Say hello to MacBook Neo

Apple’s all-new MacBook fea­tures a durable alu­minum de­sign, a stun­ning 13-inch Liquid Retina dis­play, the power of Apple sil­i­con, and all-day bat­tery life — all for the break­through start­ing price of just $599

Apple to­day un­veiled MacBook Neo, an all-new lap­top that de­liv­ers the magic of the Mac at a break­through price, mak­ing it even more ac­ces­si­ble to mil­lions of peo­ple around the world. MacBook Neo starts with a beau­ti­ful Apple de­sign, fea­tur­ing a durable alu­minum en­clo­sure in an ar­ray of gor­geous col­ors — blush, in­digo, sil­ver, and a fresh new cit­rus. Its stun­ning 13-inch Liquid Retina dis­play brings web­sites, pho­tos, videos, and apps to life with high res­o­lu­tion and bright­ness, and sup­port for 1 bil­lion col­ors. Powered by A18 Pro, MacBook Neo can fly through every­day tasks, from brows­ing the web and stream­ing con­tent, to edit­ing pho­tos, ex­plor­ing cre­ative hob­bies, or us­ing AI ca­pa­bil­i­ties across apps. In fact, it’s up to 50 per­cent faster for every­day tasks like web brows­ing,1 and up to 3x faster when run­ning on-de­vice AI work­loads like ap­ply­ing ad­vanced ef­fects to pho­tos,2 com­pared to the best­selling PC with the lat­est ship­ping Intel Core Ultra 5. Providing up to 16 hours of bat­tery life, MacBook Neo al­lows users to go all day on a sin­gle charge.3 A 1080p FaceTime HD cam­era and dual mics make it easy to look and sound great, and the dual side-fir­ing speak­ers with Spatial Audio de­liver crisp, im­mer­sive sound. MacBook Neo also fea­tures Apple’s renowned Magic Keyboard for com­fort­able and pre­cise typ­ing, and a large Multi-Touch track­pad with sup­port for in­tu­itive ges­tures, en­abling smooth and pre­cise con­trol. Completing the MacBook Neo ex­pe­ri­ence is ma­cOS Tahoe, with pow­er­ful built-in apps like Messages, Pages, Calendar, and Safari; seam­less in­te­gra­tion with iPhone; Apple Intelligence; as well as broad com­pat­i­bil­ity with third-party apps. And start­ing at just $599 and $499 for ed­u­ca­tion, MacBook Neo is Apple’s most af­ford­able lap­top ever, pro­vid­ing an un­prece­dented com­bi­na­tion of qual­ity and value. MacBook Neo is avail­able to pre-or­der start­ing to­day, with avail­abil­ity be­gin­ning Wednesday, March 11.

“We’re in­cred­i­bly ex­cited to in­tro­duce MacBook Neo, which de­liv­ers the magic of the Mac at a break­through price,” said John Ternus, Apple’s se­nior vice pres­i­dent of Hardware Engineering. “Built from the ground up to be more af­ford­able for even more peo­ple, MacBook Neo is a lap­top only Apple could cre­ate. It fea­tures a durable alu­minum de­sign in four beau­ti­ful col­ors; a bril­liant Liquid Retina dis­play; Apple sil­i­con-pow­ered per­for­mance; all-day bat­tery life; a high-qual­ity cam­era, mics, and speak­ers; a Magic Keyboard and Multi-Touch track­pad; and the in­tu­itive and pow­er­ful fea­tures of ma­cOS. There is sim­ply no other lap­top like it.”

MacBook Neo pro­vides an un­matched com­bi­na­tion of qual­ity and af­ford­abil­ity for stu­dents, fam­i­lies, small busi­ness own­ers, new Mac users, and more.

A fanned-out ar­ray of MacBook Neo mod­els in its four col­ors: sil­ver, blush, cit­rus, and in­digo.

MacBook Neo comes in four beau­ti­ful col­ors — sil­ver, blush, cit­rus, and in­digo.

MacBook Neo comes in four beau­ti­ful col­ors — blush, in­digo, sil­ver, and cit­rus.

MacBook Neo comes in four beau­ti­ful col­ors — blush, in­digo, sil­ver, and cit­rus.

MacBook Neo comes in four beau­ti­ful col­ors — blush, in­digo, sil­ver, and cit­rus.

MacBook Neo comes in four beau­ti­ful col­ors — blush, in­digo, sil­ver, and cit­rus.

A user an­swers emails and browses the web on their cit­rus MacBook Neo.

A per­son uses ChatGPT and Canva on their blush MacBook Neo.

A per­son mul­ti­tasks be­tween apps on their in­digo MacBook Neo.

With A18 Pro, MacBook Neo can power through a wide range of every­day tasks, from brows­ing the web to send­ing emails and ef­fort­lessly mul­ti­task­ing be­tween apps.

With A18 Pro, MacBook Neo can power through a wide range of every­day tasks, from brows­ing the web to send­ing emails and ef­fort­lessly mul­ti­task­ing be­tween apps.

With A18 Pro, MacBook Neo can power through a wide range of every­day tasks, from brows­ing the web to send­ing emails and ef­fort­lessly mul­ti­task­ing be­tween apps.

A18 Pro fea­tures a 5-core GPU to fa­cil­i­tate smooth per­for­mance for every­thing from FaceTime calls to ca­sual game­play.

A stu­dent uses their cit­rus MacBook Neo in a class­room set­ting.

A per­son lounges in bed us­ing MacBook Neo while lis­ten­ing to mu­sic on AirPods Max.

A per­son uses their sil­ver MacBook Neo in an au­di­to­rium-like set­ting.

MacBook Neo de­liv­ers up to 16 hours of bat­tery life on a sin­gle charge, mak­ing it a per­fect on-the-go com­pan­ion for school, work, or play.

MacBook Neo de­liv­ers up to 16 hours of bat­tery life on a sin­gle charge, mak­ing it a per­fect on-the-go com­pan­ion for school, work, or play.

MacBook Neo de­liv­ers up to 16 hours of bat­tery life on a sin­gle charge, mak­ing it a per­fect on-the-go com­pan­ion for school, work, or play.

MacBook Neo de­liv­ers up to 16 hours of bat­tery life on a sin­gle charge, mak­ing it a per­fect on-the-go com­pan­ion for school, work, or play.

Customers can pre-or­der the new MacBook Neo start­ing to­day at ap­ple.com/​store and in the Apple Store app in 30 coun­tries and re­gions, in­clud­ing the U. S. It will be­gin ar­riv­ing to cus­tomers, and will be in Apple Store lo­ca­tions and Apple Authorized Resellers, start­ing Wednesday, March 11.

MacBook Neo starts at $599 (U.S.) and $499 (U.S.) for ed­u­ca­tion. It is avail­able in four col­ors — blush, in­digo, sil­ver, and cit­rus. Additional tech­ni­cal spec­i­fi­ca­tions, con­fig­ure-to-or­der op­tions, and ac­ces­sories are avail­able at ap­ple.com/​mac.

With Apple Trade In, cus­tomers can trade in their cur­rent com­puter and get credit to­ward a new Mac. Customers can visit ap­ple.com/​shop/​trade-in to see what their de­vice is worth.

AppleCare de­liv­ers ex­cep­tional ser­vice and sup­port, with flex­i­ble op­tions for Apple users. Customers can choose AppleCare+ to cover their new Mac, or in the U.S., AppleCare One to pro­tect mul­ti­ple prod­ucts in one sim­ple plan. Both plans in­clude cov­er­age for ac­ci­dents like drops and spills, theft and loss pro­tec­tion on el­i­gi­ble prod­ucts, bat­tery re­place­ment ser­vice, and 24/7 sup­port from Apple Experts. For more in­for­ma­tion, visit ap­ple.com/​ap­ple­care.

Every cus­tomer who buys di­rectly from Apple Retail gets ac­cess to Personal Setup. In these guided on­line ses­sions, a Specialist can walk them through setup, or fo­cus on fea­tures that help them make the most of their new de­vice. Customers can also learn more about get­ting started and go­ing fur­ther with their new de­vice with a Today at Apple ses­sion at their near­est Apple Store.

Customers in the U.S. who shop at Apple us­ing Apple Card can pay monthly at 0 per­cent APR when they choose to check out with Apple Card Monthly Installments, and they’ll get 3 per­cent Daily Cash back — all up front. More in­for­ma­tion — in­clud­ing de­tails on el­i­gi­bil­ity, ex­clu­sions, and Apple Card terms — is avail­able at ap­ple.com/​ap­ple-card/​monthly-in­stall­ments.

Apple’s all-new MacBook fea­tures a durable alu­minum de­sign, a stun­ning 13-inch Liquid Retina dis­play, the power of Apple sil­i­con, and all-day bat­tery life — all for the break­through start­ing price of just $599

CUPERTINO, CALIFORNIA Apple to­day un­veiled MacBook Neo, an all-new lap­top that de­liv­ers the magic of the Mac at a break­through price, mak­ing it even more ac­ces­si­ble to mil­lions of peo­ple around the world. MacBook Neo starts with a beau­ti­ful Apple de­sign, fea­tur­ing a durable alu­minum en­clo­sure in an ar­ray of gor­geous col­ors — blush, in­digo, sil­ver, and a fresh new cit­rus. Its stun­ning 13-inch Liquid Retina dis­play brings web­sites, pho­tos, videos, and apps to life with high res­o­lu­tion and bright­ness, and sup­port for 1 bil­lion col­ors. Powered by A18 Pro, MacBook Neo can fly through every­day tasks, from brows­ing the web and stream­ing con­tent, to edit­ing pho­tos, ex­plor­ing cre­ative hob­bies, or us­ing AI ca­pa­bil­i­ties across apps. In fact, it’s up to 50 per­cent faster for every­day tasks like web brows­ing,1 and up to 3x faster when run­ning on-de­vice AI work­loads like ap­ply­ing ad­vanced ef­fects to pho­tos,2 com­pared to the best­selling PC with the lat­est ship­ping Intel Core Ultra 5. Providing up to 16 hours of bat­tery life, MacBook Neo al­lows users to go all day on a sin­gle charge.3 A 1080p FaceTime HD cam­era and dual mics make it easy to look and sound great, and the dual side-fir­ing speak­ers with Spatial Audio de­liver crisp, im­mer­sive sound. MacBook Neo also fea­tures Apple’s renowned Magic Keyboard for com­fort­able and pre­cise typ­ing, and a large Multi-Touch track­pad with sup­port for in­tu­itive ges­tures, en­abling smooth and pre­cise con­trol. Completing the MacBook Neo ex­pe­ri­ence is ma­cOS Tahoe, with pow­er­ful built-in apps like Messages, Pages, Calendar, and Safari; seam­less in­te­gra­tion with iPhone; Apple Intelligence; as well as broad com­pat­i­bil­ity with third-party apps. And start­ing at just $599 and $499 for ed­u­ca­tion, MacBook Neo is Apple’s most af­ford­able lap­top ever, pro­vid­ing an un­prece­dented com­bi­na­tion of qual­ity and value. MacBook Neo is avail­able to pre-or­der start­ing to­day, with avail­abil­ity be­gin­ning Wednesday, March 11.

