I just came across this article and I think it’ll be helpful to people here:
Interesting read, thanks. I’ve used Librewolf before and liked it. However, I’m unsure the advertised benefits outweigh the fact that patches and updates take longer. When you think about an internet browser, that’s an application with an extremely large codebase with a comparatively large attack surface to other applications. Mozilla is going to be quicker at security patches, and with Librewolf those patches need to be integrated into their code. By the time someone gets done tweaking their Firefox environment with uBlock and Arkenfox I’m not sure if Librewolf is better. And as for encrypted SNI you could use dnscrypt-proxy for this, or just use a VPN that pushes their DNS through a server that supports encrypted client hello (which is most probably). The one thing that Librewolf would still hold the edge in however is user friendliness. Where stock Firefox needs tweaking, Librewolf does not. Unless you’re running Linux, in which case the only parameter you should adjust is making sure you use a Wayland environment for enhanced security. But that would go for pretty much any application, not just browsers.
Neither a VPN nor dnscrypt fixes the plaintext SNI leak.
Each website you visit must support ECH.
I have a list here: https://divested.dev/misc/ech.txt
Appreciate the correction. I admittedly don’t know much about ECH/SNI. I was under the impression this was related to what server you were using. As I was testing different servers I connected to with the Cloudflare test and it registered some of them having SNI support while others did not.
Hmm… Somehow even when I enable Cloudflare DoH in Firefox (“Max protection” mode), the https://crypto.cloudflare.com/cdn-cgi/trace still returns sni=plaintext
You do not need Cloudflare or DoH or DoT or dnscrypt or the Firefox resolver to use ECH.
You can use any resolver.
That domain is not ECH enabled:
dig https crypto.cloudflare.com
Try https://pq.cloudflareresearch.com/cdn-cgi/trace instead.
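Added example, not part of the posts in this thread: a small Python helper that combines the two checks discussed here, the HTTPS DNS record (as printed by dig) and the cdn-cgi/trace body, to tell "site publishes no ECH config" apart from "site offers ECH but the browser did not use it". The sample inputs are constructed, and the trace value `sni=encrypted` for the success case is an assumption (the thread only shows `sni=plaintext`).

```python
import shlex

# Constructed sample inputs (not captured from the live services).
DIG_WITH_ECH = ('pq.cloudflareresearch.com. 300 IN HTTPS 1 . alpn="h2" '
                'ipv4hint=192.0.2.10 ech=Q09OU1RSVUNURUQ=')
DIG_NO_ECH = 'crypto.cloudflare.com. 300 IN HTTPS 1 . alpn="h2" ipv4hint=192.0.2.20'
TRACE_PLAINTEXT = "h=pq.cloudflareresearch.com\ntls=TLSv1.3\nsni=plaintext\n"
TRACE_ENCRYPTED = "h=pq.cloudflareresearch.com\ntls=TLSv1.3\nsni=encrypted\n"

def parse_https_rr(line):
    """Parse one HTTPS record line in dig's presentation format, or return None."""
    fields = shlex.split(line)  # handles quoted values such as alpn="h2,h3"
    if "HTTPS" not in fields:
        return None
    i = fields.index("HTTPS")
    if len(fields) < i + 3:
        return None
    params = {}
    for token in fields[i + 3:]:
        key, _, value = token.partition("=")
        params[key] = value
    return {"priority": int(fields[i + 1]), "target": fields[i + 2], "params": params}

def ech_advertised(dig_answer):
    """True if a ServiceMode (priority > 0) HTTPS record carries a non-empty ech= value."""
    for line in dig_answer.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and dig's comment/question lines
        rr = parse_https_rr(line)
        if rr and rr["priority"] > 0 and rr["params"].get("ech"):
            return True
    return False

def trace_sni(trace_body):
    """Return the sni= field of a cdn-cgi/trace body, or None if absent."""
    pairs = (l.split("=", 1) for l in trace_body.splitlines() if "=" in l)
    return dict(pairs).get("sni")

def diagnose(dig_answer, trace_body):
    if not ech_advertised(dig_answer):
        return "no ECH config published: plaintext SNI is expected for this site"
    if trace_sni(trace_body) == "encrypted":
        return "ECH in use"
    return "ECH published but not used: check how the browser fetches HTTPS records"

if __name__ == "__main__":
    print(diagnose(DIG_NO_ECH, TRACE_PLAINTEXT))
    print(diagnose(DIG_WITH_ECH, TRACE_PLAINTEXT))
    print(diagnose(DIG_WITH_ECH, TRACE_ENCRYPTED))
```
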
Ah I see. I did not know about pq.cloudflareresearch.com. Thanks a lot.
I tested with Firefox’s DoH because somehow on my machine I can’t force ECH on the test websites (Windows 10, FF 130.0.1 new fresh profile) without FF DoH. I don’t know what’s wrong and how to solve it.
On https://pq.cloudflareresearch.com/cdn-cgi/trace , it returns sni=plaintext
On https://www.cloudflare.com/ssl/encrypted-sni/, Secure SNI returns X
Firefox only supports native HTTPS query on “Windows 11, Linux, Android 10+”, otherwise the built-in resolver is necessary.
Oh I see, I understand now. Thanks for the information
I agree completely with this comment. I’m a regular/average user and never did figure out how to use arkenfox. It’s hard to find a tutorial giving step-by-step instructions. I now use Librewolf instead on Kubuntu OS.
Mullvad Browser is to be used without any configuration whatsoever, including installation of extensions. Librewolf or Firefox with arkenfox use case would be to configure it as you see fit + install any necessary extensions, at the cost of some fingerprinting privacy. I think the clear case for Librewolf is it being the simpler way to use arkenfoxed Firefox, with the downside of lagging behind in updates (and maybe some others).
And it’s not even that bad. With the recent critical vuln discovered in FF, Librewolf updated within hours.
I appreciate your reply!
You obviously have much more computing knowledge than me, but the topic of “slow updates” or “sparse updates” for Apps came up earlier and it really made me think!
I think most people assume that the more updates an App receives, the better/more secure/more reliable/more features it’ll have.
Apps that don’t receive updates often may just not need many updates because the Apps have been built with a strong foundation.
I use Librewolf for day-to-day web browsing. I like its fingerprinting resistance.

