afh1 3 days ago

> DNS query [...] in the clear. [...] (DoH) plugs this privacy leak [...] no one on the network, not your internet service provider [...] can eavesdrop on your browsing

Whoever could see DNS traffic can still see the target you're connecting to...
bscphil 3 days ago

The promise is especially dangerous when a huge fraction of traffic doesn't use Encrypted Client Hello, [1] so the domain name is sent in the clear with the initial request to the server. A while back I wrote a quick proof-of-concept that parses packet data from sniffglue [2] and ran it on my very low powered router to log all source IP address + hostname headers. It didn't even use a measurable amount of CPU, and I didn't bother to implement it efficiently, either. I think it's safe to assume that anyone in a position to MITM you, including your ISP, could easily be logging this traffic if they want to.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
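To make the leak concrete, here is an added Python example (not bscphil's proof-of-concept and not sniffglue) that pulls the host_name out of a plaintext TLS ClientHello, the field a passive observer on the path reads when ECH is not in use. The ClientHello record is constructed inline as sample input rather than captured, and the parser returns None for non-handshake, SNI-less or truncated records.

```python
import struct

def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record, optionally with SNI."""
    extensions = b""
    if with_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        ext_body = struct.pack("!H", len(entry)) + entry         # ServerNameList
        extensions = struct.pack("!HH", 0x0000, len(ext_body)) + ext_body
    body = (
        b"\x03\x03"                 # client_version
        + b"\x00" * 32              # random (zeroed in this constructed sample)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite
        + b"\x01\x00"               # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the plaintext host_name from a ClientHello's SNI extension, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                                  # not a handshake ClientHello
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) < hs_len:
            return None                                  # truncated capture
        p = 2 + 32                                       # skip version and random
        p += 1 + body[p]                                 # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
        p += 1 + body[p]                                 # compression_methods
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:                          # walk the extension list
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            data = body[p + 4:p + 4 + elen]
            if etype == 0x0000:                          # server_name extension
                list_len = struct.unpack("!H", data[:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:
                        return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += 4 + elen
        return None                                      # no SNI present
    except (IndexError, struct.error):
        return None                                      # malformed input
```

The same walk is what an IDS or a passive logger performs per flow, which is why the comment above treats the hostname as effectively public unless ECH hides it.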
kyrra 3 days ago

But if that request is going to a large provider (GCP, AWS, CloudFlare), without the hostname, the request is going to be close to meaningless for the snoop.
wander_forever 2 days ago

Correct - that would be visible via ClientHello. But Firefox also enabled ECH (when DoH is enabled) a while back - https://support.mozilla.org/en-US/kb/faq-encrypted-client-he... .
ekr____ 3 days ago

This is correct. The right way to think of DoH is as part of a package of mechanisms (including ECH) that collectively are designed to close network-based leakage of browsing history. Used alone, it has some value but that value is limited.