ECH (Encrypted Client Hello) encrypts SNI, which is the only field in cleartext in a HTTPS connection. It requires use of an encrypted DNS server (Edit: no longer mandatory). Enabling this will further protect user privacy by shadowing what WMF sites they are connecting to.
It could also make WMF sites more censorship-resistant. Note that packets with ECH has a distinct signature, so a censor may choose to block it at all.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | ssingh | T252132 Deploy Wikimedia DNS: DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) public resolver | |||
| Open | Feature | None | T205378 Support ECH on Wikimedia servers |
The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that aren't are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!
unsubing, as I think I was added to this ticket by mistake. This is traffic/traffic security expertise, and they already triaged and aware of the task.
Mozilla have now launched ECH in Firefox. Cloudflare have also launched server side support globally. Chrome will be shipping ECH imminently.
Is it worth re-triaging this feature?
@DennisJJackson Hi and welcome to Phabricator! What in this ticket led you to asking for "retriage" (and what does that mean)?
@Aklapper - It looks like this issue was originally raised several years ago and put in the icebox. I'm flagging that the situation around standardization and deployment of ECH has changed rather dramatically since then. This work would also be closely aligned with Wikimedia's recent work on hosting secure DNS.
I'm just flagging that its worth taking a look at and seeing whether its still icebox priority for Wikimedia or whether its worth actively working on.
Hi @DennisJJackson: Thanks for the question. We do plan to work on ECH and enable it for our sites and have had some discussions internally. There is no timeline yet as such, for a variety of reasons, the limited browser support being one, though that has clearly changed over the past few weeks. There are some other considerations here as well such as the lack of server-side options for turning it on but we are hoping the DEfO project will provide the much needed support there for HAProxy, which is what we use for TLS termination.
Once we have defined some timeline, we will re-triage this task and share updates here. Thanks for checking!
Change #1122155 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/dns@master] wikimedia-ech: add ncredir-parking
Change #1122155 merged by Ssingh:
[operations/dns@master] wikimedia-ech: add ncredir-parking
Change #1132669 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] P:durum: add conditional to enable ECH
Change #1132730 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] aptrepo: add component for ECH-enabled nginx
Change #1132730 merged by Ssingh:
[operations/puppet@production] aptrepo: add component for ECH-enabled nginx
Change #1133135 had a related patch set uploaded (by Muehlenhoff; author: Muehlenhoff):
[operations/puppet@production] Add pbuilder hook for ECH builds
Change #1133190 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] hiera: acme_chief: add wikimedia-ech.org
Change #1133917 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/dns@master] utils: add a script to generate HTTPS TYPE65 records for ECH
Change #1133917 merged by Ssingh:
[operations/dns@master] utils: add a script to generate HTTPS TYPE65 records for ECH
Change #1133135 merged by Muehlenhoff:
[operations/puppet@production] Add pbuilder hook for ECH builds
Change #1133190 merged by Ssingh:
[operations/puppet@production] hiera: acme_chief: add wikimedia-ech.org
Change #1134726 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] package_builder: add bc package for OpenSSL build
Change #1134726 merged by Ssingh:
[operations/puppet@production] package_builder: add bc package for OpenSSL build
Mentioned in SAL (#wikimedia-operations) [2025-04-09T15:38:40Z] <sukhe> reprepro -C component/nginx-ech include bookworm-wikimedia openssl_3.4.1-1+ech1_amd64.changes: T205378
Change #1135728 had a related patch set uploaded (by Ssingh; author: Ssingh):
[integration/config@master] Zuul: [operations/debs/nginx-ech] Add debian-glue CI
Change #1135731 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] package_builder: add packages for nginx build
Change #1135733 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/debs/nginx-ech@master] Release 1.22.1-9+deb12u1+ech1
Change #1135731 abandoned by Ssingh:
