Security/Encrypted Client Hello

4 bytes removed, 11:49, 7 October 2023
Update section titles
* ECH status can be accessed via the Extension API GetSecurityInfo; see the [https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest/SecurityInfo MDN documentation].
====== Preferences ======
{| class="wikitable"
Note that DoH must also be enabled for ECH to be actively used. This is exposed as a user-visible setting in <code>about:preferences</code>. See also the [https://wiki.mozilla.org/Trusted_Recursive_Resolver TRR Prefs] and the [https://wiki.mozilla.org/Security/DNS_Over_HTTPS DoH Prefs].
====== Interaction with Revocation Checking ======
Firefox supports various methods for checking whether certificates have been revoked, including OCSP, OCSP Stapling and (experimentally) CRLite. OCSP requires querying the issuing CA for the certificate's revocation status, and so leaks information about the site a user is visiting. Consequently, sites deploying ECH should also use OCSP Stapling or short-lived certificates, which don't involve any network communication and so improve user privacy (Cloudflare deploys OCSP Stapling universally). If sites do not use OCSP Stapling, ECH still provides a substantial privacy benefit, as OCSP responses are cached for multiple days and so the majority of site visits will be protected. In the longer term, CRLite will allow for privacy-preserving revocation checking without requiring action by site operators.
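The following WebExtension background script is an added example, not code from this page or from Mozilla. It reads the ECH status through <code>webRequest.getSecurityInfo</code> and flags the DoH and OCSP conditions described above. It assumes the <code>usedEch</code>, <code>usedPrivateDns</code> and <code>usedOcsp</code> fields documented on MDN and the <code>webRequest</code> and <code>webRequestBlocking</code> permissions; the function name, finding texts and sample objects are constructed for illustration.

```javascript
// Added example (not Mozilla's code). Field names follow the MDN SecurityInfo
// documentation; auditConnection and the finding texts are hypothetical.

// Turn one SecurityInfo object into a list of privacy findings for a host.
function auditConnection(host, info) {
  if (info.state !== "secure") {
    // Insecure or broken connections carry no usable TLS details.
    return { host, ech: false, findings: [`connection state is "${info.state}"`] };
  }
  const findings = [];
  if (!info.usedEch) {
    findings.push("ECH was not used for this connection");
  }
  if (!info.usedPrivateDns) {
    // The page notes that DoH must be enabled for ECH to be actively used.
    findings.push("DNS lookup was not private (DoH not in use)");
  }
  if (info.usedOcsp) {
    // A live OCSP query tells the issuing CA which certificate was checked.
    findings.push("an OCSP request was made; stapling or short-lived certificates avoid this");
  }
  return { host, ech: Boolean(info.usedEch), findings };
}

// Constructed SecurityInfo samples (not captured from a real browser session).
const SAMPLE_ECH = { state: "secure", usedEch: true, usedPrivateDns: true, usedOcsp: false };
const SAMPLE_LEAKY = { state: "secure", usedEch: false, usedPrivateDns: false, usedOcsp: true };
const SAMPLE_BROKEN = { state: "insecure" };

// Register the listener only when running inside a WebExtension.
// getSecurityInfo must be called from a blocking onHeadersReceived listener.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      const info = await browser.webRequest.getSecurityInfo(details.requestId, {});
      const report = auditConnection(new URL(details.url).hostname, info);
      console.log(report.host, report.ech ? "ECH" : "no ECH", report.findings);
    },
    { urls: ["https://*/*"], types: ["main_frame"] },
    ["blocking"]
  );
}
```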