
> With encrypted DNS, Comcast sees that you connected to your DNS provider and Cloudflare, which isn't exactly valuable.

Comcast also sees the SNI in plain text, sees all the other connections to other IPs for third-party resources on that domain, also with SNI, and the sizes of all the responses, of course. And just the IP addresses and response sizes give enough information to figure out what domain is visited, never mind seeing it in plain text in the SNI.
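To make the "sees the SNI in plain text" point concrete, here is an added example (my own code, not from any commenter or from Cloudflare) that builds a minimal TLS ClientHello record with and without a server_name extension and then extracts the host name the way a passive on-path observer would. The ClientHello is a constructed sample (one cipher suite, no other extensions); the `build_client_hello` and `extract_sni` names are mine.

```python
"""Extract the plaintext SNI from a TLS ClientHello record (added example)."""
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal ClientHello record (constructed sample, one cipher suite).

    If server_name is given, a plaintext server_name extension is appended,
    which is what a browser sends when eSNI/ECH is not in use.
    """
    body = b"\x03\x03"                              # legacy_version: TLS 1.2
    body += os.urandom(32)                          # random
    body += b"\x00"                                 # legacy_session_id: empty
    body += struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension, or None if absent.

    This is what an on-path observer (an ISP, for instance) can read from the
    first packet of every TLS connection, regardless of how DNS was resolved.
    Malformed or truncated input yields None rather than an exception.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p, end = 4, 4 + hs_len
        if end > len(hs):
            return None                             # truncated handshake
        p += 2 + 32                                 # skip version + random
        sid_len = hs[p]
        p += 1 + sid_len                            # skip session id
        cs_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2 + cs_len                             # skip cipher suites
        cm_len = hs[p]
        p += 1 + cm_len                             # skip compression methods
        if p + 2 > end:
            return None                             # no extensions block at all
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        ext_end = min(p + ext_len, end)
        while p + 4 <= ext_end:
            ext_type, ext_data_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            data = hs[p:p + ext_data_len]
            p += ext_data_len
            if ext_type != EXT_SERVER_NAME or len(data) < 5:
                continue
            q, list_end = 2, 2 + struct.unpack("!H", data[0:2])[0]
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                  # host_name
                    return data[q:q + name_len].decode("ascii", "replace")
                q += name_len
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    # Constructed sample flows: same destination, with and without a plaintext SNI.
    for flow in ("example.org", None):
        print(flow, "->", extract_sni(build_client_hello(flow)))
```

Run it and the first flow prints the host name straight out of the handshake; the second prints None, which is all that an observer gets from the SNI field once the name is moved into an encrypted extension. The destination IP, packet timing and response sizes are of course still visible in both cases.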

In combination with Encrypted SNI in TLS 1.3 (https://blog.cloudflare.com/encrypted-sni/), they won't be able to see that.

DoH + eSNI + TLS 1.3 won't prevent seeing IP sets. See this thread https://news.ycombinator.com/item?id=21340671 and my other comments here.

There are only detrimental effects from DoH on privacy, because an extra party sees lots of stuff about you and your ISP still sees everything.

Good point. Hopefully encrypted SNI will gain traction, as well.

