Upcoming Firefox 57 ("Quantum") is twice as fast as Firefox 52

Soldato
Joined
18 Aug 2007
Posts
9,704
Location
Liverpool
Perhaps this feature isn't ready yet.

Unless I misunderstood you, that last link (quoted) simply confirms that encrypted SNI works (i.e. regular SNI leaks even with DoH, so you need eSNI on top to truly be anonymous and uncensored).

While the relevant parts of the draft TLS 1.3 standard haven't been fully ratified yet, Cloudflare and Mozilla decided it was important enough to jump ahead and enable them anyway. That's why other browsers and DNS don't have it yet - they're waiting for the standard to be formalised. When you get it set up, with all four sections showing green, you are effectively hiding any website you visit that has eSNI available (i.e. anything behind Cloudflare atm). For example, 99% of those naughty pirate sites that are blocked in the UK use Cloudflare, and with DoH+eSNI you can connect to them perfectly fine even without a VPN. The combination of encrypted DNS and encrypted SNI means your ISP can't see what site you're connecting to.

To enable it, you need to go to about:config and set network.security.esni.enabled to true. You also need to have a compatible upstream DoH provider (which, atm, is just Cloudflare). Then you'll get all four going green like this:

fWP0E8X.png

I actually run my own DoH and DoT server from home, using my domain (dns.mydomain.com). It proxies the queries through AdGuard Home to kill any advertisements or trackers, and then forwards on any legitimate queries to encrypted Cloudflare DNS to keep DNSSEC and eSNI enabled.

It's worth learning a little about Firefox and setting up a user.js from ghacks if you haven't already, to properly harden your installation. Be warned it's only a template however, not a recipe - don't just copy and paste it in. You need to go through the file section by section, read the notes, and only enable what you want/tweak as needed.
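To see concretely what the reply above means by "regular SNI leaks even with DoH", here is an added Python example (not code from the thread, nor from Mozilla or Cloudflare) that builds two minimal TLS 1.3 ClientHello records and parses them the way a passive on-path observer such as an ISP middlebox would. One hello carries the hostname in the cleartext server_name extension; the other carries only the draft encrypted_server_name extension (codepoint 0xffce in the ESNI drafts), whose body is stood in for by placeholder bytes rather than a real encrypted value. The hostnames, the byte layout of the samples and the function names are constructed for this example.

```python
"""Parse the parts of a TLS ClientHello that a passive observer can read."""
import struct

SERVER_NAME_EXT = 0x0000   # RFC 6066 server_name: the cleartext SNI
ESNI_EXT_DRAFT = 0xFFCE    # encrypted_server_name codepoint used by the ESNI drafts


def _u16(n):
    return struct.pack("!H", n)


def sni_extension(hostname):
    """server_name extension carrying one host_name entry (cleartext)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name          # name_type host_name(0)
    return (SERVER_NAME_EXT, _u16(len(entry)) + entry)


def build_client_hello(extensions):
    """Assemble a minimal TLS 1.3 ClientHello record from (type, data) extensions.
    Constructed sample for the parser below, not a capture of real traffic."""
    body = b"\x03\x03"                 # legacy_version = TLS 1.2
    body += bytes(32)                  # random (zeros; sample only)
    body += b"\x00"                    # legacy_session_id: empty
    body += _u16(2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                # legacy_compression_methods: null
    ext = b"".join(_u16(t) + _u16(len(d)) + d for t, d in extensions)
    body += _u16(len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # handshake record


def _host_name(data):
    """Pull the host_name entry out of a server_name extension body."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        name = data[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0:
            return name.decode("ascii")
    return None


def observe_client_hello(record):
    """Return what an on-path observer learns: the cleartext SNI hostname (or None),
    whether the ESNI extension is present, and the list of extension types."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip legacy_version, random
    pos += 1 + body[pos]                                    # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # skip cipher_suites
    pos += 1 + body[pos]                                    # skip compression methods
    seen = {"sni": None, "esni": False, "extensions": []}
    if pos + 2 > len(body):
        return seen                                         # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        seen["extensions"].append(etype)
        if etype == SERVER_NAME_EXT:
            seen["sni"] = _host_name(data)
        elif etype == ESNI_EXT_DRAFT:
            seen["esni"] = True
    return seen


def observer_verdict(record):
    """One-line summary, the way a network monitor might log it."""
    seen = observe_client_hello(record)
    if seen["sni"]:
        return f"destination visible in cleartext SNI: {seen['sni']}"
    if seen["esni"]:
        return "destination hidden: ESNI extension present, no cleartext SNI"
    return "no SNI sent"


if __name__ == "__main__":
    # Constructed hostnames: one hello with plain SNI (what DoH alone still leaks),
    # one with only a draft ESNI extension (opaque placeholder bytes, not a real encrypted body).
    plain = build_client_hello([sni_extension("site.example")])
    hidden = build_client_hello([(ESNI_EXT_DRAFT, bytes(48))])
    print(observer_verdict(plain))
    print(observer_verdict(hidden))
```

Encrypted DNS stops the resolver query from revealing the name; the first hello shows the same name still crossing the wire inside the TLS handshake, which is exactly what the ESNI extension removes. The parser reports whatever cleartext hostname is present, so on a real capture it would also show a cover name if a client sends one. The destination IP address stays visible either way, but for a large CDN front that address does not identify the site.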
 
Soldato
Joined
18 May 2010
Posts
22,372
Location
London
But enabling this: network.security.esni.enabled, does it break anything? I.e. any website that won't work?
 
Soldato
Joined
18 Aug 2007
Posts
9,704
Location
Liverpool
Nope. It only adds, it doesn't take away. On any Cloudflare site (or any other site that happens to have enabled it) you'll get eSNI working and have an extra layer of security. On any other site, it just loads the 'old' way with cleartext SNI. No penalties involved.
 
Soldato
Joined
18 May 2010
Posts
22,372
Location
London
@Rainmaker

Cool, turned it on and all green now. :D

Don't get why this isn't turned on by default tho. They are starting to roll out DNS over HTTPS in FF and Chrome now by default but this will only get a user so far. Things like this also need to be turned on.
 
Soldato
Joined
18 Aug 2007
Posts
9,704
Location
Liverpool
Glad you got it sorted! And yeah, I think they're heading that way but again, I think they're being cautious and waiting for the standard to ratify. There's also a lot of pushback on this from big ISPs and corporations... can't think why. :D The UK's ISP Awards even went as far as to nominate Mozilla/Firefox as Internet Villain of the Year for doing this(!!), until public backlash hit so hard they cancelled it... lol.

Edit: Don't forget to set your Tracking Protection to Strict and run uBO, at least.
 
Soldato
Joined
18 May 2010
Posts
22,372
Location
London
DNSSEC is still red for me, do I need to create an account for that?

The only two things you need for this to work are:

1. Use Cloudflare or NextDNS for DNS over HTTPS: settings - preferences - Scroll down to Network Settings - settings - tick "Enable DNS over HTTPS" and choose Cloudflare.

2. about:config and enable this: network.security.esni.enabled

You should now have all greens when you go back to this page.

Probably not necessary but I use Cloudflare DNS locally on the PC's network connection.
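The two steps above map onto three about:config prefs, and the earlier advice in this thread to treat a hardening user.js as a template rather than a recipe applies to them too. As an added Python example (not from the thread, from Mozilla, or from the ghacks project), the block below reads the active lines of a small constructed user.js fragment, layers the two steps on top, checks the dependency between them (Firefox fetched the draft ESNI keys through its DoH resolver, so step 2 does nothing unless step 1 is in place), and writes the result back in user.js syntax. The pref names and the Cloudflare DoH URL are the real Firefox values; the template text and the helper names are constructed for the example.

```python
"""Express the thread's two steps as Firefox user.js prefs and check they are consistent."""
import json
import re

# Prefs named in the thread and in Mozilla's TRR (DoH) documentation:
#   network.trr.mode   0 = off (default), 2 = DoH first with native fallback,
#                      3 = DoH only, 5 = off by explicit choice
#   network.trr.uri    the DoH endpoint; Firefox's Cloudflare option uses the URL below
#   network.security.esni.enabled   the about:config toggle from step 2
THREAD_SETTINGS = {
    "network.trr.mode": 2,
    "network.trr.uri": "https://mozilla.cloudflare-dns.com/dns-query",
    "network.security.esni.enabled": True,
}

# Constructed fragment in the style of a hardening template (not the ghacks file itself):
# optional prefs are left commented out for the reader to decide on, one pref is active.
TEMPLATE = """\
/*** DNS over HTTPS (TRR): review before enabling ***/
// user_pref("network.trr.mode", 2);
// user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
/*** encrypted SNI ***/
user_pref("network.security.esni.enabled", true);
"""

USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);')


def parse_user_js(text):
    """Collect the active user_pref() lines; commented-out lines are skipped,
    which is also how Firefox treats them."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = json.loads(raw)
        else:
            prefs[name] = int(raw)
    return prefs


def render_user_js(prefs):
    """Write prefs back as user_pref() lines with the literal forms Firefox expects."""
    lines = []
    for name, value in prefs.items():
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = json.dumps(value)
        lines.append(f'user_pref("{name}", {literal});')
    return "\n".join(lines) + "\n"


def check_esni_prereqs(prefs):
    """List what would leave ESNI silently inactive: Firefox fetched the draft
    ESNI keys through its DoH resolver, so step 1 (TRR on) is required for step 2."""
    problems = []
    if prefs.get("network.security.esni.enabled") is not True:
        problems.append("network.security.esni.enabled is not true")
    mode = prefs.get("network.trr.mode", 0)
    if mode not in (2, 3):
        problems.append(f"network.trr.mode is {mode}, so DoH is off and ESNI keys cannot be fetched")
    if not prefs.get("network.trr.uri"):
        problems.append("network.trr.uri is not set")
    return problems


def apply_thread_settings(template_text):
    """Take what the template already activates and layer the thread's two steps on top."""
    prefs = parse_user_js(template_text)
    prefs.update(THREAD_SETTINGS)
    return prefs


if __name__ == "__main__":
    before = parse_user_js(TEMPLATE)
    print("template alone:", check_esni_prereqs(before) or "ok")
    after = apply_thread_settings(TEMPLATE)
    print("with thread settings:", check_esni_prereqs(after) or "ok")
    print(render_user_js(after))
```

network.trr.mode 2 is what the "Enable DNS over HTTPS" checkbox selects (DoH first, native fallback); 3 removes the fallback, which is stricter but means a DoH outage breaks name resolution. These prefs do not affect the DNSSEC indicator: Firefox leaves DNSSEC validation to the resolver it talks to.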
 
Soldato
Joined
18 Aug 2007
Posts
9,704
Location
Liverpool
Firefox v77 just installed and given me the new address bar again, despite browser.urlbar.update1 being set to false.

Mozilla disabled that option in v77, just as they disabled about:config for mobile users. They're heading in a crappy direction lately imo. I moved over to Waterfox, which doesn't (yet) have the new URL bar, but it's only a matter of time. Once Ungoogled Chromium can support eSNI I think I'll be leaving Mozilla behind, after... well, whenever Netscape Navigator and the first Firefox was. :(
 
Soldato
Joined
1 Feb 2006
Posts
3,389
Done that but DNSSEC is still red?
 
Soldato
Joined
11 Oct 2009
Posts
16,585
Location
Greater London
I guess a custom userChrome.css can fix the "megabar" but I really don't like the direction they've been recently going. I've not been that happy with Firefox Preview on Android either. I'm tempted to give either Edge or Vivaldi a spin for a bit as their Android apps have improved quite a bit in terms of features and UI but I still feel Firefox gives me more control over privacy.
 
Soldato
Joined
18 Aug 2007
Posts
9,704
Location
Liverpool
Brave, perhaps? I was going to recommend SnowHaze but it's iOS-only for now it seems. They have built in adblock, script block, spoofing, anti-fingerprint, and all sorts. It's open source too and very fast in my experience.
 
Soldato
Joined
11 Oct 2009
Posts
16,585
Location
Greater London
I had a go with Brave and was fine with the desktop client, but the Android app felt a bit too basic for me and is pretty stripped down. A few months ago there were syncing issues as well which pushed me away back to Firefox.
 