Understand Encrypted Client Hello (ECH)

Firefox | Last updated: 4 weeks ago

Firefox version 118 introduced a significant security enhancement called Encrypted Client Hello (ECH), which is enabled by default in Firefox 119 and above. When you browse the Internet, your data needs protection from prying eyes. Most online communication uses a security protocol called Transport Layer Security (TLS) to encrypt your information and keep it safe. However, there's a catch. This protection starts after an initial “hello” message, also known as a “handshake”. Unfortunately, this handshake happens in the open, exposing sensitive information like the name of the website that you are connecting to.

(Illustration: ECH 1)

ECH addresses this vulnerability in the TLS protocol. When you use ECH, your initial “hello” message to a website becomes securely encrypted. Only the website you're visiting can decrypt it, ensuring your message remains private throughout its journey. In simple terms, ECH acts as a guardian, making it much harder to identify which websites you are visiting, protecting your online activity, and improving your privacy.

(Illustration: ECH 2)

ECH relies on DNS over HTTPS (DoH) for its functionality, using it to fetch the key needed for encryption. Together, they form an even more robust privacy barrier as DoH focuses on encrypting DNS queries to protect the translation of website names to IP addresses, while ECH encrypts the initial communication between devices and websites to improve the security of the connection establishment process.

This collaboration addresses weaknesses present when either technology is used in isolation, ensuring comprehensive online privacy. In line with Mozilla's commitment to privacy and security in Firefox, ECH is enabled by default and used where available. Because ECH relies on DNS records fetched via DoH, it delivers the most privacy benefit when those records travel over an encrypted transport: otherwise the name of the website can still leak through the normally unencrypted DNS protocol. We therefore recommend enabling DoH in Firefox.
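As an added example, not Mozilla's or Firefox's code, the Python below decodes the kind of HTTPS DNS record (type 65) that Firefox fetches over DoH and pulls the ECH key configuration out of its ech parameter: the public name that goes into the outer, unencrypted hello and the HPKE public key that encrypts the inner one. Wire formats follow RFC 9460 for the record and the ECHConfigList structure from the TLS ECH specification; the record bytes and the key are constructed samples.

```python
import struct

ECH_SVCPARAM_KEY = 5          # SvcParamKey "ech" in an HTTPS/SVCB record (RFC 9460)
ECH_VERSION_DRAFT13 = 0xFE0D  # ECHConfig.version that Firefox negotiates

def parse_ech_config_list(data: bytes) -> list[dict]:
    """Decode an ECHConfigList; configs with an unknown version are skipped."""
    (total,) = struct.unpack_from("!H", data, 0)
    pos, end, configs = 2, 2 + total, []
    while pos < end:
        version, length = struct.unpack_from("!HH", data, pos)
        body, pos = data[pos + 4:pos + 4 + length], pos + 4 + length
        if version != ECH_VERSION_DRAFT13:
            continue  # a client must ignore versions it does not understand
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        public_key, p = body[5:5 + pk_len], 5 + pk_len
        cs_len, p = struct.unpack_from("!H", body, p)[0], p + 2
        suites = [struct.unpack_from("!HH", body, p + i) for i in range(0, cs_len, 4)]
        max_name_len, name_len = struct.unpack_from("!BB", body, p + cs_len)
        public_name = body[p + cs_len + 2:][:name_len].decode("ascii")  # outer SNI value
        configs.append({"config_id": config_id, "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "maximum_name_length": max_name_len, "public_name": public_name})
    return configs

def ech_from_https_rdata(rdata: bytes) -> list[dict]:
    """Walk HTTPS RR RDATA (SvcPriority, TargetName, SvcParams) to the ech value."""
    pos = 2  # skip SvcPriority
    while rdata[pos] != 0:  # TargetName: length-prefixed labels, root label is 0x00
        pos += 1 + rdata[pos]
    pos += 1
    while pos < len(rdata):
        key, vlen = struct.unpack_from("!HH", rdata, pos)
        value, pos = rdata[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        if key == ECH_SVCPARAM_KEY:
            return parse_ech_config_list(value)
    return []  # no ech param: the browser has no key and sends the SNI in the clear

def constructed_https_rdata() -> bytes:
    """Constructed sample: alpn=h2 plus one X25519 / HKDF-SHA256 / AES-128-GCM ECHConfig."""
    public_key = bytes(range(32))  # placeholder bytes, not a real HPKE public key
    name = b"public.example"
    contents = (struct.pack("!BHH", 1, 0x0020, len(public_key)) + public_key
                + struct.pack("!HHH", 4, 0x0001, 0x0001)  # one (kdf_id, aead_id) suite
                + struct.pack("!BB", 0, len(name)) + name + struct.pack("!H", 0))
    config = struct.pack("!HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    ech_list = struct.pack("!H", len(config)) + config
    return (struct.pack("!H", 1) + b"\x00"  # SvcPriority 1, TargetName "."
            + struct.pack("!HH", 1, 3) + b"\x02h2"  # alpn (key 1) must precede ech (key 5)
            + struct.pack("!HH", ECH_SVCPARAM_KEY, len(ech_list)) + ech_list)
```

Running the same parser over a real record fetched via DoH shows at a glance whether a site has published an ECH key and which public name an on-path observer would see instead of the real hostname.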

If you’re using family safety software or have deployed Firefox in an enterprise environment, you shouldn’t need to make any changes to your configuration. Firefox won’t use ECH to encrypt traffic if any of the DoH opt-outs have been configured. Similarly, if your family safety software or enterprise administrator has configured Firefox to use a transparent proxy, this will also disable ECH encryption. Most family safety software and enterprise solutions should work with ECH without any modifications, in particular if they integrate directly into the browser via an extension, filter DNS records or act as a transparent proxy. Encrypted Client Hello can also be disabled via Enterprise policy or if family safety settings are enabled in the operating system.

Also, when you're online, your Internet Service Provider (ISP) might be collecting information about what you do on the Internet, using invasive techniques like deep packet inspection. This is where ECH comes in as a game-changer. It addresses privacy worries by preventing ISPs from gathering your browsing data, creating profiles about you without asking, and selling this information. So with ECH, your data stays private, making it harder for them to build those profiles.

As a bonus, combining ECH with a VPN like Mozilla VPN adds an extra layer of protection to your online privacy. The VPN acts as a secure tunnel, masking your identity, while ECH ensures that your initial “hello” message remains confidential from network monitors. For details on using a VPN with Firefox's ECH, see Encrypted Client Hello (ECH) - Frequently asked questions.
