[JoshTriplett]

I agree with your frustration, and just fundamentally disagree with your attribution of blame. Security is a feature. Software that works against its user is an awful thing. Security features that help secure software for the benefit of users do not become bad just because they also help secure software that works against the user. The solution there is not running software that works against its user.

Eliminating buffer overruns across the entire industry will also make it harder to e.g. jailbreak game consoles or iOS devices. That doesn't make it bad to eliminate buffer overruns; the problem is with devices requiring jailbreaking in the first place, rather than serving their users.

If you believe that TLS and DoH do more harm than good, you may be in a bubble where e.g. things like pihole are common, rather than being obscure tools used by highly technical users who tolerate and debug breakage.

[benreesman]

Maybe we agree and maybe not, I'm unsure.

I don't think there is any justification for shipping software with exploitable security problems on purpose, and it sounds like I maybe gave you the impression I do. I think all software should be as secure as it's feasible to make it.

But I don't think that security should ever operate against the person who bought the device and is sitting in front of it. I don't think anything on my device or anyone's should be able to phone home in a way that is secure from me: and so I am very happy with things like eBPF that make root mean root.

I think that there are certain things you do not do as a professional, as a moral person, as a person who wants to be proud of what you've done. And both TLS and DoH are now routinely used by vendors to do things that users don't know about, don't want, wouldn't consent to if they knew, and I think people should go to jail over it.

I worked in big consumer internet during the period when it was beloved, and during the period where it was starting to get sketchy, and at some point I walked away from millions in unvested stock because a line had been crossed.

Near as I can tell a lot of us with reservations left, and those that remain are those with few if any qualms of any kind.

[JoshTriplett]

> I think all software should be as secure as it's feasible to make it. But I don't think that security should ever operate against the person who bought the device and is sitting in front of it.

I don't think that software, in general, should place the interests of the software author above the interests of the user.¹ I just don't think that's specific to TLS or DoH; it's a general problem of running software that doesn't operate in your best interests. And I feel like laying the blame for that on TLS or DoH, rather than on the software author working against the user's interests, has the net result of making it harder to make software more secure, because it contributes to pushback against those technologies in general.

¹ Modulo some reasonable caveats and subtleties like following standards, which place one interest of the user above another interest of the user.

I think TLS and DoH are net wins in the world, due to all the positive benefits they have, despite the fact that they (like many many other technologies) are also sometimes used for anti-user purposes.

And, of course, if you control a device that includes controlling the software running on the device, which includes arbitrarily debugging, intercepting, or modifying it. I'm glad to see people who legitimately control a device using whatever technologies they desire to prevent software from working against their interests. (Though I continue to believe the right solution there is to not run software that runs against your interests in the first place, whenever possible.)

[benreesman]

Well fortunately for user choice there are people like me who are going to build and distribute software that is not prescriptive about what certificate authorities users should be compelled to accept as net wins as well as people like you who apparently are willing to navigate a twisty rhetorical maze before arriving back at: status quo, intact.

my intention is to render your net win calculation irrelevant by letting users decide and educating them about the implications of trusting people like you.

[JoshTriplett]

> not prescriptive about what certificate authorities

This seems like a non-sequitur. DoH does not specify particular certificate authorities; it just uses a secure connection, rather than plaintext DNS.

Is your complaint specifically about certificate pinning in proprietary applications, as opposed to using the system CA store?

> twisty rhetorical maze

That is an excessively reductive description of an argument you disagree with.