If I set my DNS provider to use DoH or DoT, my ISP will no longer see my DNS requests. I'm confident that my ISP doesn't do DPI at scale to extract SNI, so the lack of ECH doesn't break the entirety of the privacy benefit.
The fact that they could perform DPI doesn't change the reality that most ISPs probably aren't doing it, unless mandated by law, because it's expensive and in my main country of residence they can't sell that data to offset the cost.
I'm surprised to see such lack of nuance coming from you.
A big part of why we began pushing for TLS everywhere is that ISPs were doing DPI to inject ads in web pages. There's very real precedent for this stuff, and a real market for selling information on your web habits as well. Besides the obvious value for the spooks.
It's taken a conspicuously long time to even begin to see a solution to the glaring privacy issues with SNI. Even just counting the length of time we've been aware of the problem of SNI being used for censorship and eavesdropping[1], it's over a decade, and ECH's status is still very experimental in most web server software (and ECH is kind of a janky hack even after how long this has been discussed back and forth, the ESNI debacle, and so on).
[1] https://inria.hal.science/hal-01202712/document
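The SNI problem the comment above describes is easy to see concretely: the host name sits in cleartext inside the very first TLS record of a connection, so anyone on the path can read it without touching DNS at all, and ECH only helps by moving the real name into an encrypted extension while the visible "outer" SNI carries the provider's public name. The following script is an added example, not code from the thread or from any project mentioned in it; it builds two constructed ClientHello records (the ECH one carries an opaque placeholder body under the ECH extension code point, not a real ECH encoding) and parses them the way a passive observer or an IDS would.

```python
"""Parse the Server Name Indication (SNI) out of a TLS ClientHello.

Added example (not from the thread): shows what a passive observer on the
wire can read from the first TLS record of a connection, and why ECH matters.
All ClientHello bytes below are constructed here, not captured traffic.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # extension code point used by the ECH drafts


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, ech_payload=None):
    """Build a minimal TLS 1.2-format ClientHello record (constructed sample input).

    `server_name` goes into the cleartext SNI extension. If `ech_payload` is given,
    an extension with the ECH code point is appended; its body is an opaque
    placeholder standing in for the encrypted inner ClientHello, not a real ECH encoding.
    """
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode("ascii")
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = _ext(EXT_SERVER_NAME, sni_list)
    if ech_payload is not None:
        extensions += _ext(EXT_ECH, ech_payload)
    body = (
        b"\x03\x03"            # legacy_version: TLS 1.2
        + bytes(32)            # random (zeroed for the sample)
        + b"\x00"              # legacy_session_id: empty
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return (sni, has_ech) for a ClientHello record, or (None, False) if it is not one.

    `sni` is the cleartext host name an on-path observer can read; `has_ech` says
    whether an ECH extension is present, in which case `sni` is only the outer name.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None, False
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None, False
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip version + random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    if pos + 2 > len(body):
        return None, False                                 # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni, has_ech = None, False
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", errors="replace")
        elif ext_type == EXT_ECH:
            has_ech = True
    return sni, has_ech


def observer_view(record):
    """One-line summary of what a passive observer learns from this ClientHello."""
    sni, has_ech = extract_sni(record)
    if sni is None:
        return "no SNI visible"
    if has_ech:
        return f"outer SNI only: {sni} (real host name is inside the encrypted ECH payload)"
    return f"cleartext SNI: {sni}"


if __name__ == "__main__":
    plain = build_client_hello("www.example.com")
    # Constructed ECH-style hello: outer SNI is a placeholder public name, inner name hidden.
    ech = build_client_hello("public-name.example", ech_payload=b"\x00" * 64)
    print(observer_view(plain))
    print(observer_view(ech))
```

The same parsing logic is what a network monitor would run on port 443 traffic: without ECH the per-connection host name is recoverable from one packet regardless of how DNS was resolved, and with ECH only the shared public name appears, which is why encrypted DNS alone leaves the gap the thread is arguing about.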
It doesn't fix privacy but it does work around censorship. Has a court or the government ordered your ISP to usurp its enemies' DNS records? If so, you need to talk to a different resolver, not constrained by your government or courts.
> but it does work around censorship
* for the countries/ISPs that don't also hijack all DNS
https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...
There are gaps depending upon the client configuration, but "bupkis" is simply wrong or horribly obsolete.
Encrypted DNS isn't an "any day now": basically every platform and browser and provider supports it, and 100% of my household's DNS requests are opaque to anyone watching the wire. And basically every system like Cloudflare supports ECH, so SNI isn't a thing for the vast majority of sites.
DoH and ECH fix that
Any moment now...