On Tue, Sep 10, 2019 at 07:46:57PM +0200, Marco d'Itri wrote:
> On Sep 09, Adam Borowski <kilob...@angband.pl> wrote:
>
> > With DoH:
> > * the target server knows about you (duh!)
> > * the ISP can read the destination of every connection
> >   [reading the IP header, reading SNI header]
> > * the ISP can block such connections
> >   [blocking actual connection]
> Well, no. They cannot without significantly more expensive hardware to
> do DPI and a *totally different* legislative framework.
> (Source: I have been dealing with government-mandated censorship in
> Italy for ~15 years, both at technical and policy levels.)
I don't understand how blocking by IP would be any more expensive than
blocking by DNS.  It's _cheaper_: you read a field in the IP header instead
of doing it in a higher-level DNS server.

> > * Cloudflare can falsify DNS¹
> You can use DNSSEC over DoH.

If implemented.

> You obviously consider Mozilla's choices of trusted resolvers (currently
> Cloudflare, hopefully others too in the future) a bigger privacy risk
> for generic users (the ones who use the browser defaults) than their ISP;
> I disagree.

Currently you need to trust the ISP; with DoH you need to trust both the
ISP and Cloudflare.  Unless you tunnel all the data over DNS (iodine), you
need to contact your actual destination over the open network.

> I still believe that generic users are better served by deploying more
> censorship-resistant protocols than by worrying that Cloudflare (or
> whoever else) would violate the privacy requirements mandated by
> Mozilla.

Sure, but DoH is less censorship-resistant, not more.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Your snowflakes have nothing on my socks drawer.
⢿⡄⠘⠷⠚⠋⠀
⠈⠳⣄⠀⠀⠀⠀
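The "reading SNI header" point in the exchange above, as an added example that is not part of this thread and not code posted by either participant: a small parser that pulls the cleartext server_name out of a TLS ClientHello, which is all an on-path ISP box needs to learn (and match against a list) the hostname a client is connecting to, however the name was resolved. The ClientHello bytes are constructed inline (fixed random, two cipher suites, one unrelated extension placed ahead of server_name so the walker has to skip it) rather than captured from a real client, and the blocklist is a hypothetical one. Note that this works only while SNI is sent in the clear; TLS 1.3 Encrypted Client Hello, which the thread does not discuss, takes the name out of view, and the no-SNI case below shows what such a box is left with then.

```python
import struct

def build_client_hello(hostname):
    """Constructed sample input: a minimal TLS 1.2-style ClientHello record.
    hostname=None omits the server_name extension entirely."""
    ext_other = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # unrelated extension first
    extensions = ext_other
    if hostname is not None:
        host = hostname.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                     # client_version
        + b"\x11" * 32                                  # random (fixed, constructed)
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"    # cipher_suites
        + b"\x01\x00"                                   # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer

def extract_sni(record):
    """Return the host_name carried in the ClientHello's server_name extension, or None.
    Every length field is bounds-checked so truncated or hostile input just yields None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                     # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                     # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                        # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                # compression_methods
    if len(body) < pos + 2:
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None                                     # truncated extensions
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 2:
            continue                                    # not server_name, keep walking
        list_len = struct.unpack("!H", edata[:2])[0]
        lp = 2
        while lp + 3 <= 2 + list_len and lp + 3 <= len(edata):
            name_type = edata[lp]
            name_len = struct.unpack("!H", edata[lp + 1:lp + 3])[0]
            name = edata[lp + 3:lp + 3 + name_len]
            lp += 3 + name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("ascii", "replace")
    return None

def sni_filter(record, blocklist):
    """What a hypothetical on-path filter does with one record: 'block' on a listed
    name, 'pass' otherwise. With no readable SNI it has only the IP header left."""
    name = extract_sni(record)
    if name is None:
        return "pass"
    return "block" if name.lower() in blocklist else "pass"

if __name__ == "__main__":
    blocked = frozenset({"blocked.example"})           # hypothetical blocklist
    for host in ("blocked.example", "allowed.example", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), sni_filter(rec, blocked))
```

The parser never trusts a length field it has not checked against the bytes actually present, which matters for anything that sits inline on a network path: a malformed ClientHello should fail closed into "no name", not crash the filter.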