
This is already what happens. Your DNS queries have to go somewhere, and unless you control the DNS servers, there's a third party in the loop somewhere.



Not really, my DNS requests go to my ISP's DNS server. And the ISP sees the requests anyway since they are the one forwarding all the packets.

Now, Cloudflare will see them too (if this were to come to my country).


But your ISP won't see them. They'll see that some requests are being made to Cloudflare, but not anything about the content.


No, I mean in my current situation, if my ISP is also my DNS provider, they will get the requests.

But they can already see what sites I visit because they are my ISP and carry my packets.

In Mozilla's new default implementation Cloudflare will also see them, without me ever knowing (as an average user).


With TLS 1.3, encrypted SNI and encrypted DNS, the ISP can only see the IP address you are connecting to, not a domain name. For Google's resources it only sees that you are connecting to Google's network, but whether it is YouTube or Gmail or Maps, they cannot tell (which is awesome, by the way).


And down the toilet goes the (distributing and caching) Inter-Net. Long live the new Cloud-Net. Cloudflare and Google are achieving what CompuServe and AOL could not.

Exaggerating slightly ... but not that much really. And all in the good name of privacy and security.

It is also amazing how people (Americans?) are not willing to admit I want MY jurisdiction to apply. Not an American one. I want the choice.


Caching died with insecure HTTP, and that's okay.

> I want the choice.

Then turn it off. But the default protects more people than it harms.


Well, it's not really a choice if for security I must give up on jurisdiction?

I don't doubt the intentions of Mozilla. But, I expect Mozilla to set the bar much higher.

> But the default protects more people than it harms.

Sorry, not good enough for me. They should not be promoting a private company's centralized solution. They really should be pushing for a decentralized and distributed solution that is still secure for everyone involved, and promote that.


SNI isn't super useful to profile customers by itself. Now of course encrypted SNI will be a welcome addition to the protocol, but it won't get rid of traffic profiling.

The destination IP is more than enough to build a customer profile. It's not terribly relevant if you visited Youtube or Maps. Just analyzing netflow logs will give much more information than what services you use, such as for how long you use them and if you stream any media during that time.

Should you wish to have more information than that on your customers you'd have to buy it from someone who runs code in most web pages you visit. There are plenty of those, too.
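As an added example of the netflow point above (my own code, not from the commenter), here is a small profiler that takes flow records of the kind an ISP already has (start/end time, destination IP, bytes) and, with nothing but a destination-prefix table, recovers which service was used, for how long, and whether the session looks like sustained media streaming. The prefixes, flow records and the streaming threshold (at least 1 Mbit/s sustained for at least five minutes) are all constructed for illustration; they are not real allocations or real measurements.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed prefix table mapping destination networks to a service (hypothetical, not real allocations).
PROVIDER_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "VideoCDN",
    ipaddress.ip_network("198.51.100.0/24"): "MailProvider",
    ipaddress.ip_network("192.0.2.0/24"): "SocialSite",
}

# Constructed flow records: (start, end, destination IP, bytes received by the subscriber).
FLOWS = [
    ("2019-03-01T20:00:00", "2019-03-01T20:45:00", "203.0.113.10", 1_800_000_000),
    ("2019-03-01T20:05:00", "2019-03-01T20:06:00", "198.51.100.5", 250_000),
    ("2019-03-01T20:50:00", "2019-03-01T21:10:00", "192.0.2.77", 40_000_000),
    ("2019-03-01T21:12:00", "2019-03-01T21:12:30", "198.18.0.1", 12_000),
]


def classify(dst: str) -> str:
    """Map a destination IP to a service name via longest-prefix match; 'unknown' if unmapped."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, name in PROVIDER_PREFIXES.items():
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else "unknown"


def profile(flows, streaming_bps: int = 1_000_000, streaming_min_s: int = 300) -> dict:
    """Aggregate per-service usage (sessions, seconds, bytes) and flag sustained high-rate sessions."""
    prof = defaultdict(lambda: {"sessions": 0, "seconds": 0.0, "bytes": 0, "streaming": False})
    for start, end, dst, nbytes in flows:
        duration = (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds()
        if duration <= 0:
            continue  # malformed record; skip rather than divide by zero
        entry = prof[classify(dst)]
        entry["sessions"] += 1
        entry["seconds"] += duration
        entry["bytes"] += nbytes
        # Heuristic (assumed for this example): long, high-throughput sessions look like media streaming.
        if duration >= streaming_min_s and (nbytes * 8) / duration >= streaming_bps:
            entry["streaming"] = True
    return dict(prof)


if __name__ == "__main__":
    for service, stats in profile(FLOWS).items():
        print(f"{service:12s} sessions={stats['sessions']} minutes={stats['seconds'] / 60:.0f} "
              f"MB={stats['bytes'] / 1e6:.1f} streaming={stats['streaming']}")
```

No hostname, SNI or DNS data is consulted anywhere; the timing and volume columns alone separate a 45-minute video session from a one-minute mailbox check.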


Hence your request goes to yet another party: your ISP (by necessity, via the IP destination in your IP headers), the site you want to go to, and Cloudflare/Google as DNS provider and as fourth party. Whereas with regular DNS, your ISP's nameserver gets the DNS queries, hence only three parties are involved. E.g. what ndidi and apexalpha said.


With Tor the ISP can't even see the final address, but maybe Tor has its own solution for DNS?


Onion sites use a keypair as their "name"
