
What you’re revealing to your ISP, why a VPN isn’t enough and ways to protect it - xvolter
https://medium.com/@ben.hutchins/what-youre-revealing-to-your-isp-why-a-vpn-isn-t-enough-and-ways-to-avoid-leaking-it-503816542951
======
DrScump
All of the exposure vectors described here are in effect RIGHT NOW and have
been since 2015, when FTC authority over this was killed.

The rule that the Obama administration created (just last December!) that
restores some (not all) elements of privacy DOES NOT TAKE EFFECT UNTIL
DECEMBER 2 2017 at the earliest. All of the privacy exposures detailed here
are CURRENTLY LEGAL and have been for almost 2 years already and, if the Obama
rule goes unchanged, would continue through December at least.

What this bill actually does is codify the current rule as statute law,
meaning that the current and future administrations can’t change this stuff by
simple fiat rule change — a passed and signed bill would be necessary.

What privacy activists should be demanding is that a statute enforce privacy
across all service providers and major content distributors, including Amazon,
Hulu, Netflix, etc.

------
iAm25626
DNSSEC does not help with regard to privacy. It does not prevent the ISP from
seeing what domain name you look up. Running your own DNS server is relatively
simple: there is a bind/named docker image. However, with DPI it's still
subject to snooping.

~~~
feld
that's why you use dnscrypt-proxy

~~~
iAm25626
Right; but in the article the author mentioned using DNSSEC as a way to gain
privacy. Just want to point that out.

~~~
xvolter
Correct. I recommended the use of DNSCrypt first specifically for this reason.

DNSSEC alone primarily helps prevent DNS spoofing, phishing, and MITM attacks.
All useful, but DNSCrypt gives you encrypted DNS queries. Maybe I should have
clarified this more.

~~~
tptacek
DNSSEC doesn't prevent DNS spoofing attacks, at least not the kind that occur
in the real world. DNSSEC is a server-to-server protocol. From client to
server (like with the requests from your browser to your ISP's DNS server, or
to Google's DNS server, or whatever you use), there is _no cryptography
whatsoever_ protecting the requests. Just a single bit in the header, saying
that someone else did the cryptography for you.

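The wire-level point made above, as an added example that is not from the thread or the article: the query a DNSSEC-aware stub sends (name in cleartext, DO bit in the OPT record) and the AD flag in the reply, which is a bare header bit with no signature behind it from the client's point of view. Standard library only; the transaction id, buffer size and queried name are constructed values.

```python
import struct

# DNS header flag bits (RFC 1035; AD/CD from RFC 4035).
QR_BIT = 1 << 15
RD_BIT = 1 << 8
RA_BIT = 1 << 7
AD_BIT = 1 << 5   # "Authenticated Data": the resolver asserts it validated
CD_BIT = 1 << 4   # "Checking Disabled"
DO_BIT = 1 << 15  # "DNSSEC OK", lives in the EDNS0 OPT TTL field (RFC 6891)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query as a DNSSEC-aware stub sends it: RD set, EDNS0 OPT with DO.
    Nothing is encrypted; DO only asks the resolver to include RRSIG records."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP payload size 4096, TTL field = DO bit, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return header + question + opt


def parse_flags(msg: bytes) -> dict:
    """Pull the header flags a stub resolver actually looks at."""
    _, flags = struct.unpack("!HH", msg[:4])
    return {"qr": bool(flags & QR_BIT), "ad": bool(flags & AD_BIT),
            "cd": bool(flags & CD_BIT), "rcode": flags & 0xF}


def labels_in_cleartext(msg: bytes, name: str) -> bool:
    """True if every label of the queried name sits in the message as plain bytes:
    this is what an on-path observer such as the ISP reads straight off the wire."""
    return all(l.encode("ascii") in msg for l in name.rstrip(".").split("."))


def build_response(query: bytes, claim_validated: bool) -> bytes:
    """Constructed reply that echoes the query body and sets QR/RA, optionally AD.
    Setting AD involves no key and no signature: it is a one-bit assertion that the
    resolver validated, which the stub cannot check without a trusted channel."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= QR_BIT | RA_BIT
    if claim_validated:
        flags |= AD_BIT
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + query[12:]
```

Because the only DNSSEC artefact visible to the stub is that AD bit, the transport to the resolver is what protects the query, which is the reason the thread points at dnscrypt-proxy rather than DNSSEC for privacy.
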
------
woodandsteel
I am wondering what people think of cliqz as a solution to these problems.

