other providers launching their deployments in the near future.

It’s also important to understand that no one technology can be a panacea. ECH works alongside other security and privacy features in Firefox, including DNS-over-HTTPS (DoH). DoH encrypts DNS queries to protect the translation of website names to IP addresses, which ensures that website names aren’t visible to the network in DNS traffic and is essential for ECH to be effective. DoH and ECH can also be combined with a virtual private network (VPN) to provide an additional layer of privacy and security where the VPN masks a user’s IP address and encrypts data traffic, while ECH protects the identities of the websites a user visits from the VPN provider.

While Mozilla believes that privacy and security technologies should be available by default for all users, we also recognize that in certain circumstances, users may have alternative preferences, for example, if they are relying on family safety software at home, are using network-based ad blocking or are in an enterprise environment. ECH is designed to interoperate with these practices and respect the existing DoH opt-outs in Firefox, so these users won’t need to make any changes to continue enjoying a smooth and safe Firefox experience. Similarly, if users or administrators have opted-in to the increased or maximum levels of DoH protection, their decision will likewise be respected.

A culmination of years of privacy-minded research, experimentation and testing.

Half a decade ago, Mozilla began the work needed to modernize and safeguard the Domain Name System (DNS), closing long-standing data leaks in one of the internet’s oldest and first components. Around the same time, we also began work on the protocol which became the forerunner to ECH. Developing these complex systems safely and responsibly takes time, experience and collaboration with the community.  

Over the course of our long history of building technology to counter online tracking and surveillance, our contributions to standards bodies like the IETF have played a pivotal role in the development of DoH, TLS 1.3, QUIC and many more crucial technologies, shaping the landscape of online privacy and encryption.

Mozilla has long invested in technologies to protect the privacy of Firefox users and ECH gives users an even higher level of privacy by safeguarding their browsing history from unsavory network practices. We stand by our ongoing commitment to ensure privacy, security and user choice are non-negotiable. Take back your privacy by downloading Firefox today.
