from the how-dare-anyone-lie-to-congress dept.
Arthur T Knackerbracket has found the following story:
Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome.
The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies."
DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.
"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote.
(Score: 2) by tangomargarine on Monday November 04 2019, @08:41PM (10 children)
I have to imagine that the politicians know on some level that when they asked for ISP opinions on the thing, whatever the ISPs told them would be self-serving bullshit that wouldn't be helpful. As a regulator, when you ask the people you're regulating what they want, obviously their answer will be "less regulation, and also maybe some free money while you're at it."
But of course the assumption is that the politiweasels actually care that they're being lied to.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2, Funny) by fustakrakich on Monday November 04 2019, @09:00PM (5 children)
But of course the assumption is that the politiweasels actually care that they're being lied to.
Quid pro quo is not just for presidents, you know. It is the lubricating gel. Without it, the process is very painful.
Politics and criminals are the same thing.
(Score: 2) by tangomargarine on Monday November 04 2019, @09:21PM (4 children)
The process of raping the customer shouldn't be easy to do.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 1) by fustakrakich on Monday November 04 2019, @09:26PM (3 children)
The customer has to say no.
Politics and criminals are the same thing.
(Score: 3, Insightful) by tangomargarine on Monday November 04 2019, @09:53PM (1 child)
I'm going to continue this analogy with, statutory rape is a thing where you're not legally allowed to say "yes" regardless.
When there's only one option for ISPs in your area...
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0, Offtopic) by fustakrakich on Monday November 04 2019, @10:01PM
endthebacklog [endthebacklog.org] [really is on topic]
Politics and criminals are the same thing.
(Score: 3, Insightful) by DannyB on Monday November 04 2019, @10:17PM
When the customer says "no" or gives any type of feedback, that constitutes what is known as "consent".
What doesn't kill me makes me weaker for next time.
(Score: 2) by nobu_the_bard on Monday November 04 2019, @10:21PM (2 children)
It's possible this is true of some, but also possible they genuinely don't know better and aren't incentivized enough to care. I have encountered politicians who did the equivalent of a wiki walk after I discussed some security topic with them when they realized how much they'd underestimated the complexity of the situation.
I'm aware many people would prefer to assume the worst, and I'm certain it's true at times, but if you're in a position to let your elected officials know about this concern, you aren't likely to be worse off for doing it at the least.
(Score: 1) by fustakrakich on Monday November 04 2019, @10:44PM (1 child)
Comparatively speaking, American politicians are relatively responsive to demands from the voters. It just requires massive numbers of them, enough to put reelection at risk.
Politics and criminals are the same thing.
(Score: 2) by tangomargarine on Tuesday November 05 2019, @05:10PM
What was that one quote from Churchill, "Always trust America to do the right thing...after they've exhausted all other options"?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Runaway1956 on Tuesday November 05 2019, @01:25AM
Any honest congress critter would have to assume that everything he heard was bullshit, to greater and lesser degrees. The hard part is filtering the yummy chunks from the liquid dross. Or, you can just let the chickens work it over.
(Score: 5, Insightful) by Anonymous Coward on Monday November 04 2019, @08:59PM (7 children)
Placing fixed DNS over HTTPS, so that even local control of DNS is blocked, is bad.
My firewall has black-holed over 17,000 domains protecting my network; now Firefox and Chrome are going to blow right through them, vs honoring local DNS first.
What about local machines on my network, that I want to be found? They are not in this bypassed DoH.
Same goes for my company.
This is a similar complaint in England, where ISPs are required by law to block websites. Mozilla is putting out an English version to allow that.
DoH cannot be set on by default, that just means GOOGLE and Cloudflare are getting to monetize the DNS business.
POLITICS ARE ALL LIES AND HALF TRUTHS. Even from the truth-tellers.
(Score: 3, Disagree) by exaeta on Monday November 04 2019, @09:12PM (5 children)
The Government is a Bird
(Score: 2, Funny) by fustakrakich on Monday November 04 2019, @09:41PM
DNS over HTTP is a fine mechanism to circumvent organizational wiretapping of DNS queries. I fully support DNS over HTTPS.
Normally I would agree, but Cloudflare? Eventually the ISP's owners will buy them, and then who has all that DNS info?
And this whole HTTPS thing is a joke also. The certs aren't worth the paper they're printed on.
Politics and criminals are the same thing.
(Score: 5, Insightful) by maxwell demon on Monday November 04 2019, @09:59PM (3 children)
The problem isn't exactly that DNS is checked over HTTPS, the problem is that this decision is made on the browser level.
I would have absolutely no problem with a program you install at your computer that makes all the DNS lookups on that computer go through HTTPS. I do have a problem with the browser not using the computer's configured DNS, whatever that is.
And no, it doesn't break just enterprise setups. It breaks every single home router whose web interface is accessed through a local domain name.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Monday November 04 2019, @11:15PM
"A program" which a regular user would not even know about, let alone be able to properly configure, will be used only by a tiny minority. As a consequence, any action against that program, the protocol, and its users, will go through unopposed. Which rather defeats the whole purpose.
A common browser (Chrome) using a common protocol (HTTPS) to a common endpoint (Cloudflare), on the other hand, is where breaking it is "breaking the Internet" for the masses, which isn't yet commonly done. A separate program like you want could well exist alongside it, and hide in the noise; but its attempting to stand alone will be the very essence of pointless.
(Score: 3, Informative) by exaeta on Tuesday November 05 2019, @04:33PM (1 child)
The Government is a Bird
(Score: 2) by maxwell demon on Tuesday November 05 2019, @05:52PM
Then configure your computer to fetch the DNS from elsewhere. Over HTTPS, from Google, from your friend's private DNS server, it doesn't matter. The point is, the browser is the wrong place for that. Probably you don't even have to do that at your computer; you can configure your home router to use a different DNS server, which will distribute that setting through DHCP.
If I open a page from Firefox, I want to get the IP from the same place as when I use wget. Or links.
And if I make an entry in my hosts file, I want the browser to honour that, too.
What about users of Pi-hole? [wikipedia.org] I'm sure they'll not be amused if all the ads (and possibly malware) suddenly start coming through again, just because the browser no longer honours the settings of the computer.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by RamiK on Tuesday November 05 2019, @03:53AM
You have full control over it as a user wanting to switch providers or simply disable it or as an admin wanting to reroute DNS requests to their own enterprise server: https://support.mozilla.org/en-US/kb/firefox-dns-over-https [mozilla.org]
DoH has other issues regarding performance and anonymity... But the former is marginal while the latter is yet to be proven and is mostly a theoretical concern relating to piracy content that we can simply wait until it makes it to court before reconsidering.
compiling...
(Score: 2) by exaeta on Monday November 04 2019, @09:01PM (1 child)
The Government is a Bird
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @05:52AM
because Moscow Mitch is breaking government for a decade.
(Score: 2) by SomeGuy on Monday November 04 2019, @09:23PM (3 children)
Don't forget that ISPs want to be able to redirect not-found domains to advertising.
Of course, I'm sure these DNS over HTTPS providers will want to do that eventually to.
(Score: 2) by NotSanguine on Monday November 04 2019, @11:27PM
Neither of my ISPs (Spectrum, Megapath) do that (yet). In fact, advertising isn't how my ISPs make their money (as scummy and rent-seeking as they are).
So I should cede my own control of DNS resolution to a company whose entire business model rests on expanding advertising?
That seems like an odd solution to this issue. Please do expand upon your thoughts. Perhaps I'm missing something.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by Runaway1956 on Tuesday November 05 2019, @01:30AM (1 child)
The "default" DoH is 1.1.1.1. I don't see them doing advertising, but they do keep statistics. Given a choice between advertising and statistics, I think I'd rather see the advertising. Better to look up the list of DoH providers, and pick one of them at random, or pick one based on your preferred criteria.
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @06:25PM
You will not be given such a choice. Statistics will always be kept, even if they say they won't. Especially if they say they won't.
(Score: 3, Insightful) by The Mighty Buzzard on Monday November 04 2019, @09:39PM (1 child)
Fair's fair. Congress lies to America all the time.
My rights don't end where your fear begins.
(Score: 2, Insightful) by fustakrakich on Monday November 04 2019, @09:45PM
If they want to win reelection, they have to. Let's not wag the dog.
Politics and criminals are the same thing.
(Score: 3, Insightful) by Anonymous Coward on Monday November 04 2019, @10:01PM (1 child)
The cognitive dissonance at Mozilla is pretty intense. If Mozilla truly cared about user privacy they would not be consistently and actively working against it.
Here are some things that come to mind, in no particular order (and I've probably missed a lot).
The list is ever-expanding with almost every new Firefox revision. Disabling these behaviours is often nontrivial; typically you need to find some obtusely-named about:config option to set, one at a time. Then if you install a new version of Firefox you probably have to go through this all over again because some new "feature" has been added that transmits information to third parties on the internet. And by default, Firefox will overwrite itself with new code provided by Mozilla whenever Mozilla wants it to.
These are not the actions of an organization that gives a shit about your privacy.
Lastly, no list like this is complete without mentioning the fact that automatically downloading and executing third party javascript code is pretty much game over for user privacy, but I won't hold that against Mozilla in this case because unfortunately that behaviour is pretty much the definition of a "web browser" at this point.
(Score: 1) by zion-fueled on Tuesday November 05 2019, @02:33AM
Yes, which is why you can't use firefox-firefox anymore. This has been true for some time. First I used Cyberfox and now waterfox. Chrome can be handled via the ungoogled version.
Using the default browsers is crazy and even with your list, firefox is the nice guy.
(Score: 3, Informative) by takyon on Monday November 04 2019, @10:03PM
Google adds temporary flag to Chrome to allow FTP protocol [ghacks.net]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by NotSanguine on Monday November 04 2019, @10:22PM (4 children)
No thank you.
From TFS:
There. FTFY.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Monday November 04 2019, @10:58PM (3 children)
whom to allow and whom to forbid spying on its users. Not for a censor-in-the-middle, however much you personally love bondage and discipline.
(Score: 4, Insightful) by NotSanguine on Monday November 04 2019, @11:19PM (2 children)
Where did I say anything different? I own all the systems in my home and *I* choose to use a PiHole (and other mechanisms) to block/retard the ability of folks to track/serve ads to those systems.
What's more, *I* decide which DNS servers are used to resolve queries for me.
What was it you were blathering on about? I'm not clear what your beef is with DNSBLs [wikipedia.org], or why you think that Google (Chrome), Mozilla (Firefox) or anyone else should be able to decide which DNS servers are used to resolve names on *my* systems.
Please do expand upon this. I'm eager to hear how ceding my ability to control my own network traffic is somehow a desire to be abused.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 1) by zion-fueled on Tuesday November 05 2019, @02:36AM
I mean, you're right. DoH will take over from dnscrypt, which is using servers I set. If one has to run nothing, it's nice as an option, but taking my system over by default is not cool.
(Score: 2) by NotSanguine on Tuesday November 05 2019, @04:05AM
Grrr!
That should have read:
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Insightful) by Anonymous Coward on Monday November 04 2019, @10:29PM (11 children)
I get tired of government criticizing Google/Facebook/Twitter all the time when the real villains here are ISPs, Cable companies, Cell phone carriers that keep merging, Hollywood, and old media.
(Score: 1, Insightful) by Anonymous Coward on Monday November 04 2019, @10:52PM (10 children)
There. FTFY.
(Score: 1) by fustakrakich on Monday November 04 2019, @10:56PM (9 children)
Don't stop beating on Google/Facebook/Twitter
Why? Can they block access to anything?
Politics and criminals are the same thing.
(Score: 0) by Anonymous Coward on Monday November 04 2019, @11:20PM (7 children)
They do so thousands of times every day.
You just haven't been paying attention. Which is probably why you have the political ideas of a nine year-old.
(Score: 1) by fustakrakich on Tuesday November 05 2019, @02:58AM (6 children)
They do so thousands of times every day.
Where? They have no influence on my connection. They do on yours?
Politics and criminals are the same thing.
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @03:33AM (3 children)
Wow! You are thick, aren't you?
Search engine results returned (or not), items added (or not) to your feeds.
Pervasive tracking of your browsing habits impacting which ads are (not) shown.
No, they aren't *directly* blocking access to specific sites, but then, neither are ISPs, at least not any that I deal with -- does yours? Which one is it? What sites do they block?
You're (as usual) talking out of your ass and it smells that way too.
(Score: 0, Flamebait) by fustakrakich on Tuesday November 05 2019, @07:07AM (2 children)
Google/Facebook/Twitter cannot control access like the ISP can. And in various countries the ISPs do block access. Nobody else has that kind of power.
You can block the ads if you find them offensive.
Your anger is misdirected.
And what's you doin' smellin' my ass??!
Politics and criminals are the same thing.
(Score: 0, Informative) by Anonymous Coward on Tuesday November 05 2019, @07:33AM
And of course the moderator wants to be an asshole too... Carrying some kind of grudge. I guess it can't be helped. Cowards
(Score: 0) by Anonymous Coward on Thursday November 07 2019, @10:12PM
Not angry at you. Just amused at your naivete and ignorance.
Your posts are usually good for a laugh at your expense. Carry on!
(Score: 3, Interesting) by maxwell demon on Tuesday November 05 2019, @06:15PM (1 child)
Please tell me, how many sites you visited today use Google Analytics? How many use Google Adsense? How many use Google Tag Manager? How many use googleapis?
Note that all those fetch directly from Google servers. It allows Google to collect data on you. But in principle, it also allows Google to inject arbitrary malicious code. You may say Google doesn't do that, but can you say for sure it never will? Or that it indeed doesn't do that already on selected targets? Consider in particular those sites which load all their content over JavaScript. And now consider that they also load JavaScript from Google. That JavaScript can arbitrarily modify the site's JavaScript in your browser, and nobody will see it except by analysing the JavaScript you received. And yes, that's the JavaScript you received, as it is well technically possible to serve different JavaScript to different people.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2, Interesting) by fustakrakich on Tuesday November 05 2019, @06:36PM
Please tell me, how many sites you visited today use Google Analytics?
I can block google and javascript. The ISP is the much bigger threat. Oversight of service provision and keeping the market open is much more important than getting all hysterical over content provision that can be trivially filtered out.
Politics and criminals are the same thing.
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @08:32AM
On their own platforms, yes, but they can also conduct mass surveillance on the populace, and the data from such surveillance can then be fed to governments. If you don't make quite a bit of effort to defeat their surveillance (uMatrix, uBlock Origin, altering browser settings), then the amount of data they can collect about you while you're browsing sites that have nothing to do with them is extraordinary. Average users don't know much about technology or tracking, but that doesn't mean they deserve to be spied on by third party thugs like Google, Facebook, etc.
Then, Facebook has shadow profiles about people who don't allow themselves to be used by their disservice. If someone uploads a picture of you without your consent and tags your name, well, Facebook now has your facial recognition data and a nice little profile about you that they can expand over time. Don't think that not being a Facebook Used will save you from their surveillance.
Google is slowly taking over the web with disservices such as Recaptcha. The amount of sites that ask you to fill out a Recaptcha is insane. In my case, since I use uMatrix, those websites simply don't function and I can't use them; they are defective by design. The amount of websites that use this garbage will only increase with time, since apparently no one can have local captchas anymore. Ordinary users who don't block this tracking will just be subject to yet more data collection.
Our privacy laws should be so strict that these companies are forced to cease to exist. Of course, these are the same governments that benefit from mass surveillance to begin with, so only an overwhelming public backlash could possibly get them to do anything about it. If you don't see the problem, then you're part of the problem.
(Score: 2) by Bot on Monday November 04 2019, @10:52PM
> against encrypted DNS in Firefox and Chrome.
"and Chrome" being the key.
Mozilla is just proxying for google the battle to pwn DNS lookups.
Mozilla has already proven being google's lapdog by giving up the extensions ecosystem. Unless the request came from the deep state. But differentiating between google and deep state and deep pockets is frankly splitting hair.
This comment written with waterfox.
Account abandoned.
(Score: 2, Insightful) by Anonymous Coward on Monday November 04 2019, @11:05PM
Maybe I like choice in my DNS providers? Giving all to Cloudflare and Google is hot garbage. One of those two is known to datamine the hell out of everything. The other probably does too, despite what they tell us. Then they want to make me think my ISP is up to no good? Well guess what, they are too! Which is why I like being able to set it so it uses my DNS resolver. I can block who I like. I can decide some DNS provider is not doing what I want (not fucking with the results) and change it. If I have to end up recompiling Firefox just to change 1 setting I am going to be pissed off. Which is not a long journey at this point.
Net neutrality was just to pit the ISPs against the providers. Giving us a false choice of one or the other. When *BOTH* these jackasses are scumbags trying to double monetize us.
If they were serious about security they would have basically made DNSSEC the only ones they would respond to. 3/4ths of the internet would basically change overnight. Instead they invented yet another protocol that does the same thing. Leaving the rest of our devices to figure out what is going on.
Oh yeah this is SO much better. /s
(Score: 0) by Anonymous Coward on Monday November 04 2019, @11:08PM
Only allow packets to ip addresses where the OS did the DNS lookup?
(Score: 2) by Azuma Hazuki on Tuesday November 05 2019, @12:00AM (8 children)
Now might be a good time to find the IP addresses of the sites you like, write them into /etc/hosts or somewhere similar, and start preparing a switch away from the mozilla/alphabet ecosystem.
Yeah, it sucks. The most popular browsers are getting systemd'd more or less. And no, Midori and Falkon and company aren't up to feature parity yet. But this may be the impetus we need to get them there, or even better, get them to a *better-featured* state, one that does what the user wants, not what some giant company wants. This is what F/OSS is supposed to be for.
I am "that girl" your mother warned you about...
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @12:21AM (2 children)
Ironically falling back to 8.8.8.8 when DNS was misconfigured was one of the first things that put systemd-bad on my radar.
In their case I think they genuinely did it to provide a reliable fallback in the case of a system administration error.
Then they WONTFIXed all the privacy complaints from sysadmins.
It seems all roads lead to RomeChrome these days.
(Score: 2) by Azuma Hazuki on Tuesday November 05 2019, @01:00AM (1 child)
...Jesus. I had no idea. SystemD is an endless labyrinth of horrors isn't it? Like a fucking Lament Configuration of a program.
I am "that girl" your mother warned you about...
(Score: 1) by fustakrakich on Tuesday November 05 2019, @03:20AM
SystemD is an endless labyrinth of horrors isn't it?
It's the only way to get emacs.service
Politics and criminals are the same thing.
(Score: 2) by jasassin on Tuesday November 05 2019, @05:42AM (3 children)
Will Chrome or Firefox even use the hosts file? Good question.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by Runaway1956 on Wednesday November 06 2019, @06:28PM (2 children)
Hmmmm. That question makes me wonder if you know how hosts files work. The application in use doesn't 'use' the hosts file. The application, let's say Firefox, tells your network that it wants to talk to blah-blah IP address. Your network does whatever you have configured it to do - check the hosts file, or not, use this proxy or not, use that proxy or not, use a VPN, or not. Firefox doesn't know anything about your network. Unless there are any addresses hard coded into the application, it only knows how to talk to your computer's network interface.
But, you know all of that, right? So - the purpose of your comment is to make us think? Hmmmmm. Oh-kay, I'm thinking. We already know that Microsoft has hardcoded addresses into its new operating systems. Windows Update and Windows telemetry aren't going to be blocked by a simple hosts file, unless that file is on the router. So, maybe. I can see Chrome hard coding addresses into its browser. I suppose that Firefox might follow suit one day, for reasons. Both of them may hard sell the concept as a safety feature. "If your network is corrupted, Firefox can still help you to log into your xxxxx.xxx account for support."
Whether you maintain your blocked sites list and/or hosts file manually, or with a script, those blocks really should be on your router, not on your daily driver computer(s).
(Score: 2) by jasassin on Thursday November 07 2019, @03:25AM (1 child)
I know how hosts files work. I understand how DNS works (you sounded insulting BTW).
That was my whole point.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by Runaway1956 on Thursday November 07 2019, @03:16PM
Didn't mean to be insulting - was just kinda thinking out loud there.
(Score: 2) by darkfeline on Tuesday November 05 2019, @06:52AM
Nothing stops you from running your own recursive resolver, except either a lack of technical knowledge (but then why are you commenting on things which you are ignorant about?) or a motive to spread FUD.
Just because one browser locks in DoH by default (Chrome only enables it if your DNS is already set to the same as a whitelisted DoH provider) is no reason to panic about DNS.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @01:10AM (1 child)
Here, when I first heard of DoH, aside from Homer Simpson, I didn't really give a single damn about the whole thing.
Unencrypted DNS queries were something everyone (at least in tech) knows about but tucks away in the back of their minds, because you basically have to concede and trust your ISP, who everyone hates and knows can't be trusted. (Please don't bring up something something VPN -- just stop already with this absurd argument too. ::cough:: NordVPN ::cough:: )
However after further considering and this recent news, it is quite disturbing the strong stance and the amount of effort the ISPs have taken on this to the point that it's clear there is valid need for more concern.
Nobody gets this much butthurt to the point of turning something tech to something political with Congress and lawmaking critters who don't even know how to use email -- IF they didn't have something big to lose be it monetary or power/control. It is clear if they are putting forth this much effort, then the ISPs (probably government also) have something considerable at stake, and that is definitely reason for concern.
The sad thing is I don't trust *any* of these entities to do what is best for the individual, Mozilla, definitely not Google, and especially not Cloudflare which can go fuck itself.
At least initially, shifting all the DNS queries from the ISP over to a (currently) limited number of encrypted but still centralized DoH servers is arguably worse than just sending unencrypted queries to your ISP. I don't get the sense the browser makers have truly thought this through all the way, especially the implications within businesses and even the government, which moves so slowly. All I can envision is more bullshit and technical problems, due to the overhead needed by the encryption, key changes, certificates, compatibility problems. Problems with people that can't even work the current interwebz, where the computer's TCP/IP stack resolver uses traditional DNS and works fine, but their browser's DoH is borked for some stupid ass reason and the browser's failsafe doesn't have a failsafe, which we KNOW, WE DAMN WELL KNOW, will happen (or worse -- Google will just hardcode the bullshit into Chrome like Microsoft did with Windows 10.)
(Score: 3, Interesting) by takyon on Tuesday November 05 2019, @01:42AM
No, we should bring up VPNs. Your typical ISP is the most likely in the chain to log everything, rat you out to the authorities, and give you a hard time for illicit file sharing. For NordVPN or any similar service, getting compromised is bad for their business. They don't want it to happen.
Even if you assume there are VPN honeypots that lie about keeping logs and hand everything to the FBI, you can shop around based on the VPN's host country. Which is probably more than what the majority of customers will do.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Interesting) by Snotnose on Tuesday November 05 2019, @01:17AM (6 children)
I try to connect to www.whatever.com. With encrypted DNS eavesdroppers see that as xo1@#$#@@#.&(*, likewise the reply I get.
A second or two later I connect to aaa.bbb.ccc.ddd, which those selfsame eavesdroppers see.
Seems to me you need to use a VPN with encrypted DNS to get anywhere.
When the dust settled America realized it was saved by a porn star.
(Score: 1, Funny) by Anonymous Coward on Tuesday November 05 2019, @02:23AM
Yes, but the Interlopers still don't know *which* of the names you are trying to access on that server operated by PornHub LLC.
(Score: 2, Informative) by Anonymous Coward on Tuesday November 05 2019, @05:30AM (2 children)
Worse than that. You connect to aaa.bbb.ccc.ddd and then say "Hello, I'd like to start a TLS 1.2 connection with the server for domain.example and here is the info necessary to communicate with me." So any eavesdroppers get to find out what website you are connecting to anyway.
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @06:36PM (1 child)
But wait, how did you know www.whatever.com and domain.example have the same IP address?
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @07:22PM
OK, I'll back up a bit in case anyone was confused by my switching domain names to stick to the proper IETF TLD. First step in connecting to a website is your DNS resolution, where you (basically) ask your resolver "what are the IP addresses for domain.example." and the resolver will respond with, "The addresses are a.b.c.d based on my recursive search." Now note that if that is encrypted, no one other than you and the resolver know the site you are looking for at that point.
But, you then send a message to a.b.c.d that can take one of two forms. Unencrypted, you send a message that says "I want to do X with the resource located at this path from the Host domain.example and here is the data necessary to do that," where X is one of the different HTTP "methods" and the Host header obviously changes to whatever server you are actually trying to contact. If your message is encrypted, you instead say "I'd like to start a TLS 1.2 connection with the server for domain.example and here is the info necessary to communicate with me," where the server name indication (SNI) changes depending on what server you are actually trying to contact.
Note that in either case, any hop or eavesdropper knows exactly what HTTP website you are trying to connect to, whether you use TLS or not. In fact any connection in any protocol wrapped in TLS will usually contain an SNI in the handshake to identify who you want to connect to; not to mention most protocols especially older ones will contain some sort of identifier in the handshake that you can see when not encrypted.
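The post above makes the point that encrypting the DNS lookup hides the name from the network only until the very next packet, where a plaintext HTTP Host header or the SNI field in the TLS ClientHello repeats it. The following is an added example, not code from any comment here: it builds a constructed TLS 1.2 ClientHello for domain.example and parses out the server_name extension the way an on-path observer (or a defender's own traffic monitor logging destinations) would; build_client_hello, extract_sni and observed_destination are names chosen for this example and the packet is hand-made, not captured from Firefox or Chrome.

```python
import struct
from typing import Optional, Tuple


# --- constructed sample input (hand-built for this example, not a capture) ----
def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; hostname=None omits SNI."""
    body = b"\x03\x03"                          # client_version: TLS 1.2
    body += b"\x11" * 32                        # random (fixed for the sample)
    body += b"\x00"                             # session_id length: 0
    body += b"\x00\x02\x13\x01"                 # one cipher suite
    body += b"\x01\x00"                         # one compression method: null
    # extended_master_secret (type 23, empty) goes first so the parser must skip it
    extensions = struct.pack("!HH", 0x0017, 0)
    if hostname is not None:
        name = hostname.encode("ascii")         # SNI carries ASCII A-labels
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# --- what the network sees ----------------------------------------------------
def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None.

    Everything read here is plaintext on the wire: TLS encrypts the application
    data, not the handshake fields that say which server the client wants.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:            # record type: handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                # handshake type: client_hello
            return None
        end = 4 + int.from_bytes(hs[1:4], "big")
        if end > len(hs):
            return None                                 # truncated record
        p = 4 + 2 + 32                                  # skip client_version + random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        if p + 2 > end:
            return None                                 # no extensions block at all
        ext_end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], end)
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            edata = hs[p:p + elen]
            p += elen
            if etype != 0x0000:                         # not server_name, skip it
                continue
            q = 2                                       # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                          # host_name entry
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
        return None
    except (struct.error, IndexError):
        return None                                     # malformed input, not a hello


def extract_http_host(data: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None                                     # headers not complete
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def observed_destination(first_packet: bytes) -> Tuple[str, Optional[str]]:
    """Classify what an on-path observer learns from the first request packet."""
    host = extract_sni(first_packet)
    if host is not None:
        return ("tls-sni", host)
    host = extract_http_host(first_packet)
    if host is not None:
        return ("http-host", host)
    return ("none", None)


if __name__ == "__main__":
    # DoH hid the lookup for domain.example; the packet that follows undoes that.
    for pkt in (build_client_hello("domain.example"),
                b"GET / HTTP/1.1\r\nHost: domain.example\r\n\r\n",
                build_client_hello(None)):
        print(observed_destination(pkt))
```

The same parsing is what SNI-based filters and flow loggers on a network do, which is why a hostname in the ClientHello is as visible to the path as the DNS query was.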
(Score: 2) by jasassin on Tuesday November 05 2019, @05:59AM
I never even thought about this. DNS encryption is completely fuckin pointless. Thanks for enlightening me. I just want SUP unencrypted DNS. Fast and low resources. Encrypted DNS is stupid, and fuckin Cloudflare and fuckin Google if I can't set Chrome to my ISP's DNS without encryption.
Thanks again for the insight.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @06:00AM
What you are missing is that this fixes the "last mile" of DNSSEC for lazy clients.
(Score: 0) by Anonymous Coward on Tuesday November 05 2019, @11:40AM
Chrome will check your DNS setting, PHONE HOME to the mothership, tag and store it and finally, graciously check if it's DoH-able.
this is just harvesting personal dns settings on a global scale ...