SNI stands for Server Name Indication. It’s an extension to TLS that allows multiple online services (websites) with unique encryption certificates to share the same IP address.
Wait…what’s TLS? And “encryption certificates”?
TLS, or Transport Layer Security, is a protocol that encrypts (scrambles) data in transit over the Internet so that it cannot be read or tampered with on the way. Let’s say you’re doing a bank transaction online. You won’t want a “middle man”, say your internet provider, your Wi-Fi network admin, or a nefarious hacker, to snoop on the transaction. This is where TLS comes in handy. It is part of the software stack that allows online services to protect sensitive data transfers by encrypting them on the way to your computer or mobile device.
Any website aiming to provide an encrypted connection needs a digitally signed certificate issued for its domain name. Such certificates can be obtained from a certificate authority (CA) such as Comodo, Let’s Encrypt, Cloudflare, VeriSign, etc.
Why encrypted SNI?
There’s been a recent trend to encrypt all communication that happens online, be it the content of websites or the DNS queries used to reach those sites. Part of this is a push to improve the privacy of all types of data transfers (not just sensitive data), and part is due to the broad availability of encryption options at little to no cost. Encrypted sites also fare better in Google search results, which is a nice little incentive on top.
SNI is the weak link in this equation, because it is not encrypted by default. The SNI extension is sent in the very first TLS message (the ClientHello), before any encryption has been negotiated, so it carries the website’s hostname in plain text. Anyone on the network path, your internet provider for example, can read that hostname and use it to detect and block the connection, even though the rest of the session is encrypted. Encrypted SNI (eSNI) was introduced as a proposal to close this loophole.
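To make the “plain text” point concrete, here is an added example (not code from the original post) that builds a minimal TLS ClientHello carrying an SNI extension and then parses it the way a passive network monitor would, pulling the hostname straight out of the unencrypted bytes. The ClientHello is a constructed sample (zeroed random, one cipher suite) rather than a capture; the record layout follows the public TLS and RFC 6066 wire formats, and the parser returns None for anything that is not a well-formed ClientHello, including truncated input.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record with a server_name extension.

    This is a constructed sample for illustration, not a full handshake:
    the 32-byte random is zeroed and only one cipher suite is offered.
    """
    host = hostname.encode("ascii")
    # ServerNameList entry: name_type=0 (host_name), 2-byte length, the name
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # type 0 = server_name
    # An unrelated, empty extension first, so the parser has to walk the list
    other_ext = struct.pack("!HH", 0x0017, 0)  # extended_master_secret
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + b"\x00" * 32                        # random (zeroed in this sample)
        + b"\x00"                             # session_id length: 0
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"                         # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Bounds-checked big-endian cursor over a byte string."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated TLS record")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, width: int) -> int:
        return int.from_bytes(self.take(width), "big")

    def remaining(self) -> int:
        return len(self.data) - self.pos


def extract_sni(record: bytes):
    """Return the plaintext hostname from a ClientHello record, or None.

    Nothing here decrypts anything: the name is readable because the
    ClientHello is sent before the TLS session has any keys.
    """
    try:
        r = _Reader(record)
        if r.uint(1) != 0x16:            # content_type must be handshake
            return None
        r.take(2)                         # record-layer version
        hs = _Reader(r.take(r.uint(2)))
        if hs.uint(1) != 0x01:            # handshake type must be ClientHello
            return None
        body = _Reader(hs.take(hs.uint(3)))
        body.take(2 + 32)                 # client_version + random
        body.take(body.uint(1))           # session_id
        body.take(body.uint(2))           # cipher_suites
        body.take(body.uint(1))           # compression_methods
        if body.remaining() == 0:         # no extensions at all
            return None
        exts = _Reader(body.take(body.uint(2)))
        while exts.remaining() >= 4:
            ext_type = exts.uint(2)
            ext_data = _Reader(exts.take(exts.uint(2)))
            if ext_type != 0x0000:        # only server_name interests us
                continue
            names = _Reader(ext_data.take(ext_data.uint(2)))
            while names.remaining() >= 3:
                name_type = names.uint(1)
                name = names.take(names.uint(2))
                if name_type == 0:        # host_name entry
                    return name.decode("ascii", errors="replace")
        return None
    except ValueError:
        return None


if __name__ == "__main__":
    sample = build_client_hello("example.com")
    print("observer sees SNI:", extract_sni(sample))
```

Running the script prints the hostname recovered from the unencrypted bytes; with eSNI the server_name extension is replaced by an encrypted one, so a parser like this sees no host_name entry and gets None.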
Read more about encrypted SNI and Firefox’s support on Cloudflare…
Note that the proposal is still under review, has undergone multiple revisions, and may take years to become a standard. Encrypted SNI also works only when it has been enabled on both the client (your computer) and server (the website) side. All this is to say that support in Firefox is currently experimental and will continue to improve as the eSNI draft matures.
How to enable eSNI in Firefox?
Firefox is currently the only web browser to support eSNI. Other browsers are expected to follow suit when the proposal becomes a standard.
Before enabling eSNI, I recommend enabling encrypted DNS in Firefox. Unencrypted (or “plain text”) DNS defeats the purpose of eSNI, since the DNS lookup reveals the same hostname that eSNI is hiding, so follow these quick steps to encrypt it first:
Open Firefox, and go to Tools (⚙) > Options.
Scroll all the way down to Network Settings and click the Settings… button.
Once again, scroll all the way down to “Enable DNS over HTTPS”. Select your DNS provider, enable the option, and click OK.
Now that DNS over HTTPS (DoH) is on, follow these steps to enable eSNI:
In the Firefox address bar, type about:config and hit Enter.
Accept the prompt to “proceed with caution”.
Search for “esni” and click the “Toggle” button next to network.security.esni.enabled to enable this switch.
That does the job. Firefox will encrypt SNI requests to websites that support the feature, and your browsing sessions will be a bit more private.
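Both procedures above (DNS over HTTPS first, then the about:config switch) end up as preferences in the Firefox profile’s prefs.js file. As an added check that is not part of the original post, the script below parses user_pref lines from that file and reports whether DoH and eSNI are both on, flagging the case the post warns about: eSNI enabled while DNS is still plain text. The prefs.js content is a constructed sample; the preference names network.trr.mode (DoH mode, where 2 and 3 mean DoH is in use) and network.security.esni.enabled are real Firefox preferences, and the profile path is an assumption you would replace with your own.

```python
import re

# Matches one prefs.js line such as: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse user_pref lines from prefs.js into a {name: value} dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def assess(prefs: dict) -> dict:
    """Decide whether DoH and eSNI are effective together."""
    # network.trr.mode defaults to 0 (DoH off); 2 = DoH with fallback, 3 = DoH only
    trr_mode = prefs.get("network.trr.mode", 0)
    doh_on = trr_mode in (2, 3)
    esni_on = prefs.get("network.security.esni.enabled", False) is True
    if esni_on and doh_on:
        verdict = "ok: DNS and SNI both encrypted for sites that support eSNI"
    elif esni_on:
        verdict = "weak: eSNI is on but plain-text DNS still reveals the hostname"
    elif doh_on:
        verdict = "partial: DNS is encrypted but SNI still reveals the hostname"
    else:
        verdict = "off: hostname visible in both DNS and SNI"
    return {"doh": doh_on, "esni": esni_on, "trr_mode": trr_mode, "verdict": verdict}


def assess_prefs_text(text: str) -> dict:
    return assess(parse_prefs(text))


# Constructed sample prefs.js: eSNI toggled on, but DoH never enabled
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.security.esni.enabled", true);
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Assumed usage: python check_esni.py /path/to/profile/prefs.js
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(assess_prefs_text(fh.read())["verdict"])
    else:
        print(assess_prefs_text(SAMPLE_PREFS)["verdict"])
```

Point it at the prefs.js inside your profile directory (close Firefox first so the file is current); the sample run reports the “weak” case because eSNI was toggled on without DoH.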