Comment by fc417fc802
4 days ago
Sure ODoH hides your query but you then turn around and leak the question you just asked as part of the TLS handshake.
Leaked to different parties.
Assuming you don't have ECH, you leak the question (in practical terms) to your ISP, and you leak your question to the DNS provider. With ODoH you plug the latter leak. Plugging that first leak is then still a problem (solved separately) but it's orthogonal to the second.
Even with ECH, where you plug the TLS leak, you have many more holes to plug. IP address might not be shared or might be shared across too few properties, and then traffic profile after the initial connect (to retrieve all the sub-resources) can identify destinations.
It's not limited to the ISP and DNS provider. Thanks to being plaintext, it's anyone anywhere along the network path (unless you were already using DoH of course, but sans-ECH it is still the entire path regardless).
Anyway I agree with you that plugging leaks is good (notice my adjacent comment). My response there was intended to provide clarification regarding the preceding exchange.
Going off on a tangent, I wish there were more awareness of how this concentrates power to Cloudflare.
1 reply →
I agree with you; however, that's a separate problem that needs to be solved.
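To make the two separate leaks in the exchange above concrete, here is an added example that is not part of the thread: it constructs a plaintext Do53 query and a minimal TLS 1.3-style ClientHello, then parses only what a passive on-path observer can read from each (the DNS QNAME, the cleartext server_name, and whether an encrypted_client_hello extension is present). All packets are built inline; the ECH payload is an opaque placeholder rather than real HPKE output, and the host names are made up.

```python
"""Added example (not from the thread): what an on-path observer reads from
(1) a plaintext Do53 query and (2) a TLS ClientHello, with and without ECH.
Packets are constructed inline; the ECH payload is a placeholder, not real HPKE."""
import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed Do53 query (header + one A question) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def dns_qname(pkt: bytes) -> str:
    """The QNAME is readable by anyone on the path when DNS is plaintext."""
    pos, labels = 12, []
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode())
        pos += n
    return ".".join(labels)


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(outer_sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Constructed TLS 1.3-style ClientHello record.  With ECH the cleartext
    server_name is the public name from the ECHConfig; the real name lives inside
    the encrypted_client_hello extension (0xfe0d), here only a placeholder blob."""
    host = outer_sni.encode()
    sni_entry = struct.pack("!BH", 0, len(host)) + host          # name_type host_name
    exts = _ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry)
    exts += _ext(0x002B, b"\x02\x03\x04")                         # supported_versions: TLS 1.3
    if ech_payload is not None:
        exts += _ext(0xFE0D, ech_payload)
    body = (b"\x03\x03" + b"\x11" * 32                            # legacy_version, fixed random
            + b"\x00"                                             # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"                  # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record: bytes) -> dict:
    """Parse only what a passive observer can: cleartext SNI and ECH presence."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    pos = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                     # legacy_session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                          # cipher_suites
    pos += 1 + record[pos]                     # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end, seen = pos + ext_len, {"sni": None, "ech": False}
    while pos < end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        data = record[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                    # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode()
        elif etype == 0xFE0D:                  # encrypted_client_hello
            seen["ech"] = True
    return seen


if __name__ == "__main__":
    print("Do53 QNAME on the wire:", dns_qname(build_dns_query("secret.example")))
    print("ClientHello, no ECH:   ", observe_client_hello(build_client_hello("secret.example")))
    # With ECH the outer SNI is the provider's public name; the real name is not recoverable here.
    print("ClientHello, with ECH: ", observe_client_hello(build_client_hello("public.example", b"\x00" * 16)))
```

Switching the resolver path to DoH or ODoH changes nothing in the second and third lines of output, and adding ECH changes nothing in the first, which is the sense in which the two leaks are orthogonal: each needs its own fix, and the IP address and post-handshake traffic profile mentioned above remain visible in both cases.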