Here we can see Mozilla's evil plan to watch everything people do online in action

I love how people are worried Mozilla can see web traffic using DNS-over-HTTPS, when they just need to snoop on the browser with a Normandy experiment if they really wanted to do that

Oh wow, DoH sucks more than I thought

"The DoH server is given with a host name that itself needs to be resolved. This initial resolve needs to be done by the native resolver before DoH kicks in."

github.com/curl/curl/wiki/DOH-

so basically, we have that:

- a DNS-over-HTTPS server needs to be found with good old DNS, which could give out a fake IP and thus still see all of your web traffic
- a secure DoH connection still leaks which pages you visit, and its fix (ESNI) has to be supported by each web server and client
- even with a secure DoH + ESNI, you're *still* leaking which pages you visit due to an unencrypted unique ID code (sent by OCSP)

@espectalll Well, for example 1.1.1.1 has an HTTPS certificate. So one can visit https://1.1.1.1/ and it's a valid certificate. So if you enter that IP you don't need to resolve it over DNS.

Same can be done with any IP with a certificate.

@sa0bse That's a good option, but I would expect both DNS providers and many users to prefer more familiar and dynamic domain URLs. Still, it's a good fix.


@espectalll Why would you expect this? You've always configured DNS servers by IP. This is a bootstrapping issue.

I find it silly to configure your DNS in a way that requires working DNS for DNS to work.

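The bootstrapping point made in this exchange can be checked mechanically: a DoH endpoint configured by host name has to be resolved by the native (plaintext) resolver before any DoH query can be sent, whereas an endpoint configured by IP literal does not. The following is an added example, not code from the thread or from any of the projects it mentions; it builds an RFC 8484 DoH GET request from a wire-format DNS query and flags whether the configured endpoint depends on the native resolver. The endpoint URLs other than 1.1.1.1 (dns.example, the 2001:db8::1 documentation address) are constructed placeholders.

```python
"""Added example: RFC 8484 DoH request construction plus a bootstrap check.

Assumptions (not from the thread): endpoint URLs are given in the usual
https://host/dns-query form; sample hosts other than 1.1.1.1 are placeholders.
"""
import base64
import ipaddress
import struct
from urllib.parse import urlparse


def build_dns_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Build a minimal RFC 1035 wire-format query for `name` (default QTYPE A).

    RFC 8484 recommends a query ID of 0 so identical queries are cache-friendly.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # QTYPE and QCLASS (IN = 1)
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint: str, name: str) -> str:
    """RFC 8484 GET form: the query goes in ?dns=<unpadded base64url>."""
    query = build_dns_query(name)
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    separator = "&" if "?" in endpoint else "?"
    return f"{endpoint}{separator}dns={encoded}"


def endpoint_needs_native_resolver(endpoint: str) -> bool:
    """True when the DoH endpoint's host is a name rather than an IP literal.

    A host name means the OS resolver (plain UDP/TCP 53) answers first, so the
    resolver chosen for the bootstrap can hand back any IP it likes; an IP
    literal removes that dependency, and the TLS certificate for the IP (as
    1.1.1.1 carries) still authenticates the server.
    """
    host = urlparse(endpoint).hostname  # brackets are stripped for IPv6 literals
    if host is None:
        raise ValueError("DoH endpoint URL has no host component")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for url in ("https://1.1.1.1/dns-query",          # IP literal from the thread
                "https://[2001:db8::1]/dns-query",    # constructed IPv6 literal
                "https://dns.example/dns-query"):     # constructed host name
        flag = "needs native DNS first" if endpoint_needs_native_resolver(url) else "self-bootstrapping"
        print(f"{url}: {flag}")
    print(doh_get_url("https://1.1.1.1/dns-query", "www.example.com"))
```

The `www.example.com` request string the block produces matches the worked GET example in RFC 8484, which is a convenient way to confirm the encoder. Only the bootstrap classification is new: the request itself is the same whichever way the endpoint is named, which is exactly why the host-name form gives no extra protection for the first lookup.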

@sa0bse I expect it because people want easy things, and it's easier to remember a few words than a bunch of digits (1.1.1.1 being rather an exception, and we're not even talking IPv6)

but yeah, it is silly :blobuwu:


chaos.social – a Fediverse instance for & by the Chaos community