   26.04.2018 - The leaky sieve of the internet

So today I came across RFC 7858, which describes how to do DNS over TLS (aka HTTPS).

Since DNS is one of the last major protocols without a secure version of itself (meaning all your requests and responses are in plain text and not authenticated), I found it rather interesting. Turns out it's as simple as connecting to the resolver's port 853 with TLS and sending a TCP-mode DNS request.

Naturally, I quickly put together a proxy-like thingy that listens on UDP port 53 on localhost, takes the DNS requests, converts them to TCP mode and forwards them over TLS to Cloudflare's brand spanking new secure resolver, then converts the result back and returns it.
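The forwarder described above, written out as an added example (this is not the author's code): it listens on a local UDP port, adds the 2-byte big-endian length prefix that RFC 1035 section 4.2.2 requires for DNS over TCP, sends the framed query over TLS to port 853 as RFC 7858 specifies, and strips the prefix from the reply. Assumptions: the resolver is 1.1.1.1 with certificate name cloudflare-dns.com, the listener uses port 5353 rather than 53 so it runs unprivileged, and the `connect` hook is a hypothetical parameter that exists only so the framing can be exercised without a network.

```python
"""UDP -> DNS-over-TLS forwarder (added example, not the post's own code)."""
import socket
import ssl
import struct

RESOLVER_HOST = "1.1.1.1"             # assumed: Cloudflare public resolver
RESOLVER_NAME = "cloudflare-dns.com"  # assumed: name on the resolver's certificate
RESOLVER_PORT = 853                   # DNS-over-TLS port from RFC 7858


def udp_to_tcp_mode(msg: bytes) -> bytes:
    """Wrap a UDP-mode DNS message for TCP/TLS transport: 2-byte length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def tcp_to_udp_mode(data: bytes) -> bytes:
    """Strip the length prefix, refusing frames whose prefix and payload disagree."""
    if len(data) < 2:
        raise ValueError("truncated TCP-mode DNS message")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != length:
        raise ValueError(f"length prefix {length} does not match payload {len(data) - 2}")
    return data[2:]


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TCP may split the frame)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def forward_query(query: bytes, connect=None) -> bytes:
    """Send one UDP-mode query over DoT and return the UDP-mode answer.

    `connect` (hypothetical test hook) returns a connected socket-like object.
    By default a real TLS connection is opened; create_default_context verifies
    the resolver's certificate chain and hostname, which is what makes the
    channel authenticated and not merely encrypted.
    """
    if connect is None:
        ctx = ssl.create_default_context()

        def connect():
            raw = socket.create_connection((RESOLVER_HOST, RESOLVER_PORT), timeout=5)
            return ctx.wrap_socket(raw, server_hostname=RESOLVER_NAME)

    with connect() as tls:
        tls.sendall(udp_to_tcp_mode(query))
        hdr = recv_exact(tls, 2)
        (length,) = struct.unpack("!H", hdr)
        body = recv_exact(tls, length)
    return tcp_to_udp_mode(hdr + body)


def serve(listen=("127.0.0.1", 5353)):
    """Loop forever: one DoT connection per UDP query (simple, not fast)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    while True:
        query, client = udp.recvfrom(4096)
        try:
            udp.sendto(forward_query(query), client)
        except (OSError, ValueError) as exc:
            print(f"dropping query from {client}: {exc}")


if __name__ == "__main__":
    serve()
```

Point the system resolver at 127.0.0.1:5353 (or run as root on 53 as the post did) and queries leave the machine only inside TLS. Note what the certificate check buys: without `create_default_context` the proxy would happily talk to anyone answering on 853, so the "authenticated" half of the post's complaint would still be unsolved.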

For a total of a few minutes it looked awesome, as I stared at the output of the traffic analysis and saw nothing but encrypted mush. Then the euphoria wore off, and reality took its revenge.

You see, the internet was built on the basis of friendship and collaboration, so its lower levels are all still a septic cesspool held together by trust and twisted wire cuttings, and whatever secure protocols are there still leak like a sieve.

So the secured DNS added almost no extra privacy: the domain names you are so cleverly trying to hide are still sent in plain text in the *handshake* part of HTTPS...

This problem, in turn, is being solved in TLS version 1.3, which is still a draft and by itself bangs against a lot of the internet's thoughtful features that got rusted shut and had tunnels cut through them.

Still, progress is being made, step by little step, toward making this damn sieve waterproof one privacy-leaking hole at a time.

TL;DR: You tap your screen and stuff appears. A horrifying amount of scarily complex stuff is behind making that magic happen.


  ADSE 0.9.3   2005-2023