Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?
On Tue, Sep 10, 2019 at 07:46:57PM +0200, Marco d'Itri wrote:
> On Sep 09, Adam Borowski <kilobyte@angband.pl> wrote:
>
> > With DoH:
> > * the target server knows about you (duh!)
> > * the ISP can read the destination of every connection
> > [reading the IP header, reading SNI header]
> > * the ISP can block such connections
> > [blocking actual connection]
> Well, no. They cannot without significantly more expensive hardware to
> do DPI and a *totally different* legislative framework.
> (Source: I have been dealing with government-mandated censorship in
> Italy for ~15 years, both at technical and policy levels.)
I don't understand how blocking by IP would be any more expensive than
blocking by DNS. It's _cheaper_: you read a field in the IP header instead
of doing it in a higher-level DNS server.
> > * Cloudflare can falsify DNS¹
> You can use DNSSEC over DoH.
If implemented.
> You obviously consider Mozilla's choices of trusted resolvers (currently
> Cloudflare, hopefully others too in the future) a bigger privacy risk
> for generic users (the ones who use the browser defaults) than their ISP;
> I disagree.
Currently you need to trust the ISP; with DoH you need to trust both the ISP
and Cloudflare. Unless you tunnel all the data over DNS (iodine), you need
to contact your actual destination over the open network.
> I still believe that generic users are better served by deploying more
> censorship-resistant protocols than by worrying that Cloudflare (or
> whoever else) would violate the privacy requirements mandated by
> Mozilla.
Sure, but DoH is less censorship-resistant, not more.
Meow!
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Your snowflakes have nothing on my socks drawer.
⢿⡄⠘⠷⠚⠋⠀
⠈⠳⣄⠀⠀⠀⠀
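The bracketed point above (the destination hostname travels in clear in the TLS ClientHello's SNI field, whatever resolver answered the DNS query) can be checked on the wire. The following is an added example, not code from the thread: it builds a minimal ClientHello for a constructed hostname and walks the record back to the server_name, which is exactly the field a passive observer on the path can read; `build_client_hello`, `extract_sni`, the dummy random bytes and the single cipher suite are all constructed for the example.

```python
import struct

def build_client_hello(hostname=None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello (constructed test input, not a capture).
    hostname=None leaves the extension block empty, as an IP-literal or non-SNI client would."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni          # extension type 0 = server_name
    hello = (b"\x03\x03" + b"\x11" * 32            # client_version, dummy random
             + b"\x00"                              # empty session_id
             + b"\x00\x02\xc0\x2f"                  # one cipher suite (constructed choice)
             + b"\x01\x00"                          # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake

def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None; plain field walking, no keys."""
    if len(record) < 5 or record[0] != 0x16:         # not a TLS handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:             # not a ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                     # skip client_version + random
    pos += 1 + hello[pos]                            # skip session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + hello[pos]                            # skip compression_methods
    if pos + 2 > len(hello):
        return None                                  # no extensions block at all
    pos, end = pos + 2, pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ext, pos = hello[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != 0x0000:
            continue
        off = 2                                      # skip ServerNameList length
        while off + 3 <= len(ext):
            name_type, name_len = ext[off], struct.unpack("!H", ext[off + 1:off + 3])[0]
            if name_type == 0:                       # host_name entry
                return ext[off + 3:off + 3 + name_len].decode("ascii", "replace")
            off += 3 + name_len
    return None
```

A ClientHello without the extension (or one using encrypted SNI) yields None, which is the case where an on-path observer is left with only the destination IP from the packet header.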