“We’re in­cred­i­bly ex­cited to in­tro­duce MacBook Neo, which de­liv­ers the magic of the Mac at a break­through price,” said John Ternus, Apple’s se­nior vice pres­i­dent of Hardware Engineering. “Built from the ground up to be more af­ford­able for even more peo­ple, MacBook Neo is a lap­top only Apple could cre­ate. It fea­tures a durable alu­minum de­sign in four beau­ti­ful col­ors; a bril­liant Liquid Retina dis­play; Apple sil­i­con-pow­ered per­for­mance; all-day bat­tery life; a high-qual­ity cam­era, mics, and speak­ers; a Magic Keyboard and Multi-Touch track­pad; and the in­tu­itive and pow­er­ful fea­tures of ma­cOS. There is sim­ply no other lap­top like it.”

MacBook Neo fea­tures a beau­ti­fully crafted alu­minum de­sign that’s built to last. With its soft, rounded cor­ners, MacBook Neo looks el­e­gant while feel­ing solid and com­fort­able to hold. At just 2.7 pounds, it’s also easy to carry in a back­pack or hand­bag. Bringing a fun touch of per­son­al­ity and style to every­day com­put­ing, MacBook Neo comes in a spec­trum of four gor­geous col­ors: blush, in­digo, sil­ver, and cit­rus. These col­ors ex­tend to the Magic Keyboard in lighter shades and new wall­pa­pers, cre­at­ing a co­he­sive de­sign aes­thetic and mak­ing MacBook Neo the most col­or­ful MacBook yet.

A gor­geous 13-inch Liquid Retina dis­play fea­tures a 2408-by-1506 res­o­lu­tion, 500 nits of bright­ness, and sup­port for 1 bil­lion col­ors, bring­ing to life sharp, crys­tal-clear text and vi­brant im­ages. The dis­play is both brighter and higher in res­o­lu­tion than most PC lap­tops in this price range, putting it in a class of its own. Finally, an anti-re­flec­tive coat­ing pro­vides a com­fort­able view­ing ex­pe­ri­ence in a va­ri­ety of light­ing con­di­tions, al­low­ing users to watch movies, edit pho­tos, or take video calls from any­where.

At the heart of MacBook Neo is A18 Pro, en­abling users to power through things they do every day, like brows­ing the web, cre­at­ing doc­u­ments, stream­ing con­tent, edit­ing pho­tos, and tak­ing ad­van­tage of AI. Users can seam­lessly work be­tween their fa­vorite apps, like Messages, WhatsApp, Canva, Excel, Safari, and more. MacBook Neo with A18 Pro is up to 50 per­cent faster for every­day tasks than the best­selling PC with the lat­est ship­ping Intel Core Ultra 5.1 And for more de­mand­ing ac­tiv­i­ties, it’s up to 3x faster for on-de­vice AI work­loads2 and up to 2x faster for tasks like photo edit­ing.4 The in­te­grated 5-core GPU brings graph­ics to life while play­ing ac­tion-packed games or ex­plor­ing cre­ative hob­bies. And a 16-core Neural Engine sup­ports fast on-de­vice Apple Intelligence fea­tures and every­day AI tasks like sum­ma­riz­ing notes in Bear or us­ing the Clean Up tool in the Photos app, while en­sur­ing user data stays pri­vate and se­cure. MacBook Neo is also fan­less, so it runs com­pletely silent.

Thanks to the in­cred­i­ble power ef­fi­ciency of Apple sil­i­con, MacBook Neo de­liv­ers up to 16 hours of bat­tery life on a sin­gle charge.3 This makes it a per­fect on-the-go com­pan­ion for work or play, from the class­room to the cof­fee shop, and every­where in be­tween.

MacBook Neo fea­tures Apple’s much-loved Magic Keyboard, which pro­vides a com­fort­able, pre­cise typ­ing ex­pe­ri­ence, while a large Multi-Touch track­pad lets users click, scroll, swipe, and pinch any­where on its sur­face. The MacBook Neo model with Touch ID en­ables easy, quick, and se­cure lo­gin au­then­ti­ca­tion, and the abil­ity to con­ve­niently au­tho­rize pur­chases us­ing Apple Pay.

The 1080p FaceTime HD cam­era on MacBook Neo has op­ti­mized im­age pro­cess­ing to de­liver vi­brant video calls. Dual mics with di­rec­tional beam­form­ing are de­signed to re­duce back­ground noise and iso­late a user’s voice, al­low­ing it to come across loud and clear for an ex­cel­lent video con­fer­enc­ing ex­pe­ri­ence. And dual side-fir­ing speak­ers with sup­port for Spatial Audio and Dolby Atmos pro­duce im­mer­sive sound for watch­ing a movie, lis­ten­ing to mu­sic, or us­ing apps like GarageBand.

MacBook Neo fea­tures two USB-C ports for con­nect­ing ac­ces­sories or an ex­ter­nal dis­play.5 Both ports can be used for charg­ing. MacBook Neo also in­cludes a head­phone jack for wired au­dio. Wi-Fi 6E pro­vides fast wire­less con­nec­tiv­ity, and Bluetooth 6 en­sures re­li­able wire­less con­nec­tions for pe­riph­er­als and ac­ces­sories.

ma­cOS is Apple’s pow­er­ful and in­tu­itive op­er­at­ing sys­tem for Mac.6 With in­cred­i­ble fea­tures and built-in apps like Safari, Photos, Messages, and FaceTime, ma­cOS en­ables users to get started right out of the box. Apple Intelligence fea­tures like Writing Tools, Live Translation, and more are deeply in­te­grated across ma­cOS, el­e­vat­ing the user ex­pe­ri­ence by bring­ing in­tel­li­gence to the apps users rely on every day.7 Advanced pri­vacy and se­cu­rity also come stan­dard, fea­tur­ing in­dus­try‑lead­ing en­cryp­tion, ro­bust virus pro­tec­tions, and au­to­matic free se­cu­rity up­dates to help keep users pro­tected.

iPhone users can tap in to Continuity fea­tures built in to ma­cOS to make work­ing across iPhone and Mac a breeze. Handoff lets users start a task on MacBook Neo and con­tinue it on iPhone, while Universal Clipboard al­lows users to copy and paste con­tent be­tween de­vices. With iPhone Mirroring, users can view and in­ter­act with their iPhone di­rectly on MacBook Neo, and users switch­ing to Mac for the first time can use iPhone to con­ve­niently and se­curely trans­fer set­tings, files, pho­tos, pass­words, and more.

Built with the Environment in Mind

MacBook Neo was built from the ground up to be Apple’s low­est-car­bon MacBook, and brings the com­pany even closer to reach­ing its am­bi­tious plan to be car­bon neu­tral across its en­tire foot­print by 2030. It fea­tures 60 per­cent re­cy­cled con­tent — the high­est per­cent­age of any Apple prod­uct.8 This in­cludes 90 per­cent re­cy­cled alu­minum over­all and 100 per­cent re­cy­cled cobalt in the bat­tery. The en­clo­sure is man­u­fac­tured with a ma­te­r­ial-ef­fi­cient form­ing process that uses 50 per­cent less alu­minum com­pared to tra­di­tional ma­chin­ing meth­ods. MacBook Neo is man­u­fac­tured with 45 per­cent re­new­able elec­tric­ity, like wind and so­lar, across the sup­ply chain. It also meets Apple’s high stan­dards for en­ergy ef­fi­ciency and safe chem­istry. Additionally, the pa­per pack­ag­ing is 100 per­cent fiber-based and can be eas­ily re­cy­cled.9

Customers can pre-or­der the new MacBook Neo start­ing to­day at ap­ple.com/​store and in the Apple Store app in 30 coun­tries and re­gions, in­clud­ing the U.S. It will be­gin ar­riv­ing to cus­tomers, and will be in Apple Store lo­ca­tions and Apple Authorized Resellers, start­ing Wednesday, March 11.

MacBook Neo starts at $599 (U.S.) and $499 (U.S.) for ed­u­ca­tion. It is avail­able in four col­ors — blush, in­digo, sil­ver, and cit­rus. Additional tech­ni­cal spec­i­fi­ca­tions, con­fig­ure-to-or­der op­tions, and ac­ces­sories are avail­able at ap­ple.com/​mac.

With Apple Trade In, cus­tomers can trade in their cur­rent com­puter and get credit to­ward a new Mac. Customers can visit ap­ple.com/​shop/​trade-in to see what their de­vice is worth.

AppleCare de­liv­ers ex­cep­tional ser­vice and sup­port, with flex­i­ble op­tions for Apple users. Customers can choose AppleCare+ to cover their new Mac, or in the U.S., AppleCare One to pro­tect mul­ti­ple prod­ucts in one sim­ple plan. Both plans in­clude cov­er­age for ac­ci­dents like drops and spills, theft and loss pro­tec­tion on el­i­gi­ble prod­ucts, bat­tery re­place­ment ser­vice, and 24/7 sup­port from Apple Experts. For more in­for­ma­tion, visit ap­ple.com/​ap­ple­care.

Every cus­tomer who buys di­rectly from Apple Retail gets ac­cess to Personal Setup. In these guided on­line ses­sions, a Specialist can walk them through setup, or fo­cus on fea­tures that help them make the most of their new de­vice. Customers can also learn more about get­ting started and go­ing fur­ther with their new de­vice with a Today at Apple ses­sion at their near­est Apple Store.

Customers in the U.S. who shop at Apple us­ing Apple Card can pay monthly at 0 per­cent APR when they choose to check out with Apple Card Monthly Installments, and they’ll get 3 per­cent Daily Cash back — all up front. More in­for­ma­tion — in­clud­ing de­tails on el­i­gi­bil­ity, ex­clu­sions, and Apple Card terms — is avail­able at ap­ple.com/​ap­ple-card/​monthly-in­stall­ments.

About Apple

Apple rev­o­lu­tion­ized per­sonal tech­nol­ogy with the in­tro­duc­tion of the Macintosh in 1984. Today, Apple leads the world in in­no­va­tion with iPhone, iPad, Mac, AirPods, Apple Watch, and Apple Vision Pro. Apple’s six soft­ware plat­forms — iOS, iPa­dOS, ma­cOS, watchOS, vi­sionOS, and tvOS — pro­vide seam­less ex­pe­ri­ences across all Apple de­vices and em­power peo­ple with break­through ser­vices in­clud­ing the App Store, Apple Music, Apple Pay, iCloud, and Apple TV. Apple’s more than 150,000 em­ploy­ees are ded­i­cated to mak­ing the best prod­ucts on earth and to leav­ing the world bet­ter than we found it.

Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Speedometer 3.1 per­for­mance bench­mark tested with pre-re­lease Safari 26.3 on ma­cOS Tahoe, and both Chrome 144.0.7559.110 and Edge 144.0.3719.104 on Windows 11 Home. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Adobe Photoshop 2026 27.3.0 tested us­ing the fol­low­ing fil­ters and func­tions: su­per zoom, depth blur, JPEG ar­ti­fact re­moval, style trans­fer, photo restora­tion, and land­scape mixer. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

Testing was con­ducted by Apple in January 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD. Wireless web bat­tery life tested by brows­ing 25 pop­u­lar web­sites while con­nected to Wi-Fi. Video stream­ing bat­tery life tested with 1080p con­tent in Safari while con­nected to Wi-Fi. All sys­tems tested with dis­play bright­ness set to eight clicks from bot­tom. Battery life varies by use and con­fig­u­ra­tion. See ap­ple.com/​bat­ter­ies for more in­for­ma­tion.

Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Tested with Affinity v3.0.3.4027 us­ing the built-in bench­mark 30000. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

MacBook Neo fea­tures two USB-C ports — USB 3 (left) and USB 2 (right). External dis­play con­nec­tiv­ity sup­ported on left USB 3 port only.

ma­cOS Tahoe is avail­able as a free soft­ware up­date. Some fea­tures may not be avail­able in all re­gions or in all lan­guages. See re­quire­ments at ap­ple.com/​os/​ma­cos.

Apple Intelligence is avail­able in beta with sup­port for these lan­guages: English, Danish, Dutch, French, German, Italian, Norwegian, Portuguese, Spanish, Swedish, Turkish, Vietnamese, Chinese (simplified), Chinese (traditional), Japanese, and Korean. Some fea­tures may not be avail­able in all re­gions or lan­guages. For fea­ture and lan­guage avail­abil­ity and sys­tem re­quire­ments, see sup­port.ap­ple.com/​en-us/​121115.

Product re­cy­cled or re­new­able con­tent is the mass of cer­ti­fied re­cy­cled ma­te­r­ial rel­a­tive to the over­all mass of the de­vice, not in­clud­ing pack­ag­ing or in-box ac­ces­sories. Comparison ex­cludes ac­ces­sories.

Breakdown of U.S. re­tail pack­ag­ing by weight. Adhesives, inks, and coat­ings are ex­cluded from cal­cu­la­tions.

Copy text

* Customers can pre-or­der the new MacBook Neo start­ing to­day at ap­ple.com/​store and in the Apple Store app in 30 coun­tries and re­gions, in­clud­ing the U.S. It will be­gin ar­riv­ing to cus­tomers, and will be in Apple Store lo­ca­tions and Apple Authorized Resellers, start­ing Wednesday, March 11.

* MacBook Neo starts at $599 (U.S.) and $499 (U.S.) for ed­u­ca­tion. It is avail­able in four col­ors — blush, in­digo, sil­ver, and cit­rus. Additional tech­ni­cal spec­i­fi­ca­tions, con­fig­ure-to-or­der op­tions, and ac­ces­sories are avail­able at ap­ple.com/​mac.

* With Apple Trade In, cus­tomers can trade in their cur­rent com­puter and get credit to­ward a new Mac. Customers can visit ap­ple.com/​shop/​trade-in to see what their de­vice is worth.

* AppleCare de­liv­ers ex­cep­tional ser­vice and sup­port, with flex­i­ble op­tions for Apple users. Customers can choose AppleCare+ to cover their new Mac, or in the U.S., AppleCare One to pro­tect mul­ti­ple prod­ucts in one sim­ple plan. Both plans in­clude cov­er­age for ac­ci­dents like drops and spills, theft and loss pro­tec­tion on el­i­gi­ble prod­ucts, bat­tery re­place­ment ser­vice, and 24/7 sup­port from Apple Experts. For more in­for­ma­tion, visit ap­ple.com/​ap­ple­care.

* Every cus­tomer who buys di­rectly from Apple Retail gets ac­cess to Personal Setup. In these guided on­line ses­sions, a Specialist can walk them through setup, or fo­cus on fea­tures that help them make the most of their new de­vice. Customers can also learn more about get­ting started and go­ing fur­ther with their new de­vice with a Today at Apple ses­sion at their near­est Apple Store.

* Customers in the U.S. who shop at Apple us­ing Apple Card can pay monthly at 0 per­cent APR when they choose to check out with Apple Card Monthly Installments, and they’ll get 3 per­cent Daily Cash back — all up front. More in­for­ma­tion — in­clud­ing de­tails on el­i­gi­bil­ity, ex­clu­sions, and Apple Card terms — is avail­able at ap­ple.com/​ap­ple-card/​monthly-in­stall­ments.

* Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Speedometer 3.1 per­for­mance bench­mark tested with pre-re­lease Safari 26.3 on ma­cOS Tahoe, and both Chrome 144.0.7559.110 and Edge 144.0.3719.104 on Windows 11 Home. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

* Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Adobe Photoshop 2026 27.3.0 tested us­ing the fol­low­ing fil­ters and func­tions: su­per zoom, depth blur, JPEG ar­ti­fact re­moval, style trans­fer, photo restora­tion, and land­scape mixer. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

* Testing was con­ducted by Apple in January 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD. Wireless web bat­tery life tested by brows­ing 25 pop­u­lar web­sites while con­nected to Wi-Fi. Video stream­ing bat­tery life tested with 1080p con­tent in Safari while con­nected to Wi-Fi. All sys­tems tested with dis­play bright­ness set to eight clicks from bot­tom. Battery life varies by use and con­fig­u­ra­tion. See ap­ple.com/​bat­ter­ies for more in­for­ma­tion.

* Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Tested with Affinity v3.0.3.4027 us­ing the built-in bench­mark 30000. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

* MacBook Neo fea­tures two USB-C ports — USB 3 (left) and USB 2 (right). External dis­play con­nec­tiv­ity sup­ported on left USB 3 port only.

* ma­cOS Tahoe is avail­able as a free soft­ware up­date. Some fea­tures may not be avail­able in all re­gions or in all lan­guages. See re­quire­ments at ap­ple.com/​os/​ma­cos.

* Apple Intelligence is avail­able in beta with sup­port for these lan­guages: English, Danish, Dutch, French, German, Italian, Norwegian, Portuguese, Spanish, Swedish, Turkish, Vietnamese, Chinese (simplified), Chinese (traditional), Japanese, and Korean. Some fea­tures may not be avail­able in all re­gions or lan­guages. For fea­ture and lan­guage avail­abil­ity and sys­tem re­quire­ments, see sup­port.ap­ple.com/​en-us/​121115.

* Product re­cy­cled or re­new­able con­tent is the mass of cer­ti­fied re­cy­cled ma­te­r­ial rel­a­tive to the over­all mass of the de­vice, not in­clud­ing pack­ag­ing or in-box ac­ces­sories. Comparison ex­cludes ac­ces­sories.

* Breakdown of U.S. re­tail pack­ag­ing by weight. Adhesives, inks, and coat­ings are ex­cluded from cal­cu­la­tions.

Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Speedometer 3.1 per­for­mance bench­mark tested with pre-re­lease Safari 26.3 on ma­cOS Tahoe, and both Chrome 144.0.7559.110 and Edge 144.0.3719.104 on Windows 11 Home. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Adobe Photoshop 2026 27.3.0 tested us­ing the fol­low­ing fil­ters and func­tions: su­per zoom, depth blur, JPEG ar­ti­fact re­moval, style trans­fer, photo restora­tion, and land­scape mixer. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

Testing was con­ducted by Apple in January 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD. Wireless web bat­tery life tested by brows­ing 25 pop­u­lar web­sites while con­nected to Wi-Fi. Video stream­ing bat­tery life tested with 1080p con­tent in Safari while con­nected to Wi-Fi. All sys­tems tested with dis­play bright­ness set to eight clicks from bot­tom. Battery life varies by use and con­fig­u­ra­tion. See ap­ple.com/​bat­ter­ies for more in­for­ma­tion.

Testing was con­ducted by Apple in January and February 2026 us­ing pre­pro­duc­tion MacBook Neo sys­tems with Apple A18 Pro, 6-core CPU, 5-core GPU, 8GB of uni­fied mem­ory, and 256GB SSD, as well as pro­duc­tion Intel Core Ultra 5-based PC sys­tems with Intel Graphics, 8GB of RAM, 256GB SSD, and the lat­est ver­sion of Windows 11 Home avail­able at the time of test­ing. Bestselling PC lap­top with the lat­est ship­ping Intel Core Ultra 5 proces­sor is based on pub­licly avail­able sales data over the prior six months. Tested with Affinity v3.0.3.4027 us­ing the built-in bench­mark 30000. Performance tests are con­ducted us­ing spe­cific com­puter sys­tems and re­flect the ap­prox­i­mate per­for­mance of MacBook Neo.

MacBook Neo fea­tures two USB-C ports — USB 3 (left) and USB 2 (right). External dis­play con­nec­tiv­ity sup­ported on left USB 3 port only.

ma­cOS Tahoe is avail­able as a free soft­ware up­date. Some fea­tures may not be avail­able in all re­gions or in all lan­guages. See re­quire­ments at ap­ple.com/​os/​ma­cos.

Apple Intelligence is avail­able in beta with sup­port for these lan­guages: English, Danish, Dutch, French, German, Italian, Norwegian, Portuguese, Spanish, Swedish, Turkish, Vietnamese, Chinese (simplified), Chinese (traditional), Japanese, and Korean. Some fea­tures may not be avail­able in all re­gions or lan­guages. For fea­ture and lan­guage avail­abil­ity and sys­tem re­quire­ments, see sup­port.ap­ple.com/​en-us/​121115.

Product re­cy­cled or re­new­able con­tent is the mass of cer­ti­fied re­cy­cled ma­te­r­ial rel­a­tive to the over­all mass of the de­vice, not in­clud­ing pack­ag­ing or in-box ac­ces­sories. Comparison ex­cludes ac­ces­sories.

Breakdown of U. S. re­tail pack­ag­ing by weight. Adhesives, inks, and coat­ings are ex­cluded from cal­cu­la­tions.

I’m be­hind on writ­ing about Qwen 3.5, a truly re­mark­able fam­ily of open weight mod­els re­leased by Alibaba’s Qwen team over the past few weeks. I’m hop­ing that the 3.5 fam­ily does­n’t turn out to be Qwen’s swan song, see­ing as that team has had some very high pro­file de­par­tures in the past 24 hours.

It all started with this tweet from Junyang Lin (@JustinLin610):

Junyang Lin was the lead re­searcher build­ing Qwen, and was key to re­leas­ing their open weight mod­els from 2024 on­wards.

As far as I can tell a trig­ger for this res­ig­na­tion was a re-org within Alibaba where a new re­searcher hired from Google’s Gemini team was put in charge of Qwen, but I’ve not con­firmed that de­tail.

