Browsing Experience Security Check

How secure is your browsing experience?

When you browse websites, there are several points where your privacy could be compromised, such as by your ISP or the coffee shop owner providing your WiFi connection. This page automatically tests whether your DNS queries and answers are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether your browser supports encrypted Server Name Indication (SNI).

Secure DNS

DNSSEC

TLS 1.3

Encrypted SNI

What do the results mean?

A check failure (❌) indicates that your browsing data could be vulnerable. An unwanted party could see sensitive information such as which sites or servers you are visiting, or the certificate you are using. If the DNS response is fraudulent, you could also end up visiting and/or providing data to an unintended party.

A pass ✅ indicates that your browser or DNS resolver supports that particular feature.

If I pass all four tests, am I secure no matter which site I browse?

Not necessarily. Even if you pass all four tests, the domain you are visiting also needs to support these technologies. If the domain you visit doesn't support DNSSEC, TLS 1.3, and Encrypted SNI, you are still potentially vulnerable, even if your browser supports these technologies.

Secure DNS

Traditionally, DNS queries are sent in plaintext. Anyone listening on the Internet can see which websites you are connecting to.

To ensure your DNS queries remain private, you should use a resolver that supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).

The fast, free, privacy focused 1.1.1.1 resolver supports DNS over TLS (DoT), which you can configure by using a client that supports it. For a list of these take a look here. DNS over HTTPS can be configured in Firefox today using these instructions. Both will ensure your DNS queries remain private.

Return to top

DNSSEC

DNSSEC allows a user, application, or recursive resolver to trust that the answer to their DNS query is what the domain owner intends it to be.

Put another way: DNSSEC proves authenticity and integrity (though not confidentiality) of a response from the authoritative name server. Doing so makes it much harder for a bad actor to inject malicious DNS records into the resolution path through BGP leaks and cache poisoning. This type of tampering can allow an attacker to divert all traffic to a server they control or stop the encryption of SNI, exposing the hostname you are connecting to.

Cloudflare provides free DNSSEC support to everyone. You can read more about DNSSEC and Cloudflare at https://www.cloudflare.com/dns/dnssec/

Return to top

TLS 1.3

TLS 1.3 is the latest version of the TLS protocol and contains many improvements for performance & privacy.

If you're not using TLS 1.3, then the certificate of the server you are connecting to is not encrypted, allowing anyone listening on the Internet to discover which websites you are connecting to.

All websites on Cloudflare get TLS 1.3 support enabled as default - you can check your setting at any time by visiting the crypto section of the Cloudflare dashboard. To read more about TLS 1.3 visit https://www.cloudflare.com/learning-resources/tls-1-3/

As a website visitor you should ensure you are using a browser which supports TLS 1.3 today by visiting this page and choosing a compatible browser.

Return to top

Encrypted SNI

The Server Name Indication (SNI) exposes the hostname the client is connecting to when establishing a TLS connection. Doing so can compromise your privacy.

Encrypted SNI keeps the hostname private when you are visiting an Encrypted SNI enabled site on Cloudflare by concealing your browser’s requested hostname from anyone listening on the Internet.

All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled as default.

Cloudflare is working closely with interested browser vendors on implementing Encrypted SNI. Stay tuned to this page and our blog for further announcements.

Return to top