What’s stopping your PiHole or DNS adblocker from functioning as a MITM proxy? You’d just terminate HTTPS at the PiHole and perform the filtering there, right?
Regardless, it’s a tiny thing to give up for more privacy.
Running a MITM HTTPS proxy means running a CA, means the proxy gets to decide what to do about certificate errors instead of the client, means maintaining a whitelist of sites that can't be MITM'd, means segregating all the devices that I can't put a CA signing certificate on, and is just in general an ugly thing that should be avoided wherever possible.
Mozilla's method of implementing this has also created a blueprint for malware to avoid network-level detection.
I don't like it. In my view, what's being given up is significant and the privacy gain minimal.
(Right now, Mozilla has a DNS-based killswitch, but how long until all the 'bad actors' Mozilla is targeting have implemented it? I know of one public DNS provider already doing that. They'll take away the killswitch, then all the 'bad countries' will force their populations to install MITM certificates [along with the UK] and the world is going to end up worse off thanks to Mozilla)
Thanks. I was also thinking... how does DoH prevent an ISP from spying on you? Even though the DNS requests and responses are encrypted, content requests are still routed via the ISP, right?
So the ISP still has a log of which IPs you’ve visited. They can resolve this back to site names and get the same information on you they had before.
I hate to respond to low-effort snark but will do so here to remind people that Google's plan doesn't default you to Google's servers, will honor your own nameservers, and will upgrade you to DoH if any of those servers support it. It's really hard to see what more you could ask for.