zlacker

[return to "Why does 1.1.1.1 not resolve archive.is?"]
1. nindal+K6[view] [source] 2019-10-04 07:08:50
>>stargr+(OP)
This link and the two answers within demonstrate something important, broader than the DNS related issue at hand.

Both make implicit assumptions. One assumes the worst of Cloudflare and thinks “what’s the worst reason Cloudflare could have for doing this. How do they profit off this?” And the other assumes that Cloudflare has good intentions.

Neither answer is technically wrong. Both flow logically from their initial assumptions. But it shows how different our conclusions can be depending on where our initial biases lie. For the person who believes the first answer and says “prove to me that Cloudflare isn’t doing something nefarious”, it’s not possible. The analysis is correct and can’t be challenged unless the initial assumption is challenged. And for people who strongly believe that Cloudflare has bad intentions, nothing can be done to change their mind.

In this example it’s Cloudflare but it applies to any person or organisation that we feel strongly about.

◧◩
2. chesch+F8[view] [source] 2019-10-04 07:34:53
>>nindal+K6
The second one is not an assumption, it's Cloudflare's official position. For a person who is against Cloudflare, I feel like this would only serve to reinforce the confirmation bias as there's seemingly no person except a Cloudflare employee willing to step up and defend the action.

So, yes, good observation.

◧◩◪
3. nindal+k9[view] [source] 2019-10-04 07:44:53
>>chesch+F8
Arguably, no one except a Cloudflare employee could know the reason why they took this decision. A random person speculating “maybe they did this for privacy reasons” doesn’t strike me as better than Cloudflare saying “we did this for privacy reasons”.

And while the second answer is a statement, not an analysis the rest of what I said holds. You will only accept their statement as the truth if you assume good intent of them.

◧◩◪◨
4. 113+s9[view] [source] 2019-10-04 07:47:09
>>nindal+k9
Corporations operate for profit.
◧◩◪◨⬒
5. tedk-4+Q9[view] [source] 2019-10-04 07:52:05
>>113+s9
Indeed - but there are other ways to make money than to sell of your personal information to the highest advertising bidder.
◧◩◪◨⬒⬓
6. jgraha+ob[view] [source] 2019-10-04 08:11:25
>>tedk-4+Q9
Such as, in Cloudflare's case, selling our service (the DDoS protection, the caching, the firewalling etc.) to companies that pay for that service because it helps them.

While at the same time working to preserve people's privacy with things like giving out SSL for free, pushing for eSNI, running a public DoH server, building a service that makes sure all data from your phone to us is encrypted etc. etc.

◧◩◪◨⬒⬓⬔
7. cnst+0i[view] [source] 2019-10-04 09:49:33
>>jgraha+ob
It's been shown that Cloudflare's DoH service is a lot ado about nothing, and is actually worse for privacy, not better:

* https://news.ycombinator.com/item?id=21071022

Likewise for 1.1.1.1 — when taking into consideration the local caching appliances that the ISPs have invested in, the lack of ECS would make the clients go all the way through the internet for the same content that's already cached locally by the ISP for users of all other decent resolvers — this will only contribute to increased costs for the individual ISPs, extra latency for users, and more competitive advantage of your products due to you diminishing the technological advantages of your competitors, without regard to the actual user experience of the users, or the reliability and scaling of the internet infrastructure at large.

Not to mention that such Netflix/YouTube usage, when going directly through transit providers and through the whole internet, would also subject the users to a greater chance of surveillance at large compared to users of resolvers that would access local copies on the caching appliance.

◧◩◪◨⬒⬓⬔⧯
8. andrea+sg1[view] [source] 2019-10-04 17:31:55
>>cnst+0i
It has been argued, I wouldn't say that it has been shown. Both my ISPs operate a DNS blacklist. So did my previous ISPs, in the country I previously lived in. And in a third country, where I was on holiday. ISPs even in the USA are gnashing their teeth at the prospect of losing visibility into DNS. Why would they care if they weren't using that data? Why do they need a subscriber -> [domain] mapping? Routing tables don't care about domain names. Edge caching of web content doesn't work with https. I might care about DNS caching if the ISPs haven't demonstrated time and again that they will abuse my privacy for a buck, after I've already paid them for the privilege.

I trust Cloudflare much more than I trust any ISP I've had to deal with, including American ISPs when I lived there. I trust Google much more than any ISP, and I'm not particularly charitable towards Google.

Centralized DoH isn't perfect, but it's better than the status quo. The SNI hole is shrinking. My threat model does not include defending against the Mossad doing Mossad things with my email^H^H^H^H^HDNS[1].

[1] https://www.usenix.org/system/files/1401_08-12_mickens.pdf

[go to top]