ajross No.16727942
This is the Cloudflare resolver, right? What's the "privacy-first" part about? It's just another third party DNS host. They haven't changed the protocol to be uninspectable and AFAIK haven't made any guarantees about logging or whatnot that would enhance privacy vs. using whatever you are now. This just means you're trusting Cloudflare instead of Comcast or Google or whoever.
tialaramex No.16727975
"We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say."

Now, audits are generally not worth very much (even, perhaps even especially, from a Big Four group like KPMG), but for this type of thing (verifying that a company isn't doing something they promised they would not do) they're about the best we have.

1. runningmike No.16728151
Where is the technical audit report published? Open access url please.
2. bostik No.16729235
Having dealt with KPMG recently (which I do at least once a year...), I would not expect to see the report.

KPMG's risk department - the lawyers' lawyers - appears to be violently allergic to their customers disclosing any report to outside parties. Based on my experience you can get a copy, but first you and the primary customer need to submit some paperwork. And among the conditions you need to agree with is that you don't redistribute the report or its contents.

Disclosure: I deal with security audits and technical aspects of compliance.

3. jlgaddis No.16730000
> KPMG's risk department - the lawyers' lawyers - appears to be violently allergic to their customers disclosing any report to outside parties.

Isn't that the entire point of such an audit? To be able to present it to outside third-parties?

For example, Mozilla (CA/B) requires audits for root CAs. The CA must provide a link to the audit on the auditor's public web site -- forwarding a copy or hosting it on their own isn't sufficient.

4. tialaramex No.16730626
You'd think, but it's surprisingly difficult to get the real full audit report. Mozilla's root policy _does_ require that they be shown the report, and has a bunch of extra requirements in there to ensure there's more detail, rather than some summary or overview document the auditors were persuaded to produce for this purpose. But the CA/B rules would allow just an audit letter which basically almost always says "Yes, we did an audit, and everything is fine" unless the auditors weren't comfortable writing "everything is fine". And almost always they feel that a footnote on a sub-paragraph buried in a detailed report is enough to leave "everything is fine" as the headline in the letter...

If you've ever been audited for some other reason, you'll know they find lots of things, and then you fix them, and that's "fine". But well, is it fine? Or, should we acknowledge that they found lots of things and what those things were, even if you subsequently fixed them? The CA/B says you have several months to hand over your letter after the audit period. Guess what those months are spent doing...

5. dx034 No.16742460
Auditors will confirm the result of the audit but usually not disclose the content of the audit report.