cedws 7 hours ago
What’s the selling point of ODoH given the low uptake of ECH which means the name of the server you’re talking to is given away anyway?
|
    josephcsible 2 hours ago
    By that logic, someone else would ask "what's the point of ECH since that data will just leak via DNS?" and then neither technology would ever roll out. Deploying this now despite that is exactly how you fix that chicken-and-egg problem.
|
    aftbit 4 hours ago
    What's the selling point of locking your front door given that you have an easily breakable window nearby?

        cwillu 2 hours ago
        It's more like closing the blinds while your front door is wide open.

|
    jeroenhd 6 hours ago
    It means you can use a decently fast DNS server like Cloudflare without the major privacy problems of using Cloudflare. Or DNS4EU, or any non-ISP DNS server really. Your ISP snooping on you with SNI logging is something people using normal ISPs don't need to worry about, but feeding all your data into a profit-driven company is.

        LoganDark 6 hours ago
        > something people using normal ISPs don't need to worry about

        It doesn't matter which ISP you're using if the cables are tapped, which they pretty much are.

            jeroenhd 2 hours ago
            If you piss off any government enough that you suspect your wires may be tapped, ODoH will not save you and TOR probably will not do much better. If you live in a place with omnipresent government monitoring (China/Iran/etc.), there is no solution. Any solution to getting wiretapped with a legal order will almost certainly be an extra charge the day you do get arrested.

            UqWBcuFx6NV4r 5 hours ago
            Please don’t be intentionally tone-deaf. “a nation-state can track my shit therefore it’s not worth doing” is a silly, silly, silly approach to security, and does not speak to the concerns of the vast majority of even privacy-focused people.

|
    elp 6 hours ago
    My, admittedly cynical, view of it is that the main selling point is that you share your data with the person running the ODoH server. The truth is that very very few people run their own recursive nameserver. The entirely reasonable assumption for any authoritative nameserver, like .com, is that the query is being asked on behalf of someone else and knowing that a user of your nameserver asked for the IP of sexysheep.com doesn't give them a lot of useful info. I think many ISPs actually sell a lot of data from their recursive nameservers, but I'm willing to bet that almost no-one bothers to sniff port 53 UDP traffic going elsewhere. My vote for the best privacy option is always going to be just run pi-hole with your own recursive nameservers.

        rdme 6 hours ago
        The relay sees IP + ciphertext, the target sees question + relay's IP. No single party gets both.

            petcat 6 hours ago
            What if the relay and target are being operated by the same provider? The relay controls where the question is sent, right? They can collude?

                rdme 6 hours ago
                No, you are actually telling the relay where to redirect your question from the start (because you are encrypting the question with the public key of the destination resolver) - the relay sending the question where it wants would result in the destination not being able to decrypt it.
|
        petcat 6 hours ago
        > your own recursive nameserver

        But then the internet can know that you are the one using your own resolvers and so they can trivially identify your traffic. Really you need to use some public resolver with a critical mass of other users in order to have any hope for anonymity. But then of course you have to trust that resolver too.

        aftbit 4 hours ago
        I'm disappointed that sexysheep.com is just a domain parking page. I'm not sure what I was hoping for, but I think that's the worst possible outcome.
|
|
    fc417fc802 7 hours ago
    I'd think that if you've got several leaks then patching one up is still forward progress even if it doesn't deliver a full fix immediately.
|
    rdme 7 hours ago
    They solve different things. ODoH hides your question, not who you're talking to.

        fc417fc802 6 hours ago
        Sure ODoH hides your query but you then turn around and leak the question you just asked as part of the TLS handshake.

            rdme 6 hours ago
            I agree with you, however that's a separate problem that needs to be solved.