Hacker News
by comex 2408 days ago
> I disagree. I'm of the opinion that DoH brought with it a security problem that is difficult to resolve. It does provide additional security in another area, but that's not something that couldn't have been done using a more reasonable approach that didn't hamper my ability to control what's happening on my own machines.

How do you distinguish, at a technical level, your ability to control what's happening on your own machines versus someone else's machines? Assuming that you're referring to using your control over the network, and given that it's very common for people to connect to networks controlled by entities they don't trust.


I genuinely don't understand your question.

I don't need to distinguish between the two because I'm talking about my own network and machines, not other people's.

I mean, how does a browser distinguish the two? How does it know that it's running on a device owned by the network operator, as opposed to the (probably more common) case that the device owner distrusts the network operator?
It can't, but it is a strange reality in which we absolve users of responsibility to manage their own network in order to protect them, in a way that exposes the users to new threats that even responsible ones can do very little about.
So it's irresponsible to connect to public Wi-Fi? Or, for that matter, to directly connect to a cellular network or any commercial ISP's service, without a router in the middle?

I don't buy it. Even if you do route all DNS through a resolver on your router, that's hardly "protected", unless that resolver is itself using DNS over HTTPS (or TLS). Do you trust your ISP? I don't, and like most of the US I'm not in much of a position to switch. But even if I did trust my ISP, I wouldn't trust that the entire path from me to whatever DNS server the router is contacting (whether it's a recursive resolver or an authoritative one) was free of intelligence agency taps. In fact it seems much more likely that there is a tap somewhere.
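To make the resolver-on-the-router point concrete, here is an added example that is not part of the thread: two unbound(8) forward-zone configurations for a resolver running on a home router. The first (commented out) forwards plaintext DNS on port 53 to the ISP's resolver, so the router-to-upstream hop is exactly the path the comment above says can be tapped; the second forwards over DNS over TLS on port 853 with certificate authentication. The ISP resolver address 192.0.2.53 and the LAN address 192.168.1.1 are placeholders, the DoT upstream is Cloudflare's published endpoint (1.1.1.1 and 1.0.0.1, port 853, authentication name cloudflare-dns.com), and the CA bundle and trust-anchor paths assume a Debian-style layout.

```conf
# Added example, not from the thread. Two unbound(8) forward-zone
# configurations for a resolver running on a home router.

# --- Weak: plaintext forwarding ------------------------------------
# Every query the router sends upstream crosses the ISP's network on
# port 53 in the clear. LAN clients see a "local" resolver, but the
# hop from router to upstream is observable and modifiable.
#
# 192.0.2.53 is a placeholder for the ISP-assigned resolver.
#
# server:
#     interface: 192.168.1.1          # assumed LAN address of the router
#     access-control: 192.168.1.0/24 allow
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53

# --- Hardened: DNS over TLS to an authenticated upstream ------------
server:
    interface: 192.168.1.1            # assumed LAN address of the router
    access-control: 192.168.1.0/24 allow
    # CA bundle used to validate the upstream's certificate.
    # Path assumes a Debian/Ubuntu layout; adjust for other systems.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # DNSSEC validation of the answers: the TLS channel protects the
    # hop to the forwarder, not the correctness of what it returns.
    # Path assumes the Debian unbound package layout.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    name: "."
    # Send every query for this zone over TLS on port 853.
    forward-tls-upstream: yes
    # forward-first is left at its default (no), so unbound does not
    # quietly fall back to plain recursion if the upstream is down.
    # The "#name" suffix is the authentication name checked against
    # the upstream's certificate.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the file with `unbound-checkconf`, restart unbound, and resolve something through it with `dig @192.168.1.1 example.com`; a `tcpdump -ni <wan-interface> port 53` on the WAN side should then show no outbound queries from the router. This moves trust in the upstream hop from the ISP to the DoT operator rather than removing it, and it does nothing for LAN clients that bypass the router's resolver.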

I still don't understand. Why would the browser need to do such a thing? The issues I have with DoH have nothing to do with the browser.