[LINK] Secure DNS
David
dlochrin at aussiebb.com.au
Fri Jan 17 11:18:21 AEDT 2020
On 16/01/2020 6:13 pm, Kim Holburn wrote:
>> On 2020/Jan/16, at 5:54 pm, David <dlochrin at aussiebb.com.au> wrote:
>> Even with some form of secure & encrypted DNS from clients to trusted servers, ISPs could still see each web-page URL with the host name replaced by its resolved address.
>
> That'd be very bad security. As I understand it, the encrypted stream is established first, then the URL sent encrypted. To do it the other way would be a security breach.
>>
>> So the security agencies could still monitor an agent of interest, but selling users' browsing history would probably involve too much work to be worthwhile.
You're right, the TLS session is established first, then the HTTP session. Not thinking...
However, I was trying to make this point. If an ISP client uses DNS & HTTP in the clear, then it's obviously easy for their ISP to monitor their browsing history. But if they use DOH/DOT & HTTPS, the ISP still sees destination IP addresses, so monitoring is still possible if the ISP is prepared to look them up, but I suspect the business model begins to collapse.
> A sensible "agent of interest" [to the security agencies] would be using a VPN no?
Yes, if they're using a VPN to a third-party intermediary and are technically aware, but I imagine the security agencies have ways of dealing with that sort of suspicious behaviour. The IP address is more reliable than the text of a URL.
David
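As an added illustration of the point David makes above (this is example code written for this archive page, not something posted by either correspondent): with DoH/DoT plus HTTPS the URL path is only sent after the TLS session is up, so an on-path observer such as an ISP does not see it. What the observer does see is the destination IP address and, unless Encrypted Client Hello is in use, the server_name (SNI) extension in the cleartext TLS ClientHello. The script below builds a constructed ClientHello record (not a real capture) and parses it the way a passive observer would, recovering the host name but nothing about the path. The `observer_view` function and the sample flow it reports on are assumptions made for the example.

```python
import struct


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying a server_name extension.
    This is a hand-built sample for the example, not a captured packet."""
    host = sni.encode("ascii")
    # server_name extension body: ServerNameList length, then (name_type=0, name_len, name)
    sni_list = struct.pack("!BH", 0, len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    extensions = sni_ext
    body = (
        b"\x03\x03"                               # legacy client_version (TLS 1.2)
        + bytes(32)                               # client random (zeros in this sample)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # Handshake record


def extract_sni(record: bytes):
    """Return the server_name carried in a cleartext ClientHello record, or None.
    Mirrors what a passive on-path observer can read before any encryption starts."""
    if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version and random
    pos += 1 + body[pos]                              # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                              # skip compression_methods
    if pos + 2 > len(body):                           # no extensions present
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000:                           # server_name extension
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                name = edata[p:p + nlen]
                p += nlen
                if ntype == 0:                        # host_name
                    return name.decode("ascii")
    return None


def observer_view(dst_ip: str, client_hello: bytes) -> dict:
    """What an ISP-position observer learns from one HTTPS flow (assumed helper for this example).
    The IP address is always visible; the host name is visible via SNI; the URL path never is."""
    return {"dst_ip": dst_ip, "host": extract_sni(client_hello), "path": None}


if __name__ == "__main__":
    # Constructed sample flow: destination address and the client's first TLS record.
    hello = build_client_hello("www.example.com")
    print(observer_view("203.0.113.10", hello))
```

Running it prints the destination address and `www.example.com` with `path` still `None`, which is the distinction the thread arrives at: the encrypted stream hides the URL, but the address (and, without ECH, the host name) remains available to anyone on the path.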