  2. 24

    DoH doesn’t actually prevent ISPs user tracking

    The article argues that DoH is pointless because the ISP can still read HTTP and the SNI part of TLS.

    While that’s true… HTTP is becoming rarer and SNI is getting an upgrade to be encrypted.

    Where it does actually help is in non-HTTP related requests (i.e. DNSSEC, SSHFP, TXT, CNAME)

    DoH bypasses enterprise policies

    DoH can be configured via GPO on Windows (for Firefox at least)

    DoH weakens cyber-security

    Same as above but this time it’s about “how terrible our shitty middle boxes can no longer smear shit all over the connection”. DoH works with local CAs so your shitty middlebox can still crack open DoH.

    DoH helps criminals

    See all of the above, if you already have a middlebox then you can crack DoH like any other HTTPS traffic, otherwise criminals could have been using this tech for ages without any issue. Malware has also been using Tor over Bridges and other methods to avoid detection, I doubt this is an issue with DoH any more than before.

    DoH shouldn’t be recommended to dissidents

    Is it?

    DoH centralizes DNS traffic at a few DoH resolvers

    Only if nobody ever uses DoH, but just today Microsoft wrote that DoH will be supported by Windows; known DoH resolvers will automatically upgrade to DoH and prevent cleartext lookups (if DHCP uses one as a DNS server, for example). They argue that if DoH becomes widely supported, more DNS servers will support it.

    1. 22

      Helps criminals and shouldn’t be recommended to dissidents is a paradox: dissidents are people who have committed the crime of political dissidence.

      1. 5

        You’re doing a strawman here:

        • it “helps criminals” because it’s simply an alternative avenue that some system administrators aren’t aware of yet; e.g., an extra way for malware to avoid detection;

        • it couldn’t be recommended to dissidents because it’s just bad engineering and a partial/incomplete solution, and very easy to block and circumvent.

        The points may seem contradictory when taken out-of-context, but it’s not really controversial at all once you actually do look at the context here.

      2. 13

        Came here to post several of these. “Bypasses enterprise policies”, “weakens cyber-security”, and “helps criminals” all seem basically like unalloyed good things to me. Shitty enterprise middleboxes and the culture of corporate serfdom they support need to die yesterday.

        1. 5

          While that’s true… HTTP is becoming rarer and SNI is getting an upgrade to be encrypted.

          Does encrypting SNI actually help? If I see you connecting to 2620:0:862:ed1a::1 I know you’re visiting Wikipedia, or 2a03:2880:f10a:83:face:b00c::25de means you’re on Facebook. ESNI only hides requests to large MITM-concentrators.

          1. 3

            eSNI makes it a lot more difficult, especially if you have a CDN, cloud hoster or shared host on the other end. If the other end is an AWS/GCS/Azure IP then you haven’t learned that much.

            1. 6

              CDN: Yes, for a CDN or MITM-proxy, you may be able to hide the name. Although subsequent requests to 3rd party resources may leak information about the site you’re visiting.

              Cloud hoster: Possible, but not necessarily; try visiting this random IP: - or just check out the reverse.

              It seems that eSNI only provides privacy in very specific situations. I wouldn’t say it’s good protection if it misses most of the cases. This feels like “something has to be done, eSNI is something so it has to be done”

              1. 3

                Various papers have been published on the topic. Correlating IP addresses with websites is extremely effective. More than 90% of websites don’t change IP addresses often and don’t share the same addresses with other websites.

                1. 1

                  90% would still be better than the current 100%.

            2. 5

              These “shitty middleboxes” are keeping our country’s Critical Infrastructure like our power grid secure. Your comment reads as written by someone who has never worked a day in their life in security.

              1. 10

                From experience, 99% of middleboxes are bad and decrease security overall. There are a few exceptions that work well and those will likely not have any trouble with DoH.

                1. 5

                  These “shitty middleboxes” are keeping our country’s Critical Infrastructure like our power grid secure.

                  Not sure if this is serious, considering the average (desolate) state of software infrastructure done by hardware companies.

                  1. 1

                    I’ve actually worked in security for Critical Infrastructure. Some of this data collected by shitty middleware boxes was exported to Homeland Security, for example.

              2. 7

                have been advertising DoH as a way to prevent ISPs from tracking users’ web traffic and as a way to bypass censorship in oppressive countries.

                But many learned people say this is a lie.

                A lie? Thus far DoH in Firefox has been pretty effective at helping me bypass my Indonesian ISP’s block of sites like Reddit and Netflix.

                I agree that “DoH shouldn’t be recommended to dissidents”; but I just want to watch some Netflix and browse /r/golang. I’m not a “dissident”, and I think most people bypassing their government or ISP’s blocks aren’t.

                There are many other things wrong with this article. If you expect DoH to be a replacement for a VPN then you’ll indeed be sorely disappointed. But it’s not intended to be; it’s just trying to improve one piece of the internet protocol puzzle and provide “good enough security” for the average person without too much hassle.

                The article isn’t even internally consistent by the way, because first it claims that DoH is “useless” and won’t improve any security, and then it goes on to claim that it will be “a nightmare” for enterprises, security software, and government monitoring since it will be too hard to monitor and impose control. You can’t really have both.

                1. 3

                  The one real concern I have about it is Mozilla moving to default all US users to Cloudflare DNS exclusively. Even if you trust a publicly traded company that you aren’t paying with your privacy, that is a huge amount of power to give them and presently it doesn’t seem like it will be adequately conveyed to users that Firefox will start giving this one external company the entirety of their DNS history in the near future.

                  We do not build resilient systems by centralizing. I’d like to see a dialog upon upgrading to select which DoH provider to use, if any, and links to each provider’s privacy policies presented to the user.

                  1. 2

                    I did not find it hard to set up my own DoH server at home. I already run my own DNS at home, and it was relatively straightforward to write a CGI script to run under Apache to handle DoH requests (since I’m resigned to Firefox using DoH if I want it to or not).

                    1. 2

                      Realistically, what percentage of users do you think will do that?

                      1. 1

                        Zero. But what’s stopping someone from making a simple executable (say in fashionable Go) that can run on a home system that accepts a DoH request and uses regular DNS resolution and releasing it so those that can’t, can?
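
The “simple executable in Go” the two comments above describe, written out as an added example (it is not the commenter’s Apache CGI script, and not part of the original thread). It implements the RFC 8484 request forms (GET with a base64url `?dns=` parameter, and POST with `application/dns-message`), forwards the raw wire-format query to a classic UDP/53 resolver, and returns the raw answer. The upstream resolver `127.0.0.1:53`, the listen address `127.0.0.1:8053` and the path `/dns-query` are assumptions; change them to your own home DNS setup.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"strings"
	"time"
)

// DoH media type from RFC 8484.
const dnsMessageType = "application/dns-message"

// Resolver takes a wire-format DNS query and returns a wire-format answer.
type Resolver func(query []byte) ([]byte, error)

// UDPResolver forwards each query over classic UDP/53 to upstream, e.g. the DNS
// server handed out by DHCP (assumed address; pick your own).
func UDPResolver(upstream string) Resolver {
	return func(query []byte) ([]byte, error) {
		c, err := net.DialTimeout("udp", upstream, 2*time.Second)
		if err != nil {
			return nil, err
		}
		defer c.Close()
		if err := c.SetDeadline(time.Now().Add(2 * time.Second)); err != nil {
			return nil, err
		}
		if _, err := c.Write(query); err != nil {
			return nil, err
		}
		buf := make([]byte, 4096) // EDNS answers can exceed the classic 512 bytes
		n, err := c.Read(buf)
		if err != nil {
			return nil, err
		}
		return buf[:n], nil
	}
}

// BuildQuery assembles a minimal wire-format query: header (RD set) plus one question.
func BuildQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: recursion desired
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)                          // root label terminates the name
	msg = append(msg, byte(qtype>>8), byte(qtype)) // QTYPE
	msg = append(msg, 0, 1)                        // QCLASS IN
	return msg
}

// QuestionName reads the owner name of the first question (uncompressed labels only).
func QuestionName(msg []byte) (string, error) {
	if len(msg) < 12 {
		return "", fmt.Errorf("message shorter than DNS header")
	}
	var labels []string
	i := 12
	for {
		if i >= len(msg) {
			return "", fmt.Errorf("truncated name")
		}
		l := int(msg[i])
		i++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || i+l > len(msg) { // compression pointer or overrun
			return "", fmt.Errorf("bad label at offset %d", i-1)
		}
		labels = append(labels, string(msg[i:i+l]))
		i += l
	}
	return strings.Join(labels, ".") + ".", nil
}

// EncodeQueryParam produces the GET ?dns= value: base64url without padding (RFC 8484 4.1).
func EncodeQueryParam(q []byte) string {
	return base64.RawURLEncoding.EncodeToString(q)
}

// decodeQuery extracts the DNS message from either RFC 8484 request form.
func decodeQuery(r *http.Request) ([]byte, error) {
	switch r.Method {
	case http.MethodGet:
		enc := r.URL.Query().Get("dns")
		if enc == "" {
			return nil, fmt.Errorf("missing dns parameter")
		}
		return base64.RawURLEncoding.DecodeString(enc)
	case http.MethodPost:
		if r.Header.Get("Content-Type") != dnsMessageType {
			return nil, fmt.Errorf("unsupported content type")
		}
		return io.ReadAll(io.LimitReader(r.Body, 65535)) // DNS messages never exceed 64 KiB
	}
	return nil, fmt.Errorf("method not allowed")
}

// DoHHandler serves the endpoint: decode, forward to resolve, return the raw answer.
func DoHHandler(resolve Resolver) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q, err := decodeQuery(r)
		if err != nil || len(q) < 12 { // reject anything without a full DNS header
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		ans, err := resolve(q)
		if err != nil {
			http.Error(w, "upstream failure", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", dnsMessageType)
		w.Write(ans)
	})
}

func main() {
	// Assumed addresses. Plain http:// is for local testing only: Firefox requires an
	// https:// URI in network.trr.uri, so terminate TLS here or in a reverse proxy.
	http.Handle("/dns-query", DoHHandler(UDPResolver("127.0.0.1:53")))
	log.Fatal(http.ListenAndServe("127.0.0.1:8053", nil))
}
```

Two checks a practitioner would keep: the handler rejects POSTs that are not `application/dns-message` and anything shorter than a DNS header, so a browser cannot be coaxed into relaying arbitrary bytes to the upstream resolver; and the body is capped at 64 KiB. Without TLS in front of it, this forwarder reintroduces exactly the cleartext exposure on the home network that DoH is meant to remove, so only the hop from the DoH listener to the upstream resolver should ever be in the clear.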

                  2. 1

                    Most ISPs that I’ve encountered advertise their own DNS via the router to home users. If the ISP then stands up a DoH implementation, Google Chrome will send DoH traffic to the ISP’s servers.

                    …doesn’t that mean that the ISP is just as capable as before of surveilling traffic and meddling with it?