nullpay.
Network, Advanced, 10 min, desktop

SNI & Encrypted Client Hello

The risk

Why this matters

Even with encrypted DNS, the TLS handshake's Server Name Indication (SNI) sends the destination domain in plaintext. Your ISP can still see which sites you visit. Encrypted Client Hello (ECH) fixes this, but adoption is patchy.

How to set it up

  1. Use Firefox (currently the best ECH support)

  2. In about:config: set network.dns.echconfig.enabled to true

  3. Set network.dns.use_https_rr_as_altsvc to true

  4. Enable DNS over HTTPS (required for ECH to work)

  5. Test at defo.ie/ech-check.php