top | item 17539024

(no title)

tscs37 | 7 years ago

This is amazing work, can't wait for this to be finished and deployed on the internet. Together with encrypted DNS (DoT and DoH) we finally get fully confidential connections to a server without leaking anything other than Remote IP.

discuss

Ienuur4i|7 years ago

The encrypted DNS proposals only cover securing the route to the recursive resolver. So the recursive resolver (your ISP, google, cloudflare) will still see all the sites you're visiting.

We also need encrypted DNS for the recursive lookup itself so you can run your own resolver somewhere.

tscs37|7 years ago

The resolver is less of an issue because you have free choices there, ISP is harder to change. Plus you increase the number of parties that need to collude (ISP + RR provider) to spy on your traffic.

blattimwind|7 years ago

> So the recursive resolver (your ISP, google, cloudflare)

Why not yourself? Your ISP can still see the RR working, of course.

> We also need encrypted DNS for the recursive lookup itself so you can run your own resolver somewhere.

This would indeed be optimal but would require upgrading a significant portion of authoritative name servers, sooo... might take a while.

pol_throw_away|7 years ago

I'm actually not sure exactly what the purpose of ESNI is but if you look at the implementation if the server you connecting to is publicly known then ESNI is not private. I might be missing something, but you can just build up a database of ESNI record_digest to server name mappings. The limitation being you can only build this up for servers you know about. Also, I guess it doesn't work for SSL servers that are terminating multiple domains because they are able to use the same key for a bunch of different domains. I guess this is the purpose of ESNI :)

dogma1138|7 years ago

That only works if the server you are visiting is behind a CDN with no resources served directly from the dedicated host.

The encrypted SNI would primarily be useful to make censorship and MITM attacks harder.

rqs|7 years ago

I'm don't completely get it. How does CDN is required for this?

Let's say that I have a Nginx on my server which serves a lot's of websites, and whose web sites can only be accessed through HTTPS with SNI, not HTTP.

Now with Encrypted SNI deployed, requests from my clients can still be dispatched to it's respective virtual hosts, but any sniffers in the middle of the connection should only be able to see that my clients are accessing to my server, but not which virtual host.

Is I'm missed anything? I haven't dig deep in to this currently.

xg15|7 years ago

I think for the web to hold true to its ideas, there should have been a discussion of whether we want to have fully confidential connections on the internet. Sadly, this doesn't seem to have happened.

tscs37|7 years ago

I don't think encryption hinders the true ideas of the web, it merely blocks malicious actors, of which there are many in almost all areas and connections.

The entire set of encryption can be easily opened up for inspection and manipulation if all parties agree this is good idea.

evfanknitram|7 years ago

The Remote IP is almost as sensitive as SNI right?

bosdev|7 years ago

This proposal is generally for sites which are behind an edge network like Cloudflare. In that case your remote IP is the IP of the provider, not your actual server.

hansjorg|7 years ago

Not always, see domain fronting: https://en.m.wikipedia.org/wiki/Domain_fronting

tscs37|7 years ago

Not necessarily, think CDNs or Shared IPs for Webspaces.

XparentX|7 years ago

[deleted]

marksomnian|7 years ago

As a responsible parent, you should not be relying on filtering to educate your children. Filters have more holes than Swiss cheese, often block entirely legitimate educational resources, make your children know that you don't trust them to be responsible, and learning about proxies and VPNs is trivial for them (just try googling "proxy servers unblock websites").

If you don't trust your children to use the internet responsibly, don't let them use it. Or let them use it but only under your supervision. If you let them go wild but put up filters, they will find a way around, one way or another, and at that point the princess is in another castle.

SXX|7 years ago

As parent you can install whatever SSL CA you'd like and make full MitM of your own devices. For everyone else it's very important to not leak any private information to ISP or any other party.