ECH replacing ESNI fails the Browsing Experience Security Check

So I know recently ESNI has evolved into ECH. Firefox’s new build (Firefox 85) allows this feature to be enabled by using these steps: This can be done in about:config by setting network.dns.echconfig.enabled and network.dns.use_https_rr_as_altsvc to true, which will allow Firefox to use ECH with servers that support it.

The problem is, when I try and test the browser security check found here: Cloudflare ESNI Checker | Cloudflare

It shows a big RED X next to “Encrypted SNI”, and states “Your browser did not encrypt the SNI when visiting this page.”

As a side note, I did just set up IPv6 on my router. Not sure if this matters at all? I did verify I’m on Firefox 85, but maybe that’s part of the issue? Does Firefox 85 no longer support this Cloudflare ESNI Checker to pass with all green checkmarks? Thanks for the help.


Hello @jbehrmusic!

Is this regarding the issue here: 1689249 - Esni does not apply in firefox?

Seems like this thread mentions:

ESNI is superseded by ECH.

?

Could you send here the exact steps of how you set up FX?

also check:


@amayorga can jump in here since he is the expert in cases like that!

¡Hola @jbehrmusic!

From the blog post that @stefano1 linked here:

Firefox 85 replaces ESNI with ECH draft-08, and another update to draft-09 (which is targeted for wider interoperability testing and deployment) is forthcoming.

Cloudflare ESNI Checker | Cloudflare is specific to ESNI so it is expected that Firefox 85 and newer with ECH instead of ESNI would fail this test.

Hope this clarifies.

¡Gracias!


Hello. I’m using Firefox 85.0.2. The ESNI property has been removed. I enabled network.dns.echconfig.enabled and network.dns.use_https_rr_as_altsvc, but at this address (Cloudflare ESNI Checker | Cloudflare) Encrypted SNI appears passive. Not working.
