[conspire] Internet Privacy: today's vote and measures to take

Daniel Gimpelevich daniel at gimpelevich.san-francisco.ca.us
Wed Mar 29 08:45:48 PDT 2017


On Tue, 2017-03-28 at 18:36 -0700, Rick Moen wrote:
> 3.  Stop giving your ISP so much personal data.  The biggest measure
> you can take in this area -- and I keep saying it and you guys mostly
> ignore it -- is to stop using ISP recursive nameservers.  Good local
> recursive nameservers like Unbound improve your network performance
> and security, while requiring _no_ administration.
> http://linuxmafia.com/faq/Network_Other/dns-servers.html#unbound

This measure only makes sense in conjunction with not passing any
unencrypted data, i.e. HTTP instead of HTTPS, and before recommending
any automated way to migrate from HTTP to HTTPS, it must be noted that
HTTPS still breaks many sites that work fine on HTTP.

Given these URLs:
1) http://www.foo.com/bar/quux.html
2) https://www.foo.com/bar/quux.html

Using your ISP's nameservers, your ISP will see something like:
1) http://www.foo.com/bar/quux.html
2) https://www.foo.com/CO1U23ksuaWSfTaaCmIwKG8L8F829sqlkXEK9YpswWxyZ7ue

If you don't use their nameservers, they will instead see:
1) http://www.foo.com/bar/quux.html
2) https://23.23.132.56/CO1U23ksuaWSfTaaCmIwKG8L8F829sqlkXEK9YpswWxyZ7ue

The #1 above is not http://23.23.132.56/bar/quux.html because the
www.foo.com part is also sent as an HTTP header.
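The two scenarios in this message, and the quoted advice about resolvers, as an added example that is not code from the post or from the list: it reads a resolv.conf-style configuration, treats any nameserver outside loopback and LAN ranges as the ISP's (an assumption), and reports which parts of a URL reach the ISP in the clear under the rules stated above. The configurations and resolver addresses are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges assumed to belong to a resolver on this machine or its LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_resolvers(resolv_conf):
    """Nameserver addresses from resolv.conf-style text; '#' and ';' comments are skipped."""
    addrs = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            addrs.append(ipaddress.ip_address(parts[1]))
    return addrs

def uses_isp_resolver(resolvers):
    """True if any configured nameserver lies outside LOCAL_NETS (assumed: the ISP's)."""
    return any(not any(r in net for net in LOCAL_NETS) for r in resolvers)

def isp_visible(url, resolv_conf):
    """Request fields the ISP can read in the clear. The destination IP is always
    visible and is not listed. The DNS query exposes the hostname only when the
    resolver is the ISP's and the host is not an IP literal; the Host header and
    the path are exposed only over plain HTTP."""
    u = urlsplit(url)
    host = u.hostname
    seen = {"dns_query": None, "host_header": None, "path": None}
    try:
        ipaddress.ip_address(host)
        is_literal = True          # no lookup happens, so no resolver sees a name
    except ValueError:
        is_literal = False
    if not is_literal and uses_isp_resolver(parse_resolvers(resolv_conf)):
        seen["dns_query"] = host
    if u.scheme == "http":
        seen["host_header"] = host     # plaintext header, so the name is visible anyway
        seen["path"] = u.path or "/"   # plaintext request line
    return seen

# Constructed sample configurations (placeholder addresses, not real resolvers).
ISP_RESOLV = "# handed out by DHCP\nnameserver 192.0.2.53\n"
LOCAL_RESOLV = "nameserver 127.0.0.1   ; e.g. a local Unbound instance\n"
```

Running `isp_visible` over the two URLs from the message with each configuration reproduces the four cases listed above.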
