From be57b4edab56c727f86a08345ac21ff78ce95e9b Mon Sep 17 00:00:00 2001 From: curben <2809763-curben@users.noreply.gitlab.com> Date: Tue, 24 Sep 2019 23:08:06 +0100 Subject: [PATCH] post: add new reference --- source/_posts/doh-tls-privacy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/_posts/doh-tls-privacy.md b/source/_posts/doh-tls-privacy.md index 132bf4e..2da5267 100644 --- a/source/_posts/doh-tls-privacy.md +++ b/source/_posts/doh-tls-privacy.md 
@@ -12,11 +12,11 @@ Recently I stumbled upon this [bug report](https://lists.zx2c4.com/pipermail/wir ISP still knows what **IP address** you are connecting to. Even with HTTPS and DoT/DoH, ISP currently can sniff the website domain you are visiting/visited including the complete URL due to a security weakness in the [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication). This weakness can be fixed by using [Encrypted SNI](https://blog.cloudflare.com/esni/) (ESNI). -But even with all that, I repeat, ISP still *knows* what IP address you are connecting to. A simple reverse DNS lookup or even just by visiting the IP address can reveal what website it belongs to. Reverse DNS lookup is indeed not as easy as ten years ago due to the current proliferation of content delivery network (CDN) like Cloudflare. But it is still possible. For example, A `dig startpage @9.9.9.9` returned `216.218.239.2`. When you go to the IP through a web browser, it redirects to startpage.com. Going to gitlab.com's IP resulted in SSL warning with gitlab.com shown as the valid hostname. +But even with all that, I repeat, ISP still *knows* what IP address you are connecting to. A simple reverse DNS lookup or even just by visiting the IP address can reveal what website it belongs to. While reverse DNS lookup is not as easy as ten years ago due to the current proliferation of content delivery network (CDN) like Cloudflare, yet it is still possible. For example, A `dig startpage @9.9.9.9` returned `216.218.239.2`. When you go to the IP through a web browser, it redirects to startpage.com. Going to gitlab.com's IP resulted in SSL warning with gitlab.com shown as the valid hostname. {% image '20190404/gitlab-ip.png' 'Reverse domain lookup through browser' %} -Websites that are behind Cloudflare can be harder to lookup. For example, `dig is.gd @9.9.9.9` returned `104.25.23.21`, but going to that IP resulted in a Cloudflare error page. 
So, every website should use Cloudflare, I guess? +Websites that are behind CDN can be harder to lookup. For example, `dig is.gd @9.9.9.9` returned `104.25.23.21`, but going to that IP resulted in an error page. Even then, with sufficient dataset, it is still [possible](https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an-ip-address/) to infer a website from an IP. Anyhow, DoT/DoH helps to address DNS spoofing issue by preventing the DNS query/answer from being maliciously modified. It makes it *harder* for the ISP from recording your browsing history because it prevents them from doing DNS logging. But they can still continue doing **IP logging**. Not to mention DoT/DoH resolvers also can log DNS traffic. Even [DNSCrypt](https://en.wikipedia.org/wiki/DNSCrypt) cannot prevent that.
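Review bot: the rewritten sentence in the first `+` line pairs "While" with "yet" ("While reverse DNS lookup is not as easy as ten years ago ..., yet it is still possible"), which reads as a double concession; dropping "yet" gives "While reverse DNS lookup is not as easy as ten years ago ..., it is still possible." The same line keeps "For example, A `dig startpage @9.9.9.9`" with a capitalised "A" mid-sentence. In the second `+` line, "Websites that are behind CDN" wants an article ("behind a CDN"), and "with sufficient dataset" reads better as "with a sufficiently large dataset". Adding the APNIC reference is the right call, since the paragraph otherwise asserts IP-to-website inference without support; consider naming what the link covers in the sentence itself ("it is still possible to infer a website from an IP, as the linked APNIC post shows") so the claim does not rest on the anchor text alone.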