26.04.2018 - The leaky sieve of the internet
So today I came across RFC 7858, which describes how to do DNS over TLS (aka HTTPS).
Since DNS is one of the last major protocols without a secure version of itself (meaning all your requests and responses are in plain text and not authenticated), I found it rather interesting. Turns out it's as simple as connecting to the resolver's port 853 with TLS and sending a TCP-mode DNS request.
Naturally, I quickly put together a proxy-like thingy that listens on UDP port 53 on localhost, takes the DNS requests, converts them to TCP mode and forwards them over to Cloudflare's brand spanking new secure resolver, then converts the result back and returns it.
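Here is what that proxy-like thingy boils down to, as an added example written for this post rather than the author's own code. The only real work is the framing: a UDP DNS message becomes a TCP/TLS one by prefixing a 2-byte big-endian length (RFC 1035), and the reply is unframed the same way before it goes back over UDP. The resolver address `1.1.1.1`, the certificate name `cloudflare-dns.com` and the function names are assumptions; port 853 is the one RFC 7858 assigns. The `fit_for_udp` step is the caveat a practitioner hits quickly: a TLS reply can be larger than a classic 512-byte UDP answer, so the proxy has to truncate and set the TC bit rather than hand the client a silently cut-off response.

```python
import socket
import ssl
import struct
import secrets

# Assumptions (not from the post): Cloudflare's resolver address and the
# hostname on its certificate. Port 853 is the DNS-over-TLS port from RFC 7858.
DOT_RESOLVER = ("1.1.1.1", 853)
DOT_SERVER_NAME = "cloudflare-dns.com"


def build_query(name, qtype=1):
    """Build a minimal RFC 1035 query for `name` (type A by default)."""
    txid = secrets.token_bytes(2)                                  # random, unguessable ID
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)      # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)           # QCLASS IN


def to_tcp_mode(msg):
    """TCP/TLS framing: 2-byte big-endian length prefix (RFC 1035 section 4.2.2)."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def from_tcp_mode(buf):
    """Split one length-prefixed message off `buf`; return (message, remainder)."""
    if len(buf) < 2:
        raise ValueError("need the 2-byte length prefix first")
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        raise ValueError("incomplete DNS message")
    return buf[2:2 + n], buf[2 + n:]


def fit_for_udp(resp, max_size=512):
    """Classic UDP answers are capped at 512 bytes: truncate and set the TC bit so
    the client knows to retry over TCP instead of trusting a cut-off answer."""
    if len(resp) <= max_size:
        return resp
    cut = bytearray(resp[:max_size])
    cut[2] |= 0x02                                                 # TC flag, first flags byte
    return bytes(cut)


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (TLS is a stream, not a datagram)."""
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        data += chunk
    return data


def forward_over_tls(udp_msg, resolver=DOT_RESOLVER, server_name=DOT_SERVER_NAME):
    """Send one UDP-mode query to the resolver over TLS and return the UDP-mode reply."""
    ctx = ssl.create_default_context()                             # verifies the resolver's certificate
    with socket.create_connection(resolver, timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(to_tcp_mode(udp_msg))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)


def serve(listen=("127.0.0.1", 53)):
    """The UDP front end from the post (binding port 53 needs root; use 5353 otherwise)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            query, client = udp.recvfrom(4096)
            try:
                reply = forward_over_tls(query)
            except (OSError, ValueError) as exc:
                print("forwarding failed:", exc)
                continue
            udp.sendto(fit_for_udp(reply), client)


if __name__ == "__main__":
    serve()
```

Note that `ssl.create_default_context()` does the certificate check against the resolver's name; skipping that would leave the encrypted channel with nobody on the other end you can vouch for, which is the authentication half of the problem the post opens with.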
For a total of a few minutes it looked awesome, as I stared at the output of the traffic analyzer and saw nothing but encrypted mush. Then the euphoria wore off, and reality took its revenge.
You see, the internet was built on the basics of friendship and collaboration, so its lower levels are all still a septic cesspool held together by trust and twisted wire cuttings, and whatever secure protocols are there still leak like a sieve.
So secured DNS added almost no extra privacy - the domain names you are so cleverly trying to hide are still sent in plain text in the *handshake* part of HTTPS...
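To see the leak the post describes, here is an added example (not the author's code) that builds a minimal TLS 1.2 ClientHello carrying the Server Name Indication extension and then reads the hostname straight back out of it, the way anything on the path can. The DNS query to the resolver is hidden, but the browser's next step, a TLS connection to the site it just looked up, announces that site's name in this unencrypted first message. The record is constructed here (zeroed random, one cipher suite), and the function names are assumptions.

```python
import struct


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record; SNI is added when a name is given.
    This is a constructed sample, not a capture."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(host)) + host            # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0, len(name_list)) + name_list  # extension type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                                # client_version 1.2, random (zeros here)
            + b"\x00"                                              # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                   # one cipher suite
            + b"\x01\x00"                                          # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record):
    """Return the plaintext server_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:                       # not a handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                                    # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 34                                                         # version (2) + random (32)
    p += 1 + body[p]                                               # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]                 # cipher_suites
    p += 1 + body[p]                                               # compression_methods
    if p + 2 > len(body):
        return None                                                # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if etype == 0:                                             # server_name extension
            q = p + 2                                              # skip the list length
            while q + 3 <= p + elen:
                ntype, nlen = struct.unpack("!BH", body[q:q + 3])
                q += 3
                if ntype == 0:
                    return body[q:q + nlen].decode("ascii")
                q += nlen
        p += elen
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("on the wire, before any encryption:", extract_sni(hello))
```

The same parse is what a network monitor or a filtering middlebox runs, which is exactly why hiding the DNS query alone buys so little; the fix has to come from the TLS handshake itself.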
This problem, in turn, is being solved in TLS version 1.3, which is still a draft and by itself bangs against a lot of the internet's thoughtful features that have rusted shut and had tunnels cut through them.
Still, progress is being made, step by little step, towards making this damn sieve waterproof one privacy-leaking hole at a time.
TL;DR: You tap your screen and stuff appears. A horrifying amount of scarily complex stuff is behind making that magic happen.