[SamuelAdams]

The push for HTTPS everywhere came directly from the Snowden revelations, and that is considered a good thing.

Now people are focused on encrypting metadata, so things like DNSSEC took off.

There was a recent discussion about how state actors are using push notifications to spy on users. Maybe that is the next area of improvement.

https://news.ycombinator.com/item?id=38543155

[Syonyk]

> so things like DNSSEC took off.

DNSSEC doesn't encrypt anything - it's all plaintext on the wire. There are some DNS extensions that encrypt the query/response (DNS over HTTPS does this), but DNSSEC is not that.

DNSSEC is simply a way to verify that the response you get has not been meddled with in transit - it's the domain owner signing the DNS records so that you can verify that your DNS responses aren't being modified by a malicious entity (that may very well be your ISP).

[tptacek]

Yes, they're probably thinking of DoH, which is much, much more widely deployed than DNSSEC.

[belorn]

How are you calculating that?

The number of users of recursive resolvers that support DNSSEC vs users of browsers that use DoH? Number of companies that has infrastructure that supporting DoH compared to number of companies that has infrastructure that supporting DNSSEC? Daily users?

[tptacek]

The right figure of merit should be "lookups protected by DoH/DNSSEC" (stipulating that DoH and DNSSEC have different definitions of "protected" and just assuming arguendo they're the same). I don't think it'd even be close; I would assume DoH exceeds DNSSEC by several orders of magnitude.

Note that this isn't lookups that happen to run through a resolver with DNSSEC enabled; to count, you'd be talking about such a lookup to a zone that had DNSSEC signatures. You can see the advantage DoH has here, since it works with all zones.

[belorn]

That would be the volume of traffic being sent over DoH compared to the volume of traffic from every recursive and authoritative dns servers that support dnssec.

It would interesting to see statistics. I wouldn't assume anything in that race. Some TLD's which are signed has quite a lot of traffic going through them on any given day, and most resolvers connecting to those have dnssec enabled by default. There are published statistics for this, but I can't find anything similar from either google or cloudflare.

[tptacek]

All traffic sent over DoH is protected. Most traffic --- the overwhelming majority of traffic --- sent through a DNSSEC-verifying resolver isn't signed by DNSSEC, because the overwhelming majority of zones --- and an even higher proportion of popular zones, by any reasonable metric of popularity you choose (I use the Moz 500) --- aren't signed.

[127361]

However so many sites are using CloudFlare and other DDoS prevention and CDN services. I'm sure the NSA has fiber taps (beam splitters) at the point where the data travels unencrypted on the internal datacenter network.

CloudFlare itself might not even be aware of the taps. Or maybe only a few select employees know about it.

I think the solution to these problems is to reduce dependence on the Internet. It's now possible to torrent an entire library worth of books and have it all on your personal computer at home. 20TB HDDs are readily available, and constantly getting cheaper. Also check out https://reddit.com/r/DataHoarder. And we have local AI models, again these do not need the Internet to function.

[drdaeman]

> I think the solution to these problems is to reduce dependence on the Internet

Uh, I thought the concern is about communications (email, IM, etc), not about content consumption. Communications can't be replaced with some static archives.

I doubt any TLA cares if I read Python or Rust documentation, or if I watched Oppenheimer, or Barbie, or both. If they do - well, it's their loss, because such data is absolutely worthless at scale, as repeatedly demonstrated by the ad industry failing to extract any meaning from all the Big Data(tm) they hoard. And if they would somehow get interested in me personally - I don't think having an offline Wikipedia copy would help me any much.

The solution is to encrypt and authenticate every single byte transferred, end-to-end, with strongest known algorithms. And, well, some legislative action too.

[begueradj]

How Some Governments Eliminate HTTPS/TLS Encryption [1]

[1]: https://www.youtube.com/watch?v=37irG5pKur8

[ksjskskskkk]

https everywhere is literally throwing the baby with the bathwater. yeah we got a little better at hiding content, still leaking ton of metadata, and still vulnerable to all the root CAs in your browser... and lost cache and everything else that http had.

[jbotz]

> https every[where] is literally[1] throwing [out] the baby with the bathwater[2].

1) That would be figuratively, not literally, as there's no literal baby in HTTPS-everywhere that I know of.

2) What is HTTPS-everywhere throwing out? Which part is the baby and which is the bathwater? I don't think this is the right expresion to use here, not even figuratively.

[dllthomas]

> no literal baby in HTTPS-everywhere that I know of

Well not anymore. We threw it out.

[jkubicek]

literally

[ksjskskskkk]

on 2: caches for one

[gruez]

>and still vulnerable to all the root CAs in your browser...

certificate transparency makes this very risky to pull off, making it all but useless unless you're trying to catch a international terrorist or something.

[ksjskskskkk]

you forget systems have humans in them. most online banking scams hijack bank domains and use CAs for that country gov, which usually have keys leaked or sold on the right (wrong?) places. just look at india or brazil list of small govt CA revocations. those are usually CAs signed by the CAs in your browser.

so, yeah, a gov abusing this is very bad and visible. scammers profiting from the complexity and humans in the machine, is very common.

[gruez]

>most online banking scams hijack bank domains and use CAs for that country gov, which usually have keys leaked or sold on the right (wrong?) places. just look at india or brazil list of small govt CA revocations

Source? If true they're grounds for ejection from root certificate programs of various OS/browsers.

[ksjskskskkk]

karpersky writes about then from time to time. since its not the CA key but some CA signed by those CA they just revoke that one and move on and nobody cares. last year (or the one before) they discussed this at length on the mozilla chats before the meeting

[verisimi]

> and lost cache and everything else that http had.

A genuine loss, and also the ability to zip imagery.

[Avamander]

Was it a loss? I don't think so. It was either ineffective, stale or a massive privacy issue. We're better off with local caches.

[verisimi]

The zip images? It meant that less data was being sent. Same with the cache.

The worst of it was that internet providers wanted to tamper with data, and insert this or that advert into what they sent. The absence of that is a good thing.