Meanwhile: computers doing computer things https://blog.seanmcelroy.com/2019/01/05/ocsp-web-activity-is-not-private/
Oh wow, DoH sucks more than I thought
"The DoH server is given with a host name that itself needs to be resolved. This initial resolve needs to be done by the native resolver before DoH kicks in."
so basically, we have that:
- a DNS-over-HTTPS server needs to be found with good old DNS, which could give out a fake IP and thus still see all of your web traffic
- a secure DoH connection still leaks which pages you visit, and its fix (ESNI) has to be supported by each web server and client
- even with a secure DoH + ESNI, you're *still* leaking which pages you visit due to an unencrypted unique ID code (sent by OCSP)
@espectalll Well, for example 188.8.131.52 has an HTTPS certificate. So one can visit https://184.108.40.206/ and it's a valid certificate. So if you enter that IP you don't need to resolve it over DNS.
Same can be done with any IP with a certificate.
@sa0bse I expect it because people want easy things, and it's easier to remember a few words than a bunch of digits (220.127.116.11 being rather an exception, and we're not even talking IPv6)
but yeah, it is silly