This won't be true as soon as ESNI gets implemented. (Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=908132 and Firefox nightlies have it already). However, ESNI is pretty meaningless if you're making plain-text DNS requests, so DoH is a pretty important part of the puzzle.
Working out what website I'm browsing by doing packet analysis between my client and an IP address is vastly more difficult than just reading "www.pornhub.com" out of the SSL handshake. Despite what you think, it's not "pretty easy".
Just because a security control doesn't mitigate all risks against all threats doesn't mean it's not useful.
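The exchange above turns on what a passive observer can read from the handshake before ESNI. The following is an added example, not code from any commenter or from the browsers mentioned: it builds a constructed TLS ClientHello carrying a server_name extension (RFC 6066) and then extracts the hostname the way a middlebox or IDS would, with bounds checks so malformed records return `None` rather than raising. The hostname and record bytes are constructed inline; no capture is used.

```python
"""
Added example (not from the thread): extract the plaintext Server Name Indication
from a TLS ClientHello, the field a network observer reads before ESNI.
All input is constructed inline; nothing is read from the network.
"""
import struct

SNI_EXTENSION_TYPE = 0x0000  # server_name extension, RFC 6066


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2-style ClientHello record for testing.
    With hostname=None the extensions block is empty (no SNI on the wire).
    Constructed test input only; not a complete or valid handshake."""
    extensions = b""
    if hostname is not None:
        host = hostname.encode("ascii")
        # ServerNameList with one host_name (type 0) entry
        server_name = b"\x00" + struct.pack("!H", len(host)) + host
        sni_ext_data = struct.pack("!H", len(server_name)) + server_name
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_ext_data)) + sni_ext_data
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + b"\x00" * 32                             # random (constructed zeros)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: type client_hello (1) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake (0x16), legacy version 3.1, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None.
    None covers non-handshake records (e.g. encrypted application data),
    non-ClientHello messages, truncated input, and a missing extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 34                                     # skip version (2) + random (32)
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # compression_methods
    if len(body) < pos + 2:
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SNI_EXTENSION_TYPE and len(data) >= 5:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= min(len(data), 2 + list_len):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return data[p:p + name_len].decode("ascii", errors="replace")
                p += name_len
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello(None)))                # None
    print(extract_sni(b"\x17\x03\x03\x00\x05hello"))            # None (application data)
```

The point of the example is the contrast in the last two calls: the same record layout with the name removed from the plaintext extension gives the observer nothing, which is the gap ESNI closes for the handshake and DoH closes for the preceding DNS lookup.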
Like, build a prototype, show it works for some set of things Cloudflare offers over eSNI today.
Otherwise this claim is hollow. If it isn't more difficult then it sure is weird that nobody does it.
Let us know how expensive "not more difficult" ends up being. It'd be great to know that DoH plus eSNI made things "Not more difficult" by say $5M per target. I'd call that more difficult but I know you disagree.
So we've transitioned from telling our ISP that we're visiting Pornhub, to telling our ISP and some American corporation. Great move.
What's your solution to this? Put every website behind Cloudflare?
How do you know this? Do you work for them? Is that true for all time in the past and the future?
Some 5-second basic investigation.
"Do you work for them?"
"Is that true for all time in the past and the future?"
No. So what? What part of my argument don't you understand?
Also, given the reduction in privacy I just demonstrated above, what's your solution? I gave you one, which was put all websites behind Cloudflare. That is a shit solution. I'm hoping you have a better one...?
However, the reality is that a large number of domains are on shared IP addresses, because they're either on some sort of CDN, or are using some sort of cloud-based load balancer etc. For these sites, ESNI certainly will make a difference. I'm not interested in an absolutist argument about how "thing" is useless because it doesn't work for a specific case. Don't let the perfect be the enemy of the good.
> Also, given the reduction in privacy I just demonstrated above
You've not demonstrated any reduction in privacy. "Privacy" as a bare concept is pretty meaningless - Privacy from whom? If I choose to give my DNS data to Cloudflare, that's my choice. Passing plaintext DNS traffic and hostnames on the wire removes my choice to restrict who I expose that data to.
> I gave you one, which was put all websites behind cloudflare. That is a shit solution. I'm hoping you have a better one...?
People have been sharing IPs on domains long before Cloudflare was invented.
You need to replace "won't help", with "makes matters worse" for that to be correct.
> "However, the reality that a large number of domains are on shared IP addresses,"
Also, the reality is that a large number of domains are not on shared IP addresses.
> "You've not demonstrated any reduction in privacy"
Incorrect. It's pretty straightforward:
1. Shared IP before ESNI: Increases the number of companies that get to see which website I'm visiting.
2. Non-Shared IPs before ESNI: Increases the number of companies that get to see which website I'm visiting.
3. Shared IP after ESNI: Changes which company gets to see which website I'm visiting.
4. Non-Shared IP after ESNI: Increases the number of companies that get to see which website I'm visiting.
1, 2 and 4 are all making matters demonstrably worse. 3 only makes matters "better" if you think that Cloudflare is a better custodian of your browsing data than your ISP, which is not always the case now, and will not always be the case going forwards. And until ESNI is in place, we're stuck on 1 and 2. So in the short term, Mozilla are definitely definitely making things worse for their users.
> People have been sharing IPs on domains long before Cloudflare was invented.
Also, people have been not sharing IPs on domains for longer, since before Cloudflare was invented, and will continue to do so after DoH is the default. So let's drop this "ESNI will fix it" argument, as it doesn't work unless we centralise the web.
Both DoH+ESNI will make me more secure and private. Here's why:
Today my home ISP has deployed middleboxes that inspect my traffic to profile my browsing habits and serve me ads. They serve ads by doing click hijacking on plain HTTP websites. Yeah, it's nasty and they do it at a huge scale.
Obviously, we have some legislative gaps to address here.
Irrespective of the legal gaps, I can make it more expensive for them to do this by ensuring all of my traffic is fully encrypted (TLS 1.3 or WireGuard).
They can still see IPs and do IP reverse lookup and traffic timing analysis etc. But the information leaked this way is far less than today and definitely not actionable immediately the way it is today.
Now, w.r.t. making some companies more powerful – that is not inherent to DoH. DoH makes it possible for anyone to operate a secure and private resolver, and any client is still free to choose who should be their upstream DNS resolver. Client auto-configuration protocols will evolve to support the ecosystem as more DoH resolvers show up.
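The comment above rests on DoH being an open protocol any resolver operator can implement and any client can point at. As an added example, not code from the thread or from any resolver or browser, this builds the DNS wire-format query a DoH client carries inside HTTPS (RFC 8484: GET with a base64url-encoded `dns` parameter, message ID 0) and parses the A records out of a response. The resolver URL `https://resolver.example/dns-query` and the response bytes are constructed here; nothing is sent over the network, and the HTTPS layer that actually hides the query from the ISP is assumed rather than shown.

```python
"""
Added example (not from the thread): the DNS message a DoH client sends per
RFC 8484 and a parser for the answers it gets back. Resolver URL and response
bytes are constructed inline; no network I/O.
"""
import base64
import struct


def encode_name(name):
    """Encode a hostname as DNS labels: 'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """DNS query message: ID 0 as RFC 8484 section 4.1 recommends (better HTTP
    caching), RD flag set, one question of class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url, name, qtype=1):
    """GET form of a DoH request: base64url of the message, '=' padding removed,
    in the 'dns' query parameter. resolver_url is whatever resolver the client chose."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def skip_name(msg, pos):
    """Return the offset just after a (possibly compressed) name starting at pos."""
    while True:
        ln = msg[pos]
        if ln & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1
        if ln == 0:
            return pos
        pos += ln


def parse_a_answers(msg):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_constructed_response(query, ips):
    """Constructed response for demonstration only: echoes the question and answers
    with A records whose names are a compression pointer to offset 12."""
    ident, _flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", ident, 0x8180, qd, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://resolver.example/dns-query", "www.example.com"))
    resp = build_constructed_response(q, ["192.0.2.10", "192.0.2.11"])  # 192.0.2.0/24 is documentation space
    print(parse_a_answers(resp))
```

Swapping the resolver URL is the whole of "choosing your upstream"; the message format is identical for every DoH server, which is why a client is not tied to any one operator.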