Hacker News new | ask | show | jobs
by tialaramex 2312 days ago
If you configure a personal NextDNS URL as the DoH provider then unsurprisingly NextDNS will know that URL was used, and personalise things accordingly.

If you use Firefox's defaults but pick NextDNS from the list, you don't get personalisation as NextDNS has no idea who you are.

A nice thing about DoH here: For DNS over TLS NextDNS has to hide the configuration ID in the hostname, which as a result is revealed in SNI, but for DoH they can put it in the path and so it is encrypted like everything else.
1 comments
ignoramous 2311 days ago
> ...for DoH they can put it in the path and so it is encrypted like everything else.

Wait: You mean to say URLs are encrypted? I thought not. There must be a reason why GET requests aren't used for secret-sharing, for instance, as opposed to POST. What am I missing?

link
tialaramex 2311 days ago
An HTTPS URL has several parts, let's look at them in turn from left to right of a URL https://userinfo@someserver.example:1234/foo/search?term=goo...

The scheme will always be HTTPS and that isn't sent anywhere but it's implied.

The userinfo (often empty) is encrypted and delivered to the server. This could be login credentials but in the modern web it's largely unused.

The hostname someserver.example is delivered to the server unencrypted using SNI (Server Name Indication) before encryption switches on. This is used to enable virtual hosting - the server may behave differently depending on which name you want. The Encrypted SNI work (eSNI) at the TLS Working Group intends to standardise a way to encrypt this information - note that if your IP address only serves one single web site the hostname doesn't give much extra away so eSNI is mostly interested to bulk hosts, the cloud and so on.

The port 1234 is not delivered anywhere but it's implied since the connection will use this TCP port.

The path /foo/search is encrypted, this is the part NextDNS uses to distinguish one customer from another if you use their custom URLs rather than the built-in default in Firefox.

The query parameters ?term=goose are encrypted

The fragment identifier #egg is not sent to the server this is used only locally in the browser engine itself.

The reason you shouldn't design web sites to use GET for secrets is that URL ends up in the user's URL bar and gets bookmarked or shared with friends.

link
ignoramous 2311 days ago
Thanks for the detailed reply. Appreciate it.
link