* Posts by Ben Tasker

2250 publicly visible posts • joined 23 Oct 2007

Freebie tier coming to issue-tracking Jira, but you'll have to cough up to unlock the good stuff

Ben Tasker

> tickets struck in the wrong status are apparently a site problem, not a Jira problem

Technically that's true.

JIRA lets you amend/modify workflows, including what statuses a ticket of a given type is allowed to transition to from other statuses.

So, if someone's set up

In Progress -> Fuck it can't be arsed

And not allowed

In Progress -> Done

Then you're going to get a bunch of tickets in "Fuck it can't be arsed" rather than "Done". Technically that's the fault of whoever set it up, not JIRA itself.

The wisdom of JIRA letting you shoot yourself in the foot in that manner, though, is something else.

My JIRA install's always worked well for me, but the crucial bit is, I do not change the default flows/settings. I've been places where JIRA's been a nightmare, though, and without fail someone's always "improved" the workflows in some way and made life hell for all the other users.

It's using the right tool for the right job though; sometimes JIRA just isn't the right tool.

Tempted to play with that Chinese Zao app for deep-fake frolics? Don't bother if you want to keep your privacy

Ben Tasker

Re: Might be a good time to start reading those EULAs

> If someone doesn't believe in something to the extent that they are willing to go to prison for it, that should tell you something.

Conversely, believing that *anyone* is willing to go to jail in order to protect *you* is one of the biggest mistakes you can make.

The problem you tend to find is that no matter how strongly someone thinks they believe in something, when they're actually facing the prospect of prison, they may well find they don't believe in it quite so strongly after all.

If anything, I'd be more wary of someone with your claim than someone without. It indicates a certain naivety, and suggests their lack of experience might lead to them being more likely to make mistakes than someone who's a bit better grounded in reality.

Allowlist, not whitelist. Blocklist, not blacklist. Goodbye, wtf. Microsoft scans Chromium code, lops off offensive words

Ben Tasker

Re: Programming and computers as a casualty

Does that light-headedness lead to you thinking about a wankel?

Tesla Autopilot crash driver may have been eating a bagel at the time, was lucky not to get schmeared on road

Ben Tasker

Re: It's always a firetruck

But, Tesla's systems aren't supposed to be capable of inattention?

He _should_ have been paying attention and taken over to avert it, it's true. But why do Teslas keep hitting a fairly routine obstruction?

Hell, the thing had lights flashing and Tesla uses cameras, so arguably had an advantage over LIDAR for detecting this stuff. Or perhaps that's the issue? That the intensity of the lights occludes the image slightly and Tesla fails to handle it?

Ben Tasker

> 2) how much attention could he have been paying if he didn't notice a bloody fire engine?!?!

There is still the question, though, of why the Tesla also failed to recognise it.

I'm not excusing him, one bit, but his screw-up doesn't change the fact that the Tesla seems to have missed a fairly basic/common - and highly visible - obstruction.

Ben Tasker

You keep arguing that people know what Autopilot on planes really does, and therefore wouldn't make the mistake of assuming Tesla's AP is anything but straight-and-level in a car.

Yet, we're commenting on yet another news story where a driver has ended up in a prang whilst doing something that's best explained by a belief that Autopilot would handle things for him. And not the worst example of it, at that.

You're arguing semantics whilst ignoring what's happening in the real world - if you're not capable of observing the real-world effects, why are you so convinced that the average joe public is sufficiently capable of observation to know what a plane's autopilot actually does?

To answer your reductio-ad-absurdum though, yes the passengers would likely object. But, how can you tell whether that objection is because they know what autopilot actually is, or because they perceive the crew as being there to respond to serious emergencies (which they can't do if they're pissed)?

Bus pass or bus ass? Hackers peeved about public transport claim to have reverse engineered ticket app for free rides

Ben Tasker

Still too expensive

Our local buses are run by First.

I'd still feel overcharged if they were free. It's "normal" for buses to be late, but with First it's far more common that they just don't turn up at all, because that run's been cancelled. Because they've not invested in the fleet for ages, if the bus does turn up there's a reasonable chance it's going to break down on the way and you'll be stuck waiting for a replacement to turn up and take you onwards (they won't generally let you off).

We used to have buses run by the council, and they were reasonably reliable (if not always there on time). First set up alongside them and eventually took over the lot. If you actually care about getting somewhere, taking a First Eastern bus is the very last thing you want to do.

Sounds like their investment in the app mirrors their level of investment in the fleet.

British Prime Minister Boris Johnson moves to shut Parliament

Ben Tasker

Re: So, to sum up. . .

