Understand Encrypted Client Hello (ECH)

Firefox | Last updated: 2 weeks, 6 days ago

Firefox version 118 introduced a significant security enhancement called Encrypted Client Hello (ECH), which is enabled by default in Firefox 119 and above. When you browse the Internet, your data needs protection from prying eyes. Most online communication uses a security protocol called Transport Layer Security (TLS) to encrypt your information and keep it safe. However, there's a catch. This protection starts after an initial “hello” message, also known as a “handshake”. Unfortunately, this handshake happens in the open, exposing sensitive information like the name of the website that you are connecting to.

[Illustration: ECH 1]

ECH addresses this vulnerability in the TLS protocol. When you use ECH, your initial “hello” message to a website becomes securely encrypted. Only the website you're visiting can decrypt it, ensuring your message remains private throughout its journey. In simple terms, ECH acts as a guardian, making it much harder to identify which websites you are visiting, protecting your online activity, and improving your privacy.

[Illustration: ECH 2]

ECH relies on DNS over HTTPS (DoH) for its functionality, using it to fetch the key needed for encryption. Together, they form an even more robust privacy barrier as DoH focuses on encrypting DNS queries to protect the translation of website names to IP addresses, while ECH encrypts the initial communication between devices and websites to improve the security of the connection establishment process.

This collaboration addresses weaknesses present when either technology is used in isolation, ensuring comprehensive online privacy. In line with Mozilla's commitment to privacy and security in Firefox, ECH is enabled by default and used where available. ECH relies on DNS records fetched via DoH, so make sure DoH is enabled. Using an encrypted DNS transport like DoH is vital to ensure your browsing traffic isn't leaked via the normally unencrypted DNS protocol, and ECH delivers the most privacy benefit when its DNS records are fetched that way, so we recommend enabling DoH in Firefox.
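To make the "ECH fetches its key via DoH" relationship concrete, the following is an added example (not Firefox's or Mozilla's code) that builds the DoH GET query a client would send for a site's HTTPS DNS record and parses the ECH configuration carried in that record. The record bytes and the resolver URL `https://doh.example/dns-query` are constructed for illustration; the wire layouts follow RFC 9460 (HTTPS records), RFC 8484 (DoH) and the ECHConfigList structure of the TLS ECH specification. The summary it returns shows the one hostname an observer can still see, the `public_name` placed in the outer ClientHello, while the real site name is in the encrypted inner ClientHello.

```python
"""Inspect the ECH configuration a site advertises in its DNS HTTPS record.

Added example for this article; it is not Mozilla/Firefox code. Wire layouts
follow RFC 9460 (SVCB/HTTPS records), RFC 8484 (DoH GET queries) and the
ECHConfigList structure of the TLS ECH specification (draft-ietf-tls-esni).
The sample record and resolver URL below are constructed for illustration.
"""
import base64
import struct

TYPE_HTTPS = 65        # DNS RR type for HTTPS records (RFC 9460)
SVCPARAM_ALPN = 1      # SvcParamKey "alpn"
SVCPARAM_ECH = 5       # SvcParamKey "ech": raw ECHConfigList bytes on the wire
ECH_VERSION = 0xFE0D   # ECHConfig version used by current ECH deployments


def encode_name(name: str) -> bytes:
    """Encode a DNS name in uncompressed wire format ('.' becomes a lone zero byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, pos: int):
    """Decode an uncompressed DNS name at buf[pos]; returns (name, next_pos)."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) or ".", pos + 1


def doh_query_bytes(name: str) -> bytes:
    """DNS query message for the HTTPS record of `name` (ID 0, RD set, class IN)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_HTTPS, 1)


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: base64url of the wire query, padding removed."""
    q = base64.urlsafe_b64encode(doh_query_bytes(name)).rstrip(b"=").decode()
    return f"{resolver}?dns={q}"


def parse_https_rdata(rdata: bytes) -> dict:
    """Split HTTPS RDATA into priority, target name and SvcParam key/value bytes."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = decode_name(rdata, 2)
    params = {}
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        params[key] = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
    return {"priority": priority, "target": target, "params": params}


def parse_ech_config_list(blob: bytes) -> list:
    """Parse an ECHConfigList; configs with an unknown version are kept but flagged."""
    end = 2 + struct.unpack("!H", blob[:2])[0]
    pos, configs = 2, []
    while pos < end:
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        body = blob[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != ECH_VERSION:
            configs.append({"version": version, "supported": False})
            continue
        config_id = body[0]
        kem_id, pk_len = struct.unpack("!HH", body[1:5])
        p = 5 + pk_len
        public_key = body[5:p]
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p, p + cs_len, 4)]
        p += cs_len
        max_name_len, pn_len = body[p], body[p + 1]
        public_name = body[p + 2:p + 2 + pn_len].decode("ascii")
        configs.append({"version": version, "supported": True, "config_id": config_id,
                        "kem_id": kem_id, "public_key": public_key, "cipher_suites": suites,
                        "max_name_len": max_name_len, "public_name": public_name})
    return configs


def ech_summary(rdata: bytes) -> dict:
    """What a network observer can still see: only public_name goes into the
    outer ClientHello; the real hostname travels in the encrypted inner ClientHello."""
    rec = parse_https_rdata(rdata)
    blob = rec["params"].get(SVCPARAM_ECH)
    usable = [c for c in parse_ech_config_list(blob) if c["supported"]] if blob else []
    return {"ech_advertised": bool(usable),
            "outer_sni": [c["public_name"] for c in usable],
            "kem_ids": [c["kem_id"] for c in usable],
            "alpn": rec["params"].get(SVCPARAM_ALPN, b"")}


def build_sample_rdata(public_name: str = "public.example") -> bytes:
    """Constructed HTTPS RDATA (priority 1, target '.') with alpn and one ECHConfig:
    KEM 0x0020 (X25519), KDF/AEAD 0x0001/0x0001, and a dummy all-zero public key."""
    key_config = (bytes([7]) + struct.pack("!HH", 0x0020, 32) + bytes(32)
                  + struct.pack("!H", 4) + struct.pack("!HH", 0x0001, 0x0001))
    pn = public_name.encode("ascii")
    contents = key_config + bytes([64, len(pn)]) + pn + struct.pack("!H", 0)
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    ech_list = struct.pack("!H", len(config)) + config
    alpn = b"\x02h2\x08http/1.1"
    params = (struct.pack("!HH", SVCPARAM_ALPN, len(alpn)) + alpn
              + struct.pack("!HH", SVCPARAM_ECH, len(ech_list)) + ech_list)
    return struct.pack("!H", 1) + encode_name(".") + params


if __name__ == "__main__":
    print(doh_get_url("https://doh.example/dns-query", "www.example"))
    print(ech_summary(build_sample_rdata()))
```

Run against a real record, the `outer_sni` value is the only server name a passive observer sees when ECH is in use; if `ech_advertised` comes back false, the site has not published a key and Firefox falls back to a plaintext ClientHello. The DoH query is built with ID 0 and no padding characters, as RFC 8484 recommends for cacheable GET requests.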

If you're using family safety software or have deployed Firefox in an enterprise environment, you shouldn't need to make any changes to your configuration. Firefox won't use ECH to encrypt traffic if any of the DoH opt-outs have been configured. Similarly, if your family safety software or enterprise administrator has configured Firefox to use a transparent proxy, this will also disable ECH encryption. Most family safety software and enterprise solutions should work with ECH without any modifications, in particular if they integrate directly into the browser via an extension, filter DNS records, or act as a transparent proxy. Encrypted Client Hello can also be disabled via enterprise policy, and it is disabled if family safety settings are enabled in the operating system.

Also, when you're online, your Internet Service Provider (ISP) might be collecting information about what you do on the Internet, using invasive techniques like deep packet inspection. This is where ECH comes in as a game-changer. It addresses privacy worries by preventing ISPs from gathering your browsing data, creating profiles about you without asking, and selling this information. So with ECH, your data stays private, making it harder for them to build those profiles.

As a bonus, combining ECH with a VPN like Mozilla VPN adds an extra layer of protection to your online privacy. The VPN acts as a secure tunnel, masking your identity, while ECH ensures that your initial “hello” message remains confidential from network monitors. For details on using a VPN with Firefox's ECH, see Encrypted Client Hello (ECH) - Frequently asked questions.

Learn more
