Hmm, if I understand your argument correctly, DoH is bad because ISPs or network administrators will do TLS interception more often to avoid going dark, and TLS interception is bad. But I don't see how it follows; if you can do TLS interception, you can also disable DoH?
Replying to @munin @http_error_418
No, I mean you can't enable TLS interception without Admin (either via group policy, software run with consent, modifying the image, etc). Those are also all sufficient to disable DoH in the browser settings, right?
Replying to @munin @http_error_418
I'm pro-DoH, I'm trying to understand your concern. It seems pretty arbitrary to be concerned about monitoring for exfiltration via DoH, but not arbitrary other means of tunnelling DNS (e.g. DNS over SSH), or just any other protocol.
Enterprises tend to block outbound SSH, but not outbound TLS. But Twitter is a bad place for me to discuss this, as there's a lot of nuance to the subject.
I just picked SSH at random, it can be DNS queries steganographically embedded in PDF files shared over email. Do people really argue they can prevent DNS queries from being tunnelled out of a network?
Replying to @taviso @GossiTheDog and
*sigh* Just because DNS theoretically could be tunneled via other means doesn't mean it's in users' best interest for a for-profit intelligence firm to have DoH & use their monopoly power to shove it into browsers to bypass everyone's security controls so they can make more money.
Replying to @bambenek @GossiTheDog and
We're just going in circles here. The difference is that by connecting to free coffee shop wifi, I'm not explicitly stating I want them to monitor my activity. That should not be the default.
Replying to @taviso @GossiTheDog and
So the default should be a for-profit intelligence agency should be the only one who can do the snooping?
I think there shouldn't be any snooping going on at all. We can't enforce that technically yet, but we can enforce it by making the default an organization that's contractually bound to respect privacy. Make sense?