2018-09-25

With the exception–perhaps–of your therapist or significant other, no one has more power to learn your secrets than your internet service provider. An ISP can see every website that you choose to access. And with the scrapping of Obama-era privacy regulations last year, the U.S. federal government has no rules against ISPs collecting and selling your information to marketers. But new tech fixes are plugging the privacy holes that the government won’t.

The effort began in April, when Firefox browser maker Mozilla and content delivery network Cloudflare rolled out measures to block one of the easiest ways for ISPs to snoop. They started encrypting the browser’s “DNS lookup” of a web site’s numerical IP address–converting Google.com to 172.217.7.196, for instance. (See our instructions for setting this up.)

Now Mozilla and Cloudflare, and possibly other tech companies like Apple, will start to close another loophole–one that reveals the identity of a multitude of smaller websites.

Whack-a-security hole

Big sites–think Facebook, Google, Netflix–have their own IP addresses on the internet, currently making their identities impossible to hide. But a lot of smaller sites live together on server farms at shared IP addresses. To reach the right site among many at a particular address, your browser has to specify the site’s “Server Name Indication,” or SNI, in the clear at the start of the encrypted connection. Anyone sitting between you and the server–be it an ISP, a nosy government, or a hacker on a public Wi-Fi network–can easily read these SNIs to track your browsing. An emerging technology called Encrypted SNI, or ESNI, hides that information.
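To make the leak concrete, here is an added example (not code from the article or from Mozilla or Cloudflare) that builds a minimal TLS ClientHello with a server_name extension and then parses it the way any passive observer on the path, or any network monitoring tool, can: the hostname sits in plaintext before any encryption has been negotiated. The hostname, the cipher suites and the all-zero random field are constructed test values. ESNI moves this name into an extension that is encrypted under a key published by the server, so a parser like this one no longer sees it.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000          # server_name extension type (RFC 6066)
SUPPORTED_GROUPS_EXT = 0x000A


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record for demonstration.

    This is constructed test data, not a handshake captured from a real client.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    # A second extension so the parser has to skip something it does not care about.
    groups = struct.pack("!HHH", 4, 0x001D, 0x0017)             # x25519, secp256r1
    extensions += struct.pack("!HH", SUPPORTED_GROUPS_EXT, len(groups)) + groups

    body = (
        b"\x03\x03"                                     # client_version
        + b"\x00" * 32                                  # random (zeros: test data)
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2b"    # two cipher suites
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None.

    Raises ValueError on anything that is not a well-formed ClientHello record.
    """
    def need(buf: bytes, start: int, n: int) -> bytes:
        chunk = buf[start:start + n]
        if len(chunk) < n:
            raise ValueError("truncated ClientHello")
        return chunk

    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = need(record, 5, rec_len)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = need(hs, 4, hs_len)

    pos = 2 + 32                                   # skip client_version and random
    sid_len = need(body, pos, 1)[0]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", need(body, pos, 2))[0]
    pos += 2 + cs_len
    cm_len = need(body, pos, 1)[0]
    pos += 1 + cm_len
    if pos >= len(body):
        return None                                # legacy client with no extensions
    ext_total = struct.unpack("!H", need(body, pos, 2))[0]
    pos += 2
    end = pos + ext_total

    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = need(body, pos, ext_len)
        pos += ext_len
        if ext_type != SNI_EXT:
            continue
        # server_name_list: 2-byte list length, then (name_type, 2-byte length, name)
        lpos = 2
        while lpos + 3 <= len(ext_data):
            name_type = ext_data[lpos]
            name_len = struct.unpack("!H", ext_data[lpos + 1:lpos + 3])[0]
            name = need(ext_data, lpos + 3, name_len)
            if name_type == 0:
                return name.decode("ascii")
            lpos += 3 + name_len
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # the name is readable on the wire
    print(extract_sni(build_client_hello(None)))            # no SNI extension present
```

The same walk over the record is what an intrusion detection system or a transparent proxy performs to log destinations per connection; that is useful for a defender watching their own network, and exactly the visibility ESNI is designed to take away from anyone else on the path.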

On the browser side, Mozilla confirms that it will begin adding ESNI to Firefox this week. Given that Mozilla’s CTO Eric Rescorla is one of the creators of the draft ESNI technical specification, adoption by Firefox isn’t a shocker. Like many of the browser’s other security and privacy features, ESNI will debut in the beta version, called Firefox Nightly. ESNI is just another step in an ongoing process, says Selena Deckelmann, a senior director of engineering for Firefox.

“The idea is to find all of these places where this type of information about where users are browsing is leaking and to shut those leaks down,” she says.

On the server side, content delivery network Cloudflare just announced support for ESNI. (Its head of cryptography, Nick Sullivan, is another ESNI co-creator.) Services like Cloudflare sit at a critical point between websites and users–storing copies of sites in datacenters around the world to provide faster access. When you “visit” a German site from the U.S., for instance, chances are you’re actually seeing a copy of it in a server farm dozens or hundreds, rather than thousands, of miles away.