What's New: ECH Detection, Quad9 Support, Score Fix & a Live Globe
A busy few days. We shipped ECH (Encrypted Client Hello) as a real scored check, added Quad9 DNS detection, fixed a scoring bug that let some high-risk connections slip through with a perfect 100, and added a live global test map. Here's everything.
- ECH is now check #7, scored and shown in your results.
- Quad9 (9.9.9.9) is now detected as a verified private DNS resolver.
- A scoring bug inflated scores by up to 28 points for some users; now fixed and backfilled.
- Results are now collapsible. A live globe shows test activity worldwide.
1. Encrypted Client Hello (ECH) is now a scored check
Until now, HTTPS hid your page content from your ISP, but not which site you were visiting. Every time your browser opens a TLS connection, it sends a Server Name Indication (SNI) field in plaintext. Your ISP, router, or any network observer can read it: reddit.com, protonmail.com, every domain, in the clear.
Encrypted Client Hello fixes this. ECH encrypts the real ClientHello, SNI included, inside an outer ClientHello that shows only the provider's public name, so the hostname you are connecting to is never visible to the network. The site's ECH key is published in its DNS HTTPS record, which is why Firefox enables ECH by default only when DNS-over-HTTPS is active; Cloudflare-hosted sites support it on the server side.
We now probe cloudflare-ech.com/cdn-cgi/trace during every test. If the response includes sni=encrypted, ECH is active and your SNI was hidden from the network on that connection. If it says sni=plaintext, every HTTPS hostname you visit is visible to your ISP. (A passing result shows that your browser can use ECH; hostnames are hidden only on sites that publish ECH keys.)
When a VPN is detected, this check is waived: the VPN tunnel already encrypts the entire TLS handshake before it reaches your ISP, so SNI visibility at the network layer is irrelevant (the tunnel endpoint, rather than your ISP, becomes the observer).
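Added example, not the site's own code: how a test page can interpret the trace response described above. The trace endpoint returns one key=value pair per line; in the constructed sample only the sni field matters, the other field values are made up, the VPN flag is assumed to come from the site's separate VPN check, and the −8 weight is the one given in the scoring fix section below.

```javascript
// Parse the newline-separated "key=value" body of /cdn-cgi/trace into an object.
// Blank or malformed lines are ignored; a value may itself contain "=".
function parseTrace(text) {
  const fields = {};
  for (const line of text.split("\n")) {
    const eq = line.indexOf("=");
    if (eq > 0) fields[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return fields;
}

// Turn the trace into an ECH finding: { status, penalty, message }.
// status is "encrypted", "plaintext", "waived" or "unknown". The -8 penalty
// applies only when the SNI is plaintext and no VPN is active (the waiver).
function evaluateEch(traceText, vpnActive) {
  const sni = parseTrace(traceText).sni;
  if (sni === "encrypted") {
    return { status: "encrypted", penalty: 0,
      message: "ECH is active: your SNI was hidden from the network." };
  }
  if (sni === "plaintext") {
    if (vpnActive) {
      return { status: "waived", penalty: 0,
        message: "SNI is plaintext, but your VPN tunnel hides the handshake from your ISP." };
    }
    return { status: "plaintext", penalty: -8,
      message: "Every HTTPS hostname you visit is visible to your ISP." };
  }
  // Field missing or unexpected (probe blocked, non-trace body): don't score it.
  return { status: "unknown", penalty: 0,
    message: "ECH status could not be determined." };
}

// Constructed sample body in the trace format (values are made up).
const SAMPLE_TRACE =
  "fl=0abc\nh=cloudflare-ech.com\nip=203.0.113.7\nts=1700000000.123\n" +
  "visit_scheme=https\nsni=plaintext\nwarp=off\n";

// Live probe for use in the browser; not exercised offline.
async function probeEch(vpnActive) {
  const res = await fetch("https://cloudflare-ech.com/cdn-cgi/trace");
  return evaluateEch(await res.text(), vpnActive);
}
```

The "unknown" branch matters in practice: a blocked or rewritten probe response should not be scored as either a pass or a fail.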
2. Quad9 DNS is now detected and scored
Quad9 (9.9.9.9) is a free, non-logging, Swiss-based DNS resolver operated by a non-profit foundation. It supports DNS-over-HTTPS and DNS-over-TLS, blocks known malicious domains using 25+ threat intel providers, and has never sold user data, by charter.
The challenge with DNS detection from a web browser is that we can't directly observe which resolver your device is querying. We can only see your outgoing IP, which tells us whether you're on a VPN, but not which DNS resolver you've configured.
The solution: Quad9 operates on.quad9.net, a domain that resolves successfully only when your DNS traffic is routed through Quad9's resolver. During the TLS check step, we now attempt a fetch to that domain with a 3-second timeout. If it resolves, Quad9 is confirmed. If the fetch throws a network error (or times out), you're not using Quad9 DNS.
Confirmed Quad9 users now receive the same +9 DNS privacy bonus as Cloudflare WARP users, and your results show a dedicated finding:
Your DNS queries are going through Quad9 (9.9.9.9), a Swiss non-profit resolver with no logging and DNSSEC validation. Your ISP cannot see your DNS lookups.
Quad9 has also been added to the recommended tools section as a free, no-account option alongside NextDNS, NordVPN, and Mullvad.
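Added example, not the site's code: the self-test fetch with timeout described in this section, written with the fetch function injectable so the decision logic can be exercised offline. The no-cors mode, the exact URL path and the reason labels are assumptions; the page only says a fetch to on.quad9.net is attempted with a 3-second timeout.

```javascript
// Probe on.quad9.net, a name that resolves only through Quad9's resolver.
// Resolves to { confirmed, reason } and never throws. A network error
// (DNS failure, connection refused) means the query did not go via Quad9;
// a timeout is treated as not confirmed, since nothing was proven either way.
async function detectQuad9(fetchImpl = fetch, timeoutMs = 3000) {
  const controller = new AbortController();
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => {
      controller.abort();                      // stop the real request
      reject(new Error("quad9-probe-timeout"));
    }, timeoutMs);
  });
  try {
    // mode "no-cors" (assumption): an opaque response still proves that the
    // name resolved and a server answered, which is all this check needs.
    await Promise.race([
      fetchImpl("https://on.quad9.net/", { mode: "no-cors", signal: controller.signal }),
      timeout,
    ]);
    return { confirmed: true, reason: "resolved" };
  } catch (err) {
    const reason = err && err.message === "quad9-probe-timeout" ? "timeout" : "network_error";
    return { confirmed: false, reason };
  } finally {
    clearTimeout(timer);
  }
}

// DNS finding and bonus for the results page; +9 matches the WARP bonus above.
function quad9Finding(result) {
  if (result.confirmed) {
    return { bonus: 9, message: "Your DNS queries are going through Quad9 (9.9.9.9)." };
  }
  return { bonus: 0, message: `Quad9 not detected (${result.reason}).` };
}

// Constructed stand-ins for fetch, so the logic can be run without a network.
const fakeFetchResolves = async () => ({ type: "opaque", ok: false });
const fakeFetchFails = async () => { throw new TypeError("Failed to fetch"); };
const fakeFetchHangs = () => new Promise(() => {});  // never settles
```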
3. Scoring bug fix: up to 28-point inflation corrected
Shortly after launching, Reddit users flagged that some clearly at-risk connections (AT&T subscribers with documented surveillance history and no VPN) were receiving scores of 100. We dug in and found two compounding bugs in the scoring engine.
Bug 1: Self-attested DNS gave a bonus instead of a reduced penalty
When a user checked "I use encrypted DNS (DoH/DoT)" before running the test, the engine awarded +8 points AND skipped the −20 ISP DNS penalty. The problem: we can't verify this claim remotely. A user could tick the box and receive a 28-point swing with zero evidence.
The fix: self-attested DoH now applies −10 points, a reduced penalty (better than confirmed ISP DNS at −20, but not rewarded as if verified). The checkbox now reflects honest uncertainty rather than false trust.
Bug 2: ECH plaintext had zero score impact
ECH was displayed as a finding in results, but the underlying score weight was set to 0. SNI being fully visible to the ISP had no effect on your privacy score. Fixed: ECH plaintext now applies −8 points when no VPN is active.
Database backfill
All 2,424 historical test runs were re-scored against the corrected engine. 483 runs required updates. Score changes ranged from −8 to −26 points. 194 runs that were previously categorized as "Low Risk" were correctly reclassified as "Medium Risk".
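Added example, not the site's scoring engine: a reduced model of just the DNS and ECH components described in this section, with the pre-fix and post-fix rules side by side and a small backfill over constructed runs. It returns point adjustments rather than a full score, since the rest of the engine is not described here; the category names are assumptions.

```javascript
// A run, as far as these two checks are concerned:
//   dns:    "isp" | "self_attested_doh" | "verified_private" (WARP or Quad9)
//   echSni: "encrypted" | "plaintext" | "unknown"
//   vpn:    true if a VPN was detected

// Pre-fix rules: the two bugs reproduced as described.
function dnsEchAdjustmentBefore({ dns, echSni, vpn }) {
  let points = 0;
  if (dns === "isp") points -= 20;               // confirmed ISP DNS
  if (dns === "self_attested_doh") points += 8;  // bug 1: unverifiable claim rewarded
  if (dns === "verified_private") points += 9;   // WARP / Quad9 confirmed
  const ECH_PLAINTEXT_WEIGHT = 0;                // bug 2: finding shown, weight 0
  if (echSni === "plaintext" && !vpn) points -= ECH_PLAINTEXT_WEIGHT;
  return points;
}

// Post-fix rules.
function dnsEchAdjustmentAfter({ dns, echSni, vpn }) {
  let points = 0;
  if (dns === "isp") points -= 20;
  if (dns === "self_attested_doh") points -= 10; // reduced penalty, not a bonus
  if (dns === "verified_private") points += 9;
  if (echSni === "plaintext" && !vpn) points -= 8; // SNI visible and no tunnel
  return points;
}

// The swing a ticked checkbox gives relative to confirmed ISP DNS.
function selfAttestedSwing(rules) {
  return rules({ dns: "self_attested_doh", echSni: "unknown", vpn: false })
       - rules({ dns: "isp", echSni: "unknown", vpn: false });
}

// Re-score a batch with both rule sets and list the runs whose score moved.
function backfill(runs) {
  return runs.flatMap((run) => {
    const before = dnsEchAdjustmentBefore(run), after = dnsEchAdjustmentAfter(run);
    return before === after ? [] : [{ id: run.id, before, after, delta: after - before }];
  });
}

// Constructed sample runs (not real test data).
const SAMPLE_RUNS = [
  { id: 1, dns: "self_attested_doh", echSni: "plaintext", vpn: false }, // the reported case
  { id: 2, dns: "isp", echSni: "plaintext", vpn: true },                 // ECH waived by VPN
  { id: 3, dns: "verified_private", echSni: "encrypted", vpn: false },
  { id: 4, dns: "isp", echSni: "plaintext", vpn: false },
];
```

Runs 1 and 4 reproduce the two ends of the −8 to −26 range reported for the backfill, and the pre-fix swing of 28 points drops to 10 after the fix.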
4. UX: collapsible results & reordered layout
Test results previously showed all findings expanded by default, which made the page feel overwhelming, especially for users with 5–7 findings. All finding cards are now collapsed by default, with a click-to-expand chevron toggle. Severity is still visible in the collapsed state (color and label).
The results page layout was also reordered. The findings list now comes first, followed by recommended tools, then the share card. The score donut and connection summary remain at the top.
5. Live global test activity map
Inspired by Quad9's GlobeOfWonder, an open-source WebGL globe they use to visualise real-time DNS blocking events worldwide, we built a lighter version using cobe, the same 5KB WebGL library that powers Vercel's homepage globe.
The globe on the leaderboard and homepage shows the last 30 days of tests aggregated by country. Each marker is sized logarithmically by test volume. The side panel shows the top 5 countries with their average privacy scores, colored green/yellow/red by risk level.
Country coordinates are mapped from ISO 3166-1 alpha-2 codes to geographic centroids. The data refreshes every 5 minutes via the /api/globe endpoint.
What's next
A few things on the radar:
- NextDNS detection using the same self-test domain pattern as Quad9
- Detecting Pi-hole setups where DNS appears local but forwards upstream unencrypted
- Country-level scoring breakdowns on the leaderboard
If you found a false positive, want to flag a scoring issue, or have a feature request, the best place is the contact page.