←back to thread

1.1.1.1: Fast, privacy-first consumer DNS service

(blog.cloudflare.com)
1895 points _l4jh | 4 comments | 01 Apr 18 12:14 UTC | HN request time: 0.696s | source
1. slowsun ◴[01 Apr 18 16:04 UTC] No.16728958[source]
> What many Internet users don't realize is that even if you're visiting a website that is encrypted — has the little green lock in your browser — that doesn't keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you've connected to, and your mobile network provider have a list of every site you've visited while using them.

> Network operators have been licking their chops for some time over the idea of taking their users' browsing data and finding a way to monetize it.

The "1.1.1.1 stops ISPs/Starbucks from selling your browsing history" pitch is untrue and, given Cloudflare's expertise, seems disingenuous.

HTTPS transmits domains unencrypted in request headers, to support SNI. So even if DNS lookups are completely hidden, my ISP can still log all domains I visit by inspecting my HTTP(S) requests.

And the domain log from my web requests is more valuable than my DNS log. Advertisers and data aggregators can see the true timing and frequency of my browsing history, whereas a DNS log is affected by router/OS/browser lookup caching.

replies(1): >>16729372 #
2. QasimK ◴[01 Apr 18 17:23 UTC] No.16729372[source]
It’s a step in the right direction. Also is TLS1.3. not supposed to encrypt SNI?
replies(2): >>16729841 #>>16732113 #
3. slowsun ◴[01 Apr 18 19:00 UTC] No.16729841[source]
I agree that a non-Google public resolver, which comes with guarantees about how they'll use your data, is a good thing.

I'm taking exception with Cloudflare's announcement, which makes a pitch to end users that CF can protect your domain history from ISP snooping, then links to a two-minute setup guide for people with "no technical skill". They really can't protect your domain history, and I feel bad for people using this service who have been led to believe otherwise.

AFAIK there is nothing in the TLS 1.3 draft [1] about SNI encryption. There are other draft proposals for SNI encryption that build on top of TLS 1.3 [2]. It's a hard problem and there are no deployed solutions I'm aware of.

[1] https://tools.ietf.org/html/draft-ietf-tls-tls13-28

[2] https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00

4. djsumdog ◴[02 Apr 18 03:38 UTC] No.16732113[source]
I thought this was one of the big contentious issues with TLS1.3, that got resolved in a recent spec approval?