Encrypted client hello/server name extensions in FF 118

moonbat
Knows the dark side
Posts: 4984
Joined: 2015-12-09, 15:45

Encrypted client hello/server name extensions in FF 118

Unread post by moonbat » 2023-10-07, 07:47

So per the support article, Firefox 118 will have this feature and it relies on DoH to do its function. This feature was discussed here before when it was a new proposal. The idea is to encrypt the URL itself that the browser is requesting DNS resolution for, so no one can find out what server you're trying to resolve.
Two questions -
  • Is DoH necessary for this to work? Can it work with IPSEC assuming the target website also implements the relevant TLS 1.3 extension?
  • Will it be ported to PM/is it already available, presumably if it is no longer a draft spec?
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Moonchild
Pale Moon guru
Posts: 35650
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Encrypted client hello/server name extensions in FF 118

Unread post by Moonchild » 2023-10-07, 08:57

moonbat wrote:
2023-10-07, 07:47
Is DoH necessary for this to work?
Not at all. See also this bug at Mozilla. It's been open for 5 years but clearly Mozilla wanted to push using DoH so they didn't implement the feature outside of the new DoH plumbing.

The issue I have with enforcing DoH is that it just adds one more level of control to a centralized entity for all your browsing. ECH is only useful to shield you from snooping of your traffic on local networks and only insofar as you can't deduce from the subsequent connection IPs which sites are visited. Of course this falls directly in line with centralized proxying of traffic (e.g. cloudflare) and the more websites use a single point of presence to connect to, the more pooled it becomes and therefore a network observer can deduce fewer of the visited sites.
moonbat wrote:
2023-10-07, 07:47
Will it be ported to PM/is it already available, presumably if it is no longer a draft spec?
There's currently nothing to port because Mozilla only implemented it using DoH and our DNS resolver isn't kitted out to handle it.

I repeat from my previous thread though:
Encrypted SNI is yet another piecemeal thing that isn't needed in normal situations. Everything that is done here is specifically to eliminate any "leaks" to the local network and trying to make the browser stealth except for an outbound tunnel, if used. It's nonsense for any other workflow.

Once more, none of this is needed or useful if you use a VPN (or any other encapsulation protocol) tunnel to tunnel your way out of what you consider an untrusted local network. Even a web proxy over https will already completely bypass the need for any of these service-based encryptions/cloaking methods.
"Encrypted SNI is yet another piecemeal thing that isn't needed in normal situations." -- even the Mozilla blog post specifically states "if technologies are used in isolation", which is usually never the case.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
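As an added illustration of Moonchild's point about what ECH does and does not hide from a local observer (example code, not from this forum or the Pale Moon project): a minimal TLS ClientHello builder and a parser playing the passive on-path observer. Assumed here are the ECH extension codepoint 0xfe0d, a fixed random, and an opaque placeholder in place of the real HPKE-encrypted inner ClientHello.

```python
import struct

SNI_EXT = 0x0000
ECH_EXT = 0xFE0D  # encrypted_client_hello codepoint (assumed; draft-ietf-tls-esni-13+)


def build_client_hello(sni: str, ech_payload: bytes = b"") -> bytes:
    """Constructed minimal ClientHello: fixed random, one cipher suite, an SNI
    extension and (optionally) an ECH extension with a stand-in payload."""
    name = sni.encode()
    # server_name_list: list_len(2) name_type(1)=host_name name_len(2) name
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ech_payload:
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version + random
            + b"\x00"                            # empty session_id
            + b"\x00\x02\x13\x01"                # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def passive_observer_view(record: bytes) -> dict:
    """What someone sniffing the local network can read from a ClientHello:
    the plaintext SNI, if any, and whether an ECH extension is present."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9 + 2 + 32                       # record + handshake headers, version, random
    p += 1 + record[p]                   # session_id
    (cs_len,) = struct.unpack_from("!H", record, p); p += 2 + cs_len
    p += 1 + record[p]                   # compression methods
    (ext_len,) = struct.unpack_from("!H", record, p); p += 2
    end, view = p + ext_len, {"sni": None, "ech": False}
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        data = record[p:p + elen]; p += elen
        if etype == SNI_EXT:
            (name_len,) = struct.unpack_from("!H", data, 3)
            view["sni"] = data[5:5 + name_len].decode()
        elif etype == ECH_EXT:
            view["ech"] = True
    return view


if __name__ == "__main__":
    # Plain TLS 1.3: the real hostname is readable by anyone on the path.
    print(passive_observer_view(build_client_hello("secret-site.example")))
    # With ECH: the outer SNI is only the ECH config's public_name (typically the
    # fronting provider); the real name sits inside the opaque ECH payload.
    print(passive_observer_view(build_client_hello("cdn-front.example", b"\x00" * 16)))
```

The second case is exactly the residual signal Moonchild describes: the observer still learns the fronting provider's name and IP, so ECH hides the site only to the extent that many unrelated sites share that same public name and address.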

moonbat
Knows the dark side
Posts: 4984
Joined: 2015-12-09, 15:45

Re: Encrypted client hello/server name extensions in FF 118

Unread post by moonbat » 2023-10-07, 10:40

They tack on these features and then reinforce the 'Pale Moon is insecure' narrative for not supporting them :(
Always felt DoH was more of a D'oh! than anything else. I've got dnscrypt-proxy set up with DNSSEC-only servers and it works great.

Moonchild
Pale Moon guru
Posts: 35650
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Encrypted client hello/server name extensions in FF 118

Unread post by Moonchild » 2023-10-07, 11:16

It's actually even simpler. If you use a VPN and make sure to resolve through the tunnel (which is an option with just about every VPN offer out there), there will be 0 traffic that can be snooped on your local network since all you have is an encrypted channel to a single outside server.
Basically all these in-browser "features" are unnecessary if you set up your networking correctly, and it feels very much like a way to forcefully funnel all traffic through controlled third parties silently in the background instead of letting the user decide if they actually want tunnelling. Either that or cheat your way around corporate networking restrictions that you shouldn't be doing :coffee: