It's terrifying that basically nothing has changed since the Snowden leaks. And most people simply don't care so governments can keep scooping up our data, sifting through it for whatever they may deem interesting.
DNSSEC doesn't encrypt anything - it's all plaintext on the wire. There are some DNS extensions that encrypt the query/response (DNS over HTTPS does this), but DNSSEC is not that.
DNSSEC is simply a way to verify that the response you get has not been meddled with in transit - it's the domain owner signing the DNS records so that you can verify that your DNS responses aren't being modified by a malicious entity (that may very well be your ISP).
The number of users of recursive resolvers that support DNSSEC vs users of browsers that use DoH? Number of companies that has infrastructure that supporting DoH compared to number of companies that has infrastructure that supporting DNSSEC? Daily users?
The right figure of merit should be "lookups protected by DoH/DNSSEC" (stipulating that DoH and DNSSEC have different definitions of "protected" and just assuming arguendo they're the same). I don't think it'd even be close; I would assume DoH exceeds DNSSEC by several orders of magnitude.
Note that this isn't lookups that happen to run through a resolver with DNSSEC enabled; to count, you'd be talking about such a lookup to a zone that had DNSSEC signatures. You can see the advantage DoH has here, since it works with all zones.
That would be the volume of traffic being sent over DoH compared to the volume of traffic from every recursive and authoritative dns servers that support dnssec.
It would interesting to see statistics. I wouldn't assume anything in that race. Some TLD's which are signed has quite a lot of traffic going through them on any given day, and most resolvers connecting to those have dnssec enabled by default. There are published statistics for this, but I can't find anything similar from either google or cloudflare.
However so many sites are using CloudFlare and other DDoS prevention and CDN services. I'm sure the NSA has fiber taps (beam splitters) at the point where the data travels unencrypted on the internal datacenter network.
CloudFlare itself might not even be aware of the taps. Or maybe only a few select employees know about it.
I think the solution to these problems is to reduce dependence on the Internet. It's now possible to torrent an entire library worth of books and have it all on your personal computer at home. 20TB HDDs are readily available, and constantly getting cheaper. Also check out https://reddit.com/r/DataHoarder. And we have local AI models, again these do not need the Internet to function.
> I think the solution to these problems is to reduce dependence on the Internet
Uh, I thought the concern is about communications (email, IM, etc), not about content consumption. Communications can't be replaced with some static archives.
I doubt any TLA cares if I read Python or Rust documentation, or if I watched Oppenheimer, or Barbie, or both. If they do - well, it's their loss, because such data is absolutely worthless at scale, as repeatedly demonstrated by the ad industry failing to extract any meaning from all the Big Data(tm) they hoard. And if they would somehow get interested in me personally - I don't think having an offline Wikipedia copy would help me any much.
The solution is to encrypt and authenticate every single byte transferred, end-to-end, with strongest known algorithms. And, well, some legislative action too.
https everywhere is literally throwing the baby with the bathwater. yeah we got a little better at hiding content, still leaking ton of metadata, and still vulnerable to all the root CAs in your browser... and lost cache and everything else that http had.
> https every[where] is literally[1] throwing [out] the baby with the bathwater[2].
1) That would be figuratively, not literally, as there's no literal baby in HTTPS-everywhere that I know of.
2) What is HTTPS-everywhere throwing out? Which part is the baby and which is the bathwater? I don't think this is the right expresion to use here, not even figuratively.
>and still vulnerable to all the root CAs in your browser...
certificate transparency makes this very risky to pull off, making it all but useless unless you're trying to catch a international terrorist or something.
you forget systems have humans in them. most online banking scams hijack bank domains and use CAs for that country gov, which usually have keys leaked or sold on the right (wrong?) places. just look at india or brazil list of small govt CA revocations. those are usually CAs signed by the CAs in your browser.
so, yeah, a gov abusing this is very bad and visible. scammers profiting from the complexity and humans in the machine, is very common.
>most online banking scams hijack bank domains and use CAs for that country gov, which usually have keys leaked or sold on the right (wrong?) places. just look at india or brazil list of small govt CA revocations
Source? If true they're grounds for ejection from root certificate programs of various OS/browsers.
karpersky writes about then from time to time. since its not the CA key but some CA signed by those CA they just revoke that one and move on and nobody cares. last year (or the one before) they discussed this at length on the mozilla chats before the meeting
The zip images? It meant that less data was being sent. Same with the cache.
The worst of it was that internet providers wanted to tamper with data, and insert this or that advert into what they sent. The absence of that is a good thing.
Something changed: government agencies are now clear that they can carry on, build more of it, and get away with it. Even try and build more of it into law (see EU). It was an expensive test but successful.
Plenty has changed. In general the technology industry cares a lot more about security these days. Things have gotten better and many services became much more secure by default. WhatsApp is the most widely used messaging platform in the world and it has end-to-end encryption. It's not ideal but the fact is never before have so many people used something this secure. It's foiled my country's courts more than once.
What we need now is to get these governments to accept defeat and stop trying to undermine our security with constant legislative assaults. The fact they keep trying is evidence that it's working.
this is not true and insulting at the same time. Individual people are powerless against organized commercial activity, and, more than one million people in the USA are on payroll with uniform services, so they cannot object.
in addition, the throw-away word "terrifying" is also useless and annoying.. really
It's absolutely an insult and frankly disheartening. And in order to get a word in edgewise you would have to rollup an entire decade of work into a simple cliche using appropriately PC keywords. Which is just as draining to contemplate as do.
Now people are focused on encrypting metadata, so things like DNSSEC took off.
There was a recent discussion about how state actors are using push notifications to spy on users. Maybe that is the next area of improvement.
https://news.ycombinator.com/item?id=38543155