[conspire] Internet Privacy: today's vote and measures to take
Daniel Gimpelevich
daniel at gimpelevich.san-francisco.ca.us
Wed Mar 29 08:45:48 PDT 2017
On Tue, 2017-03-28 at 18:36 -0700, Rick Moen wrote:
> 3. Stop giving your ISP so much personal data. The biggest measure
> you can take in this area -- and I keep saying it and you guys mostly
> ignore it -- is to stop using ISP recursive nameservers. Good local
> recursive nameservers like Unbound improve your network performance
> and
> security, while requiring _no_ administration.
> http://linuxmafia.com/faq/Network_Other/dns-servers.html#unbound
This measure only makes sense in conjunction with not passing any
unencrypted data, i.e. HTTP instead of HTTPS, and before recommending
any automated way to migrate from HTTP to HTTPS, it must be noted that
HTTPS still breaks many sites that work fine on HTTP.
Given these URLs:
1) http://www.foo.com/bar/quux.html
2) https://www.foo.com/bar/quux.html
Using your ISP's nameservers, your ISP will see something like:
1) http://www.foo.com/bar/quux.html
2) https://www.foo.com/CO1U23ksuaWSfTaaCmIwKG8L8F829sqlkXEK9YpswWxyZ7ue
If you don't use their nameservers, they will instead see:
1) http://www.foo.com/bar/quux.html
2) https://23.23.132.56/CO1U23ksuaWSfTaaCmIwKG8L8F829sqlkXEK9YpswWxyZ7ue
The #1 above is not http://23.23.132.56/bar/quux.html because the
www.foo.com part is also sent as an HTTP header.
More information about the conspire
mailing list