Connect with us

Hi, what are you looking for?


Data Protection

Mozilla Brings Encrypted SNI to Firefox Nightly

Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.

Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.

Introduced in 2003 to address the issue of accessing encrypted websites hosted at the same IP, the SNI extension was found to leak the identity of the sites that the user visits, which creates privacy issues. The problem is that, during the initial TLS handshake, the ClientHello message is sent unencrypted.

ESNI, an extension to TLS version 1.3 and above, attempts to mitigate that by replacing the SNI extension in ClientHello with an encrypted variant.

Now, Firefox Nightly users can take advantage of this added protection by enabling the encryption of SNI in the browser. ESNI will automatically work with any site that supports it, which currently only means sites hosted by Cloudflare.

Over 80% of the web traffic today is encrypted with HTTPS, meaning that the content of the messages exchanged between a server and a user’s browser are kept private, but attackers can still learn which sites the user is accessing.

As Mozilla’s Eric Rescorla explains, browsing history information leaks to the network in four ways, namely through the TLS certificate message, DNS name resolution, the server IP address, and the SNI extension.

TLS 1.3 now encrypts the server certificate by default and DNS traffic can be protected by using DNS over HTTPS. The IP address remains an issue, somewhat mitigated by the fact that multiple sites often use the same address (which is the reason SNI was needed in the first place).

Advertisement. Scroll to continue reading.

ESNI, Rescorla says, posed challenges because initial designs affected performance, and TLS 1.3 was eventually published without it. As it turns out, the issue can be mounted via mass-conversion to encrypted SNI.

“Big Content Distribution Networks (CDNs) host a lot of sites all on the same machines. If they’re willing to convert all their customers to ESNI at once, then suddenly ESNI no longer reveals a useful signal because the attacker can see what CDN you are going to anyway,” he explains.

With the added support for ESNI, Firefox becomes the first browser to adopt the technology. Users looking to take advantage of it should grab the latest Firefox Nightly build, make sure they have DNS over HTTPS enabled, and set the “” preference in about:config to “true”.

“This should automatically enable ESNI for any site that supports it. Right now, that’s just Cloudflare, which has enabled ESNI for all its customers, but we’re hoping that other providers will follow them,” Rescorla notes.

Related: Cloudflare Encrypts SNI Across Its Network

Related: Major Browsers to Kill TLS 1.0, 1.1

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...