More in­for­ma­tion is avail­able in this ar­ti­cle from 36kr.com. Here’s Wikipedia on 36Kr con­firm­ing that it’s a cred­i­ble me­dia source es­tab­lished in 2010 with a good track record re­port­ing on the Chinese tech­nol­ogy in­dus­try.

The ar­ti­cle is in Chinese—here are some quotes trans­lated via Google Translate:

At ap­prox­i­mately 1:00 PM Beijing time on March 4th, Tongyi Lab held an emer­gency All Hands meet­ing, where Alibaba Group CEO Wu Yongming frankly told Qianwen em­ploy­ees.

Twelve hours ago (at 0:11 AM Beijing time on March 4th), Lin Junyang, the tech­ni­cal lead for Alibaba’s Qwen Big Data Model, sud­denly an­nounced his res­ig­na­tion on X. Lin Junyang was a key fig­ure in pro­mot­ing Alibaba’s open-source AI mod­els and one of Alibaba’s youngest P10 em­ploy­ees. Amidst the in­dus­try up­roar, many mem­bers of Qwen were also un­able to ac­cept the sud­den de­par­ture of their team’s key fig­ure.

“Given far fewer re­sources than com­peti­tors, Junyang’s lead­er­ship is one of the core fac­tors in achiev­ing to­day’s re­sults,” mul­ti­ple Qianwen mem­bers told 36Kr. […]

Regarding Lin Junyang’s where­abouts, no new con­clu­sions were reached at the meet­ing. However, around 2 PM, Lin Junyang posted again on his WeChat Moments, stat­ing, “Brothers of Qwen, con­tinue as orig­i­nally planned, no prob­lem,” with­out ex­plic­itly con­firm­ing whether he would re­turn. […]

That piece also lists sev­eral other key mem­bers who have ap­par­ently re­signed:

With Lin Junyang’s de­par­ture, sev­eral other Qwen mem­bers also an­nounced their de­par­ture, in­clud­ing core lead­ers re­spon­si­ble for var­i­ous sub-ar­eas of Qwen mod­els, such as:

Binyuan Hui: Lead Qwen code de­vel­op­ment, prin­ci­pal of the Qwen-Coder se­ries mod­els, re­spon­si­ble for the en­tire agent train­ing process from pre-train­ing to post-train­ing, and re­cently in­volved in ro­bot­ics re­search.

Bowen Yu: Lead Qwen post-train­ing re­search, grad­u­ated from the University of Chinese Academy of Sciences, lead­ing the de­vel­op­ment of the Qwen-Instruct se­ries mod­els.

Kaixin Li: Core con­trib­u­tor to Qwen 3.5/VL/Coder, PhD from the National University of Singapore.

Besides the afore­men­tioned in­di­vid­u­als, many young re­searchers also re­signed on the same day.

Based on the above it looks to me like every­thing is still very much up in the air. The pres­ence of Alibaba’s CEO at the “emergency All Hands meet­ing” sug­gests that the com­pany un­der­stands the sig­nif­i­cance of these res­ig­na­tions and may yet re­tain some of the de­part­ing tal­ent.

This story hits par­tic­u­larly hard right now be­cause the Qwen 3.5 mod­els ap­pear to be ex­cep­tion­ally good.

I’ve not spent enough time with them yet but the scale of the new model fam­ily is im­pres­sive. They started with Qwen3.5-397B-A17B on February 17th—an 807GB model—and then fol­lowed with a flurry of smaller sib­lings in 122B, 35B, 27B, 9B, 4B, 2B, 0.8B sizes.

I’m hear­ing pos­i­tive noises about the 27B and 35B mod­els for cod­ing tasks that still fit on a 32GB/64GB Mac, and I’ve tried the 9B, 4B and 2B mod­els and found them to be no­tably ef­fec­tive con­sid­er­ing their tiny sizes. That 2B model is just 4.57GB—or as small as 1.27GB quan­tized—and is a full rea­son­ing and multi-modal (vision) model.

It would be a real tragedy if the Qwen team were to dis­band now, given their proven track record in con­tin­u­ing to find new ways to get high qual­ity re­sults out of smaller and smaller mod­els.

If those core Qwen team mem­bers ei­ther start some­thing new or join an­other re­search lab I’m ex­cited to see what they do next.

Subscribe

Patterns for get­ting the best re­sults out of cod­ing agents like Claude Code and OpenAI Codex. See my in­tro­duc­tion for more on this pro­ject.

Principles

Hoard things you know how to do

Testing and QA

Anthropic co-founder and CEO Dario Amodei is not happy — per­haps pre­dictably so — with OpenAI chief Sam Altman. In a memo to staff, re­ported by The Information, Amodei re­ferred to OpenAI’s deal­ings with the Department of Defense as “safety the­ater.”

“The main rea­son [OpenAI] ac­cepted [the DoD’s deal] and we did not is that they cared about pla­cat­ing em­ploy­ees, and we ac­tu­ally cared about pre­vent­ing abuses,” Amodei wrote.

Last week, Anthropic and the U. S. Department of Defense (DoD) failed to come to an agree­ment over the mil­i­tary’s re­quest for un­re­stricted ac­cess to the AI com­pa­ny’s tech­nol­ogy. Anthropic, which al­ready had a $200 mil­lion con­tract with the mil­i­tary, in­sisted the DoD af­firm that it would not use the com­pa­ny’s AI to en­able do­mes­tic mass sur­veil­lance or au­tonomous weaponry.

Instead, the DoD — known un­der the Trump ad­min­is­tra­tion as the Department of War — struck a deal with OpenAI. Altman stated that his com­pa­ny’s new de­fense con­tract would in­clude pro­tec­tions against the same red lines that Anthropic had as­serted.

In a let­ter to staff, Amodei refers to OpenAI’s mes­sag­ing as “straight up lies,” stat­ing that Altman is falsely “presenting him­self as a peace­maker and deal­maker.”

Amodei might not be speak­ing solely from a po­si­tion of bit­ter­ness, here. Anthropic specif­i­cally took is­sue with the DoD’s in­sis­tence on the com­pa­ny’s AI be­ing avail­able for “any law­ful use.” OpenAI said in a blog post that its con­tract al­lows use of its AI sys­tems for “all law­ful pur­poses.”

“It was clear in our in­ter­ac­tion that the DoW con­sid­ers mass do­mes­tic sur­veil­lance il­le­gal and was not plan­ning to use it for this pur­pose,” OpenAI’s blog post stated. “We en­sured that the fact that it is not cov­ered un­der law­ful use was made ex­plicit in our con­tract.”

Critics have pointed out that the law is sub­ject to change, and what is con­sid­ered il­le­gal now might end up be­ing al­lowed in the fu­ture.

And the pub­lic seems to be sid­ing with Anthropic. ChatGPT unin­stalls jumped 295% af­ter OpenAI made its deal with the DoD.

“I think this at­tempted spin/​gaslight­ing is not work­ing very well on the gen­eral pub­lic or the me­dia, where peo­ple mostly see OpenAI’s deal with the DoW as sketchy or sus­pi­cious, and see us as the he­roes (we’re #2 in the App Store now!),” Amodei wrote to his staff. “It is work­ing on some Twitter mo­rons, which does­n’t mat­ter, but my main worry is how to make sure it does­n’t work on OpenAI em­ploy­ees.”

One CLI for all of Google Workspace — built for hu­mans and AI agents.

Drive, Gmail, Calendar, and every Workspace API. Zero boil­er­plate. Structured JSON out­put. 40+ agent skills in­cluded.

npm in­stall -g @googleworkspace/cli

gws does­n’t ship a sta­tic list of com­mands. It reads Google’s own Discovery Service at run­time and builds its en­tire com­mand sur­face dy­nam­i­cally. When Google Workspace adds an API end­point or method, gws picks it up au­to­mat­i­cally.

npm in­stall -g @googleworkspace/cli

gws auth setup # walks you through Google Cloud pro­ject con­fig + OAuth lo­gin

gws drive files list –params ‘{“pageSize”: 5}’

cargo in­stall –path .

A Nix flake is also avail­able at github:google­work­space/​cli

nix run github:google­work­space/​cli

For hu­mans — stop writ­ing curl calls against REST docs. gws gives you tab‑com­ple­tion, –help on every re­source, –dry-run to pre­view re­quests, and auto‑pag­i­na­tion.

For AI agents — every re­sponse is struc­tured JSON. Pair it with the in­cluded agent skills and your LLM can man­age Workspace with­out cus­tom tool­ing.

# List the 10 most re­cent files

gws drive files list –params ‘{“pageSize”: 10}’

# Create a spread­sheet

gws sheets spread­sheets cre­ate –json ‘{“properties”: {“title”: “Q1 Budget”}}’

# Send a Chat mes­sage

gws chat spaces mes­sages cre­ate \

–params ‘{“parent”: “spaces/xyz”}’ \

–json ‘{“text”: “Deploy com­plete.“}’ \

–dry-run

# Introspect any method’s re­quest/​re­sponse schema

gws schema drive.files.list

# Stream pag­i­nated re­sults as NDJSON

gws drive files list –params ‘{“pageSize”: 100}’ –page-all | jq -r ‘.files[].name’

The CLI sup­ports mul­ti­ple auth work­flows so it works on your lap­top, in CI, and on a server.

Credentials are en­crypted at rest (AES-256-GCM) with the key stored in your OS keyring.

gws auth setup # one-time: cre­ates a Cloud pro­ject, en­ables APIs, logs you in

gws auth lo­gin # sub­se­quent lo­gins

Requires the gcloud CLI to be in­stalled and au­then­ti­cated.

Use this when gws auth setup can­not au­to­mate pro­ject/​client cre­ation, or when you want ex­plicit con­trol.

Configure OAuth brand­ing/​au­di­ence if prompted:

Download the client JSON and save it to:

gws auth lo­gin

You can com­plete OAuth ei­ther man­u­ally or with browser au­toma­tion.

* Agent-assisted flow: the agent opens the URL, se­lects ac­count, han­dles con­sent prompts, and re­turns con­trol once the lo­cal­host call­back suc­ceeds.

If con­sent shows “Google has­n’t ver­i­fied this app” (testing mode), click Continue. If scope check­boxes ap­pear, se­lect re­quired scopes (or Select all) be­fore con­tin­u­ing.

On the head­less ma­chine:

ex­port GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/credentials.json

gws drive files list # just works

Point to your key file; no lo­gin needed.

ex­port GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/service-account.json

gws drive files list

ex­port GOOGLE_WORKSPACE_CLI_IMPERSONATED_USER=ad­min@ex­am­ple.com

Useful when an­other tool (e.g. gcloud) al­ready mints to­kens for your en­vi­ron­ment.

ex­port GOOGLE_WORKSPACE_CLI_TOKEN=$(gcloud auth print-ac­cess-to­ken)

Environment vari­ables can also live in a .env file.

The repo ships 100+ Agent Skills (SKILL.md files) — one for every sup­ported API, plus higher-level helpers for com­mon work­flows and 50 cu­rated recipes for Gmail, Drive, Docs, Calendar, and Sheets. See the full Skills Index for the com­plete list.

