Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> Much of the web is moving over to https

Yes, but US consumer ISPs, to the best of my understanding, still have this nasty habit of tracking and injecting code whenever they feel like it. HTTP is still a thing.

Also, if the point is to avoid an ISP snooping on metadata for profiling, HTTPS adoption is good, because it encrypts real session data, but it does not stop data collection.

Remember that DNS goes in the clear, until browser and OS vendors decide to turn on DNS over HTTPS by default on consumer devices. The ISP industry, being assholes, have already started to make DoH appear somehow controversial, and they're probably going after google on antitrust grounds. [1] [2]

But even with DoH, we're still going to be stuck with SNI, which spells out the target domain of every HTTPS connection in the connection metadata. And whenever encrypted SNI is in place, services on the internet that aren't behind a CDN are still going to have identifiable IP addresses.

That's user data perfect for profiling and reselling.

So, to really give ISPs the finger, the user must use a VPN.

> VPNs are hit-or-miss on whether they route DNS requests

Major consumer VPNs, even clowns like NordVPN, have gotten pretty good at ensuring sane confs in their provided clients. I wouldn't rely on their kill switches etc for serious opsec, but it's enough to give the finger to an ISP.

On the other hand, the point of a VPN router is precisely to have everything go over a tunnel, including DNS.

It's not ideal to tunnel everything, but it's up to US consumers to make that choice. My suggestion would be to campaign to drive up VPN use on consumer broadband connections, just to fuck with the ISPs.

> That, and you're trusting the VPN to not sell your data.

This is an important point, and also why one would choose a VPN that relies on a reputation of not selling data.

> Browser fingerprinting is still an arms race, but if you're actually concerned about something, either do whatever Torbrowser does or use the most popular iPhone.

Yes, it's an arms race, and the point is to make life as hard as possible for the tracking industry. Nothing is perfect.

Tracking cookies don't go anywhere in a convenient to use browser setup, despite the shoddy claims from clowncar VPN companies.

While Tor is great, it's slow and not advisable as a daily driver browser connected to the user's normal online identities. For most users, sane use of Tor Browser would be special purposes, like researching medical concerns you don't want tracking companies to connect to you, and similar.

1 - https://arstechnica.com/tech-policy/2019/09/isps-worry-a-new...

2 - https://crsreports.congress.gov/product/pdf/IN/IN11182



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: