Comment by creata

1 day ago

The points here aren't technically wrong, but it still feels like disabling DoH would be a reduction in security. For example:

> Cloudflare gets all your DNS queries.

That's true, but Cloudflare is more trustworthy than my ISP, and probably most people's ISPs.

> Complexity is the enemy of security.

That's true, but that's no reason to go from an imperfect solution to a nonsolution.

> there is DNS over TLS

That doesn't solve most of the issues that the author brought up.

> How does a modern company in the IT business earn money? By selling data.

Maybe I'm naive, but I thought they made money by using all the data they collect for better threat prevention, and from their paid services.

My ISP is bound by robust privacy, telecommunications interception and other legislation.

Cloudflare, on the other hand is based in a foreign jurisdiction that offers none of these protections.

  • > My ISP is bound by robust privacy, telecommunications interception and other legislation.

    It really depends on which jurisdiction you are in, unfortunately. US ISPs are selling everything they can hoover up (including DNS information) to advertisers, and it is impossible to switch to another one unless you're lucky (because the monopoly is essentially maintained).

  • The most important part of DoH, etc is that it allows you to make a choice. You can choose a vendor in your country. As a Canadian, I might want to use the service offered by my national TLD operator https://www.cira.ca/en/canadian-shield/configure/firefox/

    Many ISPs explicitly sell DNS data, and are also advertising vendors.

    Cloudflare, on the other hand, doesn’t share or sell data and retains minimal data: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...

    • > The most important part of DoH, etc is that it allows you to make a choice.

      So does UDP based DNS, and TLS based DNS. It’s all the same in that regard.

  • In addition, your ISP can also extract whichever metadata it wants from your communications, incl. a very likely perfect guess of the hostnames you visit at which times _even if you don't use DNS at all_, just by looking at IP traffic metadata such as addresses and packet sizes.

    So you already have to trust your ISP anyway -- but there was no need to trust Cloudflare *. DoH to Cloudflare is almost certainly a net loss in privacy compared to using your ISP's DNS over clear text.

    * Right until they became hosters of half of the WWW. So Cloudflare can pretty much also guess your activity even if you don't do DNS with them anyway.

    • > In addition, your ISP can also extract whichever metadata it wants from your communications, incl. a very likely perfect guess of the hostnames you visit at which times _even if you don't use DNS at all_, just by looking at IP traffic metadata such as addresses and packet sizes.

      Big CDNs and ECH make that impossible.

  • The ISP regularly captures NXDOMAIN.

    They know your government ID when you subscribe to their service.

    CloudFlare, OTOH, never has your identity. They only have the metadata.

CF is certainly less trustworthy than my ISP, which is Shibboleth compliant. Or my VPN provider.

CF issues are dealt with by "hope to get a post on HN trending".

In the UK you can typically pick from a dozen ISPs, some of which are more trustworthy.

  • Can you also choose which company provides the physical infrastructure that connects to your home?

    • If you live in a city or other urban area, typically you have the option of the decoupled telco (BT Openreach) that more or less everybody has, the entity which bought all the cable television companies (Virgin Media) and usually a fibre-for-purpose Internet company that decided to do your city or region.

      If you live in a rural area where people are co-operative, there might be a community owned fibre operator plus Openreach, otherwise just Openreach.

      If you live somewhere very silly, like up a mountain or on your own island, your only practical option will be paying Openreach to do the work.

      Edited to add: Notably, only Openreach is usable by an arbitrary service provider. So if you want to pick your service provider separately, the actual last mile delivery will always be Openreach. And if they're small it won't just be last mile; Openreach also sells backhaul to get your data from some distant city to the place where the ISP's hardware is, so you're buying only the, like, actual service. Which is important: mine means no censorship, excellent live support and competent people running everything, but the copper under the ground is not something they're responsible for (though they are better than most at kicking Openreach when it needs kicking).

    • If you are lucky, yes. For example, I have a choice between CityFibre (XGS-PON), Openreach (GPON) and Virgin Media (DOCSIS) as well as 2 different 5G networks. It is rare for a property to only be covered by a single wired network these days in the UK.

> That's true, but that's no reason to go from an imperfect solution to a nonsolution.

This is textbook politician's fallacy. Yes, it may be preferable to continue with a "non-solution" if the solution proposed is stupid enough.

  • No it's not. I'm saying don't let the perfect be the enemy of the good.

    DoH does solve a problem for many people. Many large ISPs will sell your DNS requests, use them for targeted advertising, tamper with responses for various reasons, etc., and so DoH is an improvement over the status quo--not for everyone, but for many users, and I'd guess most users.

    You're right, DoH might not be worth adopting if it were "stupid enough", but... it's not stupid enough.

    • Your ISP already has all this metadata and more from other sources, so it is pointless to switch to DoH in this case, and if you do you willingly give this metadata to Cloudflare, which (for the majority of users) may even be in a better position to do evil.

  • In the Politician's Fallacy, the chosen solution doesn't solve the problem. In this example, DoH solves many of the problems, perhaps not optimally, but better than the "do nothing" choice.

    • So it doesn't really solve the problem, and may generate more (privacy) problems of its own. "doing nothing" may be the better solution here, which was the entire point made in the original episode.

  • To save some googling, the Politician's Fallacy is this one:

    We must do something. This is something. Therefore, we must do this.
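The thread above argues about transports (plain UDP, DNS over TLS, DNS over HTTPS) and about what a resolver sees (including NXDOMAIN). The following is an added example, not code posted by anyone in the thread and not Cloudflare's or Firefox's code. It builds one RFC 1035 query message and shows how the identical message is framed for each transport: bare over UDP, with a two-byte length prefix for DoT (RFC 7858), and base64url-encoded in a GET URL or sent as a POST body for DoH (RFC 8484). It also decodes the RCODE of a constructed response so the NXDOMAIN case is visible. The DoH endpoint URL is an assumed parameter and no network I/O is performed; the response bytes are constructed inline, not captured.

```python
"""One DNS query, three transport framings, plus RCODE decoding.

Added example (not from the thread). Standard library only; runs offline.
Wire format per RFC 1035; DoT framing per RFC 7858; DoH encoding per RFC 8484.
"""
import base64
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: one length byte per label, 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:  # RFC 1035: labels are 1..63 octets
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = DNS_TYPE_A, txid: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header (RD=1, QDCOUNT=1) followed by one question.
    txid defaults to 0 because RFC 8484 recommends that for cacheable DoH GETs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    return header + question


def parse_question(msg: bytes) -> tuple:
    """Decode the first question (name, qtype, qclass). No compression pointers
    are expected here because a query's question section never uses them."""
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("idna"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def frame_udp(msg: bytes) -> bytes:
    """Classic Do53 over UDP: the datagram payload is the bare message."""
    return msg


def frame_dot(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858 s3.3) reuses the TCP framing: 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = "https://cloudflare-dns.com/dns-query") -> str:
    """DNS over HTTPS GET (RFC 8484 s4.1): ?dns=<base64url without padding>.
    The endpoint is an assumed parameter; any RFC 8484 server works the same way."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_post(msg: bytes) -> tuple:
    """DNS over HTTPS POST (RFC 8484 s4.1): raw message body with the DNS media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, msg


def rcode_of(response: bytes) -> str:
    """Read the 4-bit RCODE from the flags word of a response header."""
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return RCODE_NAMES.get(flags & 0x000F, "UNKNOWN")


def nxdomain_response_for(query: bytes) -> bytes:
    """Constructed (not captured) NXDOMAIN reply echoing the query's id and question:
    flags 0x8183 = QR|RD|RA with RCODE 3, no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
    return header + query[12:]


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("question:", parse_question(q))
    print("udp bytes:", len(frame_udp(q)), "dot bytes:", len(frame_dot(q)))
    print("doh get:", doh_get_url(q))
    print("doh post:", doh_post(q)[0])
    print("constructed reply rcode:", rcode_of(nxdomain_response_for(q)))
```

The point the block makes concrete is that the resolver receives the same 33-byte message whichever transport carries it, so the choice of who sees your queries (and who sees your NXDOMAINs for typos and blocked names) is orthogonal to the transport; what DoT and DoH change is whether the path between you and that resolver can read or alter the message. The `www.example.com` GET URL produced here matches the worked example in RFC 8484 section 4.1.1.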