# Install all skills at once

npx skills add https://​github.com/​google­work­space/​cli

# Or pick only what you need

npx skills add https://​github.com/​google­work­space/​cli/​tree/​main/​skills/​gws-drive

npx skills add https://​github.com/​google­work­space/​cli/​tree/​main/​skills/​gws-gmail

Install the ex­ten­sion into the Gemini CLI:

gem­ini ex­ten­sions in­stall https://​github.com/​google­work­space/​cli

Installing this ex­ten­sion gives your Gemini CLI agent di­rect ac­cess to all gws com­mands and Google Workspace agent skills. Because gws han­dles its own au­then­ti­ca­tion se­curely, you sim­ply need to au­then­ti­cate your ter­mi­nal once prior to us­ing the agent, and the ex­ten­sion will au­to­mat­i­cally in­herit your cre­den­tials.

gws mcp starts a Model Context Protocol server over stdio, ex­pos­ing Google Workspace APIs as struc­tured tools that any MCP-compatible client (Claude Desktop, Gemini CLI, VS Code, etc.) can call.

gws mcp -s drive # ex­pose Drive tools

gws mcp -s drive,gmail,cal­en­dar # ex­pose mul­ti­ple ser­vices

gws mcp -s all # ex­pose all ser­vices (many tools!)

“mcpServers”: {

“gws”: {

“command”: “gws”,

“args”: [“mcp”, “-s”, “drive,gmail,calendar”]

gws drive files cre­ate –json ‘{“name”: “report.pdf”}’ –upload ./report.pdf

Integrate Google Cloud Model Armor to scan API re­sponses for prompt in­jec­tion be­fore they reach your agent.

gws gmail users mes­sages get –params ‘…’ \

–sanitize “projects/P/locations/L/templates/T”

Build a clap::Com­mand tree from the doc­u­men­t’s re­sources and meth­ods

If a re­quired Google API is not en­abled for your GCP pro­ject, you will see a 403 er­ror with rea­son ac­cess­Not­Con­fig­ured:

“error”: {

“code”: 403,

“message”: “Gmail API has not been used in pro­ject 549352339482 …”,

“reason”: “accessNotConfigured”,

“enable_url”: “https://​con­sole.de­vel­op­ers.google.com/​apis/​api/​gmail.googleapis.com/​overview?pro­ject=549352339482”

gws also prints an ac­tion­able hint to stderr:

Click the en­able_url link (or copy it from the en­able_url JSON field).

cargo build # dev build

cargo clippy — -D warn­ings # lint

cargo test # unit tests

./scripts/coverage.sh # HTML cov­er­age re­port → tar­get/​llvm-cov/​html/

If you ever want a good laugh, ask an aca­d­e­mic to ex­plain what they get paid to do, and who pays them to do it.

In STEM fields, it works like this: the uni­ver­sity pays you to teach, but un­less you’re at a lib­eral arts col­lege, you don’t ac­tu­ally get pro­moted or rec­og­nized for your teach­ing. Instead, you get pro­moted and rec­og­nized for your re­search, which the uni­ver­sity does not gen­er­ally pay you for. You have to ask some­one else to pro­vide that part of your salary, and in the US, that some­one else is usu­ally the fed­eral gov­ern­ment. If you’re lucky—and these days, very lucky—you get a chunk of money to grow your bac­te­ria or smash your elec­trons to­gether or what­ever, you write up your re­sults for pub­li­ca­tion, and this is where the mon­key busi­ness re­ally be­gins.

In most dis­ci­plines, the next step is send­ing your pa­per to a peer-re­viewed jour­nal, where it gets eval­u­ated by an ed­i­tor and (if the ed­i­tor sees some promise in it) a few re­view­ers. These peo­ple are aca­d­e­mics just like you, and they gen­er­ally do not get paid for their time. Editors maybe get a small stipend and a bit of pro­fes­sional cred, while re­view­ers get noth­ing but the warm fuzzies of do­ing “service to the field”, or the cold thrill of tank­ing other peo­ple’s pa­pers.

If you’re lucky again, your pa­per gets ac­cepted by the jour­nal, which now owns the copy­right to your work. They do not pay you for this! If any­thing, you pay them an “article pro­cess­ing charge” for the priv­i­lege of no longer own­ing the rights to your pa­per. This is con­sid­ered a great honor.

The jour­nals then pay­wall your work, sell the ac­cess back to you and your col­leagues, and pocket the profit. Universities cover these sub­scrip­tions and fees by charg­ing the gov­ern­ment “indirect costs” on every grant—money that does­n’t go to the re­search it­self, but to all the things that sup­port the re­search, like keep­ing the lights on, clean­ing the toi­lets, and ac­cess­ing the jour­nals that the re­searchers need to read.

Nothing about this sys­tem makes sense, which is why I think we should build a new one. In the mean­time, though, we should also fix the old one. But that’s hard, for two rea­sons. First, many peo­ple are in­vested in things work­ing ex­actly the way they do now, so every stu­pid idea has a con­stituency be­hind it. Second, our cur­rent ad­min­is­tra­tion seems to be­lieve in pol­icy by blood­let­ting: if some­thing is­n’t work­ing, just slice it open at ran­dom. Thanks to these hap­haz­ard cuts and can­cel­la­tions, we now have a sys­tem that is both dys­func­tional and ane­mic.

I see a way to solve both prob­lems at once. We can sat­isfy both the sci­en­tists and the scalpel-wield­ing politi­cians by rid­ding our­selves of the one con­stituency that should not ex­ist. Of all the crazy parts of our crazy sys­tem, the cra­zi­est part is where tax­pay­ers pay for the re­search, then pay pri­vate com­pa­nies to pub­lish it, and then pay again so sci­en­tists can read it. We may not agree on much, but we can all agree on this: it is time, fi­nally and for­ever, to get rid of for-profit sci­en­tific pub­lish­ers.

The writer G. K. Chesterton once said that be­fore you knock any­thing down, you ought to know how it got there in the first place. So be­fore we show for-profit pub­lish­ers the pointy end of a pitch­fork, we ought to know where they came from and why they per­sist.

It used to be a huge pain to pro­duce a phys­i­cal jour­nal—some­one had to op­er­ate the print­ing presses, lick the stamps, and mail the copies all over the world. Unsurprisingly, aca­d­e­mics did­n’t care much about do­ing those things. When gov­ern­ment money started flow­ing into uni­ver­si­ties post-World War II and the num­ber of ar­ti­cles ex­ploded, pri­vate com­pa­nies were like, “Hey, why don’t we take these jour­nals off your hands—you keep do­ing the sci­en­tific stuff and we’ll han­dle all the bor­ing stuff.” And the aca­d­e­mics were like “Sounds good, we’re sure this won’t have any un­fore­seen con­se­quences.”

Those com­pa­nies knew they had a cap­tive au­di­ence, so they bought up as many jour­nals as they could. Journal ar­ti­cles aren’t in­ter­change­able com­modi­ties like corn or soy­beans—if your sci­ence sup­plier starts goug­ing you, you can’t just switch to a new one. Adding to this lock-in ef­fect, pub­lish­ing in “high-impact” jour­nals be­came the key to suc­cess in sci­ence, which meant if you wanted to move up, your uni­ver­sity had to pay up. So, even as the in­ter­net made it much cheaper to pro­duce a jour­nal, pub­lish­ers made it much more ex­pen­sive to sub­scribe to one.

The peo­ple run­ning this scam had no il­lu­sions about it, even if they hoped that other peo­ple did. Here’s how one CEO de­scribed it:

You have no idea how prof­itable these jour­nals are once you stop do­ing any­thing. When you’re build­ing a jour­nal, you spend time get­ting good ed­i­to­r­ial boards, you treat them well, you give them din­ners. […] [and then] we stop do­ing all that stuff and then the cash just pours out and you would­n’t be­lieve how won­der­ful it is.

So here’s the re­port we can make to Mr. Chesterton: for-profit sci­en­tific pub­lish­ers arose to solve the prob­lem of pro­duc­ing phys­i­cal jour­nals. The in­ter­net mostly solved that prob­lem. Now the pub­lish­ers are the prob­lem. These days, Springer Nature, Elsevier, Wiley, and the like are ba­si­cally gi­ant op­er­a­tions that proof­read, for­mat, and store PDFs. That’s not noth­ing, but it’s pretty close to noth­ing.

No one knows how much pub­lish­ers make in re­turn for pro­vid­ing these mod­est ser­vices, but we can guess. In 2017, the Association of Research Libraries sur­veyed its 123 mem­ber in­sti­tu­tions and found they were pay­ing a col­lec­tive $1 bil­lion in jour­nal sub­scrip­tions every year. The ARL cov­ers some of the biggest uni­ver­si­ties, but not nearly all of them, so let’s guess that num­ber ac­counts for half of all uni­ver­sity sub­scrip­tion spend­ing. In 2023, the fed­eral gov­ern­ment es­ti­mated it paid nearly $380 mil­lion in ar­ti­cle pro­cess­ing charges alone, and those are sep­a­rate from sub­scrip­tions. So it would­n’t be crazy if American uni­ver­si­ties were pay­ing some­thing like $2.5 bil­lion to pub­lish­ers every year, with the ma­jor­ity of that ul­ti­mately com­ing from tax­pay­ers.

To put those costs in per­spec­tive: if the fed­eral gov­ern­ment cut out the pub­lish­ers, it would prob­a­bly save more money every year than it has “saved” in its re­cent at­tempts to cut off sci­en­tific fund­ing to uni­ver­si­ties. It’s un­clear how much money will ul­ti­mately be clawed back, as grants con­tinue to get frozen, un­frozen, lit­i­gated, and ne­go­ti­ated. But right now, it seems like ~$1.4 bil­lion in promised sci­ence fund­ing is sim­ply not go­ing to be paid out. We could save more than that every year if we just stopped writ­ing checks to John Wiley & Sons.

How can such a scam con­tinue to ex­ist? In large part, it’s be­cause of a com­puter hacker from Kazakhstan.

The po­lit­i­cal sci­en­tist James C. Scott once wrote that many sys­tems only “work” be­cause peo­ple dis­obey them. For in­stance, the Soviet Union at­tempted to im­pose agri­cul­tural reg­u­la­tions so strict that peo­ple would have starved if they fol­lowed the let­ter of the law. Instead, cit­i­zens grew and traded food in se­cret. This made it look like the reg­u­la­tions were suc­cess­ful, when in fact they were a sham.

