Comment by jiveturkey

4 days ago

Leaked to different parties.

Assuming you don't have ECH, you leak the question (in practical terms) to your ISP, and you leak your question to the DNS provider. With ODoH you plug the latter leak. Plugging that first leak is then still a problem (solved separately) but it's orthogonal to the second.

Even with ECH, where you plug the TLS leak, you have many more holes to plug. IP address might not be shared or might be shared across too few properties, and then traffic profile after the initial connect (to retrieve all the sub-resources) can identify destinations.

It's not limited to the ISP and DNS provider. Thanks to being plaintext, it's anyone anywhere along the network path (unless you were already using DoH of course, but sans-ECH it's still the entire path regardless).

Anyway, I agree with you that plugging leaks is good (notice my adjacent comment). My response there was intended to provide clarification regarding the preceding exchange.
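To make the two leaks in the comment above concrete, here is an added example (not code from the thread or any of its participants) that plays the passive on-path observer: it reads the QNAME out of a plaintext Do53 query and the server_name (SNI) out of a TLS ClientHello that has no ECH. Both packets are constructed inline by small builder functions, and the hostnames are made up for the demonstration. ODoH hides the first value from the resolver; ECH replaces the second with the ECH config's public name in the outer ClientHello, which is what "plugging the TLS leak" refers to.

```python
"""Added example, not from the thread: what a passive on-path observer can
read from a plaintext DNS query and from a TLS ClientHello without ECH.
All packets are constructed here; nothing touches the network."""
import struct


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed Do53 query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def dns_observer(pkt: bytes) -> str:
    """Recover the QNAME from a plaintext DNS query, exactly as anyone on the
    path (ISP, transit network, resolver operator) can."""
    _txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, parts = 12, []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a query's first name never uses compression pointers
            raise ValueError("unexpected label pointer")
        parts.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(parts)


def build_client_hello(sni):
    """Constructed ClientHello record; sni=None omits the server_name extension."""
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        server_name_list = b"\x00" + struct.pack("!H", len(host)) + host  # host_name
        ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions = struct.pack("!HH", 0x0000, len(ext_body)) + ext_body
    body = (
        b"\x03\x03"                           # client_version
        + b"\x11" * 32                        # random (constant for the demo)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_observer(record: bytes):
    """Return the host_name an observer reads from a ClientHello, or None when
    no server_name extension is present. With ECH this field carries the
    public name of the client-facing server, not the real destination."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]              # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                   # cipher suites
    pos += 1 + record[pos]              # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0x0000:
            name_type = record[pos + 2]                       # after list length
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            if name_type == 0:                                # host_name
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


if __name__ == "__main__":
    print("DNS leak :", dns_observer(build_dns_query("example.com")))
    print("SNI leak :", sni_observer(build_client_hello("example.com")))
    print("no SNI   :", sni_observer(build_client_hello(None)))
```

The two observer functions deliberately know nothing about the builders beyond the wire formats, so the same parsers work on captured packets; the point is that neither needs any key material to read the destination, which is exactly why the comment treats the DNS leak and the SNI leak as two separate holes.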

  • Going off on a tangent, I wish there were more awareness of how this concentrates power to Cloudflare.

    • Between so many service operators intentionally purchasing MitM as a service from the cloud providers and the ever-increasing proliferation of centralized captcha solutions that work via fingerprinting, the entire situation seems increasingly hopeless.