
Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?



On Sep 09, Adam Borowski <kilobyte@angband.pl> wrote:

> With DoH:
> * the target server knows about you (duh!)
> * the ISP can read the destination of every connection
>   [reading the IP header, reading SNI header]
> * the ISP can block such connections
>   [blocking actual connection]
Well, no. They cannot without significantly more expensive hardware to 
do DPI and a *totally different* legislative framework.
(Source: I have been dealing with government-mandated censorship in 
Italy for ~15 years, both at technical and policy levels.)

> * Cloudflare can falsify DNS¹
You can use DNSSEC over DoH.

You obviously consider Mozilla's choices of trusted resolvers (currently 
Cloudflare, hopefully others too in the future) a bigger privacy risk 
for generic users (the ones who use the browser defaults) than their ISP; 
I disagree.

I still believe that generic users are better served by deploying more 
censorship-resistant protocols than by worrying that Cloudflare (or 
whoever else) would violate the privacy requirements mandated by 
Mozilla.

-- 
ciao,
Marco
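
The "DNSSEC over DoH" point above, as an added example that is not part of the original message: it builds an RFC 8484 query with the EDNS0 DO bit set, so that signature records are returned over the HTTPS channel, and reads the AD flag from a response header. The resolver URL is a constructed placeholder and the function names are hypothetical; note that AD is the resolver's own assertion, so a client that distrusts the resolver has to validate the returned RRSIGs itself.

```python
import base64
import struct

DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag (RFC 3225)
AD_BIT = 0x0020  # "Authenticated Data" header flag (RFC 4035)
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, dnssec_ok=True):
    """DNS query in wire format; ID is 0, as RFC 8484 suggests for HTTP caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, type 41, class = UDP size, TTL = ext-rcode|version|flags
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, ttl, 0)
    return header + question + opt

def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: unpadded base64url in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + b64

def response_flags(message):
    """Return (rcode, ad_flag) from the header of a DNS response."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", message[2:4])[0]
    return flags & 0x000F, bool(flags & AD_BIT)

if __name__ == "__main__":
    # Constructed placeholder endpoint, not a real resolver.
    print(doh_get_url("https://doh.example/dns-query", build_query("example.com")))
```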
