this post was submitted on 24 Jul 2025
21 points (95.7% liked)

Firefox

20639 readers
233 users here now

/c/firefox

A place to discuss the news and latest developments on the open-source browser Firefox.

Rules

1. Adhere to the instance rules

2. Be kind to one another

3. Communicate in a civil manner

Reporting

If you would like to bring an issue to the moderators attention, please use the "Create Report" feature on the offending comment or post and it will be reviewed as time allows.

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
golden_zealot@lemmy.ml
21
What does network.http.http3.sni-slicing do in Firefox? (programming.dev)
submitted 2 weeks ago by ariadna@programming.dev to c/firefox@lemmy.ml
3 comments fedilink hide all child comments
 

Hi everyone,

I came across the Firefox preference network.http.http3.sni-slicing, which appears to be related to HTTP/3 and SNI handling. However, I’ve found very little documentation explaining what it actually does.

Could someone with knowledge of Firefox internals or HTTP/3 clarify:

  • What exactly does this setting change in the browser’s behavior?
  • Does it provide any privacy or security benefits?

I’d appreciate any insights. Thanks!

you are viewing a single comment's thread
view the rest of the comments
[–] ferric_carcinization@lemmy.ml 6 points 2 weeks ago

After a quick look, looks like it tries to split the (unencrypted) hostname into multiple packets, or at least scramble it slightly. I'm not sure how much it helps in practice, but it might help against naïve filtering/scanning, as the hostname is either sent in different packets, or split and sent unordered in the same packet. It probably only helps if encrypted client hello isn't supported.

TL;DR: If I've understood everything correctly, it just moves chunks of the plaintext hostname around & tries to split it into multiple packets.

Note: Mostly based on comments, as it's late & I'm too tired to parse too much cryptography code.

Full source of the limit_chunks function, formatted with Rustfmt:

const fn limit_chunks<'a>(
    left: (u64, &'a [u8]),
    right: (u64, &'a [u8]),
    limit: usize,
) -> ((u64, &'a [u8]), (u64, &'a [u8])) {
    let (left_offset, mut left) = left;
    let (mut right_offset, mut right) = right;
    if left.len() + right.len() <= limit {
        // Nothing to do. Both chunks will fit into one packet, meaning the SNI isn't spread
        // over multiple packets. But at least it's in two unordered CRYPTO frames.
    } else if left.len() <= limit {
        // `left` is short enough to fit into this packet. So send from the *end*
        // of `right`, so that the second half of the SNI is in another packet.
        let right_len = right.len() + left.len() - limit;
        right_offset += right_len as u64;
        (_, right) = right.split_at(right_len);
    } else if right.len() <= limit {
        // `right` is short enough to fit into this packet. So only send a part of `left`.
        // The SNI begins at the end of `left`, so send the beginnig of it in this packet.
        (left, _) = left.split_at(limit - right.len());
    } else {
        // Both chunks are too long to fit into one packet. Just send a part of each.
        (left, _) = left.split_at(limit / 2);
        (right, _) = right.split_at(limit / 2);
    }
    ((left_offset, left), (right_offset, right))
}

Same, but for write_chunk:

fn write_chunk<B: Buffer>(
    offset: u64,
    data: &[u8],
    builder: &mut packet::Builder<B>,
) -> Option<(u64, usize)> {
    let mut header_len = 1 + Encoder::varint_len(offset) + 1;

    // Don't bother if there isn't room for the header and some data.
    if builder.remaining() < header_len + 1 {
        return None;
    }
    // Calculate length of data based on the minimum of:
    // - available data
    // - remaining space, less the header, which counts only one byte for the length at
    //   first to avoid underestimating length
    let length = min(data.len(), builder.remaining() - header_len);
    header_len += Encoder::varint_len(u64::try_from(length).expect("usize fits in u64")) - 1;
    let length = min(data.len(), builder.remaining() - header_len);

    builder.encode_varint(FrameType::Crypto);
    builder.encode_varint(offset);
    builder.encode_vvec(&data[..length]);
    Some((offset, length))
}

Link to the MIT license file