> If you use the nextdns DoH provider in Firefox you can actually configure your own adblocking domains even when you're moving around across networks.
Uh. Doesn't this prove that Firefox's DOH implementation is sending strong per-user identifying information to the server?
If you configure a personal NextDNS URL as the DoH provider then unsurprisingly NextDNS will know that URL was used, and personalise things accordingly.
If you use Firefox's defaults but pick NextDNS from the list, you don't get personalisation as NextDNS has no idea who you are.
A nice thing about DoH here: For DNS over TLS NextDNS has to hide the configuration ID in the hostname, which as a result is revealed in SNI, but for DoH they can put it in the path and so it is encrypted like everything else.
> ...for DoH they can put it in the path and so it is encrypted like everything else.
Wait: You mean to say URLs are encrypted? I thought not. There must be a reason why GET requests aren't used for secret-sharing, for instance, as opposed to POST. What am I missing?
The scheme will always be HTTPS and that isn't sent anywhere but it's implied.
The userinfo (often empty) is encrypted and delivered to the server. This could be login credentials but in the modern web it's largely unused.
The hostname someserver.example is delivered to the server unencrypted using SNI (Server Name Indication) before encryption switches on. This is used to enable virtual hosting - the server may behave differently depending on which name you want. The Encrypted SNI work (eSNI) at the TLS Working Group intends to standardise a way to encrypt this information - note that if your IP address only serves one single web site the hostname doesn't give much extra away, so eSNI is mostly of interest to bulk hosts, the cloud and so on.
The port 1234 is not delivered anywhere but it's implied since the connection will use this TCP port.
The path /foo/search is encrypted; this is the part NextDNS uses to distinguish one customer from another if you use their custom URLs rather than the built-in default in Firefox.
The query parameters ?term=goose are encrypted.
The fragment identifier #egg is not sent to the server; it is used only locally in the browser engine itself.
The reason you shouldn't design web sites to use GET for secrets is that the URL ends up in the user's URL bar and gets bookmarked or shared with friends.
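As an added illustration of the breakdown above (example code, not from the thread), this Python snippet classifies each component of an HTTPS URL by who can observe it, and checks whether a per-user resolver ID embedded in a URL is readable on the wire, mirroring the DoT-hostname versus DoH-path contrast earlier in the thread. The URLs, hostnames and the `abc123` ID are constructed placeholders.

```python
"""Classify which parts of an HTTPS URL an on-path observer can see (no eSNI/ECH)."""
from urllib.parse import urlsplit

# Exposure classes, following the thread's breakdown.
ON_PATH_VISIBLE = "observable on the wire"     # implied by TCP/TLS or sent in SNI
TLS_PROTECTED = "encrypted inside TLS"         # server sees it, the network does not
NEVER_SENT = "never leaves the client"         # browser-local only


def classify_url(url: str) -> dict:
    """Return {component: (value, exposure)} for every component present in url."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https:// URLs are analysed here")
    result = {
        # Scheme is not sent as text, but a TLS handshake is plainly observable.
        "scheme": (parts.scheme, ON_PATH_VISIBLE),
        # SNI carries the hostname in the clear in the TLS ClientHello.
        "hostname": (parts.hostname, ON_PATH_VISIBLE),
        # Port is the TCP destination port, visible in every packet header.
        "port": (parts.port or 443, ON_PATH_VISIBLE),
        # Path is part of the HTTP request, which travels inside the TLS record.
        "path": (parts.path or "/", TLS_PROTECTED),
    }
    if parts.username is not None:
        result["userinfo"] = (parts.username, TLS_PROTECTED)
    if parts.query:
        result["query"] = (parts.query, TLS_PROTECTED)
    if parts.fragment:
        result["fragment"] = (parts.fragment, NEVER_SENT)
    return result


def network_visible(url: str) -> set:
    """Component names an observer between client and server can read."""
    return {k for k, (_, exp) in classify_url(url).items() if exp == ON_PATH_VISIBLE}


def server_visible(url: str) -> set:
    """Component names the server learns (everything except the fragment)."""
    return {k for k, (_, exp) in classify_url(url).items() if exp != NEVER_SENT}


def per_user_id_exposed(url: str, user_id: str) -> bool:
    """True if a per-user ID embedded in the URL is readable on the wire.

    An ID placed in the hostname (DoT style) leaks via SNI; an ID placed in
    the path (DoH style) stays inside TLS. The ID values are constructed.
    """
    return any(user_id in str(value)
               for value, exp in classify_url(url).values() if exp == ON_PATH_VISIBLE)
```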