Hacker News new | past | comments | ask | show | jobs | submit login

> DoH would prevent other WiFi users from seeing which websites you visit,

This is false, and downright dangerous information. A network attacker can still see that you are visiting pornhub.com even with DoH, since you are sending the hostname in cleartext as part of the TLS handshake.

Google isn't a snake-oil security solution - they shouldn't be making such false claims.




> This is false, and downright dangerous information. A network attacker can still see that you are visiting pornhub.com

This won't be true as soon as ESNI gets implemented. (Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=908132 and Firefox nightlies have it already). However, ESNI is pretty meaningless if you're making plain-text DNS requests, so DoH is a pretty important part of the puzzle.


Browser support for ESNI is just half of the equation, you also need servers and middleboxes to support it. For example, as of December 2017, over 10% of the traffic seen by Cloudflare was still TLSv1.0: https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet...


And eSNI is not even a solution to anything, it merely pushes a bit of cleartext identification data from one protocol to another, while assuming that lots of websites share a single IP address and that it's not possible to correlate what website on the IP is used by simply observing what kind of packets are sent from a machine, which is actually pretty easy (as each website comes with connections to multiple other IPs with specific sizes of data transfer generating a unique traffic pattern).


Sure it is, you just have to consider the threat model.

Working out what website I'm browsing by doing packet analysis between my client and an IP address is vastly more difficult than just reading "www.pornhub.com" out of the SSL handshake. Despite what you think, it's not "pretty easy".

Just because a security control doesn't mitigate all risks against all threats doesn't mean it's not useful.


But it's not more difficult, it's just a bit different approach, where you need to do some work besides parsing to get those patterns, i.e. visit websites. It's more work for software engineers, but not difficult work.


"It's not more difficult" is a claim that at least needs a POC.

Like, build a prototype, show it works for some set of things Cloudflare offers over eSNI today.

Otherwise this claim is hollow. If it isn't more difficult then it sure is weird that nobody does it.


You don't need a PoC, you can just go through research of traffic analysis to see what's out there. But you are welcome to fund a challenge for it or something like that.


No, see you're the one claiming it's "not more difficult" so if it now needs funding apparently I suggest you put up any funding you think it'll need. The ordinary person presumably would agree that it was "not more difficult" for them to afford a mansion than a shack if you're paying for it.

Let us know how expensive "not more difficult" ends up being. It'd be great to know that DoH plus eSNI made things "Not more difficult" by say $5M per target. I'd call that more difficult but I know you disagree.


It is absolutely true, even after ESNI is implemented. Pornhub does not share their IP with anybody else so encrypted SNI doesn't help.

So we've transitioned from telling our ISP that we're visiting Pornhub, to telling our ISP and some American corporation. Great move.

What's your solution to this? Put every website behind Cloudflare?


> Pornhub does not share their IP with anybody else so encrypted SNI doesn't help.

How do you know this? Do you work for them? Is that true for all time in the past and the future?


There are people and organizations that gather and store historical data on which websites resolved to which IP addresses at what time from where. Sometimes they run a service allowing you to freely query what other websites resolve to which IP addresses, like securitytrails.com does for example, where you can see that pornhub only hosts pornhub websites on its IPs.


"How do you know this?"

Some 5 second basic investigation.

"Do you work for them?"

No.

"Is that true for all time in the past and the future?"

No. So what? What part of my argument don't you understand?

Also, given the reduction in privacy I just demonstrated above, what's your solution? I gave you one, which was put all websites behind cloudflare. That is a shit solution. I'm hoping you have a better one...?


So if you're right, then Pornhub is a bad example. I agree that ESNI won't help.

However, the reality that a large number of domains are on shared IP addresses, because they're either on some sort of CDN, or are using some sort of cloud-based load balancer etc. For these sites, ESNI certainly will make a difference. I'm not interested in an absolutist argument about how "thing" is useless because it doesn't work for a specific case. Don't let the perfect be the enemy of the good.

