Modern Browser with a feature to disable SNI
I want to know if there is any modern client browser which allows disabling the SNI (server name indication) extension of the TLS.
I want to know because it seems that my ISP blocks some HTTPS websites depending on the SNI feature because the server name is sent in plain text.
This paper provides more insight but their tool to disable SNI-based filtering is outdated.
(NB: I know that I can just use VPN. I know that a lot of websites won't work if I don't use SNI. Moreover, I don't want to install old outdated browsers which didn't have SNI, eg: Firefox 1.5 or chrome 5.7)
Recently firefox added ESNI support as an experimental feature. This means that on sites that support it (over TLS1.3), the browser will send encrypted server name during handshake.
Many of the sites behind cloudflare currently support it (some are still using tls1.2 though).
(Un)fortunately(?) currently ESNI on firefox is paired with DoH, meaning you should also enable trr on the browser. See here
To enable ESNI on firefox:
-
about:config
network.trr.mode: 2
network.trr.uri: https://dns.google/dns-query
(the default did not work for me)network.security.esni.enabled: true
Restart
Validate whether ESNI is enabled in your browser: https://www.cloudflare.com/ssl/encrypted-sni/
Check whther the site you want to access supports tls1.3 (then there is a high chance that it will also support esni): https://www.cdn77.com/tls-test
Make some requests
-
about:networking#dns
- Can check whether any requests use ESNI