HTTPS Everywhere: sneak in ECH, add section on Firefox DoH & Wikipedia links

This commit is contained in:
Aminda Suomalainen 2024-05-17 16:05:20 +03:00
parent 59025bacf6
commit 1ddb0b9f36
Signed by: Mikaela
SSH Key Fingerprint: SHA256:CXLULpqNBdUKB6E6fLA1b/4SzG0HvKD19PbIePU175Q


@ -28,6 +28,7 @@ for those is the official documentation (bottom of the page).
- [Chromium](#chromium) - [Chromium](#chromium)
- [DNS-over-HTTPS](#dns-over-https) - [DNS-over-HTTPS](#dns-over-https)
- [Firefox](#firefox) - [Firefox](#firefox)
- [DNS-over-HTTPS](#dns-over-https-1)
- [Documentation and other policies](#documentation-and-other-policies) - [Documentation and other policies](#documentation-and-other-policies)
<!-- END doctoc generated TOC please keep comment here to allow auto update --> <!-- END doctoc generated TOC please keep comment here to allow auto update -->
@ -79,6 +80,7 @@ a matter of creating a json file there, e.g.
```json ```json
{ {
"EncryptedClientHelloEnabled": true,
"HttpsOnlyMode": "force_enabled", "HttpsOnlyMode": "force_enabled",
"HttpsUpgradesEnabled": true "HttpsUpgradesEnabled": true
} }
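Review bot: The `EncryptedClientHelloEnabled` key is dropped into the Chromium example with no hint that, as the ECH paragraph further down states, the browser only uses ECH when DNS-over-HTTPS is in use. A reader who applies just this snippet will expect ECH to be active; a short pointer next to the block ("see the DNS-over-HTTPS section below, ECH depends on it") would prevent that.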
@ -92,6 +94,19 @@ Of course the user can still navigate there, but HTTPS Everywhere the
extension had that behaviour too and there is likely a separate policy for extension had that behaviour too and there is likely a separate policy for
that. that.
_EncryptedClientHello was added here some hours after publishing the article
alongside with Firefox DNS-over-HTTPS. See the bottom of page for changelog
link._
To put `EncryptedClientHello` simply, it will hide which domain you are
requesting from https capable web server, which may be serving multiple
domains when DNS-Over-HTTPS is used (browser restriction, not ECH), while
generally the query for `example.net` would go in plaintext alongside _Server
Name Indication_.
It's good for your privacy, bad for enterprise network admin or those willing
to perform censorship.
### DNS-over-HTTPS ### DNS-over-HTTPS
You might have noticed that Chromium no longer allows you to use DNS over You might have noticed that Chromium no longer allows you to use DNS over
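Review bot: The sentence starting "To put `EncryptedClientHello` simply" runs three ideas together and the parenthetical "(browser restriction, not ECH)" is hard to attach to anything; split it into one sentence on what ECH hides (the server name that otherwise travels in plaintext in the Server Name Indication, relevant when one server hosts several domains) and one on the browser-side precondition that DoH must be in use. Smaller wording points in the same hunk: "alongside with Firefox DNS-over-HTTPS" should read "alongside Firefox DNS-over-HTTPS", "from https capable web server" should read "from an HTTPS-capable web server", and "DNS-Over-HTTPS" is spelled "DNS-over-HTTPS" elsewhere on the page.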
@ -162,6 +177,7 @@ editor and have contents similar to:
```json ```json
{ {
"policies": { "policies": {
"DisableEncryptedClientHello": false,
"Preferences": { "Preferences": {
"dom.block_download_insecure": { "dom.block_download_insecure": {
"Status": "locked", "Status": "locked",
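Review bot: `"DisableEncryptedClientHello": false` is a double negative that is easy to misread as turning ECH off, and unlike the Chromium change this hunk adds no explanatory prose near the block; one sentence after it stating that `false` leaves ECH enabled (and locks that choice via policy) would make the intent clear. The same note as for Chromium applies if Firefox has the same DoH precondition, but that should only be stated if verified.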
@ -184,6 +200,58 @@ within settings HTTPS-Only mode is used in all windows and grayed out.
An easy test is again [http.badssl.com](http://http.badssl.com). An easy test is again [http.badssl.com](http://http.badssl.com).
### DNS-over-HTTPS
_This section was edited in afterwards some hours after the publishing. Refer
to the log link on the bottom for more information._
Like Chromium, Firefox also supports DoH, although here it must be in the
same `/etc/firefox/policies/policies.json` file as before. It's simply appended
(or prepended) a bit:
```json
{
"policies": {
"DNSOverHTTPS": {
"Enabled": true,
"Fallback": false,
"Locked": true,
"ProviderURL": "https://dns.quad9.net/dns-query"
},
"DisableEncryptedClientHello": false,
"Preferences": {
"dom.block_download_insecure": {
"Status": "locked",
"Type": "boolean",
"Value": true
},
"dom.security.https_only_mode": {
"Status": "locked",
"Type": "boolean",
"Value": true
}
}
}
}
```
The new sections are also quite self-explanatory with boolean `true` or `false`
values.
- Is DoH enabled by default?
- Is it OK to automatically use system resolver if the DoH server doesn't
work? (There is a similar warning as with HTTPS only mode even if this was
`false` like in the example.)
- Is the user allowed to change these options (including which DoH server (if
any) they want to use) or are they grayed out? I like locking it so I don't
have to worry where else I may have configured it.
- Which URL is used for queries? I am under impression that unlike with
Chromium, multiple addresses aren't allowed here.
_I have a temptation to also write about preferring IPv6 connections through
DoH in Firefox, but that would be even more off-topic and this page already
provides all the examples and links interested reader would need for that._
## Documentation and other policies ## Documentation and other policies
In case you have talked with me recently, chances are you have heard me In case you have talked with me recently, chances are you have heard me
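Review bot: The bullet explaining `Fallback` says "There is a similar warning as with HTTPS only mode even if this was `false` like in the example" without saying what warning is shown or where; name the UI location or rephrase, since with `Fallback: false` and `Locked: true` a reader cannot recover via settings if the configured resolver is unreachable. The four bullets are also easier to follow if each names the key it describes (`Enabled`, `Fallback`, `Locked`, `ProviderURL`) rather than relying on order. Wording: "It's simply appended (or prepended) a bit" reads oddly, something like "a `DNSOverHTTPS` block is added next to the earlier keys" is clearer; "edited in afterwards some hours after the publishing" repeats itself ("edited in some hours after publishing"); "I am under impression" should be "I am under the impression"; and "grayed out" here versus the earlier hunk header's spelling should be kept consistent within the file.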
@ -209,5 +277,9 @@ complaining about all the nice settings being hidden in browser policy.
- [Deploying uBlock Origin](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin) and [deploying uBlock Origin configuration](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin:-configuration) - [Deploying uBlock Origin](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin) and [deploying uBlock Origin configuration](https://github.com/gorhill/uBlock/wiki/Deploying-uBlock-Origin:-configuration)
- These also apply to [AdNauseam](https://adnauseam.io/), just change the - These also apply to [AdNauseam](https://adnauseam.io/), just change the
extension ID in your policy. extension ID in your policy.
- Possibly helpful Wikipedia articles:
- [HTTPS Everywhere](https://en.m.wikipedia.org/wiki/HTTPS_Everywhere)
- [DNS-over-HTTPS](https://en.m.wikipedia.org/wiki/DNS_over_HTTPS)
- [Server Name Indication & Encrypted Client-Hello](https://en.m.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello)
[_GitHub commits for this page._](https://github.com/Mikaela/mikaela.github.io/commits/master/blog/_posts/2024-05-17-https-everywhere.md) [_GitHub commits for this page._](https://github.com/Mikaela/mikaela.github.io/commits/master/blog/_posts/2024-05-17-https-everywhere.md)
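Review bot: The three Wikipedia links use the mobile host `en.m.wikipedia.org`, which redirects desktop readers to the mobile layout; use the canonical `en.wikipedia.org` URLs (the same paths) so the links render correctly everywhere.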