A few simple steps to vastly increase your privacy online (thetoolsweneed.com)
290 points by kaxline 31 days ago | hide | past | web | favorite | 206 comments

Cough, cough...

> A non-profit giving away free software makes sense. Some of the biggest companies in the world giving away free software is suspicious.

followed by...

> Fortunately, you can tell your computer which DNS to use. The company Cloudflare has a publicly accessible DNS at the address that they claim is encrypted and secure.

So wait, you suddenly forgot the axiom you used just a few paragraphs back? Cloudflare is a for-profit company and they give something for free but hey, this time it's not suspicious? Strange standards you live by...

I don't think the author forgot the axiom; they seem to acknowledge that they just don't know of anything better in that case:

> That's about the best you can ask for with a centralized infrastructure for the internet. A recurring theme in this quest for data ownership and privacy is that you can only take it so far before you have to ultimately trust a company or entity to do what they say they're doing.

It doesn't take a huge amount of research to learn of alternatives like uncensoreddns.org, so I think it is a little lazy to just go with Cloudflare.

> UncensoredDNS is the name of a DNS service which consists of two uncensored DNS servers. The servers are available for use by anyone, free of charge.

According to the article, "free of charge" is suspicious.

> This node is hosted at AS9167 in Copenhagen, Denmark.

Denmark belongs to the Nine Eyes.

Given this information, why uncensoreddns? Are there better alternatives?

"they seem to acknowledge that they just don't know of anything better in that case"

They don't know you can run your own DNS server?

It's technically trivial (for this audience) and it's basically free (very low traffic and resource instance or droplet or VM ...).

I disagree that it's technically trivial for the audience this article is written for. The suggestions on the page are all as simple as using a particular browser, search engine, or browser plugin.

Where would you point the upstream? Doesn't it just push the problem up one server?

If you run your own recursing DNS server, your "upstream" is ICANN and the various registries that run the top level domains.

Suppose a local government blocks a global gambling or betting platform; will ICANN happily serve the IP one seeks to an end-user-installed DNS server? What is then the legal perspective? Is ICANN then in contempt of local law?

Because of how recursing works[1], ICANN only serves the IP for the dns server responsible for the tld. I doubt that would run afoul of any laws because ICANN doesn't even know what the actual domain you're looking up is.

[1] https://en.wikipedia.org/wiki/File:Example_of_an_iterative_D...

> I doubt that would run afoul of any laws

Sure it does. If the law says that domain X is not accessible in country Y, then ICANN has to scrub domain X from the list of domains when queried from country Y. Whether country Y has the jurisdiction to demand ICANN comply with their laws is a different matter, but I believe that technically serving "blocked" domains is probably against the relevant laws.

>Sure it does. If the law says that domain X is not accessible in country Y, then ICANN has to scrub domain X from the list of domains when queried from country Y.

But thing is that ICANN doesn't have a list of domains. All it has is a list of tlds and the dns servers for them. So if www.example.com. was blocked in some random country, the conversation with ICANN would go something like this:

    client: what's the IP for example.com?

    ICANN: I don't know, but you should ask verisign (the operator of the .com TLD)

You could argue that ICANN should have responded with "I don't know" (which will cause the recursion to stop), but that's sort of pointless because if you really wanted to know, you could ask ICANN to resolve some random.com domain and you would get the response that you need ("go ask verisign"). The company you want to block/sanction/threaten here is verisign (the actual company that controls the .com zone), not ICANN (the company that controls the root zone).

How much daily traffic does running your own DNS server generate (to keep the domain-to-IP bindings up to date)?

I am really interested in trying this...

The DNS requests corresponding to typical HTTP traffic would be negligible compared to that HTTP traffic. DNS servers generally don't generate any traffic except when you perform a query.

Should be <512 bytes per request and after a particular domain name is queried it doesn't need to be queried again for some time (depending on TTL).

So it's really only somewhat anonymizing if many people use it? Is there some kind of distributed DNS table through Tor or something?

If you were to run your own recursive DNS resolver, you'd probably do 3-10x more DNS traffic than you did before, due to the number of requests increasing from 1 to multiple.

That said, each DNS request & response is usually under 1KB, so the background traffic doesn't really stop being negligible.

Don't run your resolver open to the wider internet, however. Only accept recursive requests from your local network segment, or you'll unwittingly become part of DNS amplification attacks.

Oh, I thought a DNS server meant I would be storing my own copy of a table of URLs to IP addresses?

So the privacy enhancement is tracking by the DNS server? but if my local DNS server forwards these requests, how exactly does it improve my privacy if it does not store a bulk "DNS table" in my amateur speak?

DNS servers deal with domain names, not URLs. For an HTTPS request, the rest of the URL (path etc.) is only ever sent to the target site, over an encrypted connection. From an information privacy perspective, DNS is a weak link in this mechanism.

The reason running your own DNS improves your privacy has to do with how centralized or decentralized your DNS traffic is, and who gets to see it as a result.

If you use a DNS controlled by someone else, the DNS operator can see, and therefore (in principle) track, all of the domain name lookups you make that aren't served by your local machine or router's cache.

In contrast, if you run your own DNS server that's not just a slave to e.g. an ISP's server, then external domain lookups are made directly against the authoritative DNS servers for the domain you're looking up. There's no longer a single central server, other than your own, that's seeing all your lookups.

So if you look up news.ycombinator.com, and the name isn't already in your cache, the request goes direct from your DNS server to an AWS DNS server, because that's who hosts the ycombinator.com DNS. Your non-cached DNS requests are thus spread out across all the DNS servers for all the different domains you're accessing, and the only DNS servers that see your requests are the servers for the domain you're accessing.

There are some caveats to this.

First, if your ISP is unscrupulous, it can examine your DNS traffic anyway, since most DNS traffic is currently unencrypted (this is changing, but slowly.) To get around that you'd need an encrypted DNS proxy hosted outside your provider's network.

Second, large DNS providers like Verisign, GoDaddy, AWS etc. will tend to get a large subset of your requests anyway. However, most of those big companies are publicly focused on information security, and it would be big news if it turned out they were tracking your DNS lookups. Some of them provide audited guarantees that they don't do this.

Let's say you look up "porn.example.com" and "dissidents.github.io".

. (the ICANN DNS root) sees "io" and "com".

com sees "example.com" but not which subdomain or anything to do with io.

io sees "github.io" but not which subdomain or anything to do with com.

example.com sees "porn.example.com" but doesn't know anything about "dissidents.github.io".

github.io sees "dissidents.github.io" but doesn't know anything about "porn.example.com".

You leak the same total information, but no single entity has a convenient list of every DNS request you make.

That's wrong though, the ICANN sees the whole domain, dissidents.github.io and replies with "I don't know, but ask the owner of .IO which is xx.xx.xx.xx"

Well, unless the servers implement https://tools.ietf.org/html/rfc7816, which is experimental and quite recent.

Unbound seems to support it, which is great (and that makes you right, actually, if the user installs this software). I don't know for others.

Actually, this appears to be implementation-specific? The resolver I looked at a while ago[0] did something like:

  @. io NS -> ns1.io # (for example[1])
  @. ns1.io A -> x.x.x.x
  @x.x.x.x github.io NS -> ns1.github.io
  @x.x.x.x ns1.github.io A -> y.y.y.y
  @y.y.y.y dissidents.github.io A -> z.z.z.z
  return z.z.z.z
caching every step of the way. Admittedly, I don't know that it wasn't going out of its way to avoid leaking, but this was circa 2012 or so, so it predates RFC 7816 at least.

0: found by googling "dns recursive resolver example code" or something to that effect

1: There's actually several NS entries, with retrying/failover.
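The per-level breakdown a few comments up (what ., com, io, example.com and github.io each get to see) and the resolver trace just above describe two different behaviours: the trace sends the full name to every server on the path, while the breakdown is what you get with QNAME minimisation (RFC 7816). This added example (not from the thread or from any real resolver) simulates both against a constructed zone tree built from the thread's own example names, so the difference in what the root and TLD servers learn can be checked directly; zone data and addresses are placeholders.

```python
"""Toy model of iterative DNS resolution (added example, not real DNS).

Records which query names each authoritative server receives when a
resolver walks the delegation tree, first sending the full name at every
step and then with QNAME minimisation (RFC 7816), where each server is
asked only for the labels it needs to hand out the next referral.
"""
from collections import defaultdict

# Constructed delegation tree. Each zone knows the child zones it delegates
# to (NS referrals) and the names it answers for directly. Addresses are
# RFC 5737 documentation addresses, not real hosts.
ZONES = {
    ".": {"delegations": {"com", "io"}, "records": {}},
    "com": {"delegations": {"example.com"}, "records": {}},
    "io": {"delegations": {"github.io"}, "records": {}},
    "example.com": {
        "delegations": set(),
        "records": {
            "example.com": "192.0.2.1",
            "porn.example.com": "192.0.2.10",
            # sub.example.com is NOT a zone cut: a minimised query for it
            # gets no data and the resolver has to add another label.
            "www.sub.example.com": "192.0.2.11",
        },
    },
    "github.io": {
        "delegations": set(),
        "records": {"dissidents.github.io": "192.0.2.20"},
    },
}


def labels(name):
    """'a.b.c' -> ['a', 'b', 'c']; the root zone '.' has zero labels."""
    return [] if name == "." else name.rstrip(".").split(".")


class IterativeResolver:
    """Walks from the root down, one authoritative server per zone cut."""

    def __init__(self, zones, qname_minimisation):
        self.zones = zones
        self.qmin = qname_minimisation
        # zone -> every query name that zone's server received, in order
        self.seen = defaultdict(list)

    def _ask(self, zone, qname):
        """One query to the server for `zone`: answer, referral or nodata."""
        self.seen[zone].append(qname)
        z = self.zones[zone]
        if qname in z["records"]:
            return "answer", z["records"][qname]
        for child in z["delegations"]:
            if qname == child or qname.endswith("." + child):
                return "referral", child
        return "nodata", None

    def resolve(self, name):
        name = name.rstrip(".")
        parts = labels(name)
        zone, extra = ".", 0
        while True:
            if self.qmin:
                # Ask for just enough labels to reach the next zone cut below
                # `zone`, plus any labels added after a nodata at this level.
                depth = len(labels(zone)) + 1 + extra
                qname = ".".join(parts[-depth:])
            else:
                qname = name  # full name disclosed to every server on the path
            kind, value = self._ask(zone, qname)
            if kind == "answer":
                return value
            if kind == "referral":
                zone, extra = value, 0
                continue
            if self.qmin and qname != name:
                extra += 1  # minimised name was neither a record nor a cut
                continue
            return None  # the name genuinely does not exist


def what_each_server_sees(names, qname_minimisation):
    """Resolve every name and return {zone: sorted names that zone saw}."""
    r = IterativeResolver(ZONES, qname_minimisation)
    for n in names:
        r.resolve(n)
    return {zone: sorted(set(q)) for zone, q in r.seen.items()}


if __name__ == "__main__":
    lookups = ["porn.example.com", "dissidents.github.io"]
    for mode in (False, True):
        print("QNAME minimisation:", mode)
        for zone, seen in what_each_server_sees(lookups, mode).items():
            print(f"  {zone:12s} saw {seen}")
```

With minimisation off, the root and both TLD servers receive the complete names; with it on, the output matches the per-level breakdown above, and the example also shows the extra round trip a minimising resolver needs when an intermediate label is not a delegation.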

"Cloudflare has promised not to log individuals' DNS traffic and has hired an outside firm to audit that promise." -- https://arstechnica.com/information-technology/2018/04/how-t...

Ultimately you have to rely on such promises, because there's no way in a distributed internet to be completely self-reliant.

Of course there are ways, but they need to be improved and catch on; consider for example Namecoin... in theory each client could perform DNS queries locally...

Nice point!

Hey, Mozilla, Apache, etc. - want to run a secure DNS service for us techies to use?

Worked supporting 2 of the 13 core internet root NS and the major TLDs, and it's safe to say you can't escape DNS surveillance.

Cloudflare's customers benefit from their users having fast worldwide DNS too.

Google benefits from their users having a fast browser (Chrome) too, but that doesn't say anything about privacy (for either Google or Cloudflare).

There’s a reason these “how to privacy your browser” changes are all not bundled with browsers — because the capability to maintain them as they are today is a one in a thousand skill or less. Maintaining this collection of changes is a significant burden that requires an ongoing investment and a willingness to deal with the technical fallout of these choices every day. So:

Please don’t apply these steps to non-technical people’s browsers. They will result in an endless litany of broken banking websites, annoying support calls, memory issues, and in general a terrible user experience for others.

Guides like these are why my most common technical support first response for experts having browser issues is to have them reset their browser settings and remove all addons and try again. Non-experts rarely require that, unless they tell me that an expert “made it better” for them. Don’t be that expert.

Yes. I've tried implementing some of these on my wife's laptop after using them myself for some time and not having any problems. Then quickly learned that the sites she comes across while browsing are far far more likely to break with these tools than the sites that I (a computer geek) visit.

I've had to dial it back significantly. Disconnect is the only blocker that has passed the wife test. I originally discounted it because the UI for dealing with breakage is worse than Privacy Badger or Ghostery (the default UI doesn't list blocked content, host names are harder to see at a glance in the graph, and the button to temporarily disable all blocking is not as obvious). But the fact that it is more conservative in what it blocks to begin with makes up for it. I still wouldn't enable it for people I don't live with though.

I was also shocked at how frequently HTTPS Everywhere breaks things. I stopped using that myself (and I use uMatrix, with stricter than default base rules).

I'm testing out Decentraleyes right now. It claims to be 100% non-breaking, and so far that appears to be the case. The problem it is addressing (tracking browsing habits via JS libraries) isn't one of the biggest privacy concerns out there, but if it doesn't break anything, and decreases bandwidth to boot, why not!

Pi-hole is the only blocker I have found that passes the wife test. Everything else I've tried on her computer has ended in frustration.

I just wish they were everywhere, it’s so excellent. What sort of percentages are you blocking and how extensive is your block list? I’ve got about 1 million domains blacklisted and get about 15-20% of traffic blocked.

You can host your Pi-hole in the cloud and access it everywhere with an adblock split-tunnel VPN. Here's a self-hosted howto: https://ba.net/adblock/vpn/doc/howto.html

> Please don’t apply these steps to non-technical people’s browsers.

There's a fair amount of stuff in the article. You are right that it would be hard to manage if someone implemented all of the recommendations. But there's some solid advice in there.

An ad-blocker like ublock-origin is a must-have ESPECIALLY for so-called nontechnical folks.

I make sure to put that on the browsers of my extended family whenever I visit and inevitably get asked to "clean" computers. Does it help prevent malware? Hard to say but I think yes.

The guide does not offer the nuance you suggest, and instead follows the standard approach of such guides, recommending all possible steps without any criteria by which to filter them for usability or other.

An ad-blocker like uOrigin can break online courseware and banking sites. If you install it on a student’s machine, and the ad block you consider ‘mandatory’ damages their experience, they might decide to drop (or fail) their course if they can’t figure out how to undo the damage you’ve done to their browser.

Non-experts cannot repair the issues caused by experts inflicting these steps on their computers. Don’t be that expert.

A non-expert also can't locate and avoid phishing ads on sketchy sites. Even ignoring the performance/UX improvements entirely, I would still argue that for most non-technical users, ad-blockers are a strong net benefit. Very, very few sites will break, and even those downsides are vastly outweighed by the security gains.

Imagine if this was the early Windows XP days, and someone was saying, "don't install virus protection or anti-malware on a Windows box, because some programs will be falsely flagged." Yes, sometimes safety valves trigger prematurely or block things they're not supposed to. That doesn't mean inexperienced electricians should remove all of their fuse protectors.

And the risks of breakage here are honestly really minimal. If a student taking an online courseware site notices breakage, 9/10 times they'll call up the person that set up their program and ask for help, and then that person will explain over the phone how to whitelist that one specific site. Or worst case scenario they'll file a support ticket and the support person will explain how to do that. They're not going to just say, "well, I guess I fail" and drop out of school.

DO be that expert. We should be practicing an ounce of protection. It is far easier to prevent viruses and phishing attacks for a nontechnical user than it is to recover from them. I firmly believe that anyone who can't be taught how to disable an adblocker should not be allowed to browse the web without one.

Please, uBlock has a big fat off button. Also, it is trivial to have an instance of Chrome or Safari available if your locked-down Firefox is blocking your course work.

Honestly, I would consider users who run Chrome or Safari without extensions to be safer than users who run Firefox with this guide's "few simple steps" applied. I'd rest more easily at night knowing they're protected by someone who's making judgement calls appropriate for non-technical users who have no support if something goes wrong.

But again, most users that can't operate an adblocker also cannot be trusted to browse the Internet without one.

You're describing this setup like it's a choice between complicating someone's life or giving them a simple browser that just works. Phishing attacks are nasty. No matter what choice you make, a new user is going to have a complicated element they need to be educated about. You either have to teach them to use an adblocker, or you need to teach them Internet security best practices.

To jump back to the same comparison I made earlier, this is like wiring a house without circuit breakers because the owner is too scared to mess with the little switches. Is it simpler? Sure, but it stops being simpler when their house burns down.

Nontechnical users click on things; they particularly click on flashing banners that tell them they've won prizes, and they particularly click on images with scary fonts that tell them that their Facebook has the virus and needs to be updated. If you're going to give a nontechnical user a browser without an adblocker, you need some kind of other defense against phishing attacks, fake download links, cryptocurrency miners, and compromised Ads/CDNs that scrape credentials out of payment forms.

Do you have an alternative defense? If not, then I really feel like for someone as tech-illiterate as you're describing, giving them a bare browser is roughly the equivalent of throwing them naked into a hostile environment.

The example I provided, about school courseware and a browser damaged by an expert and the student dropping the class, wasn't a made-up example.

I have to follow up on this though -- Did the person in question just not have your phone number or email?

Disabling uBlock Origin is literally two clicks. I understand someone not knowing how to do that -- I don't understand not being able to explain how to do it.

And even in the crazy case where someone drops a course, that's still a preferable scenario to me over helping an uncle remove a keylogger because a big scary box told him to click on it.

When I set up a computer for someone I either need to teach them how to whitelist a site, or I need to teach them Internet security, which is not always possible to do. I think it's irresponsible to put someone online who's not an expert without at least some protection to keep them safe.

I was posting business cards offering my repair services on university posting boards at the time, and due to the volume of requests during the new semester I couldn't schedule the visit before they had to make the drop decision. (No, I wasn't the 'expert' who damaged their browser before they called me.)

I have noticed very, very few essential websites (like banking, University, Government sites, ...) breaking when using the standard lists of uBlock origin.

Sites that break are almost always fishy.

But I have started telling people that, when a site is not working properly, they may be able to fix it by clicking the shield button and then the big power button to turn the blocker off. That's usually enough.

You are being a bit over-dramatic here I think. Most younger people are smart enough to try a different approach (eg using the phone or tablet instead).

I’ve been doing personal computer support for family and friends since the 90s. My views derive from my experiences supporting them. I spent forty-five minutes teaching someone to press the home button on an iPad last year. You greatly overestimate the lower bounds of competence of unskilled folks.

And the lower bounds of confidence too.

A lot of people I've encountered are quite scared of computers, and experience a significant amount of anxiety when asked to use a computer in front of someone. What to us is as natural as reaching for something, is to them a task to be feared, anticipated with dread, embarrassment and shame.

All IT related people should spend time with such folks, as you did. It would definitely help the industry if we were all a lot more open and sympathetic to people who are mystified, scared, or angered by computers and software.

You do bring up an interesting point.

I could never teach my grandmother what an ad blocker is and how to disable it if a site is not working. That would be far beyond her reach. Some basic Youtube browsing and email reading/writing is the peak for her.

I was mostly commenting on the <=45 crowd where some basic computer literacy is usually there and can be beefed up, in my experience.

Yet our older generations are probably the ones that would need an ad blocker the most to prevent them from ending up on phishing/scamming sites etc.

I think you're being a tad dramatic if we are talking about uBlock Origin. If configured correctly, with the blocklists selected erring a bit on the conservative side, the benefits dramatically outweigh the drawbacks even for the most basic of users.

I am that expert for a very large number of non-expert users. I taught them how to troubleshoot it in case something goes wrong (worst case: click the button to disable it on this page). I've asked them about their experience. There was no breakage and no complaints whatsoever.

I would say it definitely passes the wife test.

To be complete, yes, I do instruct the users how to turn off ublock origin. Most users, even those in my extended family, are able to understand the concept of ad-blocking as well as turning it on and off when someone takes the time and attention to explain it to them. Ublock is especially user-friendly for all the most basic use-cases.

They're better off with adblocking, seriously.

No one is actually going to fail an online course because of adblocking.

If someone who does online banking can't handle the most basic concepts of computer hygiene to the point of turning off an adblocker and knowing when it's safe to do so-- they probably should stick to brick and mortar banking.

As bad as some web-browsing inconveniences are, these pale in comparison to having a computer beset with malware.

> If someone who does online banking can't handle the most basic concepts of computer hygiene to the point of turning off an adblocker and knowing when it's safe to do so-- they probably should stick to brick and mortar banking.

I do not at all agree that we should banish people unable to navigate adblocking from the Internet altogether. They are not 'lesser' people. They do not deserve to be denied access. They simply need more help than you and I.

I definitely agree that we should tax all Internet businesses to pay for the libraries, library computers, and librarians that help one-third of American citizens operate the Internet safely.

It's not about anyone being "lesser" than anyone else. It's about not putting someone into a dangerous situation until they're prepared to enter those situations.

My grandmother is an amazing, intelligent person. I would not give her a potentially dangerous device if I wasn't also willing to sit down and talk to her about how it worked. Heck, with really nontechnical people I print out illustrated instructions so they can file them next to the computer.

That's what giving help means. Educate people about how their browser works. Teach them computer hygiene so they can use an adblocker. If you can't do that, then giving them a barebones browser with zero protections is not helping them.

No one's talking about banishing people from the Internet. We're saying that if they can't handle the most basic concepts of computer hygiene, they are not ready to do online banking yet, and they should wait until someone helps them get ready or until someone installs some safeguards on their computer to keep them protected in the meantime -- even if those safeguards make their lives less convenient every once in a while.

If someone can't work their turn signals, I don't think they should be banned from driving, but I do want to help them figure that part out before they start the car, and they should probably walk or be chauffeured in the meantime.

There’s a huge span of skill between, say, the typical HN contributor and a dementia-addled 80-year-old. But some of you are talking like those are the only two skill levels of users in the world.

Most adults are able to understand the basics of computer hygiene. It is not that hard to explain what an adblocker does and how to use it to most people.

The sad thing is browser makers aren’t willing to help out the people who really need it because doing so would impact clickbait revenue.

Instead, that task is left to us. It’s not an ideal situation, but have you seen what happens to PCs in the hands of folks that don’t have a concept of computer hygiene?

Yes, I have seen malware-infected PCs in the past three decades of supporting non-technical people using computers.

>An ad-blocker like uOrigin can break online courseware and banking sites. If you install it on a student’s machine, and the ad block you consider ‘mandatory’ damages their experience, they might decide to drop (or fail) their course if they can’t figure out how to undo the damage you’ve done to their browser.

Click ublock logo > click big obvious shutdown symbol. That's it.

This requires a lot of things which aren't obvious:

1) the person to realize the site is broken because of something on their end (as opposed to the site being broken because of something "on the internet")

2) the person to realize the cause of the breakage is ublock

3) the person to be able to find the ublock logo (not always obvious; some browsers hide extensions, sometimes people don't know where to look, sometimes they don't know "the little red shield" == "the ad blocker causing my problems")

4) the person to understand what the big power symbol does - if you only click the ublock logo, it's not obvious to a layperson that the power symbol is a button

5) the person to be comfortable clicking the button, and not more afraid of "breaking the internet" than they are desiring to fix the issue

I do informal tech support for family members who could not get past steps 1 or 2, even if I've explained it to them. We who spend our lives on the Internet take a lot of the things we grok about it for granted, but someone who only occasionally uses a computer won't necessarily have the foundation to make the connections we do when faced with a problem like this.

At multiple paying day jobs with HN-class expert technical users, I have found that 2) is precisely correct here: it simply doesn't occur to them that [non-advertising non-tracking site feature] could be breaking because of [advertising tracking blocker]. The most recent instance of this was Tuesday.

>They will result in an endless litany of broken banking websites, annoying support calls, memory issues, and in general a terrible user experience for others.

This is some FUD you got going on here. Changing DNS will break nothing. Neither will blocking referrals, blocking trackers, blocking ads. In the rare case it does, you're one click away from disabling everything! Neither will your system get slower; much to the contrary, you will save memory, network data, and battery.

A few minutes ago, my ad blocker broke the login form of my cellphone provider. A non-technical user would probably not think to turn off the ad-blocker, and would assume that the website is broken. Not being able to log into your phone provider (or bank) is a pretty serious inconvenience which should not be taken lightly.

If a login form breaks because of an ad-blocker then the site is broken. Ad-blockers have a bigger market share than most browsers!

I agree that the website is the thing that is broken. Their code looked like this:

The first line threw an exception. They should have surrounded that line with a try/catch block. And they should have tested against popular adblockers as well as popular browsers. But it's also within their right to not care about adblockers, and live with the consequences of upset customers. Unfortunately, very few customers will complain, so this becomes an externalized cost which the website owner never sees.

Practically speaking, if I install an adblocker on my friend's computer, and their mobile provider website stops working, then I personally feel some responsibility for making my friend's web experience a bit worse.

>Ad-blockers have a bigger market share than most browsers!

Browsers adhere to standards. Meanwhile, there are hundreds/thousands of filter subscription combinations that people use, along with several adblocking extensions.

>Changing DNS will break nothing. Neither will blocking referrals, blocking trackers, blocking ads. In the rare case it does,

>break nothing

>In the rare case it does,

Aside from the obvious contradiction in those two sentences, there's also the issue that adblockers work so well that most people won't think of it when stuff's broken. This problem's only exacerbated by the other addons such as httpseverywhere (known to break sites and show scary warnings).

Cloudflare's DNS server has recurring trouble with the (non-Cloudflare) CDN used by Macy's for their website and mobile apps. I last observed this failure in February 2019. Changing DNS absolutely can break things.

Agreed. I have a subset of these installed and it forces me to switch to an unblocked Chrome multiple times per day.

It does force me to evaluate whether I really need access to something, but it's a hurdle.

I installed just privacy browser and HTTPS everywhere on my wife's computer and that alone was enough to break things to the point she asked me to turn them off.

Firefox now has basic ad-blocking built-in using Disconnect's lists, which is very cool.

I use ublock in combination with privacy badger. In ublock I block all third-party requests and enable sites one by one. I had to leave Safari on my laptop with only the basic ad-blocking since my wife can't use my Firefox's ultra hard blocking situation.

I searched but couldn't find anything suggesting they're ad-blocking by default -- what they do have, eg https://nakedsecurity.sophos.com/2019/01/30/firefox-makes-ad..., is ability to block trackers. But it's only default enabled in "private" mode.

Could you back up your statement?

Mozilla got a huge sum of money from Google last time I checked (a few months ago), so it would be amazing if they were allowed by Google to enable ad-blocking as a default (unless there was whitelisting that included Google).

The information is right in the article you posted. I never used the word 'default'.

> Please don’t apply these steps to non-technical people’s browsers. They will result in an endless litany of broken banking websites, annoying support calls, memory issues, and in general a terrible user experience for others.

I apply these solutions on a shared laptop, but I do so precisely because it shouldn't be used for things like banking. It doesn't get heavily used for web browsing anyway, and having these extensions installed is more than likely to save me (as the resident IT guy) tons of headaches in the long run. It's not a binary thing; there are shades of gray where this is highly appropriate.

ETA: I also used to do this on my spouse's laptop. Didn't cause too many issues once we got past the initial hurdles.

Whenever I come across one of those articles promoting "use Firefox instead of Chrome" I wonder if I'm the only one having those huge performance issues with Firefox on macOS. I seriously tried to make the switch from Chrome to Firefox a few times in the recent years because of all the dark patterns Google is pushing upon its userbase with Chrome, version after version. But Firefox feels significantly slower, makes the MBP fans go crazy and drains the battery like hell.

I've come to the conclusion that at this point it's no option for me to make the final switch to Firefox, as much as I'd like to. But I try to cut off Google's prying eyes from my browsing behaviour as much as possible:

- uBlock Origin + Privacy Badger is all you need to block the most nasty privacy invaders, seriously.

- I don't use the sync feature.

- I don't use Gmail, so there's no reason to login to my Google account, ever.

- I used Youtube's thumbs-up button as sort of bookmarks for my favorite videos, now I have a bookmarks folder for Youtube videos, which is ok for me, but might not be for everybody.

- automatically clear browsing data after quitting Chrome.

My dream browser would be Firefox with Chromium under the hood, but that's not very likely to happen...

On Linux it simply flies. macOS is known to have issues with GPU performance.

It's not macOS, it's Firefox on macOS.

>It's not the OS, it's the software only on that OS

You're not the only one. Firefox uses way too much GPU power on MBPs. Supposedly fixes are in the works, but I doubt they will happen any time soon. I've learned to tune out the 'improvements to performance' claimed by Firefox releases because they never actually do anything for MBP users.

Like you, it is one of the main things keeping me to Chrome (although pinch-to-zoom and casting are nice, too).

My solutions for Chrome's privacy issues are similar to yours, except I use the full sync for bookmarks, but then I switch to a private window for actually using any Google site (except for search). At the end of the day, it's still a huge compromise. I might try going full Chromium for a while and trying your bookmarks method, although plugins are a bit of a PITA.

The only reason I'm not using Chromium is that 1Password does not trust it as a "secure browser".

1Password is a closed-source app. KeepassXC is better, and Keychain for syncing.

then use Brave... (un-Googled and you can use Chrome extensions.)

> all you need to block the most nasty privacy invaders

The most known invaders. NoScript is the only real protection against zero-days.

I've had the same issue as well. I use Firefox at my home Windows 10 machine and really never miss Chrome. But for work I run macOS and find Firefox slightly intolerable. It's really unfortunate because Tree Style Tabs is a game changer for me, and it'd be even more useful at work than home.

> huge performance issues with Firefox on macOS

Why not Safari? It has ITP2 built in, Private windows, plus I use Ka-Block and VPN.

I really wanted to have Firefox work for me on macOS, but if you use more than 1 OS user concurrently, Firefox regularly locks up when switching between them, or when the computer comes back from sleep. Having to constantly reboot the browser was a deal breaker for me.

> But I try to cut off Google's prying eyes from my browsing behaviour as much as possible

Check out https://brave.com/download/

Un-Googled and supports Chrome extensions.

> now I have a bookmarks folder for Youtube videos

FWIW, you could use youtube-dl to download videos once from the terminal, and then you don't need to visit that Google site again.

Video performance is particularly awful with huge amounts of dropped frames on YouTube and Twitch.

I have no issues with the latest Firefox on my 2012 MBP.

Is it a retina model? All retina models are affected. Also, you likely wouldn't notice unless you are using the battery.

If you care about privacy, you shouldn't be on a Mac anyway. Their privacy policy amounts to "you can trust us".

Privacy is always about trust. I trust Apple (more than others) because they never gave me the impression they are doing anything shady with my personal data behind my back. Unlike Google.

Privacy is only about trust when you can't know what software does. That's only a concern with closed source software and services. Much of Apple's software is closed, much of Apple is based on services. The one thing you can trust is that, at some point, something they do with data they have will displease you. Software that doesn't even try to collect data is the only acceptable kind of software.

Using services obviously requires trust as far as data your client software exposes, but if you choose closed source clients, you've given up on privacy at a fundamental level.

As opposed to…Google's?

So, the DNS server of my provider against Cloudflare DNS it is. That seems to be a good idea for people in unfree countries like Iran.

But since my provider knows every IP I connect to, they already have everything they need in the first place, even if I don't use their DNS.

So handing over the DNS requests to a third party seems to be a rather not so smart move to me.

edit: oh, and the Cloudflare DNS servers are located within the 5 eyes states? nice...

> But since my provider knows every IP I connect to, they already have everything they need in the first place, even if I don't use their DNS.

If you connect to something fronted by CloudFlare your ISP can see you connecting to CF, if they provide your DNS then they can see what you're connecting to that's fronted by CF. A subtle yet important distinction.

Ignoring that, switching from your ISP's DNS prevents all kinds of shit they like to do, like redirecting to ads on an unknown domain.

>Ignoring that, switching from your ISP's DNS prevents all kinds of shit they like to do, like redirecting to ads on an unknown domain.

That's like saying base64 encoding your texts prevents your carrier from snooping on them. DNS packets aren't encrypted. There's nothing preventing your ISP from intercepting your DNS packets and redirecting them back to their servers. All you're doing is making it slightly harder on their end.

> redirecting to ads on an unknown domain

I can clearly see that, in states like Iran or China, getting redirected to somewhere you did not choose to go is really problematic, but getting redirected to ads by your own provider, does this happen in your country?

In Germany, I guess, this would be quite illegal for a provider to do and be considered as attacking the integrity of the DNS system for personal gain.

>If you connect to something fronted by CloudFlare your ISP can see you connecting to CF, if they provide your DNS then they can see what you're connecting to that's fronted by CF. A subtle yet important distinction.

Well, most of the time you would connect to IPs that are not fronted by CF servers, so there's nothing to gain there.

In the cases where I’ve seen this happen, the DNS provider is rewriting NXDOMAIN responses. So, when you make a typo, you hit a “helpful” error page that has ads and tracking in it.

DNS hijacking is extremely common with ISPs.

> That seems to be a good idea for people in unfree countries like iran.

Cloudflare is better in a quite technical aspect: ping to their DNS is 10-12ms vs 25-30ms for Google (Europe).

If you're ambitious, you can run your own DNS resolver and route all your traffic through that.

Your ISP routes all your DNS lookups anyway, so they can see what they are even if you don't use the ISP's DNS server.

They get to see every single unique name you look up, they just don't get to see how often you do it if you use a caching resolver.

You'd need to VPN to somewhere else in order for your DNS queries not to be visible to your ISP.

This is not correct anymore since DNS over TLS. Well, most routers do not support this yet, but it's possible within your distro.

AFAIK you can't recurse using DNS over TLS. You have to use a provider such as Google/Cloudflare, at which point you're back to square one.

You still need to talk to upstream servers at some point.

Indeed, but much less frequently.

True. Using DNS at all means trusting one of the root servers at some point.

If you're not actively targeted, it's much less likely they're logging all of your traffic (or even new TCP connections or UDP 'connections') as it's expensive to do that for every customer in a non-sampled manner (like with Netflow).

My only remark is that changing DNS to an external server is detrimental to privacy, speed, and arguably security. I'll focus on privacy because that's the article's focus.

The power of tracking comes from a central organisation being able to follow almost everyone. Having a birthday calendar on your toilet that your friends can also look at is not creepy, but a worldwide central birthday database might be creepy depending on how private you consider the information. Similarly, changing all our DNSes to is giving Cloudflare, the NSA, and anyone who hacked Cloudflare or any intermediate router (such as your ISP's internal routers and backbone Internet routers), the ability to track our dns requests. If you leave it set to the default, probably your ISP, then someone would have to hack all ISPs on the planet to track all of it.

Furthermore, if you're not paying for it... I'm paying my ISP, but not Cloudflare. Unlike XS4ALL, the ISP I have a contract with, I have no legal guarantees regarding what happens to the data from Cloudflare.

On the other hand, Cloudflare doesn't know me from Adam but my ISP has my billing information. It basically depends on your threat model. I'm pretty sure I'm way down the ladder for the NSA, but maybe I don't want an employee at my local ISP getting in a tizzy about me because I frequent sites they don't like. And who knows in today's world what websites might outrage them? I live in a small town. This might actually be a thing I need to worry about.

This discussion is prompting me to look into dnscrypt as a short-term solution.

Your ISP can see your internet traffic regardless of which DNS server you use.

By using Cloudflare you are sharing your internet history with yet another company.

In the United States, there are probably three or four ISPs that together serve a majority of the population. So there's not much difference there.

Exactly. And most consumers do not have a choice what ISP to use. So their options are either a) use Comcast's DNS [Comcast has had a history of doing questionable things] or b) use another DNS like Cloudflare that claims to be safe / secure / moral.

Short of running your own DNS server, there's not exactly a lot of options.

Install a PiHole (https://pi-hole.net/) and redirect all port 53 (DNS) traffic to it. One of many guides:

Every device on your network now fails to resolve any advertising/tracking/etc. URL. Great system, and "just works".

I did this a while ago, but don't see a huge difference with ads. I confirmed that around 13% of traffic is getting blocked.

Add some more lists; I'm slowly ramping up my blocking and sit a little higher than you in terms of %. I see a big spike in blocking when other users are around - obviously it depends heavily on where you go. Are you using an ad blocker on your device too?

It won't change much on a desktop device if you're already running things like uBlock Origin. But on mobile, where your options are a bit more limited, it can make a huge difference.

Right now I'm sitting around 68% blocked queries with two Smartphones connected to my Pihole.
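The two things a Pi-hole-style sinkhole does, as an added example that is not Pi-hole's code and not from the thread: match a queried name against a hosts-style blocklist (including subdomains of a listed domain, which is why a single list entry catches whole ad CDNs), and compute the "percent blocked" figure the comments above compare. The blocklist and the query-log lines are constructed here; the log format is modelled on what dnsmasq writes when log-queries is on, and the hosts-file shape on the usual public feeds.

```python
"""Added example (not Pi-hole's own code): hosts-style blocklist matching with
subdomain coverage, and blocked-query statistics over a dnsmasq-style log.
Blocklist text and log lines below are constructed for offline use."""
import re

# Constructed hosts-style list: "<ip> <hostname...>" lines, '#' comments.
BLOCKLIST_TEXT = """\
# comment lines and the localhost entry are ignored
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 metrics.example.com
"""

# Names that appear in every hosts file and must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def load_blocklist(text):
    """Parse hosts-file lines into a set of lower-cased hostnames."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:              # blank, comment-only, or no hostname
            continue
        for host in parts[1:]:          # one IP may carry several hostnames
            host = host.lower().rstrip(".")
            if host not in LOCAL_NAMES:
                names.add(host)
    return names


def is_blocked(name, blocklist):
    """'cdn.ads.example.net' is blocked by an 'ads.example.net' entry: walk up
    the label chain so every subdomain of a listed domain is caught too."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def answer_for(name, blocklist):
    """Sinkhole behaviour: blocked names resolve to 0.0.0.0, everything else is
    forwarded upstream (represented by the string 'forward' in this example)."""
    return "0.0.0.0" if is_blocked(name, blocklist) else "forward"


# dnsmasq query-log shape: "... dnsmasq[812]: query[A] host from 192.168.1.23".
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def blocked_ratio(log_lines, blocklist):
    """Count total and blocked queries overall and per client IP."""
    per_client = {}
    total = blocked = 0
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:                       # 'forwarded'/'reply' lines are not queries
            continue
        hit = is_blocked(m.group("name"), blocklist)
        c = per_client.setdefault(m.group("client"), {"total": 0, "blocked": 0})
        c["total"] += 1
        c["blocked"] += int(hit)
        total += 1
        blocked += int(hit)
    pct = round(100.0 * blocked / total, 1) if total else 0.0
    return {"total": total, "blocked": blocked, "percent": pct, "clients": per_client}


# Constructed log sample: a laptop (.23) that already runs a browser ad blocker
# and a phone (.40) that does not, matching the pattern the thread describes.
SAMPLE_LOG = """\
Jan 30 20:15:01 dnsmasq[812]: query[A] news.example.com from 192.168.1.23
Jan 30 20:15:01 dnsmasq[812]: query[AAAA] news.example.com from 192.168.1.23
Jan 30 20:15:02 dnsmasq[812]: query[A] cdn.ads.example.net from 192.168.1.23
Jan 30 20:15:02 dnsmasq[812]: forwarded news.example.com to 1.1.1.1
Jan 30 20:15:05 dnsmasq[812]: query[A] api.example.org from 192.168.1.40
Jan 30 20:15:05 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.40
Jan 30 20:15:06 dnsmasq[812]: query[A] metrics.example.com from 192.168.1.40
Jan 30 20:15:06 dnsmasq[812]: query[A] ads.example.net from 192.168.1.40
""".splitlines()

if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    print(answer_for("cdn.ads.example.net", bl), blocked_ratio(SAMPLE_LOG, bl))
```

On the constructed sample the phone accounts for three of the four blocked queries, which is the "big spike when other users are around" effect: a device without a local ad blocker leaks every tracker lookup to the network resolver, where the sinkhole sees it. Note that `is_blocked` matches on label boundaries, so `notads.example.net` is not caught by the `ads.example.net` entry; substring matching would over-block.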

Except for YouTube and a bunch of other websites which are specifically targeting "pi-hole"-ed devices.

I haven’t heard about this, can you provide a link with more info? I ask because I run a simple local DNS recursor with a blacklist and I haven’t run into any issues with YouTube.

The problem is that YouTube sends the ads on the same IPs that the video is streaming on.

The hostnames are randomly generated based on user and also location so you can't use lists from other users who successfully blocked out adverts.

If you block out all IPs the video won't load. Also, if you successfully block out an IP that sends advertisements, the YouTube app will hang, because it tries to load the advert. In the past it just skipped if the IP wasn't reachable, now it's requesting in an infinite loop.

I reached a point where I tried to buy YouTube Premium, just not to see the ads, but it's not available in my country. So f Google. Currently YouTube is unwatchable to me, it's worse than traditional TVs.

>I reached a point where I tried to buy YouTube Premium, just not to see the ads, but it's not available in my country. So f Google

...or, you know, whitelist YouTube, use a browser-based adblocker instead?

This or discover the magic of youtube-dl. Of course I think OP said having these issues on mobile. But I will add I don't get ads using Safari to watch YouTube on my iPhone with ad blockers installed.

Can you provide more detail? Are you talking about pre-roll type ads in YouTube, or something else?

Yeah, I wrestled with including this step, but I wanted to keep it mostly straightforward for relatively non-technical users. I have a different network level ad blocker and love it.

Yup, absolutely. The "install PiHole" line makes much more sense in the context of HN than in the context of a "a few simple steps".

Publish your own DNS in the DHCP lease? That's transparent for the end-users... I wrote lightly about that [0,1]

[0] https://try.popho.be/byeads.html

[1] https://try.popho.be/securing-home.html#dns

Not all products will use the DNS they are told, though.

Anything other than Chromecasts come to mind?

There seems to be a theme here.

> I have a different network level ad blocker and love it.

If you don’t mind sharing, what is it? Pihole is so good, but if you’ve chosen something you see as better, I’m all ears.

"Just works" until you walk out of wifi range.

Also, disable third-party cookies.

Switched back to Firefox since the Quantum release and I'm very happy with it. On mobile I still use Chrome, but I'm gonna check out how FF works on mobile :).

Firefox mobile on android is a vastly better experience. The number one reason is you can run adblock which turns many mobile sites from ad-filled disasters to readable sites.

I use Firefox Focus on mobile for most browsing, and regular FF for sites that I need to be logged in to. Very happy with both. Focus in particular is astonishingly fast.

One of the great things about ff on mobile is ability to use desktop extensions, like ublock origin.

I use "Firefox Focus" on mobile. I like it because using it is like using a kiosk -- after you're done, it deletes everything and starts fresh. Also it's chock-full of content blockers. It's good for privacy and, more importantly for me, it encourages me to just use my phone for looking up information rather than casual time-wasting browsing.

It also doesn't support multiple tabs, though (at least on iOS, I don't know about Android). I've gotten used to it, and it helps to enforce my phone-as-a-tool mentality, but I can see how that could be a deal-breaker for most people.

If you're fine with no tabs, and privacy is your top priority, on mobile I'd highly recommend "Privacy Browser" (Android) - disclaimer: I know the author.

It's pretty cool. It has a well-thought-out interface for toggling settings (JavaScript, 1st party cookies, 3rd party cookies, block lists, etc.) and comes with pretty aggressive defaults.

IIRC, the author has plans to add tab support, I'm not sure when though.

Edit: Personally, at this point I'm using Firefox + uBlock Origin. I've tried Chrome too, but prefer Firefox. As soon as it gets tab support though, I'll be switching to Privacy Browser.

Mobile isn't so bad! No complaints so far after about a month.

I am using a Firefox derivative called Fennec along with uBlock and am never going back to anything else. It can be installed from F-Droid.

Use Brave browser mobile

This misses out on the fact that ISPs regularly employ Transparent DNS Proxies and your DNS requests may never actually reach CloudFlare.

Using something like DoH or DNSCrypt is the only real solution for now until OS support for DoH or DoTLS rolls out.

This is very solid advice (although I'm not familiar with all those browser extensions and can't endorse them).

To go a step farther, I make two suggestions:

(1) using the uMatrix extension and disabling javascript by default. This completely blocks fingerprinting. If a site doesn't work, you can always re-enable JS in two clicks.

(2) Use a VPN or Tor Browser to better hide your site browsing behavior from your ISP.

Not completely related, but

(3) Be very careful what software you install on your computer, tablet, and phone (especially apps).

"Be sure to turn off uBlock Origin and Smart Referer for sites that you value"

No. Anyone who cares about privacy should have a strict no-whitelisting policy. Find a way to advertise without third-party scripts, find some other way to make money, stop trying to monetize altogether, or just stop existing.

I believe this is a personal choice to potentially give up privacy for sites a person values and/or trusts. It's fine for you to believe that no site should make money via advertising, but others can have a different view and act on that opinion.

> find some other way to make money

In this day and age of things like Patreon, there's really no excuse. I've taken the initiative and pay for Youtube Premium, on top of which I pay through Patreon to channels I view a lot. I also pay for ad-free music streaming.

Here is a quote from the Smart Referer section:

It's kind of a dick move to the sites you like since it removes valuable analytics for them, so you can (and should) whitelist domains that you want to keep sharing data with.

Why is removing that information a "dick move"? When I visit a bank, restaurant, or grocery store, those places don't know where I came from before entering the store unless I have merchandise from other places. The most they can gather is what clothing I'm currently wearing and, if they keep tabs, my previous visits.

I'm thinking more of media sites that rely on ad dollars to pay the bills. Unless they have a direct subscription option or other way to pay for the service, you're eating into their bottom line. The real world analog would be newspapers and the ads they run.

Even then, newspapers either run ads without needing to know who their customers are, or solicit this information from their customers voluntarily. People like my parents don't know that a referer is involved unless it is explicitly pointed out to them.

I've been using the Brave browser for the past week or so. It feels like Chrome, without the ads and spying. This article recommends Firefox. Are there good reasons to choose one over the other?

Brave seems more focused on their crypto currency than making a browser. And their ad-replacing shenanigans do not exactly inspire trust[0].

[0]: https://en.wikipedia.org/wiki/Brave_(web_browser)#Critical_r...

"Brave Rewards" is opt-in. Unless that changes, you don't have to participate if you don't want to.

I am interested to see how it works out.

> "Brave Rewards" is opt-in.

For users, but not for creators. Until Brave stops taking money in creators' names without their knowledge and permission, I won't consider (and certainly would never recommend) Brave.

Yeah, it is optional, but it might indicate that their priorities lie in something other than making the best privacy focused browser. Time will tell.

My understanding is that the two things go hand-in-hand. The ad-blocking is for users, while the cryptocurrency is to remove the incentive that sites have to show ads in the first place. Without the cryptocurrency component, you’d just see sites implementing anti-Brave’s-adblock features in a never-ending arms race, like we have with regular browser-extension ad-blockers today. With it, sites affected by Brave’s ad-blocking have something else they can choose to implement (a crypto paywall just for Brave users) that will give them even higher ROI than anti-adblock features would. It’s an “economic approach” to privacy.

I recommended Firefox mostly because it's been around longer and people have probably heard of it. For your average person, the steps in this article are already asking a lot so I wanted to keep things as familiar as possible. Even if someone doesn't use Firefox currently, they've probably heard of it, and that decreases the friction of taking actions to switch.

Brave uses Chromium under the hood, so if you're paranoid you could assume that Chromium has some kind of backdoor integrated.

Also, to my knowledge Brave Software Inc. is a For-Profit organisation.

Despite those facts I am personally using Brave. In my opinion you already cut out most of the "bad stuff" of Chrome with this choice.

If you're paranoid, you could read the source of Chromium and confirm it doesn't have a backdoor integrated.

I take your point, but it's really not practical.

Any large codebase is nearly impossible to scour for this kind of thing, particularly a web browser, which is an immense mound of source. There are so many ways to build in a backdoor, so many ways to build a way for you to later load a back door, that it's not plausible, even for a seasoned developer, to reliably find it.

You have to stop such things with source control. The surface area of a new fix or feature is much easier to analyze for vulnerabilities, intentional or not. I do this on a daily basis, and it takes work.

Well, if you don't trust Chromium, as a consequence you cannot trust any apps built on Electron (Slack, GitHub Desktop, etc.) and you can't trust a single thing on Android. That's pretty steep.

Yeah let's just spread conspiracies because you don't want to put in the time to prove them.

Why Brave over Opera (also based on Chromium)?

It seems that Brave is setting the table for its own advertising once it has enough market share. The roadmap includes "opt-in" ads which will "respect your privacy". So clearly an advertising model is their source of revenue - exactly what people are switching from Chrome to get away from. I personally don't buy into the idea that ads (which in the modern world are targeted) and privacy are compatible.

I made the switch to Brave this week. I had tried it last year and ended up moving back to Chrome. But now that it is using Chromium under the hood the move from Chrome to Brave is very easy. It feels like the same browser and everything functions in the way I expect it to.

I also started using Firefox recently as well. And the latest updates to it are good as well. It doesn't feel so foreign like it did in the past when I tried moving from Chrome. But, I prefer Brave for now.

Aside from what others have mentioned, Firefox also has the Tree Style Tabs extension, which is not privacy related but for me has changed the way I browse the internet.

Using Brave for some months now, mostly satisfied.

Just my personal story: Moved away from FF because of their privacy-concerning unwanted plugins and marketing campaigns.

> Just my personal story: Moved away from FF because of their privacy-concerning unwanted plugins and marketing campaigns.

How did they violate your privacy?

How does switching to a third party DNS increase privacy? Might as well use your ISP's server since they already know what sites you visit (unless you use a VPN, and this article doesn't talk about that).

> You don't have someone following you around from store to store writing down every product you touch or look at, and then block you from entering other stores until you watch an ad.

Great point. Online advertising is creepy.

> You don't have someone following you around from store to store writing down every product you touch or look at, and then block you from entering other stores until you watch an ad.

Give this time, honestly. Stores are explicitly moving towards this to the extent that it's possible.

In-store analytics are a pretty big thing. They are operated by companies that run the sensors and so they can track you as you go from store-to-store.

They don't block you from entering though, although with some stores it's impossible to get in without seeing a giant billboard.

There were a lot of questions about VPNs in response to this post, so I addressed them here: https://thetoolsweneed.com/one-sorta-simple-way-to-vastly-im...

Also recommend Facebook Container for Firefox, for those using Facebook. I've been using it for a long time and it hasn't interfered with my browsing.

"Firefox is developed by a non-profit company, Mozilla, explicitly dedicated to users' needs. Google and Microsoft make money off of users in different ways and we can never be sure that their business decisions are going to align with what we would want as users."

This gives short shrift to what is a complex set of interdependencies.

All these browsers rely on the existence of web advertising, including Firefox.

Are web ads among "users' needs"? Who decides what comprise users' needs? Users?

The reality is that whatever Mozilla defines as "users' needs" will also, at least in part, represent the needs of the company authoring the competing web browser. That is because the Firefox authors are paid indirectly from the coffers of their competitor.

Mozilla Foundation cannot take a stand against web advertising because its competitors rely on web advertising to make money. And Mozilla Foundation in turn relies on money from its competitors to pay its employees. Mozilla is aligned to some extent with the business decisions of its competitor.

Ideally employees of Mozilla Foundation would be volunteers and Mozilla Foundation would pay them solely from donations from users. This is not what happens.

Mozilla Corporation (for-profit) can, e.g., sell access to Firefox users' searches to Mozilla's competitors. e.g., Google. The profits might then be used to pay Mozilla Foundation employees. Some of those employees might leave and go to work for Google to start a competing browser.

Firefox may be the lesser of multiple evils, but let's be honest, it is not solely dedicated to users' needs. It has its own needs -- paying hundreds of employees -- and, given the current arrangement, it must to some extent serve the needs of its competitor in order to meet them.

If for example there was a user who did not wish to support the web ads business then Mozilla's decisions could never align 100% with what that user would want because she does not want to support the web ads business. Mozilla is paying employees by doing business with a competitor that gathers user data and sells access to users to advertisers.

I am not downplaying the value of Mozilla. I am only pointing out that they are probably not 100% aligned with all users. They are also partially aligned with their competitor who is selling ads in order to make money.

Great points, thanks for posting. I'll try to incorporate this nuance in future posts.

I tried to switch to Firefox several times, and each time I go back to Chrome because I use Google Sheets and it doesn't work offline on Firefox, which is a must for me. :'( I guess I should quit Sheets, but my spreadsheet cannot be easily converted to Excel or LibreOffice.

I run both. They allow me to mentally partition things on desktop.

On Android, FF is my default and I open Chrome when I need to. Firefox on Android supports uMatrix / uBlock.

Google allows their products to be incompatible with Firefox to promote Chrome. Google is anti-competitive and must be broken up and regulated.

If you're going to install uBlock Origin then I recommend looking at uMatrix (same author) which does all the same thing but gives you much, much more control.

It can be annoying and force a lot of refreshes, but it blocks a lot more things more consistently than anything else.

The most important and easiest step is installing NoScript and going temporary whitelist only.

> DNS > Cloudflare

How about dnscrypt? The DNS servers offered through dnscrypt are much more trustworthy IMHO. Also it is trivial to set up n DNS servers and to randomly select a different server on each request, removing a bulk of that centralized nature of DNS.

De-install all your X509 trust anchors and only re-install the ones you understand.

Never heard of Startpage before. How trustworthy is it compared to DDG?

At least they're not Google. So even if they are collecting data about what you're searching for, they have less data to link it to and probably less power to use it than Google does.

The canvas and referrer plugins are new to me. This is great. I always wondered why canvas is enabled by default. The ratio of useful to tracking uses has to be 1:10.

How safe is using Cloudflare from an EU perspective? Is it a big improvement, if some day the American government might just request it to hand over all the logs?

What's the current state of the art (i.e., lowest setup time and least maintenance) for downloading the entirety of Wikipedia and browsing it locally?

https://www.opennic.org/ DNS servers are better than

Use Apple devices and software as much as possible?

Apple's walled garden is not one I want to play in. I will not trade one corporate master for another.

You are conflating two completely independent points due to personal preferences, which of course are very valid.

The point still stands - with the current and known track record, Apple devices are likely more trustworthy than Google, Microsoft or <insert Asian manufacturer here>.

Ignoring my personal preferences and acknowledging that Apple is the most privacy-conscious for-profit corporation in the arena:

_Apple is still a for-profit corporation._

> _Apple is still a for-profit corporation._

Whose profit model is aligned with promoting user privacy, rather than against it.

Exactly, but purely in terms of privacy it seems to be the best bet unless you would like to manufacture your own smartphone.

Apple's profit, to date, relies less on user data than any of the other companies.

You're assuming I need a smartphone.

I think the comment applies to other off-the-shelf hardware too. What do you use?

Wait for the Librem5 instead?

For DNS, Quad9 is a better choice than Cloudflare, as it is a not-for-profit public-benefit organization, CF is for profit company

I believe that at one stage the Quad9 resolvers were owned by IBM. A brief look at the site indicates it was transferred to CleanerDNS, which is a 501(c)(3). Do you know how much involvement IBM still has in the project, if any?

The guide was fine until "Switch DNS to".

The real solution is to use your own DNS resolver (I've been running Bind on my laptop for years with no issues). If that's not an option, it's still far better to keep using your ISP's resolvers -- yes, your ISP may be evil, but at least you're their customer. When a separate for-profit company provides a "free" service, how can the product be anything but your personal data?

The argument for switching to Firefox seems weak. I don't doubt there are very solid reasons to do so, however the author's argument comes down to "I, personally, just trust this one more, and I'm lazy and don't want to worry about it." Okay.... that's nice.

Chrome tracks you even if you're not logged into your Google account. Another good reason to support and use Firefox is that we don't want to end up with only one browser engine, giving Google complete control over the future of the web and the rest of the internet.

See, that's a perfectly valid and logical reason right there. Unfortunately, the author didn't go into that and just left it at personal preference.

I always assumed Mozilla has too much of a little brother relationship with Google to trust that they are truly independent.

I use Brave and it's good enough for my browser expectations.

>The company Cloudflare has a publicly accessible DNS at the address that they claim is encrypted and secure.

For it to be "encrypted and secure", the client would have to be configured to use DNSSEC, yeah? As far as I'm aware, most clients don't come with DNSSEC enabled (in OOBE configurations), so isn't this a bit misleading?

DNSSEC doesn't encrypt DNS traffic at all. "Encrypted and secure" DNS presumably refers to DoH, which doesn't rely on DNSSEC.

I don’t think so. Instead you would want DoH (dns over https). DNSSEC is designed to protect against MiTM and is not really effective at anything else.

Fair enough. Cloudflare's promotional site for seems to tout DNSSEC pretty heavily and only mentions DoH once, I believe.

Still, clients still need to be configured for DoH, yeah?

You do need client support but these days that’s not uncommon: Android Pie, Chrome, Firefox, and curl all have built-in support and there are apps for iOS and Android, and once you’ve enabled it it will work almost everywhere. I believe most clients default to dual resolution so it won’t break if you’re on a network which interferes (e.g. a ton of Cisco captive portals used that address in error) unless you’ve enabled hard-fail mode.

Correct - third party software is needed (as far as I know) for DoH.
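Two threads above come down to the same bytes: the NXDOMAIN-rewriting trick ISPs play ("when you make a typo, you hit a 'helpful' error page") and the DNSSEC-versus-DoH confusion just discussed. The following is an added example, not code from the thread, from Cloudflare or from any resolver project. It builds a DNS query in RFC 1035 wire format, parses the reply, classifies it (honest NXDOMAIN versus rewritten), and shows how the identical query is carried in an RFC 8484 DoH GET URL. Assumptions: the endpoint constant is Cloudflare's documented DoH URL; the probe name and both replies are constructed by hand so the block runs offline; for a real check, use a random label under a zone you control.

```python
"""Added example, not from the thread or from Cloudflare: build a DNS query in
wire format (RFC 1035), parse the reply, detect NXDOMAIN rewriting, and wrap the
same bytes for DoH (RFC 8484). The replies at the bottom are constructed by hand."""
import base64
import secrets
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Cloudflare's RFC 8484 endpoint


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """12-byte header + one question (qtype 1 = A, class IN). Flags 0x0100 =
    recursion desired; a random ID makes blind spoofing harder."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, off):
    """Decode a name at offset, following RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                 # pointer: 14-bit offset
            if end is None:
                end = off + 2                     # resume after the pointer
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(data):
    """Header flags plus the answer section; A records rendered as dotted quads."""
    txid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    off, answers = 12, []
    for _ in range(qd):                           # skip the echoed question
        off = read_name(data, off)[1] + 4
    for _ in range(an):
        rname, off = read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "qr": bool(flags & 0x8000),
            "ad": bool(flags & 0x0020),           # DNSSEC 'authenticated data' bit
            "answers": answers}


def classify(query, reply):
    """A name nobody registered must come back rcode 3 (NXDOMAIN). Rcode 0 plus
    A records for it means the resolver, or something on the path, rewrote the
    answer: the 'helpful' ad page described in the thread."""
    r = parse_response(reply)
    if r["id"] != struct.unpack("!H", query[:2])[0] or not r["qr"]:
        return "mismatch"                         # not a reply to our query
    if r["rcode"] == 3:
        return "nxdomain"
    if r["rcode"] == 0 and any(t == 1 for _, t, _ in r["answers"]):
        return "rewritten"
    return "rcode=%d" % r["rcode"]


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: the wire-format query, base64url without padding, in
    ?dns=. Privacy here comes from TLS; the AD bit above is DNSSEC, which signs
    records but encrypts nothing, so the two are independent properties."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, token)


# Constructed replies to one probe (id 0x1234): an honest NXDOMAIN and a
# rewritten answer pointing at a documentation-range address (203.0.113.10).
PROBE = "8f2d1a6c9b3e.example.com"
QUERY = build_query(PROBE, txid=0x1234)
HONEST_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
                   + encode_name(PROBE) + struct.pack("!HH", 1, 1))
REWRITTEN = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
             + encode_name(PROBE) + struct.pack("!HH", 1, 1)
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 10]))
```

To run the check for real, send `build_query(name)` for a random label under a zone you own: over plain UDP port 53 to your ISP's resolver with a socket (that is the hijack test, and a transparent DNS proxy on the path will answer it just the same), or fetch `doh_get_url(...)` with an `Accept: application/dns-message` header and hand the body to `classify`. A "rewritten" verdict on the ISP path together with "nxdomain" over DoH is exactly the case the comments above argue about, and the `ad` flag in the parsed header shows that DNSSEC validation status rides along in cleartext regardless of transport.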
