Closed Techguyprivate closed 5 years ago
See: https://github.com/ghacksuserjs/ghacks-user.js/issues/612
Librefox is based on: gHacks-user.js, pyllyukko-user.js and privaconf
Short answer, it's too soon for this... now, enabling it or not, it depends; you will need DNS over HTTPS as @Atavic mentioned... using Cloudflare is great but it may not comply with the privacy... at the end of the day I think the user needs to have the choice, and the choice needs to be easy to make, not an over-complicated config file or so... anyway I am adding this to https://github.com/intika/Librefox/issues/3 as a reminder
Thank you for reporting it back though :)
Don't hesitate to post back or comment ;)
I'm totally against ESNI and DNS over HTTPS. ESNI is experimental, but it is heavily pushed by Cloudflare. In its current state, it seems that Cloudflare will be the main provider for it, while Mac will have its own service by Apple. These are assumptions based on the authors of this draft.
I'm for decentralization, alternatives in every layer of the net, while here we have big corporations promoting their own solutions:
This puts everyone behind the same provider in the same anonymity set,
but it also leaves everyone open to a single bug (0-day, undisclosed or potential).
I was in the same boat a few days ago. Cloudflare's privacy policy was crappy for me. But a recent trip to China, India & Australia changed my view. We have to be very careful & smart. There is no such thing as perfect privacy.
The most important thing to keep in mind:
Using Cloudflare DNS and ESNI in Firefox, I was able to visit blocked websites in China & India. They are using deep packet inspection. ISPs & any other third parties finally can't truly see what I am doing, what sites I am visiting. Cloudflare is fast too. The fastest. A mixture of DoT, DoH, ESNI, DNSSEC and Cloudflare's own security is a lot better.
Cons:
Pros:
EFF supports it. Support for more websites is coming. It is the last nail in the coffin in regards to 3rd parties knowing what websites someone visits.
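For reference, this is what the "Cloudflare DNS and ESNI in Firefox" setup described above looks like as a user.js fragment. This is an added example, not a file from this thread or from the Librefox project; the pref names are the ones Firefox (Nightly, at the time of the Mozilla blog post linked at the end of the thread) used for its Trusted Recursive Resolver and ESNI features, and the resolver URI is Cloudflare's Mozilla endpoint.

```js
// DNS over HTTPS ("TRR" in Firefox).
// 0 = off, 2 = DoH first, fall back to system DNS on failure, 3 = DoH only.
// Mode 2 fails open: if a network blocks the DoH endpoint, lookups silently
// go back to plaintext DNS, which is exactly the leak the thread is arguing about.
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
// Resolve the DoH server itself from a fixed address instead of the system resolver.
user_pref("network.trr.bootstrapAddress", "1.1.1.1");
// Encrypted SNI. Firefox fetched the site's ESNI keys through TRR, so this
// pref only does something when network.trr.mode is 2 or 3.
user_pref("network.security.esni.enabled", true);
```

The practical caveat is the mode choice: mode 3 is the only setting that never sends a plaintext query, at the price of breaking name resolution on any network that blocks the resolver (the captive-portal style failure discussed further down), while mode 2 keeps working everywhere but tells you nothing when it has fallen back.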
DNS over HTTPS is a hack, a workaround; I don't know why it is getting so popular. DNS over TLS is much better, faster and has a better implementation... under Linux this can be set up locally and easily with unbound... I guess DoH has the advantage of working on port 443... at the end of the day we will always need a DNS server, whether DoT or DoH... Cloudflare/Google/Blahdns/Adguard... if it's used over a VPN provider it could become interesting regarding privacy
It's getting so popular because it works in web browser. For DoT and DNSCrypt v2 you need an additional client to use them.
@Techguyprivate :+1: for your report. I'm in Europe, so DPI isn't involved here, allegedly... interesting info; I'm trying to follow https://github.com/ValdikSS/GoodbyeDPI and I see that there are some VPNs that use advanced PAC files, like: http://antizapret.prostovpn.org/
^A related comment: https://github.com/ghacksuserjs/ghacks-user.js/issues/619#issuecomment-457766022
i don't know why it is getting so popular
Promoting articles popping up everywhere, that's it. Like the Cloud and VPN cases before, IMHO.
DoT is the future though. One good feature of DoH with ESNI is circumventing censorship, preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks, hiding it under normal HTTPS. DoT stands out in the crowd for now. DoH has a little bit better performance too.
But, yes, DoT is much better and the future too, it seems.
Preemptive counterargument to the only other anti-ESNI argument I've heard:
it would interfere with café and university deep-packet-inspection (DPI) content monitoring systems
The browser's duty is to protect the user from attackers. TLS "interferes" with 90% of DPI; ESNI shores that up by another 5% or so.
If it becomes common practice for cafes to terminate all ESNI connections, I'm sure it would be straightforward enough to pop up some info (either in the style of TLS-error or captive-hotspot-notification) with something like
This network appears to be blocking ESNI. You will not be able to access the internet unless you disable ESNI. Click here to temporarily disable ESNI and access the network.
clicking on which yields something like
Warning: This will allow the network administrator to see the domain names of all websites you visit while connected! Do you wish to continue?
https://en.wikipedia.org/wiki/Server_Name_Indication
https://news.ycombinator.com/item?id=18250151
https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https
https://blog.cloudflare.com/esni/
https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/
https://blog.cloudflare.com/encrypted-sni/