Post 9oVvucJrss7qTIQTxI by cynicalsecurity@bsd.network
 Post #9oVvubQvBAAnisibJI by cynicalsecurity@bsd.network
       2019-11-01T00:43:16Z
       
       0 likes, 0 repeats
       
       Hot take: DoH proponents all happen to work for DoH providers and/or other major network concentrators. Allow an old man to tell you that this is one fight worth fighting for. :flan_set_fire:
       
 Post #9oVvubvPLoYlFQywpU by phessler@bsd.network
       2019-11-01T06:11:15Z
       
       0 likes, 0 repeats
       
       @cynicalsecurity it was really hard not to step in and reply to that :birdsite: thread with "that's because you are being paid not to understand"
       
 Post #9oVvucJrss7qTIQTxI by cynicalsecurity@bsd.network
       2019-11-01T06:16:31Z
       
       0 likes, 0 repeats
       
       @phessler I know, I have been privately thanked by so many people I was amazed. To be honest, as someone who well remembers downloading HOSTS.TXT, I find the whole DoH argument totally unacceptable and a clear misrepresentation of facts under the guise of protecting “people at risk”. As if a Saudi prince & friends of similar inclinations are going to be put off by DoH…
       
 Post #9oVvucfqZ9hrZSi2DI by phessler@bsd.network
       2019-11-01T06:22:21Z
       
       0 likes, 0 repeats
       
       @cynicalsecurity
       "we object to this being centralised"
       "have you considered that it is encrypted?"
       "Not relevant to my objection"
       "why do you hate security you luddite"
       "no, seriously, don't centralize this service"
       "insecure luddite!!!!"
       "Centralization makes us less secure overall"
       "i work at google/cloudflare so checkmate"
       
 Post #9oVvud3FAAQCk1eigK by niconiconi@cybre.space
       2019-11-01T06:46:25Z
       
       0 likes, 0 repeats
       
       @phessler @cynicalsecurity The root issue is that DNS is not point-to-point encrypted; DNSSEC is only an integrity check, no encryption; DoT/DoH is only a last-mile solution. Ultimately the traffic is sent in the clear over the Internet backbone. It's not possible to self-host an encrypted recursive resolver at home, you have to choose whom to trust... If one's concern is just spying in the middle and not the NSA, using CF's and G's servers makes sense in the short term... But with a disastrous long-term outcome.
       
 Post #9oVvudOrrlidp5lzO4 by cynicalsecurity@bsd.network
       2019-11-01T07:36:04Z
       
       0 likes, 0 repeats
       
       @niconiconi @phessler This is a profound misconception. Privacy is not something you obtain /only/ via encryption, similarly with anonymity. Let’s forget the US for a second which, by several standards, is between feudalism and fascism. Consider Europe and consider your ISP logging your DNS queries: if it did so without notification and without consent it would open itself to major fines under the GDPR (and even under the older Privacy Directive from 1996). Europe does not have FISA courts, …
       
 Post #9oVvudjQdKAKqrOPR2 by cynicalsecurity@bsd.network
       2019-11-01T07:39:21Z
       
       0 likes, 0 repeats
       
       @niconiconi @phessler if there is a mandate then, and only then, will you be monitored. There was a case in Italy where Telecom Italia’s Tiger Team started intercepting phone calls and reselling the info outside the judicial system. They were caught and went down hard, very hard, proper jail sentences and all. Why would an ISP do it on DNS for relatively low-value data (which, unlike the US, they cannot resell)? Not only that, if you want anonymity you need to lose yourself in the masses: do you…
       
 Post #9oVvueJEUCo0du90F6 by cynicalsecurity@bsd.network
       2019-11-01T07:42:08Z
       
       0 likes, 0 repeats
       
       @niconiconi @phessler think Mossad operatives on a mission use custom Android phones with a secure OS? Of course not: they go naked in, naked out, buy everything local to blend in (in cash). With DNS your queries at an ISP are lost in the masses: your local resolver caches responses (the router, for example) ensuring that data within the TTL is not transparent on the wire, the ISP’s resolvers do the same for masses of queries, all of this loses you in the midst. DoH creates a unique 1-1 map…
       
 Post #9oVvuep8ZaKIEr4TyK by cynicalsecurity@bsd.network
       2019-11-01T07:44:15Z
       
       0 likes, 0 repeats
       
       @niconiconi @phessler between a specific user of a specific browser on a specific machine to the DNS queries being made, it creates a complete record and mapping of a user’s behaviour which /cannot/ be lost in the midst of anything ‘cos “one browser one DoH channel”. This is *terrifying*. Never mind the transparent subversion possibilities it creates and all the associated technical weaknesses. Resist! Resist! Resist! Ⓐ
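
       The caching argument of the two posts above (stub cache at the router, shared cache at the ISP, versus one DoH channel per browser), as an added toy model that is not code from the thread; the clients, names, timestamps and the 300 s TTL are constructed:

```python
"""Toy model of the thread's argument (constructed example, made-up data):
a shared caching ISP resolver hides which customer asked for what, while a
per-browser DoH channel hands the provider a 1-1 map client -> queries."""
from collections import defaultdict

TTL = 300  # seconds an answer stays cached in this toy model

# Constructed query log: (time, client, name); neighbours behind one ISP
# look up the same popular names at similar times.
QUERIES = [
    (0, "alice", "news.example"), (1, "bob", "news.example"),
    (2, "carol", "news.example"), (5, "alice", "bank.example"),
    (30, "bob", "shop.example"), (31, "carol", "shop.example"),
    (400, "alice", "news.example"),  # past TTL: a fresh lookup is needed
]

def cached(cache, name, now):
    """True if `name` is still valid in `cache`; otherwise store a fresh
    answer expiring at now + TTL and return False (a cache miss)."""
    if cache.get(name, -1) > now:
        return True
    cache[name] = now + TTL
    return False

def shared_resolver_view(queries):
    """Queries reaching the upstream when each customer's stub cache (router)
    sits in front of the ISP's shared recursive cache.  Entries carry the
    resolver's identity, not the customer's, so nothing is attributable."""
    stubs, isp, upstream = defaultdict(dict), {}, []
    for now, client, name in queries:
        if cached(stubs[client], name, now) or cached(isp, name, now):
            continue                     # absorbed by router or ISP cache
        upstream.append(("isp-resolver", name))
    return upstream

def doh_provider_view(queries):
    """Queries reaching a DoH provider when each browser has its own cache and
    its own channel: every miss arrives tagged with that client."""
    browsers, seen = defaultdict(dict), []
    for now, client, name in queries:
        if cached(browsers[client], name, now):
            continue
        seen.append((client, name))      # channel == client identity
    return seen

def per_client_profile(observed):
    """Names each distinguishable source asked for, from an observed log."""
    profile = defaultdict(set)
    for who, name in observed:
        profile[who].add(name)
    return {who: sorted(names) for who, names in profile.items()}
```

       On this log the upstream behind the shared resolver sees four queries, all tagged with the resolver, while the DoH provider sees all seven, each tied to a client, and can rebuild every client's browsing profile from them.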
       
 Post #9oVvufWjxTCkQ5TIw4 by niconiconi@cybre.space
       2019-11-01T07:55:58Z
       
       0 likes, 0 repeats
       
       @cynicalsecurity @phessler Okay, let me summarize your comments before I continue.
       1. Due to local caching, nslookups within TTL are cached, i.e., the router caches the ISP's, the ISP caches nslookups from all customers. As a result, a significant amount of lookups is answered by the resolvers in the middle and not sent to the upstream.
       2. Illegal for ISPs to track lookups due to privacy legislation.
       3. A DoH server operated by an upstream can track nslookups, one client at a time.
       Is it correct? Did I miss something?
       
 Post #9oVvug3hytZm4KtdK4 by h3artbl33d@bsd.network
       2019-11-01T08:21:29Z
       
       0 likes, 0 repeats
       
       @niconiconi @cynicalsecurity @phessler DoH has more flaws that allow tracking and violate privacy. Bert Hubert, founder of PowerDNS, did a writeup about it: https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/
       There is also a talk from him available at the red streamer.
       
 Post #9oVvugfzgYCVz4oCzw by cynicalsecurity@bsd.network
       2019-11-01T08:27:04Z
       
       0 likes, 0 repeats
       
       @h3artbl33d @niconiconi @phessler the one single fact that each DoH connection provides a 1-1 mapping between a single browser user and their DNS traffic is sufficient to declare it a folly which must be stopped. Everything else is just icing on the cake.
       
 Post #9oVvuhQmsZdCKChZw0 by niconiconi@cybre.space
       2019-11-01T09:08:35Z
       
       0 likes, 1 repeats
       
       @cynicalsecurity @h3artbl33d @phessler Thanks for the reply. I'd like to continue checking whether I understand the arguments here...
       > each DoH conn provides a 1-1 mapping
       When you said this, you meant,
       1. DoH is operated by central 3rd parties, so it gives them the capability to do that. (Unlike plain UDP, which is stateless and metadata-free.)
       2. DoH leaks additional metadata due to TLS.
       Is it the entire argument?