Something sim­i­lar is hap­pen­ing right now in sci­ence, ex­cept Russia is on the op­po­site side of the story this time. In the early 2010s, a Kazakhstani com­puter pro­gram­mer named Alexandra Elbakyan started down­load­ing ar­ti­cles en masse and post­ing them pub­licly on a web­site called SciHub. The pub­lish­ers sued her, so she’s hid­ing out in Russia, which pro­tects her from ex­tra­di­tion. As you can see in the map be­low, mil­lions of peo­ple now use SciHub to ac­cess sci­en­tific ar­ti­cles, in­clud­ing lots of peo­ple who seem to work at uni­ver­si­ties:

Why would re­searchers re­sort to piracy when they have le­git­i­mate ac­cess them­selves? Maybe be­cause jour­nals’ in­ter­faces are so clunky and an­noy­ing that it’s faster to go straight to SciHub. Or maybe it’s be­cause those re­searchers don’t ac­tu­ally have ac­cess. Universities are al­ways try­ing to save money by can­cel­ing jour­nal sub­scrip­tions, so aca­d­e­mics of­ten have to rely on boot­leg copies. Either way, SciHub seems to be our mod­ern-day ver­sion of those Soviet se­cret gar­dens: for-profit pub­lish­ing only “works” be­cause peo­ple find ways to cir­cum­vent it.

In a punk rock kind of way, it’s kinda cool that so many American sci­en­tists can only do their work thanks to a data­base main­tained by a Russia-backed fugi­tive. But it ought to be a huge em­bar­rass­ment to the US gov­ern­ment.

Instead, for some rea­son, the gov­ern­ment in­sists on sid­ing with pub­lish­ers against cit­i­zens. Sixteen years ago, the US had its own Elbakyan. His name was Aaron Swartz. He down­loaded mil­lions of pay­walled jour­nal ar­ti­cles us­ing a con­nec­tion at MIT, pos­si­bly in­tend­ing to share them pub­licly. Government agents ar­rested him, charged him with wire fraud, and in­tended to fine him $1 mil­lion and im­prison him for 35 years. Instead, he killed him­self. He was 26.

Scientists have tried to take on the mid­dle­men them­selves. They’ve founded open-ac­cess jour­nals. They’ve pub­lished preprints. They’ve tried al­ter­na­tive ways of eval­u­at­ing re­search. A few high-pro­file pro­fes­sors have pub­licly and dra­mat­i­cally sworn off all “luxury” out­lets, and less-fa­mous folks have fol­lowed suit: in 2012, over 10,000 re­searchers signed a pledge not to pub­lish in any jour­nals owned by Elsevier.

None of this has worked. The biggest for-profit pub­lish­ers con­tinue mak­ing more money year af­ter year. “Diamond” open ac­cess jour­nals—that is, pub­li­ca­tions that don’t charge au­thors or read­ers—only ac­count for ~10% of all ar­ti­cles. Four years af­ter that mas­sive pledge, 38% of sign­ers had bro­ken their promise and pub­lished in an Elsevier jour­nal.

These ef­forts have fiz­zled be­cause this is­n’t a prob­lem that can be solved by any in­di­vid­ual, or even many in­di­vid­u­als. Academia is so cut­throat that any­one who right­eously gives up an ad­van­tage will be out­com­peted by some­one who has fewer scru­ples. What we have here is a col­lec­tive ac­tion prob­lem.

Fortunately, we have an or­ga­ni­za­tion that ex­ists for the ex­press pur­pose of solv­ing col­lec­tive ac­tion prob­lems. It’s called the gov­ern­ment. And as luck would have it, they’re also the one pay­ing most of the bills!

So the so­lu­tion here is straight­for­ward: every gov­ern­ment grant should stip­u­late that the re­search it sup­ports can’t be pub­lished in a for-profit jour­nal. That’s it! If the pub­lic paid for it, it should­n’t be pay­walled.

The Biden ad­min­is­tra­tion tried to do this, but they did it in a stu­pid way. They man­dated that NIH-funded re­search pa­pers have to be “open ac­cess”, which sounds like a so­lu­tion, but it’s ac­tu­ally a psyop. By re­plac­ing sub­scrip­tion fees with “article pro­cess­ing charges”, pub­lish­ers can sim­ply make au­thors pay for writ­ing in­stead of mak­ing read­ers pay for read­ing. The com­pa­nies can keep skim­ming money off the sys­tem, and best of all, they get to call the re­sult “open ac­cess”.

These fees can be wild. When my PhD ad­vi­sor and I pub­lished one of our pa­pers to­gether, the jour­nal charged us an “open ac­cess” fee of $12,000. This arrange­ment is a tiny bit bet­ter than the al­ter­na­tive, be­cause at least every­body can read our pa­per now, in­clud­ing peo­ple who aren’t af­fil­i­ated with a uni­ver­sity. But those fees still have to come from some­where, and whether you charge writ­ers or read­ers, you’re ul­ti­mately charg­ing the same ac­count—namely, the US gov­ern­ment.

The Trump ad­min­is­tra­tion some­how found a way to make a stu­pid pol­icy even stu­pider. They sped up the time­line while also fir­ing a bunch of NIH staffers—ex­actly the peo­ple who would make sure that gov­ern­ment-spon­sored pub­li­ca­tions are, in fact, pub­licly ac­ces­si­ble. And you need some­one to check on that, be­cause re­searchers are no­to­ri­ously bad about this kind of stuff. They’re al­ready re­quired to up­load the re­sults of clin­i­cal tri­als to a pub­lic data­base, but more than half the time they just…don’t.

To do this right, you can­not al­low the rent-seek­ers to re­brand. You have to cut them out en­tirely. I don’t think this will fix every­thing that’s wrong with sci­ence; it will merely fix the wrongest thing. Nonprofit jour­nals still charge fees, but at least the money goes to or­ga­ni­za­tions that os­ten­si­bly care about sci­ence, rather than go­ing to CEOs who make $17 mil­lion a year. And al­most every jour­nal, for-profit or not, uses the same failed sys­tem of peer re­view. The biggest ben­e­fit of shak­ing things up, then, would be al­low­ing dif­fer­ent ap­proaches to have a chance at life, the same way an oc­ca­sional for­est fire clears away the dead wood, opens up the pinecones, and gives seedlings a shot at the sun­light.

Science phil­an­thropies should adopt the same pol­icy, and some of them al­ready have. The Navigation Fund, which over­sees bil­lions of dol­lars in sci­en­tific fund­ing, no longer bankrolls jour­nal pub­li­ca­tions at all. Seemay Chou, its di­rec­tor, re­ports that the ex­per­i­ment has been a great suc­cess:

Our re­searchers be­gan de­sign­ing ex­per­i­ments dif­fer­ently from the start. They be­came more cre­ative and col­lab­o­ra­tive. The goal shifted from telling pol­ished sto­ries to un­cov­er­ing use­ful truths. All re­sults had value, such as failed at­tempts, aban­doned in­quiries, or untested ideas, which we fre­quently re­lease through Arcadia’s Icebox. The bar for util­ity went up, as prox­ies like im­pact fac­tors dis­ap­peared.

Fifteen years ago, the open sci­ence move­ment was all about abol­ish­ing for-profit jour­nals—that’s what open sci­ence meant. It seemed like every speech would end with “ELSEVIER DELENDA EST”.

Now peo­ple barely bring it up at all. It’s like a tiger has es­caped the zoo and it’s gulp­ing down school­child­ren, but when peo­ple sug­gest zoo im­prove­ments, all the agenda items are like, “We should add an­other Dippin’ Dots kiosk”. If you bring up the loose tiger, every­one gets an­noyed at you, like “Of course, no one likes the tiger”.

I think two things hap­pened. First, we got cyn­i­cal about cy­ber­space. In the 1990s and 2000s, we re­ally thought the in­ter­net would solve most of our prob­lems. When those prob­lems per­sisted de­spite all of us get­ting broad­band, we shifted to think­ing that the in­ter­net was, in fact, caus­ing the prob­lems. And so it be­came cringe to think the in­ter­net could ever be a force for good. In 1995, for-profit pub­lish­ers were go­ing to be “the in­ter­net’s first vic­tim”; in 2015, they were “the busi­ness the in­ter­net could not kill”.

Second, when the repli­ca­tion cri­sis hit in the early 2010s, the open sci­ence move­ment got a new vil­lain—namely, naughty re­searchers. The fak­ers, the fraud­sters, the over-claimers: those are the real bad boys of sci­ence. It’s no longer cool to hate in­ter­na­tional pub­lish­ing con­glom­er­ates. Now it’s cool to hate your col­leagues.

Both of these shifts were a shame. The in­ter­net utopi­ans were right that the web would elim­i­nate the need for jour­nals, but they were wrong to think that would be enough. The repli­ca­tion po­lice were right to call out sci­en­tific malfea­sance, but they were wrong to for­get our old foes. The for-profit pub­lish­ers are just as bad as they ever were, and while the in­ter­net has made them more vul­ner­a­ble then ever, now we know they won’t go un­less they’re pushed.

If we want bet­ter sci­ence, we should catch the tiger. Not only be­cause it’s bad for the tiger to be loose, but be­cause it’s bad for us to look the other way. If you al­low an out­ra­geous scam to go unchecked, if you par­tic­i­pate in it, nor­mal­ize it—then what won’t you do? Why not also goose your stats a bit? Why not pub­lish some junk re­search? Look around: no one cares!

There are so many prob­lems with our cur­rent way of do­ing things, and most of those prob­lems are com­pli­cated and dif­fi­cult to solve. This one is­n’t. Let’s heave this suc­cubus off our sci­en­tific sys­tem and end this scam once and for all. After that, Dippin’ Dots all around.

This is an Internet Standards Track doc­u­ment.¶

This doc­u­ment is a prod­uct of the Internet Engineering Task Force (IETF). It rep­re­sents the con­sen­sus of the IETF com­mu­nity. It has re­ceived pub­lic re­view and has been ap­proved for pub­li­ca­tion by the Internet Engineering Steering Group (IESG). Further in­for­ma­tion on Internet Standards is avail­able in Section 2 of RFC 7841.¶

Information about the cur­rent sta­tus of this doc­u­ment, any er­rata, and how to pro­vide feed­back on it may be ob­tained at https://​www.rfc-ed­i­tor.org/​info/​rfc9849.¶

Copyright (c) 2026 IETF Trust and the per­sons iden­ti­fied as the doc­u­ment au­thors. All rights re­served.¶

This doc­u­ment is sub­ject to BCP 78 and the IETF Trust’s Legal Provisions Relating to IETF Documents (https://​trustee.ietf.org/​li­cense-info) in ef­fect on the date of pub­li­ca­tion of this doc­u­ment. Please re­view these doc­u­ments care­fully, as they de­scribe your rights and re­stric­tions with re­spect to this doc­u­ment. Code Components ex­tracted from this doc­u­ment must in­clude Revised BSD License text as de­scribed in Section 4.e of the Trust Legal Provisions and are pro­vided with­out war­ranty as de­scribed in the Revised BSD License.¶

Although TLS 1.3 [RFC8446] en­crypts most of the hand­shake, in­clud­ing the server cer­tifi­cate, there are sev­eral ways in which an on-path at­tacker can learn pri­vate in­for­ma­tion about the con­nec­tion. The plain­text Server Name Indication (SNI) ex­ten­sion in ClientHello mes­sages, which leaks the tar­get do­main for a given con­nec­tion, is per­haps the most sen­si­tive in­for­ma­tion left un­en­crypted in TLS 1.3.¶

