Please restore ESNI until at least Cloudflare implements ECH
Categories: NSS :: Libraries, enhancement
Tracking: Not tracked
People: Reporter: zesanup, Unassigned
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Open https://www.cloudflare.com/cdn-cgi/trace and see that the SNI is plaintext. This should be encrypted.
Actual results:
Some websites that are hosted on servers implementing ESNI do not work, because of ISP blocking.
Expected results:
Websites that are hosted on servers implementing ESNI, such as Cloudflare, should work.
Yes, ECH is the way forward. Everyone knows that. But it has been half a year since ESNI was removed and ECH is clearly not ready. Instead of waiting for Cloudflare and others to deploy ECH at some point in the uncertain future (though seemingly distant future, as the 10th ECH draft was published in March), why not restore ESNI functionality in Fenix so that users can access websites now? This would be the practical solution to the problem.
Backstory: https://bugzilla.mozilla.org/show_bug.cgi?id=1667801 This conversation was going somewhere positive, but some idiot decided to hurl abuses and the bug was locked. I hope to continue that discussion, and that you reconsider the premature removal of ESNI, given that no one is using ECH at the moment, and certain websites will stay ISP-blocked for the foreseeable future.
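The reproduction step above relies on Cloudflare's trace page to report whether the SNI arrived in plaintext. A defender who wants to check the same thing locally, on a captured ClientHello, can parse the extension list directly: a plaintext `server_name` extension exposes the hostname, the removed ESNI mechanism used draft extension type 0xffce, and ECH (draft-13 onward) uses 0xfe0d while still carrying a cover `public_name` in the outer SNI. The following is an added example, not code from the bug report or from NSS; the ClientHello it inspects is constructed inline with a helper, and the codepoint constants are the draft values named in the comments.

```python
import struct

# Extension codepoints (assumptions documented here, not taken from the bug):
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name, hostname in the clear
EXT_ESNI_DRAFT = 0xFFCE   # encrypted_server_name, draft-ietf-tls-esni-02 (the removed ESNI)
EXT_ECH = 0xFE0D          # encrypted_client_hello, draft-ietf-tls-esni-13 and later


def build_client_hello(extensions):
    """Build a TLS record carrying a minimal ClientHello with the given extensions.

    extensions: list of (type, data) pairs. This is a constructed sample for the
    parser below, not a capture from a real client."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                              # legacy_version: TLS 1.2
        + b"\x00" * 32                           # random (zeroed for the sample)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(ext_body)) + ext_body
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def server_name_ext(hostname):
    """Encode an RFC 6066 server_name extension for one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry


def parse_client_hello_extensions(record):
    """Return {extension_type: data} from a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return {}                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    exts = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def sni_hostname(exts):
    """Extract the host_name from a server_name extension, or None."""
    data = exts.get(EXT_SERVER_NAME)
    if data is None:
        return None
    pos = 2                                        # skip server_name_list length
    while pos + 3 <= len(data):
        name_type = data[pos]
        n = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        if name_type == 0:
            return data[pos:pos + n].decode("ascii")
        pos += n
    return None


def classify_sni(record):
    """Report how the target hostname is exposed in this ClientHello.

    Returns ("ech", public_name), ("esni", visible_name), ("plaintext", host)
    or ("none", None). With ECH the visible SNI is only the cover public_name."""
    exts = parse_client_hello_extensions(record)
    visible = sni_hostname(exts)
    if EXT_ECH in exts:
        return "ech", visible
    if EXT_ESNI_DRAFT in exts:
        return "esni", visible
    if visible:
        return "plaintext", visible
    return "none", None


if __name__ == "__main__":
    sample = build_client_hello([server_name_ext("example.com")])
    print(classify_sni(sample))            # ('plaintext', 'example.com')
```

Feeding a real capture only requires handing the raw bytes of the first TLS record to `classify_sni`; a result of `plaintext` is the condition the trace page reports as an unencrypted SNI.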
Comment 2•3 years ago
We can't just restore ESNI. Both ESNI and ECH are massively complex and touch the same code, so we made the call a long while back to replace ESNI with ECH rather than try to keep both. So ESNI is just gone now.
I can't say when ECH will be deployed, but we ask for patience. Mostly we're blocked on server side support and standardization in some mix. Both take longer than you might like, but there isn't much we can do about that.