Mozilla Brings Encrypted SNI to Firefox Nightly
21.10.2018 securityweek Safety
Mozilla says Firefox Nightly now supports encrypting the Transport Layer Security (TLS) Server Name Indication (SNI) extension, several weeks after Cloudflare announced it turned on Encrypted SNI (ESNI) across all of its network.
Introduced in 2003 to address the issue of accessing encrypted websites hosted at the same IP, the SNI extension was found to leak the identity of the sites that the user visits, which creates privacy issues. The problem is that, during the initial TLS handshake, the ClientHello message is sent unencrypted.
ESNI, an extension to TLS version 1.3 and above, attempts to mitigate that by replacing the SNI extension in ClientHello with an encrypted variant.
Now, Firefox Nightly users can take advantage of this added protection by enabling the encryption of SNI in the browser. ESNI will automatically work with any site that supports it, which currently only means sites hosted by Cloudflare.
Over 80% of the web traffic today is encrypted with HTTPS, meaning that the content of the messages exchanged between a server and a user’s browser are kept private, but attackers can still learn which sites the user is accessing.
As Mozilla’s Eric Rescorla explains, browsing history information leaks to the network in four ways, namely through the TLS certificate message, DNS name resolution, the server IP address, and the SNI extension.
TLS 1.3 now encrypts the server certificate by default and DNS traffic can be protected by using DNS over HTTPS. The IP address remains an issue, somewhat mitigated by the fact that multiple sites often use the same address (which is the reason SNI was needed in the first place).
ESNI, Rescorla says, posed challenges because initial designs affected performance, and TLS 1.3 was eventually published without it. As it turns out, the issue can be mounted via mass-conversion to encrypted SNI.
“Big Content Distribution Networks (CDNs) host a lot of sites all on the same machines. If they’re willing to convert all their customers to ESNI at once, then suddenly ESNI no longer reveals a useful signal because the attacker can see what CDN you are going to anyway,” he explains.
With the added support for ESNI, Firefox becomes the first browser to adopt the technology. Users looking to take advantage of it should grab the latest Firefox Nightly build, make sure they have DNS over HTTPS enabled, and set the “network.security.esni.enabled” preference in about:config to “true”.
“This should automatically enable ESNI for any site that supports it. Right now, that’s just Cloudflare, which has enabled ESNI for all its customers, but we’re hoping that other providers will follow them,” Rescorla notes.