This doc­u­ment spec­i­fies a new TLS ex­ten­sion called Encrypted Client Hello (ECH) that al­lows clients to en­crypt their ClientHello to the TLS server. This pro­tects the SNI and other po­ten­tially sen­si­tive fields, such as the Application-Layer Protocol Negotiation (ALPN) list

[RFC7301]. Co-located servers with con­sis­tent ex­ter­nally vis­i­ble TLS con­fig­u­ra­tions and be­hav­ior, in­clud­ing sup­ported ver­sions and ci­pher suites and how they re­spond to in­com­ing client con­nec­tions, form an anonymity set. (Note that im­ple­men­ta­tion-spe­cific choices, such as ex­ten­sion or­der­ing within TLS mes­sages or di­vi­sion of data into record-layer bound­aries, can re­sult in dif­fer­ent ex­ter­nally vis­i­ble be­hav­ior, even for servers with con­sis­tent TLS con­fig­u­ra­tions.) Usage of this mech­a­nism re­veals that a client is con­nect­ing to a par­tic­u­lar ser­vice provider, but does not re­veal which server from the anonymity set ter­mi­nates the con­nec­tion. Deployment im­pli­ca­tions of this fea­ture are dis­cussed in Section 8.¶

ECH is not in it­self suf­fi­cient to pro­tect the iden­tity of the server. The tar­get do­main may also be vis­i­ble through other chan­nels, such as plain­text client DNS queries or vis­i­ble server IP ad­dresses. However, en­crypted DNS mech­a­nisms such as DNS over HTTPS [RFC8484], DNS over TLS/DTLS [RFC7858] [RFC8094], and DNS over QUIC [RFC9250]

pro­vide mech­a­nisms for clients to con­ceal DNS lookups from net­work in­spec­tion, and many TLS servers host mul­ti­ple do­mains on the same IP ad­dress. Private ori­gins may also be de­ployed be­hind a com­mon provider, such as a re­verse proxy. In such en­vi­ron­ments, the SNI re­mains the pri­mary ex­plicit sig­nal avail­able to ob­servers to de­ter­mine the server’s iden­tity.¶

ECH is sup­ported in TLS 1.3 [RFC8446], DTLS 1.3 [RFC9147], and newer ver­sions of the TLS and DTLS pro­to­cols.¶

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this doc­u­ment are to be in­ter­preted as de­scribed in BCP 14 [RFC2119] [RFC8174]

when, and only when, they ap­pear in all cap­i­tals, as shown here. All TLS no­ta­tion comes from [RFC8446], Section 3.¶

This pro­to­col is de­signed to op­er­ate in one of two topolo­gies il­lus­trated be­low, which we call “Shared Mode” and “Split Mode”. These modes are de­scribed in the fol­low­ing sec­tion.¶

A client-fac­ing server en­ables ECH by pub­lish­ing an ECH con­fig­u­ra­tion, which is an en­cryp­tion pub­lic key and as­so­ci­ated meta­data. Domains which wish to use ECH must pub­lish this con­fig­u­ra­tion, us­ing the key as­so­ci­ated with the client-fac­ing server. This doc­u­ment de­fines the ECH con­fig­u­ra­tion’s for­mat, but del­e­gates DNS pub­li­ca­tion de­tails to [RFC9460]. See

[RFC9848] for specifics about how ECH con­fig­u­ra­tions are ad­ver­tised in SVCB and HTTPS records. Other de­liv­ery mech­a­nisms are also pos­si­ble. For ex­am­ple, the client may have the ECH con­fig­u­ra­tion pre­con­fig­ured.¶

When a client wants to es­tab­lish a TLS ses­sion with some back­end server, it con­structs a pri­vate ClientHello, re­ferred to as the ClientHelloInner. The client then con­structs a pub­lic ClientHello, re­ferred to as the

ClientHelloOuter. The ClientHelloOuter con­tains in­nocu­ous val­ues for sen­si­tive ex­ten­sions and an “encrypted_client_hello” ex­ten­sion (Section 5), which car­ries the en­crypted ClientHelloInner. Finally, the client sends ClientHelloOuter to the server.¶

The server takes one of the fol­low­ing ac­tions:¶

If it does not sup­port ECH or can­not de­crypt the ex­ten­sion, it com­pletes the hand­shake with ClientHelloOuter. This is re­ferred to as re­ject­ing ECH.¶

If it suc­cess­fully de­crypts the ex­ten­sion, it for­wards the ClientHelloInner

to the back­end server, which com­pletes the hand­shake. This is re­ferred to as ac­cept­ing ECH.¶

Upon re­ceiv­ing the server’s re­sponse, the client de­ter­mines whether or not ECH was ac­cepted (Section 6.1.4) and pro­ceeds with the hand­shake ac­cord­ingly. When ECH is re­jected, the re­sult­ing con­nec­tion is not us­able by the client for ap­pli­ca­tion data. Instead, ECH re­jec­tion al­lows the client to retry with up-to-date con­fig­u­ra­tion (Section 6.1.6).¶

The pri­mary goal of ECH is to en­sure that con­nec­tions to servers in the same anonymity set are in­dis­tin­guish­able from one an­other. Moreover, it should achieve this goal with­out af­fect­ing any ex­ist­ing se­cu­rity prop­er­ties of TLS 1.3. See Section 10.1 for more de­tails about the ECH se­cu­rity and pri­vacy goals.¶

ECH uses Hybrid Public Key Encryption (HPKE) for pub­lic key en­cryp­tion [HPKE]. The ECH con­fig­u­ra­tion is de­fined by the fol­low­ing ECHConfig struc­ture.¶

The struc­ture con­tains the fol­low­ing fields:¶

The ECHConfigContents struc­ture con­tains the fol­low­ing fields:¶

The HpkeKeyConfig struc­ture con­tains the fol­low­ing fields:¶

The client-fac­ing server ad­ver­tises a se­quence of ECH con­fig­u­ra­tions to clients, se­ri­al­ized as fol­lows.¶

The ECHConfigList struc­ture con­tains one or more ECHConfig struc­tures in de­creas­ing or­der of pref­er­ence. This al­lows a server to sup­port mul­ti­ple ver­sions of ECH and mul­ti­ple sets of ECH pa­ra­me­ters.¶

To of­fer ECH, the client sends an “encrypted_client_hello” ex­ten­sion in the

ClientHelloOuter. When it does, it MUST also send the ex­ten­sion in

ClientHelloInner.¶

The pay­load of the ex­ten­sion has the fol­low­ing struc­ture:¶

The outer ex­ten­sion uses the outer vari­ant and the in­ner ex­ten­sion uses the

in­ner vari­ant. The in­ner ex­ten­sion has an empty pay­load, which is in­cluded be­cause TLS servers are not al­lowed to pro­vide ex­ten­sions in ServerHello which were not in­cluded in ClientHello. The outer ex­ten­sion has the fol­low­ing fields:¶

When a client of­fers the outer ver­sion of an “encrypted_client_hello” ex­ten­sion, the server MAY in­clude an “encrypted_client_hello” ex­ten­sion in its EncryptedExtensions mes­sage, as de­scribed in Section 7.1, with the fol­low­ing pay­load:¶

The re­sponse is valid only when the server used the ClientHelloOuter. If the server sent this ex­ten­sion in re­sponse to the in­ner vari­ant, then the client

MUST abort with an “unsupported_extension” alert.¶

Finally, when the client of­fers the “encrypted_client_hello”, if the pay­load is the in­ner vari­ant and the server re­sponds with HelloRetryRequest, it MUST

in­clude an “encrypted_client_hello” ex­ten­sion with the fol­low­ing pay­load:¶

The value of ECHHelloRetryRequest.confirmation is set to

hrr_ac­cep­t_­con­fir­ma­tion as de­scribed in Section 7.2.1.¶

This doc­u­ment also de­fines the “ech_required” alert, which the client MUST send when it of­fered an “encrypted_client_hello” ex­ten­sion that was not ac­cepted by the server. (See Section 11.2.)¶

Clients that im­ple­ment the ECH ex­ten­sion be­have in one of two ways: ei­ther they of­fer a real ECH ex­ten­sion, as de­scribed in Section 6.1, or they send a Generate Random Extensions And Sustain Extensibility (GREASE) [RFC8701]

ECH ex­ten­sion, as de­scribed in Section 6.2. The client of­fers ECH if it is in pos­ses­sion of a com­pat­i­ble ECH con­fig­u­ra­tion and sends GREASE ECH (see Section 6.2) oth­er­wise. Clients of the lat­ter type do not ne­go­ti­ate ECH; in­stead, they gen­er­ate a dummy ECH ex­ten­sion that is ig­nored by the server. (See Section 10.10.4 for an ex­pla­na­tion.) It is also pos­si­ble for clients to al­ways send GREASE ECH with­out im­ple­ment­ing the re­main­der of this spec­i­fi­ca­tion.¶

As de­scribed in Section 3.1, servers can play two roles, ei­ther as the client-fac­ing server or as the back­end server. Depending on the server role, the ECHClientHello will be dif­fer­ent:¶

A client-fac­ing server ex­pects an ECHClientHello.type of outer, and pro­ceeds as de­scribed in Section 7.1 to ex­tract a

ClientHelloInner, if avail­able.¶

A back­end server ex­pects an ECHClientHello.type of in­ner, and pro­ceeds as de­scribed in Section 7.2.¶

If ECHClientHello.type is not a valid ECHClientHelloType, then the server MUST abort with an “illegal_parameter” alert.¶

In split mode, a client-fac­ing server which re­ceives a ClientHello

with ECHClientHello.type of in­ner MUST abort with an “illegal_parameter” alert. Similarly, in split mode, a back­end server which re­ceives a ClientHello with ECHClientHello.type of outer

MUST abort with an “illegal_parameter” alert.¶

In shared mode, a server plays both roles, first de­crypt­ing the

ClientHelloOuter and then us­ing the con­tents of the

ClientHelloInner. A shared mode server which re­ceives a

ClientHello with ECHClientHello.type of in­ner MUST abort with an “illegal_parameter” alert, be­cause such a ClientHello should never be re­ceived di­rectly from the net­work.¶

If the “encrypted_client_hello” is not pre­sent, then the server com­pletes the hand­shake nor­mally, as de­scribed in [RFC8446].¶

The de­sign of ECH as spec­i­fied in this doc­u­ment nec­es­sar­ily re­quires changes to client, client-fac­ing server, and back­end server. Coordination be­tween client-fac­ing and back­end server re­quires care, as de­ploy­ment mis­takes can lead to com­pat­i­bil­ity is­sues. These are dis­cussed in Section 8.1.¶

Beyond co­or­di­na­tion dif­fi­cul­ties, ECH de­ploy­ments may also cre­ate chal­lenges for uses of in­for­ma­tion that ECH pro­tects. In par­tic­u­lar, use cases which de­pend on this un­en­crypted in­for­ma­tion may no longer work as de­sired. This is elab­o­rated upon in Section 8.2.¶

