Your privacy is not only eroded by the websites you visit often; it is also exposed to your ISP, to the operator of any public WiFi you connect to, and to anyone else on the network path. A VPN tunnels your traffic so that those parties see only an encrypted connection to the VPN provider rather than the sites you visit (the provider itself still sees everything). If you cannot or do not want to use one, we highly recommend running a browsing experience security check.
Cloudflare has published an Encrypted Server Name Indication (ESNI) checker, a web page that tests whether the connection your browser just made to it was private: whether your DNS queries are encrypted, whether your resolver validates DNSSEC, which TLS version was negotiated and whether Encrypted SNI was used. One thing to understand clearly: the results reflect your browser and DNS configuration, not the website's. On public or open WiFi, where the network hands you its own DNS resolver, expect to fail the Secure DNS check unless you have configured encrypted DNS yourself. The tool is also a handy way to verify whether a privacy tool or "secure DNS" service you have set up is actually doing what it claims.
Browsing Experience Security Check
The Cloudflare ESNI checker automatically tests:
Whether your DNS queries and answers are encrypted (DNS over HTTPS or DNS over TLS),
Whether your DNS resolver validates DNSSEC,
Which version of TLS was used to connect to the page,
and whether your browser supports encrypted Server Name Indication (SNI).
Any failure means part of your browsing data is exposed to whoever controls or can observe the network path (the WiFi operator, the ISP, or an attacker spoofing the network): with plaintext DNS and cleartext SNI they can log every hostname you visit, and before TLS 1.3 the server's certificate is also sent in the clear. If a DNS response is forged and your resolver does not validate DNSSEC, you could also end up connecting to, and handing data to, a server you never intended to reach.
How secure is your browser?
Once you run the test, you get a result for each check, whether it failed, and what that means. It also suggests how to fix each failure. That said, let's get to understand what each of these terms means:
Secure DNS: Your DNS queries travel encrypted, over DNS over HTTPS (DoH) or DNS over TLS (DoT), instead of as plaintext UDP on port 53 that anyone on the path can read or tamper with. Cloudflare (1.1.1.1) and Google (8.8.8.8) both offer DoH and DoT endpoints; note that merely pointing your system at one of those addresses over plain port 53 encrypts nothing, so the encrypted mode has to be enabled in the browser or operating system. Most ISPs do not offer encrypted DNS, so if possible, configure this on your computer or router.
DNSSEC: Passing means your resolver validates DNSSEC signatures, so a forged DNS answer for a domain that signs its zone is rejected instead of being handed to your browser. It authenticates DNS records, not the website's content; that is the job of TLS.
TLS 1.3: The latest version of the TLS protocol, with many improvements for performance and privacy, including encryption of most of the handshake (such as the server's certificate) that earlier versions sent in the clear.
Encrypted SNI: Normally the hostname you are connecting to is sent unencrypted in the SNI extension of the very first TLS message, so even with encrypted DNS an observer still learns it. ESNI encrypts that field, keeping the hostname private when you visit an ESNI-enabled site. (The ESNI draft has since evolved into the Encrypted Client Hello (ECH) extension.)
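To make the Secure DNS and Encrypted SNI items concrete, here is an added example (not part of the original article or of Cloudflare's tool) that plays the role of the on-path eavesdropper. It builds a plaintext DNS query and a TLS ClientHello with constructed sample bytes, then shows that the hostname can be read straight out of both, which is exactly what DoH/DoT and ESNI respectively hide. For contrast it also wraps the same DNS query the way an RFC 8484 DoH GET request does, using Cloudflare's public DoH endpoint URL; the resolver URL is the only external name assumed, and the script runs fully offline.

```python
"""Eavesdropper's view of an unencrypted browsing session (constructed sample data)."""
import base64
import struct
from typing import Optional


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def qname_from_dns_query(packet: bytes) -> str:
    """Observer on UDP/53: recover the queried name from the raw bytes."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode())
        pos += length
    return ".".join(labels)


def doh_get_url(hostname: str, resolver: str = "https://cloudflare-dns.com/dns-query") -> str:
    """Same wire query carried inside HTTPS (RFC 8484 GET form: base64url, no padding).
    The network only sees a TLS connection to the resolver, not the name being looked up."""
    wire = build_dns_query(hostname, txid=0)  # RFC 8484 recommends ID 0 so responses cache well
    return resolver + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()


def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS record holding a ClientHello with a server_name extension (RFC 6066)."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                    # legacy_version TLS 1.2
        + b"\x00" * 32                                 # client random (constructed zeros)
        + b"\x00"                                      # session_id: empty
        + b"\x00\x02\x13\x01"                          # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                  # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext    # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Observer on TCP/443: walk the cleartext ClientHello to the server_name extension."""
    if record[0] != 0x16 or record[5] != 0x01:   # not a handshake record / not a ClientHello
        return None
    pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                        # skip session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                             # skip cipher_suites
    pos += 1 + record[pos]                        # skip compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                       # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None                                   # no SNI present (or encrypted away by ESNI/ECH)


if __name__ == "__main__":
    site = "www.example.com"
    print("plaintext DNS leaks:", qname_from_dns_query(build_dns_query(site)))
    print("cleartext SNI leaks:", sni_from_client_hello(build_client_hello(site)))
    print("DoH hides the same query inside:", doh_get_url(site))
```

Run it and the first two lines show the hostname recovered from bytes a WiFi operator can capture with any sniffer; the DoH URL shows that encrypted DNS changes the transport, not the query format. Fixing DNS alone leaves the SNI leak, which is why the checker treats Secure DNS and Encrypted SNI as separate checks.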
So if your browser supports it, does that make you secure?
Sadly, no. It is a two-way path: the site you visit must support it too. For ESNI the server has to publish its ESNI key in DNS, and your browser has to fetch that key over encrypted DNS (otherwise the lookup itself leaks the hostname). If the domain you visit doesn't support DNSSEC, TLS 1.3 and Encrypted SNI, you are still potentially exposed even with a perfect browser score.
I ran this tool on all browsers, but none seems to be perfect. Firefox was expected to bring this feature, but running this test with the latest version resulted otherwise. So if you fail the Browsing Experience Security Check, don't go into panic mode; this may take some time.