Web Access Protection and Encrypted Client Hello (ECH)


M-SOC

Greetings,

In light of Cloudflare's proposed standard, Encrypted Client Hello (ECH), which prevents intermediaries from seeing the web pages a user is visiting, has ESET roadmapped any enhancements to ensure the Web Access Protection feature in Endpoint Security will still be effective in monitoring web traffic from web browsers that have integrated ECH?

Reference: https://blog.cloudflare.com/announcing-encrypted-client-hello/

Thanks


Marcos (Administrator), marked as solution:

I don't think that any changes are needed. I've enabled maximum protection in the secure DNS setup in Firefox 118 and didn't notice any issues. HTTPS URLs were blocked and test files downloaded via HTTPS were detected.


31 minutes ago, Marcos said:

I don't think that any changes are needed. I've enabled maximum protection in the secure DNS setup in Firefox 118 and didn't notice any issues. HTTPS URLs were blocked and test files downloaded via HTTPS were detected.

The thing is, ESET's HTTPS scanning feature breaks Encrypted Client Hello. According to tests, SNIs aren't encrypted with default ESET. This is not just ESET of course; any product with HTTPS traffic scanning breaks it.
Only AdGuard for Windows can apply ECH (even though it decrypts the TLS connection like ESET) if you allow its DNS protection feature (enabled by default) and enable ECH from Advanced settings. It makes AdGuard handle the DNS and apply ECH.
So maybe this is not possible unless AV products with an HTTPS scanning feature like ESET handle DNS encryption by supporting ECH.
ECH is still not finalized and currently mainly supported by Cloudflare services, I think. But it looks like eventually it will become a standard.
So I'm curious how ESET is going to handle this case.

Sites to test if ECH is working or not:
https://tls-ech.dev/
https://defo.ie/ech-check.php
https://crypto.cloudflare.com/cdn-cgi/trace/

For the last test site, you'll have to check whether it reports sni=plaintext or sni=encrypted.

Edited by SeriousHoax
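An added check, not from the thread or from any vendor, that parses the key=value output of the crypto.cloudflare.com/cdn-cgi/trace endpoint listed above and reports whether the SNI reached the server encrypted; the sample trace text is constructed, and the field names other than sni= are assumed.

```python
"""Report whether ECH was in effect by parsing Cloudflare's /cdn-cgi/trace output."""
import urllib.request

TRACE_URL = "https://crypto.cloudflare.com/cdn-cgi/trace"  # test endpoint named in the thread


def parse_trace(text: str) -> dict:
    """Parse the endpoint's one-key=value-per-line body into a dict.

    Values may themselves contain '=', so only the first one splits the line.
    """
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def ech_status(text: str) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' from the sni= field.

    'plaintext' while the browser has ECH enabled is the symptom discussed in the
    thread: a TLS-inspecting product terminated the connection without ECH.
    'unknown' covers a response that does not carry the field at all.
    """
    sni = parse_trace(text).get("sni")
    return sni if sni in ("encrypted", "plaintext") else "unknown"


def fetch_trace(url: str = TRACE_URL, timeout: float = 10.0) -> str:
    """Fetch the live trace page (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample bodies (not real captures); keys other than sni= are assumed.
SAMPLE_TRACE_INTERCEPTED = "fl=0\nh=crypto.cloudflare.com\ntls=TLSv1.3\nsni=plaintext\n"
SAMPLE_TRACE_ECH = "fl=0\nh=crypto.cloudflare.com\ntls=TLSv1.3\nsni=encrypted\n"

if __name__ == "__main__":
    status = ech_status(fetch_trace())
    verdict = {"encrypted": "ECH is in effect",
               "plaintext": "ECH is NOT in effect (TLS inspection or no ECH config)",
               "unknown": "endpoint did not report SNI state"}[status]
    print(f"sni={status}: {verdict}")
```

Run it once with HTTPS scanning enabled and once with it disabled to reproduce the comparison made later in the thread.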

1 hour ago, SeriousHoax said:

Max Protection in Firefox doesn't appear to work.

First, verified that Cloudflare DNS servers were being used:


However, above ECH test sites all show it is not enabled. So @SeriousHoax is correct; Eset's SSL/TLS protocol scanning busts it.


I will also add that I am no fan of anything Cloudflare based, especially their DNS servers. DNS security tests I have run show my ISP (AT&T) DNS servers are far superior to Cloudflare's.

As such, I could care less about this Firefox feature.

Edited by itman

46 minutes ago, itman said:

I will also add that I am no fan of anything Cloudflare based, especially their DNS servers. DNS security tests I have run show my ISP (AT&T) DNS servers are far superior to Cloudflare's.

As such, I could care less about this Firefox feature.

It doesn't have to be Cloudflare DNS. Any DNS that supports one of the encrypted DNS protocols like DoH, DoT or DoQ works. For example, I use my custom NextDNS.

BTW, for Firefox one may have to manually set "network.dns.echconfig.enabled" to true. There are methods to enable it in Chromium browsers also.

Edited by SeriousHoax

3 hours ago, SeriousHoax said:

BTW, for Firefox one may have to manually set "network.dns.echconfig.enabled" to true.

Still a no-go. All three tests show ECH not enabled.

If I disable Eset HTTPS scanning, all three tests show ECH enabled.

-EDIT- According to Mozilla, ECH in Firefox 118+ is based on the existing DoH (DNS over HTTPS) processing. So assume Eset HTTPS scanning is also busting that.

Edited by itman

8 hours ago, itman said:

Still a no-go. All three tests show ECH not enabled.

If I disable Eset HTTPS scanning, all three tests show ECH enabled.

-EDIT- According to Mozilla, ECH in Firefox 118+ is based on the existing DoH (DNS over HTTPS) processing. So assume Eset HTTPS scanning is also busting that.

Yeah, all AV products with SSL scanning function bust ECH.
