by new23d 702 days ago
TLS 1.3 and ESNI (now called Encrypted Client Hello - ECH) are separate standards, although you'll see ECH only enabled in bleeding edge stacks. In fact, ECH is still in IETF draft phase [1].

It can be disabled if an organisation wishes to. I wrote about how to do this in Chrome [2,3], and will write about Firefox when I get a chance.

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
[2] https://chasersystems.com/blog/disabling-encrypted-clienthel...
[3] https://news.ycombinator.com/item?id=37823262


Ah, I didn't know they actually moved eSNI out of TLS 1.3. It was certainly part of quite a few drafts.

I do find it sad it isn't pushed harder. Companies who need to do interception have legitimate concerns, but they can be addressed.