www.cloudflare.com
104.16.124.96  Public Scan

Submitted URL: http://cloudflare-ech.com/
Effective URL: https://www.cloudflare.com/ssl/encrypted-sni/
Submission: On December 18 via manual from BR — Scanned from NZ

Form analysis 0 forms found in the DOM

Text Content

BROWSING EXPERIENCE SECURITY CHECK

HOW SECURE IS YOUR BROWSING EXPERIENCE?

When you browse websites, there are several points where your privacy could be
compromised, such as by your ISP or the coffee shop owner providing your WiFi
connection. This page automatically tests whether your DNS queries and answers
are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is
used to connect to the page, and whether your browser supports securing the
Server Name Indication (SNI) using Encrypted Client Hello (ECH).
What do the results mean?

A check failure (❌) indicates that your browsing data could be vulnerable. An
unwanted party could see sensitive information such as which sites or servers
you are visiting, or the certificate you are using. If the DNS response is
fraudulent, you could also end up visiting and/or providing data to an
unintended party.

A pass (✅) indicates that your browser or DNS resolver supports that particular
feature.

If I pass all four tests, am I secure no matter which site I browse?

Not necessarily. Even if you pass all four tests, the domain you are visiting
also needs to support these technologies. If the domain you visit doesn't
support DNSSEC, TLS 1.3, and Secure SNI, you are still potentially vulnerable,
even if your browser has support for these technologies.


SECURE DNS

Traditionally, DNS queries are sent in plaintext. Anyone listening on the
Internet can see which websites you are connecting to.

To ensure your DNS queries remain private, you should use a resolver that
supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS
(DoT).

The fast, free, privacy-focused 1.1.1.1 resolver supports DNS over TLS (DoT),
which you can configure by using a client that supports it. For a list of these
take a look here. DNS over HTTPS can be configured in Firefox today using these
instructions. Both will ensure your DNS queries remain private.

--------------------------------------------------------------------------------


DNSSEC

DNSSEC allows a user, application, or recursive resolver to trust that the
answer to their DNS query is what the domain owner intends it to be.

Put another way: DNSSEC proves authenticity and integrity (though not
confidentiality) of a response from the authoritative name server. Doing so
makes it much harder for a bad actor to inject malicious DNS records into the
resolution path through BGP leaks and cache poisoning. This type of tampering
can allow an attacker to divert all traffic to a server they control or stop the
encryption of SNI, exposing the hostname you are connecting to.

Cloudflare provides free DNSSEC support to everyone. You can read more about
DNSSEC and Cloudflare at https://www.cloudflare.com/dns/dnssec/.

--------------------------------------------------------------------------------


TLS 1.3

TLS 1.3 is the latest version of the TLS protocol and contains many improvements
for performance & privacy.

If you're not using TLS 1.3, then the certificate of the server you are
connecting to is not encrypted, allowing anyone listening on the Internet to
discover which websites you are connecting to.

All websites on Cloudflare get TLS 1.3 support enabled by default. You can
check your setting at any time by visiting the crypto section of the Cloudflare
dashboard. To read more about TLS 1.3, visit
https://www.cloudflare.com/learning/ssl/why-use-tls-1.3/.

As a website visitor you should ensure you are using a browser which supports
TLS 1.3 today by visiting this page and choosing a compatible browser.

--------------------------------------------------------------------------------


SECURE SNI

Encrypted Client Hello (ECH) is an extension of the TLS handshake protocol that
prevents privacy-sensitive parameters of the handshake from being exposed to
anyone between you and Cloudflare. This protection extends to the Server Name
Indication (SNI), which would otherwise expose the hostname that you want to
connect to when establishing a TLS connection.


ECH is not yet widely available for web services behind Cloudflare, but we are
working closely with browser vendors on the implementation and deployment of
this important privacy enhancement for TLS. Read more in the blog post
introduction to ECH and our more recent update on the process of making this
protection more widespread.

© 2024 Cloudflare, Inc.