> Also, given the reduction in privacy I just demonstrated above

You've not demonstrated any reduction in privacy. "Privacy" as a bare concept is pretty meaningless - Privacy from whom? If I choose to give my DNS data to Cloudflare, that's my choice. Passing plaintext DNS traffic and hostnames on the wire removes my choice to restrict who I expose that data to.

> I gave you one, which was put all websites behind cloudflare. That is a shit solution. I'm hoping you have a better one...?

People have been sharing IPs on domains long before Cloudflare was invented.


> So if you're right, then Pornhub is a bad example. I agree that ESNI won't help.

You need to replace "won't help", with "makes matters worse" for that to be correct.

> "However, the reality that a large number of domains are on shared IP addresses,"

Also, the reality is that a large number of domains are not on shared IP addresses.

> "You've not demonstrated any reduction in privacy"

Incorrect. It's pretty straight forward:

1. Shared IP before ESNI: Increases the number of companies that get to see which website I'm visiting.

2. Non-Shared IPs before ESNI: Increases the number of companies that get to see which website I'm visiting.

3. Shared IP after ESNI: Changes which company gets to see which website I'm visiting.

4. Non-Shared IP after ESNI: Increases the number of companies that get to see which website I'm visiting.

1, 2 and 4 are all making matters demonstratably worse. 3 only makes matters "better" if you think that Cloudflare is a better custodian of your browsing data than your ISP, which is not always the case now, and will not always be the case going forwards. And until ESNI is in place, we're stuck on 1 and 2. So in the short term, Mozilla are definitely definitely making things worse for their users.

> People have been sharing IPs on domains long before Cloudflare was invented.

Also, people have been not sharing IPs on domains longer before CLoudflare was invented, and will continue to do so after DOH is the default. So lets drop this "ESNI will fix it" argument, as it doesn't work unless we centralise the web.


...and you think the sequence and timing of IP addresses your machine connects to alone can't be used to easily infer the website you're browsing? Neither DoH nor ESNI will make you more secure/private, but DoH will definitely make some companies more powerful. That's not the Internet as we knew it until now.


Thankfully, today's Internet is definitely not the Internet of the early 2000s I remember – it was highly insecure and infested with virus/worms everywhere. Thanks to efforts like this Internet has gradually evolved to become more secure and more useful for real-world applications.

Both DoH+ESNI will make me more secure and private. Here's why:

Today my home ISP has deployed middle boxes that inspect my traffic to profile my browsing habits and serve me ads. They serve ads by doing click hijacking on plain http websites. yeah, it's nasty and they do it at a huge scale.

Obviously, we have some legislative gaps to address here.

Irrespective of the legal gaps, I can make it more expensive for them to do this by ensuring all of my traffic is fully encrypted (TLS 1.3 or wireguard).

They can still see IPs and do IP reverse lookup and traffic timing analysis etc. But the information leaked this way is far lesser than today and definitely not actionable immediately the way it is today.

Now, w.r.t making some companies more powerful – that is not inherent to DoH. DoH makes it possible for anyone to operate a secure and private resolver and any client is still free to choose who should be their upstream dns resolver. Client auto configuration protocols will evolve to support the ecosystem as more DoH resolvers show up.


The only reason that security conscious web sites haven't implemented any traffic analysis countermeasures is that the stuff leaks out in cleartext anyway. After DoH and ESNI are implemented, I can imagine many relatively cheap approaches that websites can use to make traffic analysis a few notches harder.


They could easily have said "DoH, combined with other future technologies, would prevent other WiFi users from seeing which websites you visit"


Drop DoH, then it could be true. As it is DoH is invented to preserve and centralize snooping on DNS.


Given that it's an open standard that anyone can implement, I'm not seeing why DoH == "Centralization and snooping"?


As opposed to letting your ISP do it.


I agree with you.

However this claim could be true in the future if/when Encrypted SNI (ESNI) for TLS 1.3 is deployed. Although ESNI is at the draft stage [1] and to the best of my knowledge is not at a deployable stage yet.

However it might be finalized and deployed by the time DoH for Chrome is finalized too ?

[1] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/


This might be encrypted too in the future. https://tools.ietf.org/html/draft-ietf-tls-esni-04




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: