Mozilla DNS-over-HTTPS may be a trojan horse (Conspiracy)

submitted ago by allahead

The protocol claims to allow people to get around censorship by letting them look up DNS names anonymously. It doesn't matter though because you will still be seen connecting to the actual web site.

The ISP can block websites by more ways than just blocking DNS lookups. DNS just gives you the IP address to connect to. If ISP's want to block access to a website, they can just firewall the IP's, any remotely competent admin knows this.

The problem is that instead of "trusting" (I use the term loosely) some authoritative ISP DNS or any of the commonly used ones like googles 8.8.8.8, you will be using whatever DNS the app maker supplies. If you install an application, and it also modifies the certificate authorities on your computer or phone, the application can now possibly hijack all the DNS queries from your computer and since they have a Cert Authority installed also they can proxy/decrypt all of your SSL traffic.

I don't think we are better off with every sneaky little app maker putting up their own DNS in a closet and pointing it at whatever they fancy at the moment.

You are viewing a single comment's thread.

view the rest of the comments →

libman ago

We need multiple DNS mechanisms and metalink-style links / bookmarks between sites. If the target site is down, you try mirror locations (including through Tor, Namecoin, etc), and then the last static snapshot via IPFS/etc as a last resort.

We also need better automated Web archiving mechanisms (like archive.fo but decentralized and dumped to common storage like IPFS). They would then try blocking by checksum, but won't be able to due to crypto.

allahead ago

It's really hard to get started securely. You basically put all your trust with the certs that come with the OS or browser.

Sites change so often, checksums become a popularity contest. If you control DNS and Cert Authorities (CA's) you can masquerade as anyone.

Do you think blockchain could be tied to DNS someway to make it decentralized and authoritative? At some point you have to eyeball the bits or throw your hands in the air and say good enough i guess.

Horrux ago

Personally I would love to see a DNS blockchain.

handsignals ago

the thought of how slow it would be makes me want to puke. blockchain is the answer to nothing(for most use cases), because its prohibitively slow. to make it faster defeats its purpose (proof of work).

libman ago

Updating a blockchain (ex. registering a name) is slow. Searching a blockchain is as fast as searching any other data file.