In the ab­sence of an ap­pli­ca­tion pro­file stan­dard spec­i­fy­ing oth­er­wise, a com­pli­ant ECH ap­pli­ca­tion MUST im­ple­ment the fol­low­ing HPKE ci­pher suite:¶

This sec­tion con­tains se­cu­rity con­sid­er­a­tions for ECH.¶

ECH con­sid­ers two types of at­tack­ers: pas­sive and ac­tive. Passive at­tack­ers can read pack­ets from the net­work, but they can­not per­form any sort of ac­tive be­hav­ior such as prob­ing servers or query­ing DNS. A mid­dle­box that fil­ters based on plain­text packet con­tents is one ex­am­ple of a pas­sive at­tacker. In con­trast, ac­tive at­tack­ers can also write pack­ets into the net­work for ma­li­cious pur­poses, such as in­ter­fer­ing with ex­ist­ing con­nec­tions, prob­ing servers, and query­ing DNS. In short, an ac­tive at­tacker cor­re­sponds to the con­ven­tional threat model

[RFC3552] for TLS 1.3 [RFC8446].¶

Passive and ac­tive at­tack­ers can ex­ist any­where in the net­work, in­clud­ing be­tween the client and client-fac­ing server, as well as be­tween the client-fac­ing and back­end servers when run­ning ECH in split mode. However, for split mode in par­tic­u­lar, ECH makes two ad­di­tional as­sump­tions:¶

The chan­nel be­tween each client-fac­ing and each back­end server is au­then­ti­cated such that the back­end server only ac­cepts mes­sages from trusted client-fac­ing servers. The ex­act mech­a­nism for es­tab­lish­ing this au­then­ti­cated chan­nel is out of scope for this doc­u­ment.¶

The at­tacker can­not cor­re­late mes­sages be­tween a client and client-fac­ing server with mes­sages be­tween client-fac­ing and back­end server. Such cor­re­la­tion could al­low an at­tacker to link in­for­ma­tion unique to a back­end server, such as their server name or IP ad­dress, with a clien­t’s en­crypted ClientHelloInner. Correlation could oc­cur through tim­ing analy­sis of mes­sages across the client-fac­ing server, or via ex­am­in­ing the con­tents of mes­sages sent be­tween client-fac­ing and back­end servers. The ex­act mech­a­nism for pre­vent­ing this sort of cor­re­la­tion is out of scope for this doc­u­ment.¶

Given this threat model, the pri­mary goals of ECH are as fol­lows.¶

Security preser­va­tion. Use of ECH does not weaken the se­cu­rity prop­er­ties of TLS with­out ECH.¶

Handshake pri­vacy. TLS con­nec­tion es­tab­lish­ment to a server name within an anonymity set is in­dis­tin­guish­able from a con­nec­tion to any other server name within the anonymity set. (The anonymity set is de­fined in Section 1.)¶

Downgrade re­sis­tance. An at­tacker can­not down­grade a con­nec­tion that at­tempts to use ECH to one that does not use ECH.¶

These prop­er­ties were for­mally proven in [ECH-Analysis].¶

With re­gards to hand­shake pri­vacy, client-fac­ing server con­fig­u­ra­tion de­ter­mines the size of the anonymity set. For ex­am­ple, if a client-fac­ing server uses dis­tinct ECHConfig val­ues for each server name, then each anonymity set has size k = 1. Client-facing servers

SHOULD de­ploy ECH in such a way so as to max­i­mize the size of the anonymity set where pos­si­ble. This means client-fac­ing servers should use the same ECHConfig for as many server names as pos­si­ble. An at­tacker can dis­tin­guish two server names that have dif­fer­ent

ECHConfig val­ues based on the ECHClientHello.config_id value.¶

This also means pub­lic in­for­ma­tion in a TLS hand­shake should be con­sis­tent across server names. For ex­am­ple, if a client-fac­ing server ser­vices many back­end ori­gin server names, only one of which sup­ports some ci­pher suite, it may be pos­si­ble to iden­tify that server name based on the con­tents of the un­en­crypted hand­shake mes­sage. Similarly, if a back­end ori­gin reuses KeyShare val­ues, then that pro­vides a unique iden­ti­fier for that server.¶

Beyond these pri­mary se­cu­rity and pri­vacy goals, ECH also aims to hide, to some ex­tent, the fact that it is be­ing used at all. Specifically, the GREASE ECH ex­ten­sion de­scribed in Section 6.2 does not change the se­cu­rity prop­er­ties of the TLS hand­shake at all. Its goal is to pro­vide “cover” for the real ECH pro­to­col (Section 6.1), as a means of ad­dress­ing the “do not stick out” re­quire­ments of [RFC8744]. See Section 10.10.4 for de­tails.¶

The fol­low­ing pro­ce­dure processes the “ech_outer_extensions” ex­ten­sion (see

Section 5.1) in lin­ear time, en­sur­ing that each ref­er­enced ex­ten­sion in the ClientHelloOuter is in­cluded at most once:¶

Let I be ini­tial­ized to zero and N be set to the num­ber of ex­ten­sions in ClientHelloOuter.¶

For each ex­ten­sion type, E, in OuterExtensions:¶

If E is “encrypted_client_hello”, abort the con­nec­tion with an “illegal_parameter” alert and ter­mi­nate this pro­ce­dure.¶

While I is less than N and the I-th ex­ten­sion of

ClientHelloOuter does not have type E, in­cre­ment I.¶

If I is equal to N, abort the con­nec­tion with an “illegal_parameter” alert and ter­mi­nate this pro­ce­dure.¶

Otherwise, the I-th ex­ten­sion of ClientHelloOuter has type E. Copy it to the EncodedClientHelloInner and in­cre­ment I.¶

This doc­u­ment draws ex­ten­sively from ideas in [PROTECTED-SNI], but is a much more lim­ited mech­a­nism be­cause it de­pends on the DNS for the pro­tec­tion of the ECH key. , , ,

, , , and also pro­vided im­por­tant ideas and con­tri­bu­tions.¶

On a fresh in­stal­la­tion of Firefox on MacOS, right-click­ing an im­age while some text on the page is high­lighted (to show as many but­tons as pos­si­ble) looks like so:

To be blunt: holy fuck­ing shit, what the fuck is all of this shit? 26 rows of which 2 are greyed-out (aka: fuck­ing use­less), 7 di­viders, 2 sub­menus; be­cause a sin­gle row for “Ask an AI Chatbot” was­n’t enough, they just had to make an­other sub­menu. Amazing.

The “Inspect Accessibility Properties” but­ton was added be­cause I opened the DevTools (Inspector) once. It’s not ob­vi­ous how to ac­tu­ally dis­able it ever again. Why am I shown “Copy Clean Link” if there is no clean link (or the link is al­ready clean)? The same goes for “Copy Clean Link to Highlight”. Why can’t I make it so it al­ways de­faults to the “clean link” no mat­ter what (and get rid of “Copy Link” com­pletely, in­stead)? “Ask an AI Chatbot”? No, fuck you.

The rest? Completely use­less. Thanks for show­ing me every fea­ture you’ve ever shipped, with no au­thor­i­ta­tive se­lec­tion of what users ac­tu­ally care about — and mak­ing it com­pletely non-ob­vi­ous how to dis­able the use­less shit here.

Enough vent­ing, let’s clean this all up. The fol­low­ing set­tings in about:con­fig can be used to dis­able a ton of these use­less right-click menu but­tons. Note, some of them ac­tu­ally dis­able other func­tion­al­ity, so choose wisely. We can set the fol­low­ing to false:

* browser.trans­la­tions.se­lect.en­able — Removes the “Translate Selection” but­ton from the right-click menu.

* screen­shots.browser.com­po­nent.en­abled — Disables the built-in Firefox screen­shot func­tion­al­ity, which also re­moves the “Take Screenshot” but­ton.

* dom.tex­t_frag­ments.en­abled — Disables Text Fragments sup­port, which also re­moves the “Copy Link to Highlight” but­ton (and dis­ables the auto-fo­cus on URLs that in­clude #:~:text=…).

* de­v­tools.ac­ces­si­bil­ity.en­abled — Disables the DevTools Accessibility Inspector and re­moves the “Inspect Accessibility Properties” but­ton.

* browser.ml.linkPre­view.en­abled — Disables Link Previews (and the AI-generated key points in­side them), re­mov­ing “Preview Link” but­ton.

* dom.text-recog­ni­tion.en­abled — Disables OCR on im­ages, re­mov­ing the “Copy Text From Image” but­ton.

* ex­ten­sions.for­maut­ofill.ad­dresses.en­abled — Disables ad­dress aut­ofill and the as­so­ci­ated menu/​but­ton that some­times ap­pears in forms.

* ex­ten­sions.for­maut­ofill.cred­it­Cards.en­abled — Disables credit card/​pay­ment method aut­ofill and re­moves the as­so­ci­ated menu/​but­ton that some­times ap­pears in forms.

* wid­get.ma­cos.na­tive-con­text-menus — Turns off na­tive ma­cOS con­text menus so Firefox uses its own menus. This re­moves the “Services” but­ton.

* print.en­abled — Completely dis­ables Firefox’ print­ing UI and ca­pa­bil­i­ties, which also re­moves the “Print” and “Print Selection…” but­tons.

How do we look now?

Great, much bet­ter, we’re down from 26 but­tons to just 15. Here’s what it looks like when you right-click on a page and when you right-click a link:

We still have the fol­low­ing use­less but­tons though:

Why do all of the above have …? (edit: ac­cord­ing to this, “it means that more in­for­ma­tion is re­quired to com­plete the task (e.g. re­quest­ing the file­name for sav­ing a file)”. But the real bad news is that we can’t get rid of these things by sim­ply tog­gling some op­tion in about:con­fig.

We also have these when we right-click in a form:

Despite the browser only be­ing used in one lan­guage, there is no way to get rid of the “Languages” menu there. It’s pos­si­ble to get rid of “Check Spelling” by com­pletely dis­abling spellcheck, but that’s a use­ful fea­ture for me, so I don’t.

Those re­main­ing use­less but­tons can only be re­moved by cre­at­ing a cus­tom user­Chrome.css. I’ll cover how to do that in my next post.

For what it’s worth, it is nice that these but­tons can be en­abled/​dis­abled, and user­Chrome.css is cool. But at the same time, imag­ine be­ing a com­pletely new Firefox user, who has zero use for any of this? How are they sup­posed to fig­ure out how to do all of this? It took me a sig­nif­i­cant amount of time to find those set­tings to dis­able (and some of them are hacks, like dis­abling print.en­abled). Maybe Firefox should im­ple­ment some­thing sim­i­lar to their “Customize Toolbar”, which makes it easy to plug & play each of the right-click but­tons. “PRs wel­come” as they say, I sup­pose.