We’re at the brink of encrypting everything in #TLS web requests that can still be encrypted. The remaining fields:

  • Encrypted #ClientHello (ECH). Firefox currently tests native HTTPS record querying so that most setups are supported directly. Can be enabled with network.dns.native_https_query.
  • Traditional TCP metadata is replaced with QUIC, which e.g. encrypts ACKs after the first key exchange. Automatically included in HTTP/3 and enabled in browsers.
  • Related: to protect from quantum computers, use a hybrid quantum-safe key exchange. For #TLS that’s a hybrid of x25519 and Kyber. Can be enabled in Firefox with security.tls.enable_kyber.
  • DNS requests. For many people this is the last place where the domain name still travels unencrypted. Choose a trusted DNS resolver and use DoT or DoH if possible. Later on, the world is also trying to secure recursive-to-authoritative queries with ADoQ and ADoT.

Some of this stuff can be tested with https://crypto.cloudflare.com/cdn-cgi/trace
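As an added example (not part of the original post), here is a small Python checker that parses the key=value lines the trace endpoint returns and reports which of the features above were in use for that connection. The field names http=, tls=, sni= and kex= and the values compared against are assumptions about the trace format; the sample trace is constructed, so the script runs offline.

```python
"""Parse a /cdn-cgi/trace response and report which TLS privacy features
the connection used. Field names and values are assumptions about the
trace format; SAMPLE_TRACE below is constructed, not a real capture."""
import urllib.request

SAMPLE_TRACE = """\
h=crypto.cloudflare.com
ip=203.0.113.7
ts=1700000000.000
visit_scheme=https
http=http/3
tls=TLSv1.3
sni=encrypted
kex=X25519Kyber768Draft00
"""


def parse_trace(text: str) -> dict[str, str]:
    """Turn 'key=value' lines into a dict; blank or malformed lines are skipped."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(fields: dict[str, str]) -> dict[str, bool]:
    """Map trace fields to the features discussed in the post.

    Assumed semantics: http= names the HTTP version (http/3 implies QUIC),
    tls= the TLS version, sni=encrypted means ECH was used, and kex= names
    the key exchange (a Kyber/ML-KEM hybrid means quantum-safe key exchange).
    """
    http = fields.get("http", "").lower()
    tls = fields.get("tls", "")
    sni = fields.get("sni", "").lower()
    kex = fields.get("kex", "").lower()
    return {
        "quic_http3": http == "http/3",
        "tls13": tls == "TLSv1.3",
        "ech": sni == "encrypted",
        "hybrid_pq_kex": "kyber" in kex or "mlkem" in kex,
    }


def report(text: str) -> list[str]:
    """Human-readable summary lines, one per feature, for a trace body."""
    result = assess(parse_trace(text))
    labels = {
        "quic_http3": "HTTP/3 over QUIC (encrypted transport metadata)",
        "tls13": "TLS 1.3",
        "ech": "Encrypted ClientHello (SNI hidden)",
        "hybrid_pq_kex": "hybrid post-quantum key exchange",
    }
    return [f"{'yes' if result[k] else 'no ':>3}  {labels[k]}" for k in labels]


def fetch_trace(url: str = "https://crypto.cloudflare.com/cdn-cgi/trace") -> str:
    """Fetch a live trace (network access required; not used by the offline run)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline run on the constructed sample; replace with fetch_trace() for a live check.
    print("\n".join(report(SAMPLE_TRACE)))
```

Note that urllib does not speak HTTP/3 or ECH itself, so a live fetch_trace() reports what the Python client negotiated, not what your browser would; paste the browser's trace output into report() to check the browser.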

Server-side support for HTTP/3 and ECH is still very much in the minority, but we’re getting there.