[deleted]
Comment on Firefox rolls out ECH enabled by default in 118
r00ty@kbin.life 1 year ago
So, currently when you visit a https secured website the initial request to the server is not encrypted. I suspect the reason for this is that say you run a web server on 1.2.3.4. But there's 4 different websites hosted on that server each with their own SSL/TLS keys.
The server doesn't have a way to know which keys/certificates to use until it knows what site you want to access. So, the initial request is encrypted with a server key, and that server key is fetched via DNS over HTTPS.
Now, here's the question. Why MUST it be DoH? For email, DKIM, SPF and DMARC settings (including public keys) are configured using standard DNS (with DNSSEC). Why do they not allow DNSSEC AND/OR DoH?
Other than that weird limitation, I think it's a good thing.
AProfessional@lemmy.world 1 year ago
lemmyvore@feddit.nl 1 year ago
Hold on, these are orthogonal technologies.
DNSSEC signs DNS records so you know they’re genuine and come straight from the authoritative nameservers for the domain.
DoH encrypts DNS traffic so nobody can eavesdrop on what domains you connect to, and masks it as HTTPS traffic so providers can’t block it to force you to use their nameservers.
r00ty@kbin.life 1 year ago
Actually, that's a pretty decent explanation of why they only want to use DoH. Makes sense to me now, cheers.
lemmyvore@feddit.nl 1 year ago
It is encrypted. This actually used to be a problem. It was impossible to host multiple different domains on the same IP over HTTPS for this exact reason. Chicken and egg: couldn’t get the domain from the host header without completing the encryption handshake, but to do that you had to know which domain’s certificate to use.
To solve the problem they came up with a TLS extension called SNI that indicates the certificate during handshake.