> On 21 August 2018 at 16:47, Philip Homburg <[email protected]> wrote:
>
> > If I got it well, what you are trying to bypass is your ISP's
> > security filter that prevents you from connecting to malware or to
> > illegal content (e.g. intellectual property violations and the
> > like).
>
> As a user, I think there is little reason to trust an ISP.
>
> If you take a mobile device, do you trust every hotel, bar, etc. where you
> may connect to the wifi? Are they all competent? Are you sure none of them
> will violate your privacy?

Sure, roaming at hotels and cafes is a good use case for encrypted DNS, though for many people it is not the typical Internet access situation (not everyone travels to conferences all the time). Most people here in Europe either access the Internet at home or at work through DSL or fiber, or access it on their mobile phone using the mobile operator's data network. In fact, roaming wi-fi connections, while still relevant (especially for international tourists), are getting less and less used, since everyone now gets several gigabytes of EU-wide mobile data per month included with their base mobile fee.

Still, I'm all in favour of encrypting and authenticating DNS connections when you are in that situation. However, this should not be done in a way that breaks many other use cases.

> If you have only a few ISPs to chose from, do you trust that ISP?

How many browsers can I choose from? Definitely many fewer than the possible ISPs, and not a single one from the jurisdiction I live in.

> There are many ISPs that try to do the right thing for their customers.
> There are quite a few ISPs that have court orders to do things that go
> against the interests of their customers.

Yes, but that's the law. I still don't get how it is possible that the IETF is releasing a technology openly designed to allow people to break the law. In my part of the world, this is ethically unacceptable, and possibly also illegal.

> And there are quite a few ISPs that are positively evil.
>
> You need to have options in case you can't trust the ISP.

Why would you ever use an ISP that you don't trust and that is positively evil?

> > build a sort of "nuclear bomb" protocol
> > that, if widely adopted, will destroy most of the existing practices
> > in the DNS "ecosystem"
>
> There is no reason why DoH has to be deployed as a 'nuclear bomb'.

Ok, this is the real issue. There is no reason why, but this is how it is being deployed, starting with Mozilla.

And I have yet to see a statement from the DoH community that Mozilla's idea of making DoH the default and disregarding whatever resolver is being configured in the system via DHCP is not a good one. Actually, during the discussions in Montreal there were people talking about centralized DNS operators paying the browser makers to get their DNS traffic, and then monetizing it to get back the money. How this can be presented as "more privacy" is baffling.

Perhaps what we are missing is just a set of policy guidelines on how DoH should be deployed by operators and application developers, though I do not know how you could then enforce them.

> Hosts can still default to using the resolvers offered by DHCP only switching
> to public resolvers when directed by the user.

No, they can't, if the application defaults to its own resolvers, possibly not even letting the user choose different resolvers unless they click into three-level-deep configuration menus.

> The big difference is that when the user does decide to bypass the ISP's
> resolvers, there will be no way for the ISP to interfere.

Good luck explaining that to several hundred governments that rely on mandatory DNS filters to enforce gambling, hate speech and pornography regulation.

Regards,

--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
[email protected]
Office @ Via Treviso 12, 10144 Torino, Italy

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
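The thread argues about where a stub resolver sends its queries (the DHCP-supplied resolver versus an application's own DoH service) and about what an on-path ISP filter can still see. The following is an added illustration, not code from the thread, from Mozilla, or from any DoH implementation: it builds the same DNS question in classic wire format, shows the DoH GET and POST encodings defined in RFC 8484, extracts the QNAME that a cleartext UDP/53 query exposes to anyone on the path, and parses the resolver list from a resolv.conf file of the kind DHCP clients write. The resolver hostname `dns.example`, the sample resolv.conf contents and the 192.0.2.x addresses are constructed for the example.

```python
"""Added example: Do53 versus DoH (RFC 8484) on the wire, and finding the
system resolver that DHCP configured. Names and addresses are constructed."""
import base64
import struct

# Constructed sample of a resolv.conf as a DHCP client would write it.
SAMPLE_RESOLV_CONF = """\
# Generated by the DHCP client (constructed for this example)
search lan.example
nameserver 192.0.2.53
nameserver 192.0.2.54
options timeout:2
"""


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Encode a DNS question in RFC 1035 wire format.
    ID 0 and only the RD flag set, as RFC 8484 recommends so that
    identical DoH GET requests are cache-friendly."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_qname(msg: bytes) -> str:
    """Read the QNAME out of a wire-format message. For a plain UDP/53 query this is
    exactly what an on-path observer (an ISP filter, for instance) sees in cleartext."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire query, base64url-encoded without padding,
    in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post_request(host: str, path: str, query: bytes) -> bytes:
    """RFC 8484 POST form as raw HTTP/1.1 bytes. In practice this travels inside TLS,
    so the network sees a TCP/443 connection to `host` (and its SNI) but not the QNAME."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + query


def system_resolvers(resolv_conf: str) -> list[str]:
    """Nameserver addresses from resolv.conf text, in the order listed."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("UDP/53 payload exposes QNAME:", parse_qname(q))
    print("DoH GET:", doh_get_url("https://dns.example/dns-query", q))
    print(doh_post_request("dns.example", "/dns-query", q).decode("latin-1"))
    print("DHCP-configured resolvers:", system_resolvers(SAMPLE_RESOLV_CONF))
```

The `dns=` value produced for `www.example.com` is the one given in RFC 8484 section 4.1.1, which is a quick way to check the encoder. The point the example makes concrete is the one the two sides of the thread disagree about: a Do53 datagram carries the QNAME where a network-level filter can read and rewrite it, whereas the same question inside a DoH request to a resolver the application chose leaves only the HTTPS connection to that resolver visible, and the system's own `nameserver` lines are simply never consulted unless the application reads them.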
