Firefox

20428 readers

50 users here now

/c/firefox

A place to discuss the news and latest developments on the open-source browser Firefox.

Rules

1. Adhere to the instance rules

2. Be kind to one another

3. Communicate in a civil manner

Reporting

If you would like to bring an issue to the moderators attention, please use the "Create Report" feature on the offending comment or post and it will be reviewed as time allows.

founded 5 years ago

MODERATORS

k_o_t@lemmy.ml

golden_zealot@lemmy.ml

299

Say (an encrypted) hello to a more private internet. | The Mozilla Blog (blog.mozilla.org)

submitted 2 years ago by kixik@lemmy.ml to c/firefox@lemmy.ml

29 comments fedilink hide all child comments

r/privacy

you are viewing a single comment's thread
view the rest of the comments

[–] Bitrot@lemmy.sdf.org 11 points 2 years ago* (last edited 2 years ago)

The problem doesn’t involve DNS, it’s after that step.

SNI is when your browser connects to the server. A server may host multiple sites on the same IP, so your browser says “I would like to open an encrypted session to lemmy.ml”. It does this in the clear. If it was an unencrypted http site it would be in headers, but in https those headers aren’t passed until after the encrypted session is set up, so there has to be some way for the server to know the specific site. Anybody listening to SNI traffic knows the exact site you connected to, even if there are hundreds at that ip.

This adds a public key to the DNS record, so your browser is able to encrypt that initial hello message before the https session is encrypted. Someone listening might see something like “ECH: randomgibberish” but the server can decrypt it.