Do any of the top ~10k websites support Encrypted Client Hello?



Informative and unfortunate.

1 Like

Cloudflare giveth, Cloudflare taketh away?

ECH is disabled globally, and cannot currently be enabled in the Cloudflare Dashboard.


@SkewedZeppelin is there a script or tool you use to test ECH support of remote websites?

Cloudflare giveth, Cloudflare taketh

Indeed. (but they are working on re-implementing it)

Ironically, it felt like we were in a better position with respect to ECH a year or two ago (Cloudflare had enabled ECH by default, Firefox had an explicit about:config option to enable it independently from DoH).


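# Report, for each domain in domains.txt, whether its HTTPS record carries an "ech=" parameter.
# The resolver address after "@" is missing from the post; set RESOLVER to your DNS server.
while read -r line; do
	if /usr/bin/dig @"$RESOLVER" +timeout=1 +short HTTPS "$line" | grep -q "ech="; then
		echo "YES: $line";
	else
		echo "NO: $line";
	fi
done < domains.txt;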

Firefox before 127 actually does require TRR to use ECH.
125 added an option to use the host resolver for HTTPS records, but only 127 enables it by default.
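
As an added example (not part of the thread or any poster's code), the Python below goes one step beyond grepping for `ech=`: it decodes the base64 ECHConfigList from one `dig +short HTTPS` output line and returns each config's id and public name, rejecting malformed values. The function names and the sample record (all-zero key, `public.example`) are constructed for illustration, and only ECHConfig version 0xfe0d is parsed.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # the ECHConfig version this parser understands

def parse_ech_config_list(blob: bytes):
    """Decode an ECHConfigList into [(config_id, public_name), ...]."""
    if len(blob) < 2 or struct.unpack_from("!H", blob)[0] != len(blob) - 2:
        raise ValueError("ECHConfigList length prefix does not match payload")
    configs, pos = [], 2
    try:
        while pos < len(blob):
            version, length = struct.unpack_from("!HH", blob, pos)
            body = blob[pos + 4:pos + 4 + length]
            pos += 4 + length
            if version != ECH_VERSION:
                continue  # entries with an unknown version are skipped
            config_id, _kem_id, key_len = struct.unpack_from("!BHH", body)
            off = 5 + key_len
            off += 2 + struct.unpack_from("!H", body, off)[0]  # cipher suites
            _max_name_len, name_len = struct.unpack_from("!BB", body, off)
            name = body[off + 2:off + 2 + name_len]
            if len(name) != name_len:
                raise ValueError("truncated public_name")
            configs.append((config_id, name.decode("ascii")))
    except struct.error as exc:
        raise ValueError("truncated ECHConfig") from exc
    return configs

def ech_from_https_record(line: str):
    """Return decoded ECH configs from one `dig +short HTTPS` line, or None."""
    for param in line.split()[2:]:  # skip SvcPriority and TargetName
        key, _, value = param.partition("=")
        if key == "ech":
            return parse_ech_config_list(base64.b64decode(value.strip('"'), validate=True))
    return None

def build_sample_record() -> str:
    """Constructed sample record (all-zero key, made-up name), for offline use."""
    name = b"public.example"
    body = struct.pack("!BHH", 7, 0x0020, 32) + bytes(32)   # id, KEM, public key
    body += struct.pack("!HHH", 4, 0x0001, 0x0001)          # one KDF/AEAD pair
    body += struct.pack("!BB", 0, len(name)) + name + struct.pack("!H", 0)
    config = struct.pack("!HH", ECH_VERSION, len(body)) + body
    blob = struct.pack("!H", len(config)) + config
    return '1 . alpn="h2" ech=' + base64.b64encode(blob).decode()
```

An empty list means an `ech=` parameter was present but held no config of a version the parser knows, a case the plain `grep` would report as YES.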


Good news!

Let me make sure I understand correctly:

With this change, will ECH be toggled/enabled by default, independently of DoH (in the browser or on the host system)? Or does this still require DoH but now supports DoH on the host instead of only in the browser?

There are 3 relevant settings here:

  1. network.dns.echconfig.enabled controls whether ECH will be attempted
  2. network.trr.mode controls the state of the built-in resolver
  3. network.dns.native_https_query controls whether or not to look up HTTPS records using the system resolver

ECH should work as long as 1 is enabled and either 2 or 3 is enabled.

In the case of using 3 over 2, you should still have your system use DoH or DoT as otherwise ECH isn’t very effective.

1 Like