by philip1209 3370 days ago
I think the bigger hole is DNS. Full-tunnel VPNs to primarily TLS-encrypted sites seems like overkill. Encrypted DNS plus an "HTTPS Everywhere" plugin should obfuscate enough info for most people without significantly affecting latency.
4 comments

The ISP can still read the SNI information to see which sites are being used, so there's not so much value in encrypting the DNS.
DNSCrypt + HTTPS everywhere solves the latency issue but it doesn't solve some of the other issues.

You still need the technical know-how to set up a DNSCrypt recursive resolver. The resolver then talks to the respective recursive chain in plain text as DNSCrypt is not something that is widely adopted.

Hosting a private DNS server has its own issues. Many CDNs rely on the DNS server to determine which POP to route you to. Pretty common for Australian internet users who switch their DNS to have videos streamed from Southeast Asia rather than Australia. That would cause huge perceived latency issues. Third-party DNS providers solve this with private agreements [1].

[1] https://community.akamai.com/docs/DOC-4219

Wouldn't it be fairly trivial to guess most of the domains you're visiting by looking at what IP addresses you connect to?
Yes. To be fair though, many sites are on shared hosts, and lots of traffic goes through a handful of CDN networks.

I think that the SNI note below is probably the bigger hole.

You can guess some of it trivially, cloud services such as AWS are popular and mask the ORG using the IP addresses.

Example: any traffic to 17.0.0.0/8 = user probably has an Apple device

The IP addresses are still there in the clear. VPNs for everyone for everything is the only long term answer to this problem and others like anticompetitive zero rating practices.