For those of us who always wanted to ensure privacy and security in our browsing experience, we always choose to browse web sites which can provide SSL.

When you browse a web site that uses SSL to encrypt the data being transported, the browser starts with a Client Hello which is in plain text, and includes the host name of the web site that you intended to visit, in the handshake.

So, I wanted to show what happens when I visit https://www.cloudflare.com using Firefox, and I captured an image of the Client Hello portion of the SSL handshake using WireShark. As you can see, the host name can be seen in plaintext.

Then, I enabled Encrypted SNI (Server Name Indication), or in short, ESNI in Firefox. I did this by going to the URL about:config which brings up Firefox's configuration editor, entering ESNI in the search bar, and toggling the value of the setting to true.

I also had to enable DNS-over-HTTPS (DOH), but this was already done in the past.

DOH allows your browser to query for domain names over HTTPS, instead of the usual DNS query over UDP port 53.

So, then, restarting Firefox and visiting https://www.cloudflare.com again and here's what WireShark shows. From the image below, you can see that the host name is now encrypted. But how did Firefox encrypt the hostname? I'll let Cloudflare explain it instead.

If only one host name resolves specifically to the IP address of the web site that you're visiting, then given the IP address, one will know what web site you're visiting. But if multiple host names resolves to a single IP address, and the web server supports ESNI, then no one will know what web site you're visiting, except the company hosting the web server.

Today, only Mozilla's Firefox and Cloudflare supports ESNI, but it is hoped that other CDNs will follow soon.