undefined | Better HN

0 pointsbad_user1y ago0 comments

Excluding leaks, the ISP does not see the hostnames, what it sees are the IPs you're connecting to. 20% of internet traffic goes through Cloudflare, so at least for those, the IPs are meaningless.

Both privacy and security are layered, and perfect is the enemy of good. Securing the DNS is an obvious first step, forcing the Internet to HTTPS by default was another. Google and Mozilla have contributed to better privacy. People that want more privacy, depending on needs, can also use a VPN or for the more extreme cases, something like Tor.

Not sure what you mean about having to trust Google or Mozilla. I'm not using either Google's or Mozilla's DoH servers. But yes, I would trust them more than my local ISP. Google, at least, proved quite competent in handling whatever data they collect.

0 comments

dingaling1y ago

> Excluding leaks, the ISP does not see the hostnames

Unfortunately they can, either through the unencrypted hostname passed in SNI or in the cert returned by the server .

codedokode1y ago

In TLS 1.3 server certs are encrypted. And while browsers support ECH (Encrypted Client Hello) to encrypt SNI, almost no server supports it. Cloudflare has ECH disabled globally for some "issues" they do not disclose [1].

[1] https://developers.cloudflare.com/ssl/edge-certificates/ech/

j / k navigate · click thread line to collapse