net4people / bbs

Forum for discussing Internet censorship circumvention

There shouldn't be a plaintext SNI/DNS Fallback #82

Open LiEnby opened 2 years ago

LiEnby commented 2 years ago

I had a look at Mozilla's plans to secure DNS and got annoyed when they talked about allowing companies to force browsers to fall back to unencrypted solutions. That just seems like it defeats the entire point: the internet should just not work if you block the encrypted DNS or SNI stuff. Then everyone is forced to accept it, and your security isn't completely useless just because a hacker in the network simply blocks that stuff to see everything anyway.

Thanks for watching my TED talk; now go convince Mozilla and the internet standard gods to do this.

jmwample commented 2 years ago

Maybe a better (more comfortable) intermediary step for browsers is something like HSTS where sites can opt in to a "strict" mode for DNS resolution. My understanding is that browsers typically shy away from policies that can allow outright failure on a large scale. An HSTS-like mechanism would provide a way for sites to indicate to the browser that a failed DoH or DoT resolution should not be retried over a plaintext transport.
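As an added example that is not part of this thread and is not code from any browser, from Mozilla, or from this project: a small Python model of the HSTS-like strict-resolution policy suggested in the reply, run against the downgrade scenario from the opening post (an on-path attacker dropping DoH so that the client retries over plaintext). The header name `Strict-DNS`, its `max-age`/`includeSubDomains` syntax, the fake clock and the in-memory resolvers are assumptions made here for illustration; no browser implements this mechanism.

```python
"""HSTS-style 'strict DNS' pin for a client resolver (illustrative, not a real API).

Assumptions: a hypothetical response header  Strict-DNS: max-age=N[; includeSubDomains]
delivered over an already-encrypted connection, remembered per host like HSTS.
"""
import time
from dataclasses import dataclass


class ResolutionFailed(Exception):
    """No transport the policy permits could resolve the name."""


class EncryptedTransportBlocked(Exception):
    """Simulates a network that drops DoH/DoT packets (the attacker in the opening post)."""


class FakeClock:
    """Constructed clock so expiry can be tested offline."""
    def __init__(self, t=1_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


@dataclass
class StrictPolicy:
    expires_at: float
    include_subdomains: bool


class StrictDnsStore:
    """Hosts that opted in to 'never fall back to plaintext DNS' resolution.

    Mirrors HSTS semantics: max-age=0 clears the entry, includeSubDomains
    covers every label below the host, and entries expire.
    """
    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> StrictPolicy

    def apply_header(self, host, header_value):
        max_age, include_subdomains = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(value.strip())
            elif name == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return  # malformed header: ignore, as HSTS does
        host = host.lower().rstrip(".")
        if max_age <= 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = StrictPolicy(self._now() + max_age, include_subdomains)

    def is_strict(self, host):
        labels = host.lower().rstrip(".").split(".")
        now = self._now()
        for i in range(len(labels)):  # walk from the host up to its parents
            candidate = ".".join(labels[i:])
            policy = self._entries.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= now:
                del self._entries[candidate]  # lazy expiry
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False


class Resolver:
    """Tries the encrypted transport first; plaintext only if the host is not pinned."""
    def __init__(self, store, encrypted, plaintext):
        self.store, self.encrypted, self.plaintext = store, encrypted, plaintext

    def resolve(self, host):
        try:
            return self.encrypted(host)
        except EncryptedTransportBlocked:
            pass
        if self.store.is_strict(host):
            raise ResolutionFailed(f"{host}: encrypted DNS unavailable and host is strict")
        return self.plaintext(host)  # the downgrade the opening post objects to


def demo():
    """Constructed scenario: DoH is blocked on the path; one host is pinned, one is not."""
    store = StrictDnsStore(now=FakeClock())
    # On an earlier, working encrypted visit example.com sent the (hypothetical) header.
    store.apply_header("example.com", "max-age=31536000; includeSubDomains")

    def blocked_doh(host):
        raise EncryptedTransportBlocked(host)

    def plaintext_udp53(host):  # constructed answers an on-path attacker could observe or forge
        return {"www.example.com": "192.0.2.10", "news.test": "192.0.2.20"}[host]

    resolver = Resolver(store, blocked_doh, plaintext_udp53)
    outcomes = {}
    for host in ("www.example.com", "news.test"):
        try:
            outcomes[host] = resolver.resolve(host)
        except ResolutionFailed:
            outcomes[host] = None  # refused rather than downgraded
    return outcomes


if __name__ == "__main__":
    print(demo())
```

With DoH blocked, the pinned host fails closed (`None`) while the unpinned one silently downgrades to plaintext, which is exactly the partial-opt-in trade-off the reply describes: sites that accept outright failure get it, the rest keep today's behaviour. The lookup walks up the label chain so a pin on `example.com` with `includeSubDomains` covers `www.example.com` but not `notexample.com`.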