mirror of
https://github.com/mikaela/mikaela.github.io/
synced 2024-11-25 22:09:24 +01:00
HTTPS Everywhere: sneak in ECH, add section on Firefox DoH & Wikipedia links
This commit is contained in:
parent
59025bacf6
commit
1ddb0b9f36
@ -28,6 +28,7 @@ for those is the official documentation (bottom of the page).
|
|||||||
- [Chromium](#chromium)
|
- [Chromium](#chromium)
|
||||||
- [DNS-over-HTTPS](#dns-over-https)
|
- [DNS-over-HTTPS](#dns-over-https)
|
||||||
- [Firefox](#firefox)
|
- [Firefox](#firefox)
|
||||||
|
- [DNS-over-HTTPS](#dns-over-https-1)
|
||||||
- [Documentation and other policies](#documentation-and-other-policies)
|
- [Documentation and other policies](#documentation-and-other-policies)
|
||||||
|
|
||||||
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
|
||||||
@ -79,6 +80,7 @@ a matter of creating a json file there, e.g.
|
|||||||
|
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
|
"EncryptedClientHelloEnabled": true,
|
||||||
"HttpsOnlyMode": "force_enabled",
|
"HttpsOnlyMode": "force_enabled",
|
||||||
"HttpsUpgradesEnabled": true
|
"HttpsUpgradesEnabled": true
|
||||||
}
|
}
|
||||||
@ -92,6 +94,19 @@ Of course the user can still navigate there, but HTTPS Everywhere the
|
|||||||
extension had that behaviour too and there is likely a separate policy for
|
extension had that behaviour too and there is likely a separate policy for
|
||||||
that.
|
that.
|
||||||
|
|
||||||
|
_EncryptedClientHello was added here some hours after publishing the article
|
||||||
|
alongside with Firefox DNS-over-HTTPS. See the bottom of page for changelog
|
||||||
|
link._
|
||||||
|
|
||||||
|
To put `EncryptedClientHello` simply, it will hide which domain you are
|
||||||
|
requesting from https capable web server, which may be serving multiple
|
||||||
|
domains when DNS-Over-HTTPS is used (browser restriction, not ECH), while
|
||||||
|
generally the query for `example.net` would go in plaintext alongside _Server
|
||||||
|
Name Indication_.
|
||||||
|
|
||||||
|
It's good for your privacy, bad for enterprise network admin or those willing
|
||||||
|
to perform censorship.
|
||||||
|
|
||||||
### DNS-over-HTTPS
|
### DNS-over-HTTPS
|
||||||
|
|
||||||
You might have noticed that Chromium no longer allows you to use DNS over
|
You might have noticed that Chromium no longer allows you to use DNS over
|
||||||
@ -162,6 +177,7 @@ editor and have contents similar to:
|
|||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"policies": {
|
"policies": {
|
||||||
|
"DisableEncryptedClientHello": false,
|
||||||
"Preferences": {
|
"Preferences": {
|
||||||
"dom.block_download_insecure": {
|
"dom.block_download_insecure": {
|
||||||
"Status": "locked",
|
"Status": "locked",
|
||||||
@ -184,6 +200,58 @@ within settings HTTPS-Only mode is used in all windows and grayed out.
|
|||||||
|
|
||||||
An easy test is again [http.badssl.com](http://http.badssl.com).
|
An easy test is again [http.badssl.com](http://http.badssl.com).
|
||||||
|
|
||||||
|
### DNS-over-HTTPS
|
||||||
|
|
||||||
|
_This section was edited in afterwards some hours after the publishing. Refer
|
||||||
|
to the log link on the bottom for more information._
|
||||||
|
|
||||||
|
Like Chromium, Firefox also supports DoH, although here it must be in the
|
||||||
|
same `/etc/firefox/policies/policies.json` file as before. It's simply appended
|
||||||
|
(or prepended) a bit:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"policies": {
|
||||||
|
"DNSOverHTTPS": {
|
||||||
|
"Enabled": true,
|
||||||
|
"Fallback": false,
|
||||||
|
"Locked": true,
|
||||||
|
"ProviderURL": "https://dns.quad9.net/dns-query"
|
||||||
|
},
|
||||||
|
"DisableEncryptedClientHello": false,
|
||||||
|
"Preferences": {
|
||||||
|
"dom.block_download_insecure": {
|
||||||
|
"Status": "locked",
|
||||||
|
"Type": "boolean",
|
||||||
|
"Value": true
|
||||||
|
},
|
||||||
|
"dom.security.https_only_mode": {
|
||||||
|
"Status": "locked",
|
||||||
|
"Type": "boolean",
|
||||||
|
"Value": true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
The new sections are also quite self-explanatory with boolean `true` or `false`
|
||||||
|
values.
|
||||||
|
|
||||||
|
- Is DoH enabled by default?
|
||||||
|
- Is it OK to automatically use system resolver if the DoH server doesn't
|
||||||
|
work? (There is a similar warning as with HTTPS only mode even if this was
|
||||||
|
`false` like in the example.)
|
||||||
|
- Is the user allowed to change these options (including which DoH server (if
|
||||||
|
any) they want to use) or are they grayed out? I like locking it so I don't
|
||||||
|
have to worry where else I may have configured it.
|
||||||
|
- Which URL is used for queries? I am under impression that unlike with
|
||||||
|
Chromium, multiple addresses aren't allowed here.
|
||||||
|
|
||||||
|
_I have a temptation to also write about preferring IPv6 connections through
|
||||||
|
DoH in Firefox, but that would be even more off-topic and this page already
|
||||||
|
provides all the examples and links interested reader would need for that._
|
||||||
|
|
||||||
## Documentation and other policies
|
## Documentation and other policies
|
||||||
|
|
||||||
In case you have talked with me recently, chances are you have heard me
|
In case you have talked with me recently, chances are you have heard me
|
||||||
@ -209,5 +277,9 @@ complaining about all the nice settings being hidden in browser policy.
|
|||||||
- [Deploying uBlock Origin](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin) and [deploying uBlock Origin configuration](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin:-configuration)
|
- [Deploying uBlock Origin](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin) and [deploying uBlock Origin configuration](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin:-configuration)
|
||||||
- These also apply to [AdNauseam](https://adnauseam.io/), just change the
|
- These also apply to [AdNauseam](https://adnauseam.io/), just change the
|
||||||
extension ID in your policy.
|
extension ID in your policy.
|
||||||
|
- Possibly helpful Wikipedia articles:
|
||||||
|
- [HTTPS Everywhere](https://en.m.wikipedia.org/wiki/HTTPS_Everywhere)
|
||||||
|
- [DNS-over-HTTPS](https://en.m.wikipedia.org/wiki/DNS_over_HTTPS)
|
||||||
|
- [Server Name Indication & Encrypted Client-Hello](https://en.m.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello)
|
||||||
|
|
||||||
[_GitHub commits for this page._](https://github.com/Mikaela/mikaela.github.io/commits/master/blog/_posts/2024-05-17-https-everywhere.md)
|
[_GitHub commits for this page._](https://github.com/Mikaela/mikaela.github.io/commits/master/blog/_posts/2024-05-17-https-everywhere.md)
|
||||||
|
Loading…
Reference in New Issue
Block a user