by nullwasamistake 2541 days ago
Hah! This is the most insane justification I've seen in a while. Even better than when all the tech giants smash competition because "security".

Cloudflare (which has somewhat shady ties to the US govt, maybe) is pushing hard for DNS over a secure channel and it's pissing off ISPs, because they won't be able to sell personalized browsing history if it catches on....

Control/view of DNS requests is worth A LOT of money to advertisers/ISPs because it's currently immune to ad blockers and ties a user directly to their IP and real info. It's even better than browsing history because it includes everything a user does outside the browser as well: protocol agnostic, cross device.

It's the perfect example of "metadata" that various companies and agencies collect for all sorts of shitty reasons. It's the last cleartext frontier of activity monitoring.


But if Cloudflare is the point of aggregation and the ISP can no longer distinguish between what, according to UK law, is legal and illegal traffic, then... surely the legal onus of performing the filtering will fall on Cloudflare?

When they are providing internet content to UK customers, they must respect UK law. It's a dangerous game of chicken to think the UK will not be able to enforce its laws against Cloudflare.

The villain here is the UK govt. ISPs should applaud the technical developments with all their hearts since they are legally off the hook.

I would be okay with showing all of the UK a "Sorry it doesn't appear your government supports modern common sense. Please consider upgrading your government for full site functionality."
Man, I would hate to block off support for a bunch of the things that people need for their daily work, but if it makes things obvious to everyone who's at fault, then it might just work, and I'd be willing to take a hit for that to happen.
This doesn’t make any sense. Your ISP still knows your browsing history even if they can’t see your DNS requests.
No they don't. TLS has encrypted sites for a long time. And with encrypted SNI they get no info about browsing history. This is a blatant attempt to stymie the last cleartext protocol that can be used to record browsing history.
Not if your traffic is HTTPS+TLS. They will only know--if they are the target DNS server--what IP you are connecting to. The secure channel protects against them knowing more than that.
SNI leaks the domain name you are requesting. It's pretty shocking.
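The two cleartext leaks the thread points at (the DNS question name in the first comment, and the plaintext SNI in this one) can be seen concretely by parsing the bytes an on-path observer would capture. The following is an added example, not code from anyone in the thread or from Cloudflare or Mozilla; the DNS query and TLS ClientHello it parses are constructed inline from the protocol layouts (RFC 1035 and the TLS ClientHello/server_name format), and the host names are placeholders. The last case, a ClientHello with no server_name extension, stands in for what an observer is left with once the name is no longer sent in the clear:

```python
"""
Added example: what a passive on-path observer (such as an ISP) can read
from a cleartext DNS query and from the SNI field of a TLS ClientHello.
All input bytes are constructed below for the example; nothing is captured.
"""
import struct
from typing import Optional


def parse_dns_qname(payload: bytes) -> str:
    """Return the first question name from a cleartext DNS message (RFC 1035)."""
    # Header: id, flags, qdcount (then ancount, nscount, arcount; 12 bytes total)
    _id, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def parse_tls_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if record[0] != 0x16:                      # TLS record type: handshake
        raise ValueError("not a handshake record")
    hs = record[5:]                            # skip record header: type(1) version(2) length(2)
    if hs[0] != 0x01:                          # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    pos = 4                                    # handshake type(1) + length(3)
    pos += 2 + 32                              # client_version + random
    sid_len = hs[pos]; pos += 1 + sid_len      # session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    comp_len = hs[pos]; pos += 1 + comp_len    # compression methods
    if pos >= len(hs):
        return None                            # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if ext_type == 0x0000:                 # server_name extension
            # ServerNameList: list_len(2), then entries of type(1) len(2) name
            name_type = hs[pos + 2]
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            if name_type == 0:                 # host_name
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def build_dns_query(name: str) -> bytes:
    """Constructed cleartext A query for `name`, as a stub resolver would send over UDP/53."""
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    q += b"\x00" + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal TLS ClientHello record, optionally carrying a server_name extension."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random (zeroed here), empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
    body += b"\x01\x00"                          # one compression method: null
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type=host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sn_list)) + sn_list     # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Placeholder host names for the example only.
    print("DNS question name seen on the wire:", parse_dns_qname(build_dns_query("www.facebook.com")))
    print("SNI seen on the wire:", parse_tls_sni(build_client_hello("example.com")))
    print("SNI when the name is not sent in the clear:", parse_tls_sni(build_client_hello(None)))
```

Both parsers operate on nothing more than the bytes that pass an intermediate hop, which is the point the thread is making: no key material is needed to read the question name from a UDP/53 query or the host_name from a ClientHello, so encrypting DNS alone still leaves the SNI readable until encrypted SNI/ECH is in use.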
Firefox also supports ESNI! These crazy villains *shakes fist at Mozilla*
There is already work on encrypted SNI. Last time I looked, it uses information from DNS, so encrypted DNS is a prerequisite.
how? wouldn’t they just see TCP packets?
They see the destinations of those packets, so they know what sites (IP addresses) you're interacting with, on what ports.

They don't get the domain names, but for the very popular web properties that all these analytics care about calculating your relationship to, they don't need them; the IP is enough to discern which site you're visiting.

Yes, and the IP addresses there are public, and reverse DNS entries are easy to find. There's some ambiguity, but not much. Your ISP doesn't care about the difference between fbcdn.net and facebook.com when selling your traffic history.