On 16/01/2020 6:13 pm, Kim Holburn wrote:
> On 2020/Jan/16, at 5:54 pm, David <[email protected]> wrote:
>> Even with some form of secure & encrypted DNS from clients to trusted servers,
>> ISPs could still see each web-page URL with the host name replaced by its resolved
>> address.
> That'd be very bad security. As I understand it, the encrypted stream is
> established first, then the URL sent encrypted. To do it the other way would
> be a security breach.
>> So the security agencies could still monitor an agent of interest, but selling
>> users' browsing history would probably involve too much work to be worthwhile.
You're right, the TLS session is established first, then the HTTP session. Not
thinking...
However, I was trying to make this point. If an ISP client uses DNS & HTTP in the
clear then it's obviously easy for their ISP to monitor their browsing history. But if
they use DoH/DoT & HTTPS the ISP still sees destination IP addresses, so monitoring
is still possible if the ISP is prepared to look them up, but I suspect the business
model begins to collapse.
> A sensible "agent of interest" [to the security agencies] would be using a VPN
> no?
Yes, if they're using a VPN to a third-party intermediary and are technically
aware, but I imagine the security agencies have ways of dealing with that sort
of suspicious behaviour. The IP address is more reliable than the text of a
URL.
David
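A small model of the observer's view discussed in this exchange, added here as an example and not part of the original thread. The addresses, host names and traffic records are constructed; it shows that with cleartext DNS and HTTP the full URL is visible, while with DoH/DoT and HTTPS only destination IPs remain, which can be mapped back to host names at the cost of a lookup per record but never yield URL paths.

```python
from collections import defaultdict

# Constructed reverse-lookup table (hypothetical addresses and names) standing
# in for the ISP being "prepared to look them up".
REVERSE_LOOKUP = {
    "203.0.113.10": "news.example",
    "203.0.113.20": "shop.example",
    "198.51.100.53": "doh.resolver.example",
}

# Constructed traffic records: (client, protocol, destination IP, readable payload).
# payload is None where TLS hides it from an on-path observer.
PLAINTEXT_TRAFFIC = [
    ("10.0.0.5", "dns", "192.0.2.53", "news.example"),
    ("10.0.0.5", "http", "203.0.113.10", "http://news.example/politics/story-42"),
    ("10.0.0.5", "dns", "192.0.2.53", "shop.example"),
    ("10.0.0.5", "http", "203.0.113.20", "http://shop.example/cart?item=7"),
]
ENCRYPTED_TRAFFIC = [
    ("10.0.0.5", "doh", "198.51.100.53", None),    # DNS carried inside HTTPS to the resolver
    ("10.0.0.5", "https", "203.0.113.10", None),   # TLS first, so the URL is never in the clear
    ("10.0.0.5", "doh", "198.51.100.53", None),
    ("10.0.0.5", "https", "203.0.113.20", None),
]

def observer_view(records, do_lookups=False):
    """Per client, list what a passive observer learns from each record:
    the query name or URL when readable, otherwise only the destination IP
    (optionally resolved through REVERSE_LOOKUP, counting each lookup)."""
    seen = defaultdict(list)
    lookups = 0
    for client, proto, dst, payload in records:
        if payload is not None:                       # cleartext DNS or HTTP
            seen[client].append(f"cleartext:{payload}")
        elif do_lookups:                              # IP -> host name, one lookup each
            lookups += 1
            seen[client].append(f"host:{REVERSE_LOOKUP.get(dst, dst)}")
        else:                                         # encrypted: IP address only
            seen[client].append(f"ip:{dst}")
    return dict(seen), lookups

def leaks_url_paths(view):
    """True if any observed item carries a URL path, i.e. page-level history."""
    return any("/" in item.split(":", 1)[1]
               for items in view.values() for item in items)

if __name__ == "__main__":
    for label, records in (("cleartext", PLAINTEXT_TRAFFIC), ("DoH+HTTPS", ENCRYPTED_TRAFFIC)):
        view, n = observer_view(records, do_lookups=True)
        print(label, view, "lookups:", n, "paths leaked:", leaks_url_paths(view))
```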
_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link