[LINK] Secure DNS
Kim Holburn
kim at holburn.net
Fri Jan 17 12:03:45 AEDT 2020
> On 2020/Jan/17, at 11:18 am, David <dlochrin at aussiebb.com.au> wrote:
>
> On 16/01/2020 6:13 pm, Kim Holburn wrote:
>
>>> On 2020/Jan/16, at 5:54 pm, David <dlochrin at aussiebb.com.au> wrote:
>>> Even with some form of secure & encrypted DNS from clients to trusted servers, ISPs could still see each web-page URL with the host name replaced by its resolved address.
>> That'd be very bad security. As I understand it, the encrypted stream is established first, then the URL sent encrypted. To do it the other way would be a security breach.
>>>> So the security agencies could still monitor an agent of interest, but selling users' browsing history would probably involve too much work to be worthwhile.
>
> You're right, the TLS session is established first, then the HTTP session. Not thinking...
>
> However I was trying to make this point. If an ISP client uses DNS & HTTP in the clear then it's obviously easy for their ISP to monitor their browsing history. But if they use DOH/DOT & HTTPS the ISP still sees destination IP addresses, so monitoring is still possible if the ISP is prepared to look them up,
Except for many websites on multi-site hosts. It becomes very hard to tell. Some servers host hundreds and even thousands of websites.
> but I suspect the business model begins to collapse.
>
>> A sensible "agent of interest" [to the security agencies] would be using a VPN no?
>
> Yes, if they're using a VPN to a third-party intermediary and are technically aware, but I imagine the security agencies have ways of dealing with that sort of suspicious behaviour.
Do tell. Many people have started using VPNs for a variety of reasons, mostly to do with privacy. Many VPNs don't log connections and many are in other legal jurisdictions.
> The IP address is more reliable than the text of a URL.
But there is not necessarily a simple mapping between IP and website.
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
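To make the point about shared hosting concrete, here is a small added example (not part of the original thread or anything the posters wrote) that models what an ISP can do with nothing but destination IP addresses once DNS and HTTP are both encrypted. The passive-DNS observations, PTR records and flow records are all constructed for illustration; the hostnames and addresses are documentation ranges, not real sites.

```python
"""Added example (not from the mailing-list post): how reliably an ISP can turn
an observed destination IP back into a website when DoH/DoT and HTTPS hide the
hostname.  All records below are constructed for illustration."""

from collections import defaultdict

# Constructed passive-DNS style observations: (hostname, A record).
# Four unrelated sites share one hosting IP; one site has an address to itself.
PASSIVE_DNS = [
    ("news.example.org", "203.0.113.10"),
    ("blog.example.net", "203.0.113.10"),
    ("shop.example.com", "203.0.113.10"),
    ("forum.example.org", "203.0.113.10"),
    ("bank.example", "198.51.100.5"),
]

# Constructed reverse (PTR) records.  A shared host's PTR typically names the
# hosting provider's machine, not any one tenant site.
PTR = {
    "203.0.113.10": "web-42.shared.hosting.example",
    "198.51.100.5": "www.bank.example",
    "203.0.113.99": "cdn-edge-7.cdn.example",
}

# Constructed flow records as an ISP sees them with DoH/DoT + HTTPS in use:
# no hostname, just the destination address and port.
FLOWS = [
    {"src": "192.0.2.77", "dst": "203.0.113.10", "dport": 443},  # shared host
    {"src": "192.0.2.77", "dst": "198.51.100.5", "dport": 443},  # dedicated IP
    {"src": "192.0.2.77", "dst": "203.0.113.99", "dport": 443},  # never resolved
]


def build_reverse_map(records):
    """Invert hostname -> IP observations into IP -> set of hostnames."""
    rev = defaultdict(set)
    for host, ip in records:
        rev[ip].add(host)
    return rev


def attribute(flow, rev_map, ptr):
    """Return (candidate sites, confidence) for one flow.

    'exact'     : exactly one site has ever been seen on that IP.
    'ambiguous' : several sites share the IP; any of them could be the target.
    'unknown'   : no forward-DNS history; the PTR name (usually the hosting or
                  CDN provider) is the best label available.
    """
    candidates = sorted(rev_map.get(flow["dst"], ()))
    if len(candidates) == 1:
        return candidates, "exact"
    if candidates:
        return candidates, "ambiguous"
    return [ptr.get(flow["dst"], flow["dst"])], "unknown"


def attribute_all(flows, records=PASSIVE_DNS, ptr=PTR):
    """Attribute every flow; returns a list of (dst, candidates, confidence)."""
    rev = build_reverse_map(records)
    return [(f["dst"], *attribute(f, rev, ptr)) for f in flows]


if __name__ == "__main__":
    for dst, cands, conf in attribute_all(FLOWS):
        print(f"{dst}: {conf} ({len(cands)} candidate(s): {', '.join(cands)})")
```

Only the dedicated address attributes to a single site; the shared-hosting address yields a list of tenants, and an address with no resolution history gives nothing better than the provider's PTR name. The more sites a host serves, the larger that candidate list grows, which is the ambiguity Kim describes above.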