Upcoming Firefox 57 ("Quantum") is twice as fast as Firefox 52

opethdisciple said:
Perhaps this feature isn't ready yet.
Click to expand...

Unless I misunderstood you, that last link (quoted) simply confirms that encrypted SNI works (i.e. regular SNI leaks even with DoH, so you need eSNI on top to truly be anonymous and uncensored).

While the relevant parts of the draft TLS 1.3 standard haven't been fully ratified yet, Cloudlfare and Mozilla decided it was important enough to jump ahead and enable them anyway. That's why other browsers and DNS don't have it yet - they're waiting for the standard to be formalised. When you get it set up, with all four sections showing green, you are effectively hiding any website you visit that has eSNI available (i.e. anything behind Cloudflare atm). For example, 99% of those naughty pirate sites that are blocked in the UK use Cloudflare, and with DoH+eSNI you can connect to them perfectly fine even without a VPN. The combination of encrypted DNS and encrypted SNI means your ISP can't see what site you're connecting to.

To enable it, you need to go to about:config and set network.security.esni.enabled to true. You also need to have a compatible upstream DoH provider (which, atm, is just Cloudflare). Then you'll get all four going green like this:

fWP0E8X.png


I actually run my own DoH and DoT server from home, using my domain (dns.mydomain.com). It proxies the queries through AdGuard Home to kill any advertisements or trackers, and then forwards on any legitimate queries to encrypted Cloudflare DNS to keep DNSSEC and eSNI enabled.

It's worth learning a little about Firefox and setting up a user.js from ghacks if you haven't already, to properly harden your installation. Be warned it's only a template however, not a recipe - don't just copy and paste it in. You need to go through the file section by section, read the notes, and only enable what you want/tweak as needed.
 
Rainmaker said:
Unless I misunderstood you, that last link (quoted) simply confirms that encrypted SNI works (i.e. regular SNI leaks even with DoH, so you need eSNI on top to truly be anonymous and uncensored).

While the relevant parts of the draft TLS 1.3 standard haven't been fully ratified yet, Cloudlfare and Mozilla decided it was important enough to jump ahead and enable them anyway. That's why other browsers and DNS don't have it yet - they're waiting for the standard to be formalised. When you get it set up, with all four sections showing green, you are effectively hiding any website you visit that has eSNI available (i.e. anything behind Cloudflare atm). For example, 99% of those naughty pirate sites that are blocked in the UK use Cloudflare, and with DoH+eSNI you can connect to them perfectly fine even without a VPN. The combination of encrypted DNS and encrypted SNI means your ISP can't see what site you're connecting to.

To enable it, you need to go to about:config and set network.security.esni.enabled to true. You also need to have a compatible upstream DoH provider (which, atm, is just Cloudflare). Then you'll get all four going green like this:

fWP0E8X.png


I actually run my own DoH and DoT server from home, using my domain (dns.mydomain.com). It proxies the queries through AdGuard Home to kill any advertisements or trackers, and then forwards on any legitimate queries to encrypted Cloudflare DNS to keep DNSSEC and eSNI enabled.

It's worth learning a little about Firefox and setting up a user.js from ghacks if you haven't already, to properly harden your installation. Be warned it's only a template however, not a recipe - don't just copy and paste it in. You need to go through the file section by section, read the notes, and only enable what you want/tweak as needed.
Click to expand...

But enabling this: network.security.esni.enabled does it break anything? I.e any website that wont work?
 
opethdisciple said:
But enabling this: network.security.esni.enabled does it break anything? I.e any website that wont work?
Click to expand...

Nope. It only adds, it doesn't take away. On any Cloudflare site (or any other site that happens to have enabled it) you'll get eSNI working and have an extra layer of security. On any other site, it just loads the 'old' way with cleartext SNI. No penalties involved.
 
@Rainmaker

Cooled turned it on and all green now. :D

Don't get why this isn't turned on by default tho. They are starting to role out dns over https in FF and Chrome now by default but this will only get a user so far. Things like this also need to be turned on.
 
opethdisciple said:
@Rainmaker

Cooled turned it on and all green now. :D

Don't get why this isn't turned on by default tho. They are starting to role out dns over https in FF and Chrome now by default but this will only get a user so far. Things like this also need to be turned on.
Click to expand...

Glad you got it sorted! And yeah, I think they're heading that way but again, I think they're being cautious and waiting for the standard to ratify. There's also a lot of pushback on this from big ISPs and corporations... can't think why. :D The UK's ISP Awards even went as far as to nominate Mozilla/Firefox as Internet Villain of the Year for doing this(!!), until public backlash hit so hard they cancelled it... lol.

Edit: Don't forget to set your Tracking Protection to Strict and run uBO, at least.
 
FredFlint said:
DNSSEC is still red for me, do i need to create an account for that?
Click to expand...

The only two things you need for this to work is:

1. Use cloudflare or NextDNS for DNS over HTTPS: settings - preferences - Scroll down to Network Settings - settings - tick "Enable DNS over HTTPS" and choose Cloudflare.

2. about:config and enable this: network.security.esni.enabled

You should now have all greens. When you go back to this page.

Probably not necessary but I use cloudflare dns locally on the PC's network connection.
 
darael said:
Firefox v77 just installed and given me the new address bar again, despite browser.urlbar.update1 being set to false.
Click to expand...

Mozilla disabled that option in v77, just as they disabled about:config for mobile users. They're heading in a crappy direction lately imo. I moved over to Waterfox, which doesn't (yet) have the new URL bar, but it's only a matter of time. Once Ungoogled Chromium can support eSNI I think I'll be leaving Mozilla behind, after... well, whenever Netscape Navigator and the first Firefox was. :(
 
opethdisciple said:
The only two things you need for this to work is:

1. Use cloudflare or NextDNS for DNS over HTTPS: settings - preferences - Scroll down to Network Settings - settings - tick "Enable DNS over HTTPS" and choose Cloudflare.

2. about:config and enable this: network.security.esni.enabled

You should now have all greens. When you go back to this page.

Probably not necessary but I use cloudflare dns locally on the PC's network connection.
Click to expand...
Done that but DNSSEC is still red?
 
I guess a custom userchrome.css can fix the "megabar" but I really don't like the direction they've been recently going. I've not been that happy with Firefox Preview on Android either. I'm tempted to give either Edge or Vivaldi a spin for a bit as their Android apps have improved quite a bit in terms of features and UI but I still feel Firefox gives me more control over privacy.
 
Orcvader said:
I guess a custom userchrome.css can fix the "megabar" but I really don't like the direction they've been recently going. I've not been that happy with Firefox Preview on Android either. I'm tempted to give either Edge or Vivaldi a spin for a bit as their Android apps have improved quite a bit in terms of features and UI but I still feel Firefox gives me more control over privacy.
Click to expand...

Brave, perhaps? I was going to recommend SnowHaze but it's iOS-only for now it seems. They have built in adblock, script block, spoofing, anti-fingerprint, and all sorts. It's open source too and very fast in my experience.
 
Rainmaker said:
Brave, perhaps? I was going to recommend SnowHaze but it's iOS-only for now it seems. They have built in adblock, script block, spoofing, anti-fingerprint, and all sorts. It's open source too and very fast in my experience.
Click to expand...
I had a go with Brave and was fine with the desktop client, but the Android app felt a bit too basic for me and is pretty stripped down. A few months ago there was syncing issues as well which pushed me away back to Firefox.
 
Had to manually turn webrender back on, looking at about:support it was disabled due to my refresh rate being too high.
 
You must log in or register to reply here.
Back
Top Bottom