Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Mozilla Brings Encrypted SNI to Firefox Nightly

Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.

Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.

Introduced in 2003 to address the issue of accessing encrypted websites hosted at the same IP, the SNI extension was found to leak the identity of the sites that the user visits, which creates privacy issues. The problem is that, during the initial TLS handshake, the ClientHello message is sent unencrypted.

ESNI, an extension to TLS version 1.3 and above, attempts to mitigate that by replacing the SNI extension in ClientHello with an encrypted variant.

Now, Firefox Nightly users can take advantage of this added protection by enabling the encryption of SNI in the browser. ESNI will automatically work with any site that supports it, which currently only means sites hosted by Cloudflare.

Over 80% of the web traffic today is encrypted with HTTPS, meaning that the content of the messages exchanged between a server and a user’s browser are kept private, but attackers can still learn which sites the user is accessing.

As Mozilla’s Eric Rescorla explains, browsing history information leaks to the network in four ways, namely through the TLS certificate message, DNS name resolution, the server IP address, and the SNI extension.

TLS 1.3 now encrypts the server certificate by default and DNS traffic can be protected by using DNS over HTTPS. The IP address remains an issue, somewhat mitigated by the fact that multiple sites often use the same address (which is the reason SNI was needed in the first place).

ESNI, Rescorla says, posed challenges because initial designs affected performance, and TLS 1.3 was eventually published without it. As it turns out, the issue can be mounted via mass-conversion to encrypted SNI.

Advertisement. Scroll to continue reading.

“Big Content Distribution Networks (CDNs) host a lot of sites all on the same machines. If they’re willing to convert all their customers to ESNI at once, then suddenly ESNI no longer reveals a useful signal because the attacker can see what CDN you are going to anyway,” he explains.

With the added support for ESNI, Firefox becomes the first browser to adopt the technology. Users looking to take advantage of it should grab the latest Firefox Nightly build, make sure they have DNS over HTTPS enabled, and set the “network.security.esni.enabled” preference in about:config to “true”.

“This should automatically enable ESNI for any site that supports it. Right now, that’s just Cloudflare, which has enabled ESNI for all its customers, but we’re hoping that other providers will follow them,” Rescorla notes.

Related: Cloudflare Encrypts SNI Across Its Network

Related: Major Browsers to Kill TLS 1.0, 1.1

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

Jessica Newman has joined Sophos as General Manager of Global Cyber Insurance.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.