Netizens who reside in the meatspace known as the US, take note.

Https:// can help.

ONI-DoH encrypts your DNS requests to a server in Amsterdam that keeps no logs, which will at the very least make mass collection of web browsing history very difficult.

Also, I was working on a resilient-backbone Cyberian VPN service, but it was shelved due to time constraints.

Time to rethink that and get it moving again.

Cyberpunk 2020 was an accurate prediction.

@thegibson Man... I was having a nice day. At least my senators voted against this idiocy. Can I help? It really feels like WireGuard is the right protocol... but how do you ensure good performance and defray the egress costs for your endpoints?

@TheGibson Thanks for setting this up, but I hope you won't mind if I regret the necessity; I'm going to miss being able to block ads using /etc/hosts. 😔

@starbreaker I understand.

FWIW, this blocks malicious sites and ads through pihole lists... I am trying to help as best I can.

@thegibson Hey @silverwizard, what's your take on this project as my go-to paranoid person?

@hypolite @silverwizard

Exit is in a datacenter in Amsterdam. GDPR is good for what we are doing.

No logging, and as such no data retention.

@hypolite @silverwizard @thegibson Thanks for the elaboration. As a rule of thumb, I do not believe "no log" claims from third parties because I cannot verify them, and even if it were true at some point, it could change without notice.

Furthermore, this seems to be trading a centralized system for another. Trading an evil I know for a potential evil I don't. It might be well intended, but I still need more information to build trust.

@hypolite @silverwizard

Then roll your own, the instructions are out there.

I don’t bank on trust either, I get that.

@thegibson @hypolite Does rolling your own solve the problem? Isn't one of the major value-adds of this that many people are putting their traffic through it disguising what traffic is you?

@silverwizard @hypolite I agree that additional entropy is a bonus, but you could roll your own and put it outside of jurisdiction.

@hypolite @thegibson My general rule is "DoH is dangerous by default"

It trades on-the-wire encryption for *a lot* of extra data sent to the provider. And if you are concerned that your ISP is evil, I have bad news about your ISP having CAs and the ability to lie to you about what IP you've connected to.

It's a problem where DoH requires a specific kind of paranoia that I can't get behind. Trying to use a less evil DoH server doesn't make me feel safer (though it definitely stops most of the day-to-day abuses of DoH; my solution is to use an ISP I trust, which is a luxury, and also to block all DoH traffic proactively). In fact, it just moves the trust to the actors I trust least, generally.

But this is very much a partisan stance on the DoH issue. If you're in a space where DoH has to exist, this is better.

It's like when people offer me workarounds to problems in systemd: sure, they make the problem better, but they still let the root problem exist, and I'd prefer to put my energy toward fighting the root problem.

@hypolite @silverwizard @thegibson The specific issue here is the FBI getting US private browsing data warrantlessly and opting out of it. But yeah, it would force me to trust a smaller provider.

@hypolite @thegibson Yeah, I generally recommend using DoT in places where you can, with DNSSEC. But yeah, the point is that I don't *trust* the providers who want to cheat with DNS not to intercept all kinds of DNS traffic, which is annoyingly possible to MitM. DoT is only trustworthy if you explicitly minimize your trusted cert, rather than just trust the pool of CAs.

@hypolite @thegibson Oh yeah, people don't have to use your DNS lookups to get your history.

"Did connection to DNS, then connected to a Google IP"
"Did a connection to DNS, then connected to an Amazon IP in the AWS block"

Evil logs are really easy to make evil
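The inference silverwizard sketches above, worked through as an added example (this is not code from the thread or from ONI-DoH): given only flow metadata (who talked to which IP, when), pair each contact with the resolver against the next outbound connection from the same client and label the destination by its owner's published address block. No DNS query content is needed, so encrypting the lookups does not hide the pattern. The resolver address, the two organisation blocks and the flow records are all constructed for illustration; the 2-second pairing window is an assumed tuning value.

```python
"""
Reconstruct a client's likely browsing history from flow metadata alone.

Added example, not code from the thread. Everything below (resolver address,
organisation blocks, flow records) is constructed; real ISP flow exports and
BGP/WHOIS tables look the same but are much larger.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the resolver the client uses. Whether it is DoH, DoT or plain
# UDP/53 does not matter; we only need to see the client talk to it.
RESOLVER = ip_address("198.51.100.53")

# Constructed: a tiny "who owns this block" table. Large providers' blocks
# are public knowledge, which is what makes the inference cheap.
ORG_BLOCKS = [
    (ip_network("203.0.113.0/24"), "Google"),
    (ip_network("192.0.2.0/24"), "Amazon (AWS)"),
]


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since some epoch
    src: str    # client IP
    dst: str    # destination IP
    dport: int  # destination port


# Constructed NetFlow-style export for one client.
FLOWS = [
    Flow(100.0, "10.0.0.7", "198.51.100.53", 853),  # DoT to the resolver
    Flow(100.4, "10.0.0.7", "203.0.113.10", 443),   # ...then a Google IP
    Flow(130.0, "10.0.0.7", "198.51.100.53", 853),
    Flow(130.9, "10.0.0.7", "192.0.2.44", 443),     # ...then an AWS IP
    Flow(200.0, "10.0.0.7", "192.0.2.45", 443),     # no lookup first (cached)
    Flow(300.0, "10.0.0.7", "198.51.100.53", 853),
    Flow(305.0, "10.0.0.7", "203.0.113.10", 443),   # 5 s later: outside window
]


def org_for(ip):
    """Return the organisation owning `ip`, or None if it is in no known block."""
    addr = ip_address(ip)
    for net, org in ORG_BLOCKS:
        if addr in net:
            return org
    return None


def infer_history(flows, resolver=RESOLVER, window=2.0):
    """
    Pair each resolver contact with the next connection from the same client
    within `window` seconds. Returns a list of (ts, client, dst_ip, org).
    Each lookup is consumed by at most one connection, so a later connection
    with no fresh lookup (e.g. a cached name) is not attributed.
    """
    pending = {}   # client -> timestamp of its most recent resolver contact
    history = []
    for f in sorted(flows, key=lambda f: f.ts):
        if ip_address(f.dst) == resolver:
            pending[f.src] = f.ts
            continue
        t = pending.get(f.src)
        if t is not None and 0.0 <= f.ts - t <= window:
            history.append((f.ts, f.src, f.dst, org_for(f.dst)))
            del pending[f.src]
    return history


def describe(history):
    """Render pairings in the form used in the thread."""
    return [
        f"{ts}: {client} did a connection to DNS, then connected to "
        f"{'a ' + org if org else 'an unknown'} IP ({dst})"
        for ts, client, dst, org in history
    ]


if __name__ == "__main__":
    for line in describe(infer_history(FLOWS)):
        print(line)
```

The window is the weak point of the technique, not a strength of the defence: on a busy client, a wider window pairs lookups with the wrong connection, while a narrower one misses slow handshakes. Either way, the defence silverwizard is pointing at is not "encrypt the lookups" but "don't let the observer see both the lookup and the connection", which is why a VPN exit or shared resolver mixes traffic in a way a personal DoH setup does not.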
