Aug 15 2022 01:21 PM
How to enable Encrypted Client Hello (ECH) in Microsoft Edge version 105 and above.
Right-click on the desktop shortcut of the Edge browser, select Properties, and add this at the end of the target:
--enable-features=EncryptedClientHello
so that it will look like this: (there is a space before --)
Preferably, turn on these related flags as well to improve the overall experience of this feature.
edge://flags/#dns-https-svcb
edge://flags/#use-dns-https-svcb-alpn
Make sure to go to Edge settings edge://settings/privacy and turn on Secure DNS and choose Cloudflare. Now restart the browser, visit this webpage and confirm ECH is enabled.
Read more about how Encrypted Client Hello is useful and how it protects your privacy.
https://blog.cloudflare.com/encrypted-client-hello/
The Use Cases and Benefits of SVCB and HTTPS DNS Record Types (this is for the flags you turned on)
Chrome platform status for ECH
https://chromestatus.com/feature/6196703843581952
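An added example, not part of the original post or of Edge's code: the HTTPS DNS record that the dns-https-svcb flags make the browser look up is where a site publishes its ECH configuration. This Python parser reads such a record's RDATA and extracts each config's public_name, the name a client sends in the outer, unencrypted SNI. The sample record, its all-zero key and the name cover.example.test are constructed for illustration.

```python
import struct
ECH_KEY, ECH_VERSION = 5, 0xFE0D  # SvcParamKey "ech"; ECHConfig version

def parse_https_rdata(rdata):
    """Return (priority, target, {SvcParamKey: raw value}) for HTTPS/SVCB RDATA."""
    (priority,) = struct.unpack_from("!H", rdata, 0)
    labels, off = [], 2
    while rdata[off]:  # TargetName is an uncompressed DNS name
        labels.append(rdata[off + 1:off + 1 + rdata[off]].decode("ascii"))
        off += 1 + rdata[off]
    off, params = off + 1, {}
    while off < len(rdata):  # SvcParams: 2-byte key, 2-byte length, value
        key, length = struct.unpack_from("!HH", rdata, off)
        params[key] = rdata[off + 4:off + 4 + length]
        off += 4 + length
    return priority, ".".join(labels) or ".", params

def ech_public_names(ech_value):
    """Walk an ECHConfigList; return the public_name of each 0xfe0d config."""
    (total,) = struct.unpack_from("!H", ech_value, 0)
    if total != len(ech_value) - 2:
        raise ValueError("ECHConfigList length mismatch")
    names, off = [], 2
    while off < len(ech_value):
        version, length = struct.unpack_from("!HH", ech_value, off)
        body, off = ech_value[off + 4:off + 4 + length], off + 4 + length
        if version != ECH_VERSION:
            continue  # skip versions this parser does not understand
        (pk_len,) = struct.unpack_from("!H", body, 3)  # after config_id, kem_id
        (cs_len,) = struct.unpack_from("!H", body, 5 + pk_len)
        p = 7 + pk_len + cs_len + 1  # skip maximum_name_length
        names.append(body[p + 1:p + 1 + body[p]].decode("ascii"))
    return names

def sample_rdata(name=b"cover.example.test"):
    """Constructed record: priority 1, target ".", alpn=h2, one ECH config."""
    contents = (bytes([7]) + struct.pack("!HH", 0x0020, 32) + bytes(32)  # id, KEM, dummy key
                + struct.pack("!HHH", 4, 1, 1)      # one HPKE cipher suite
                + bytes([0, len(name)]) + name      # maximum_name_length, public_name
                + struct.pack("!H", 0))             # no extensions
    config = struct.pack("!HH", ECH_VERSION, len(contents)) + contents
    ech = struct.pack("!H", len(config)) + config
    return (struct.pack("!H", 1) + b"\x00"
            + struct.pack("!HH", 1, 3) + b"\x02h2"
            + struct.pack("!HH", ECH_KEY, len(ech)) + ech)

if __name__ == "__main__":
    prio, target, params = parse_https_rdata(sample_rdata())
    print(prio, target, ech_public_names(params.get(ECH_KEY, b"\x00\x00")))
```

A record with no ech parameter means the site has not published an ECH configuration, so a client has nothing to encrypt the inner ClientHello to, regardless of browser flags.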
Sep 28 2022 01:26 AM
Oct 03 2022 01:08 PM
Dec 08 2022 09:55 AM
Jan 31 2023 09:55 PM
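@HYKMI You also need to go to Edge settings - Privacy, search, and services - Use secure DNS to specify how to lookup the network address for websites - Choose a service provider - and select Cloudflare's DNS.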
Feb 16 2023 02:00 AM
@TairikuOkami wrote:
No, you can not, it only works to disable ECH, not to enable it.
You have to run Edge with a parameter. This policy is useless.
https://postimg.cc/B8tjxQb3 - https://postimg.cc/jW9Lv0n7
I only talked about the command line switch though, and it does work. The Group Policy used to manage it doesn't enforce it like this command line switch does.
Feb 26 2023 02:55 PM - edited Feb 26 2023 03:49 PM
Hello,
I tried what you said with Edge 110.0.1587.56. Cloudflare shows working at https://www.cloudflare.com/ssl/encrypted-sni/ but not https://defo.ie/ech-check.php
I did the following:
1) Enable "Use DNS https alpn" at edge://flags/#use-dns-https-svcb-alpn
(I don't see edge://flags/#dns-https-svcb )
2) Edit Edge shortcut to include --enable-features=EncryptedClientHello
3) Kill all Edge processes with "taskkill /im msedge.exe /f"
4) Open Edge and go to both sites to see if ESNI works
It shows that ESNI is working on the Cloudflare site but not defo.ie. Any thoughts on whether the defo.ie site may not be working, or whether it is something on my side/ISP? My main DNS servers on my Asus router are 1.1.1.1 and 9.9.9.9 with IPv6 equivalents and utilize DoT.
I seem to get mixed results with Secure DNS and Secure SNI when I refresh and do Check My Browser or kill msedge and try again. Secure SNI will show not working at first and Secure DNS working. When I refresh, Secure DNS will show not working but Secure SNI working. Both DNS providers support DNSSEC. Two things here Secure DNS and Secure SNI but hoping to use two DNS providers and if 9.9.9.9 doesn't support Secure SNI, is there an alternative I can try?
Thanks,
Jason
Jun 26 2023 10:36 AM
I just tried this again in Edge Version 114.0.1823.58 (Official build) (64-bit) and it's working.
Use the same procedure I explained in my post and it should work. Just make sure Startup boost isn't on, so that when you change the command line flags it will take effect immediately.
Cloudflare's website is also updated to support ECH and it detects it too.
Here I checked it with Wireshark too for this site: https://defo.ie/ech-check.php
Aug 03 2023 07:41 AM - edited Aug 03 2023 07:45 AM
Not working in new Edge 115 version and startup boost is disabled.
Aug 10 2023 11:47 AM
Oct 01 2023 07:40 AM - edited Oct 01 2023 07:44 AM
@HotCakeX The ECH test passed, but when I captured packets with Wireshark, I saw the real domain name in the SNI; see the screenshot. What is going on?
Oct 06 2023 09:07 AM