Changes

Security/Encrypted Client Hello

1,044 bytes added, 11:48, 7 October 2023
Add note about OCSP and OCSP Stapling
Note that DoH must also be enabled for ECH to be actively used. This is exposed as a user visible setting in <code>about:preferences</code>. See also the [https://wiki.mozilla.org/Trusted_Recursive_Resolver TRR Prefs] and the [https://wiki.mozilla.org/Security/DNS_Over_HTTPS DoH Prefs].
 
====== Interaction with Revocation Checking ======
 
Firefox supports various methods for checking whether certificates have been revoked, including OCSP, OCSP Stapling and (experimentally) CRLite. OCSP requires querying the certificate's revocation status from the issuing CA, and so leaks information about the site a user is visiting. Consequently, sites deploying ECH should also use OCSP Stapling or short-lived certificates, which don't involve any network communication and so improve user privacy (Cloudflare deploys OCSP Stapling universally). If sites do not use OCSP Stapling, ECH still provides a substantial privacy benefit, as OCSP responses are cached for multiple days and so the majority of site visits will be protected. In the longer term, CRLite will allow for privacy-preserving revocation checking without requiring action by site operators.
 
Users who prefer improved privacy over the security of revocation checking can disable revocation checking via the browser UX in about:preferences (or in about:config by preference).
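An added example, not part of the wiki page or of Firefox itself: a small Python check over a constructed user.js fragment that applies the two points above, namely that ECH is only active when DoH is on, and that live OCSP fetching is the revocation method that leaks the visited site. The preference names network.trr.mode, network.dns.echconfig.enabled, security.OCSP.enabled and security.ssl.enable_ocsp_stapling are existing Firefox preferences that this page does not list, and the defaults assumed in the code are assumptions.

```python
import re

# Constructed sample in Firefox user.js/prefs.js syntax (not taken from the wiki page):
# ECH is switched on, but DoH (TRR) is off, so ECH will not actually be used.
SAMPLE_PREFS = """
user_pref("network.trr.mode", 0);
user_pref("network.dns.echconfig.enabled", true);
user_pref("security.OCSP.enabled", 1);
user_pref("security.ssl.enable_ocsp_stapling", true);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict with bool/int/str values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs


def assess(prefs):
    """Return (ech_active, findings) for a parsed preference set."""
    findings = []
    # TRR mode 2 (DoH first, fallback) or 3 (DoH only) means DoH is enabled.
    doh_on = prefs.get("network.trr.mode", 0) in (2, 3)
    ech_pref = prefs.get("network.dns.echconfig.enabled", False)
    ech_active = ech_pref and doh_on
    if ech_pref and not doh_on:
        findings.append("ECH enabled but DoH (network.trr.mode 2 or 3) is off: ECH is not used")
    # Assumed defaults: OCSP enabled (1) and stapling accepted (true).
    # With stapling ignored, every OCSP check is a live query to the CA, which
    # reveals the site even when the ClientHello itself is encrypted.
    if prefs.get("security.OCSP.enabled", 1) != 0 and not prefs.get(
            "security.ssl.enable_ocsp_stapling", True):
        findings.append("live OCSP fetches without stapling leak the visited site to the CA")
    return ech_active, findings


if __name__ == "__main__":
    active, notes = assess(parse_prefs(SAMPLE_PREFS))
    print("ECH active:", active, "|", "; ".join(notes) or "no findings")
```

This only inspects the client side; whether a given site actually staples OCSP responses is a property of the server, as the section above describes.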
==== Testing ECH and Reporting Bugs ====