Malfunction of Cloudflare's service Browsing Experience Security Check in regard to Secure SNI test

Tested on: Linux (kernel 5.18) and Windows 11

Client: Mozilla Firefox 104 | in about:config:

  • network.dns.echconfig.enabled | true
  • network.dns.use_https_rr_as_altsvc | true
  • network.trr.mode | 2
  • network.trr.uri | https://mozilla.cloudflare-dns.com/dns-query
  • network.security.esni.enabled | false

Hello. In the report of the analysis at Browsing Experience Security Check (https://www.cloudflare.com/ssl/encrypted-sni/#results), via a TLSv1.3 connection, the test covering Secure SNI mentions the following: “Anybody listening on the wire can see the exact website you made a TLS connection to.”, while it is duly expected that the exact website the TLS connection was made to cannot be seen. Nevertheless, at the page https://crypto.cloudflare.com/cdn-cgi/trace, sni=encrypted is reported, which thus indicates

  • a malfunction of Cloudflare’s service Browsing Experience Security Check
  • the obsolescence of network.security.esni.enabled
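Two checks that can be run offline against captured data, added here as an example and not part of the original report: decode an HTTPS RR's RDATA (RFC 9460 wire format, which is what network.dns.echconfig.enabled consumes to obtain the ECH config) to see whether the site publishes an ech parameter, and parse a /cdn-cgi/trace body for sni=encrypted. The RDATA bytes and trace lines below are constructed samples; the ech value is placeholder bytes, not a real ECHConfigList.

```python
import struct

# SvcParamKeys from RFC 9460; key 5 ("ech") carries the ECHConfigList that
# Firefox uses for Encrypted Client Hello when network.dns.echconfig.enabled is true.
SVCPARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                  4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def _read_name(data, off):
    """Read an uncompressed DNS name; returns (name, new_offset)."""
    labels = []
    while True:
        n = data[off]; off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii")); off += n
    return ".".join(labels) + ".", off

def parse_https_rdata(rdata):
    """Decode HTTPS/SVCB RDATA: (SvcPriority, TargetName, {param_name: raw_value})."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4]); off += 4
        params[SVCPARAM_NAMES.get(key, f"key{key}")] = rdata[off:off + length]
        off += length
    return priority, target, params

def parse_trace(body):
    """Parse the key=value lines of a /cdn-cgi/trace response into a dict."""
    return dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)

def ech_status(rdata, trace_body):
    """(published, used): does the HTTPS RR carry an ech param, and did the
    handshake reported by the trace endpoint use an encrypted SNI?"""
    _, _, params = parse_https_rdata(rdata)
    return "ech" in params, parse_trace(trace_body).get("sni") == "encrypted"

# Constructed sample RDATA: priority 1, target "." (owner name), alpn=h2, ech=<placeholder>
SAMPLE_HTTPS_RDATA = (b"\x00\x01" + b"\x00"
                      + b"\x00\x01\x00\x03" + b"\x02h2"
                      + b"\x00\x05\x00\x04" + b"\xde\xad\xbe\xef")
NO_ECH_RDATA = b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x03" + b"\x02h2"
# Constructed trace bodies, modelled on the sni= field the report quotes
TRACE_ENCRYPTED = "h=crypto.cloudflare.com\nip=203.0.113.10\ntls=TLSv1.3\nsni=encrypted\n"
TRACE_PLAINTEXT = "h=crypto.cloudflare.com\nip=203.0.113.10\ntls=TLSv1.3\nsni=plaintext\n"

if __name__ == "__main__":
    print(ech_status(SAMPLE_HTTPS_RDATA, TRACE_ENCRYPTED))  # (True, True)
```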