[operations/puppet@production] package_builder: add packages for nginx build
Reason:
sticking to gitlab for now
Mentioned in SAL (#wikimedia-operations) [2025-04-11T13:33:46Z] <sukhe> reprepro -C component/nginx-ech include bookworm-wikimedia openssl_3.4.1-1+ech2_amd64.changes: T205378
Change #1135728 merged by jenkins-bot:
[integration/config@master] Zuul: [operations/debs/nginx-ech] Add debian-glue CI
Mentioned in SAL (#wikimedia-operations) [2025-04-11T15:23:28Z] <sukhe> reprepro -C component/nginx-ech include bookworm-wikimedia openssl_3.4.1-1+ech3_amd64.changes: T205378
Mentioned in SAL (#wikimedia-operations) [2025-04-11T15:37:24Z] <sukhe> reprepro -C component/nginx-ech include bookworm-wikimedia nginx_1.22.1-9+deb12u1+ech1_amd64.changes: T205378
Change #1136001 had a related patch set uploaded (by Hashar; author: Hashar):
[integration/config@master] Zuul: [operations/debs/nginx-ech] use component/nginx-ech
Change #1136001 merged by jenkins-bot:
[integration/config@master] Zuul: [operations/debs/nginx-ech] use component/nginx-ech
Change #1136005 had a related patch set uploaded (by Hashar; author: Hashar):
[integration/config@master] jjb: debian-glue should export COMPONENT
Change #1136005 merged by jenkins-bot:
[integration/config@master] jjb: debian-glue should export COMPONENT
Change #1136376 had a related patch set uploaded (by Ssingh; author: Ssingh):
[labs/private@master] hiera: durum: add dummy ECH private key
Change #1136376 merged by Ssingh:
[labs/private@master] hiera: durum: add dummy ECH private key
Mentioned in SAL (#wikimedia-operations) [2025-04-14T13:38:05Z] <sukhe> reprepro -C component/nginx-ech include bookworm-wikimedia nginx_1.22.1-9+deb12u1+ech2_amd64.changes: T205378
Change #1132669 merged by Ssingh:
[operations/puppet@production] P:durum: add conditional to enable ECH (durum2002)
Mentioned in SAL (#wikimedia-operations) [2025-04-16T14:22:06Z] <sukhe> reprepro -C component/nginx-ech include bookworm-wikimedia nginx_1.22.1-9+deb12u1+ech3_amd64.changes: T205378
Change #1137021 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/dns@master] wikimedia-dns.org: add TYPE65 records for check.wikimedia-dns.org
Change #1138823 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] P:durum: add conditional to enable ECH (esams)
Change #1138823 merged by Ssingh:
[operations/puppet@production] P:durum: add conditional to enable ECH (esams)
Mentioned in SAL (#wikimedia-operations) [2025-04-28T14:47:56Z] <sukhe> reprepro -C component/nginx-ech include bookworm-wikimedia nginx_1.22.1-9+deb12u1+ech4_amd64.changes: T205378
Change #1139525 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] P:durum: only log ECH status for ECH-enabled clients
Change #1139525 merged by Ssingh:
[operations/puppet@production] P:durum: only log ECH status for ECH-enabled clients
Change #1139542 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] hiera: durum: set do_ech true for all durum hosts
Change #1139542 merged by Ssingh:
[operations/puppet@production] hiera: durum: set do_ech true for all durum hosts
Change #1137021 merged by Ssingh:
[operations/dns@master] wikimedia-dns.org: add TYPE65 records for check.wikimedia-dns.org
Change #1139911 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] P:durum: hiera: log only ech_status
Change #1135733 abandoned by Ssingh:
[operations/debs/nginx-ech@master] Release 1.22.1-9+deb12u1+ech1
Reason:
for reason mentioned above
Change #1139911 merged by Ssingh:
[operations/puppet@production] P:durum: hiera: log only ech_status
Change #1140189 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/dns@master] wikimedia-ech.org: update zone file and add A/AAAA records
Change #1140189 merged by Ssingh:
[operations/dns@master] wikimedia-ech.org: update zone file and add A/AAAA records
Change #1142631 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/dns@master] type65.py: add support for generation of additional HTTPS SvcParams
Change #1142631 merged by Ssingh:
[operations/dns@master] type65.py: add support for generation of additional HTTPS SvcParams
Change #1156355 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/puppet@production] hiera: durum: revert ECH experiment
Change #1156373 had a related patch set uploaded (by Ssingh; author: Ssingh):
[operations/dns@master] wikimedia-dns.org: remove TYPE65 record
Change #1156373 merged by Ssingh:
[operations/dns@master] wikimedia-dns.org: remove TYPE65 record for check
Change #1156355 merged by Ssingh:
[operations/puppet@production] hiera: durum: revert ECH experiment