Even assuming you're right, what exactly do you imagine is going to happen if and when they realise they've been lied to?

Of course, you're assuming there still is a leave majority, that they'd *all* mobilise and that our systems would do nothing to try and prevent the violence. None of which are likely true.

In the short term, though, that's exactly why the brexiters are trying to blame remainers, to attempt to sidestep the ire of their own supporters when it's revealed the unicorns are actually models made of shit.

It's an empty-headed threat, and one that's oh too familiar from the current crop of Brexit supporters.

GIMP open source image editor forked to fix 'problematic' name

Ben Tasker

Re: The name Glimpse discriminates against people who are unable to see

I felt sure Urban Dictionary would have some offensive use of Glimpse, but sadly the closest (and I wouldn't say it was offensive) is Glimple: https://www.urbandictionary.com/define.php?term=Glimple

> When you get a glimpse of nipple...

There once was a biz called Bitbucket, that told Mercurial to suck it. Now devs are dejected, their code soon ejected

Ben Tasker

Re: Atlassian!

I get on quite well with Jira... BUT... that's probably because I'm running an old self-hosted (and now well isolated) copy from before they decided to split out into Jira Software etc.

I have had the misfortune to use Jira cloud with the workflows "improved" by others.

So, I'm inclined to think you're right - Jira used to be a good tool and has grown into an overgrown and overbloated mess that no-one sane would willingly choose to use.

Chrome add-on warns netizens when they use a leaked password. Sometimes, they even bother to change it

Ben Tasker

Looking (quickly) at the paper, it doesn't look like it's the Reg screwing up either... they've got a table in there:

Extension users 667,716

Logins analyzed 21,177,237

Domains covered 746,853

Breached credentials found 316,531

Warnings ignored 81,368 (26%)

Passwords reset 82,761 (26%)

Reading the surrounding pages doesn't really explain anything additional relating to the left over balance either.

Friends, it's fine. Don't worry about randomers listening to your Skype convos. Microsoft has tweaked an FAQ a bit

Ben Tasker

Re: Schadenfreunde

> Yes. Your point?

The OP said the idiots who bought "these gadgets" deserved it.

Given that this affects Skype, the gadgets that Skype runs on include generic laptops, phones, desktops etc.

So, my point is, the OP is a complete prat incapable of parsing one of the Reg's simpler headlines.

Ben Tasker

Re: Schadenfreunde

What gadgets? This applies to people making Skype calls as much as it does someone talking to Cortana.

Ever made a Skype call? Then by your measure you're as much an idiot as the majority of people who'd be affected by this. Though they'd probably have managed to finish reading the headline.

Ben Tasker

Re: Old Codger

> you shouldn't have any real expectation that somebody else might not be listening in.

I don't think you should have any expectation, no, but I also don't think that means you forgo the right to complain loudly when someone is found to be listening in, particularly when it seems to be happening routinely.

In other words, you should conduct yourself as though someone were listening in, but raise holy fucking hell when you catch them doing so.

The ability to listen in is a position of power, and it's the complaints and repercussions that are used to dissuade people from misusing that power. Every time you quietly accept it, you're one step closer to getting adverts for dildos because your old lady didn't sound too into your dirty phone call.

PIN the blame on us, says Monzo in mondo security blunder: Bank card codes stored in log files as plain text

Ben Tasker

Re: Should have gone to Starling

Erm, did you miss this - https://www.fintechfutures.com/2019/01/starling-bank-gets-passport-to-security-issue-hell/

Some PINs available to staff they shouldn't be, in encrypted storage, versus we'll publish copies of your verification documents onto the internet for anyone to grab.

And don't even talk about the response. Monzo seem to have gone with "Oh shit.. fuck fuck fuck... right, that's been addressed within 24 hours". Whereas Starling's response was "We don’t regard it as a breach or an issue for the ICO".

I know which one seems to be doing security right, and it ain't Starling.

Ben Tasker

Re: Not concerned...

Nope.

Monzo uses your card's PIN (and even prompts for it as a card PIN).

Ben Tasker

Re: Not concerned...

> which is the only time the PIN is used.

Erm... you've been a Monzo customer since beta, but have you actually been *using* them?

The PIN is used quite frequently, with no access to the card required, the first 2 that spring to mind are:

- Create a new payment/SO - enter PIN into app to confirm

- Confirm/authorise an online transaction - enter PIN into app to confirm

That's not to say this issue is a major one, they've handled it very well by all accounts. It just surprised me to see you say that you only need the PIN when you're physically using the card, given just how much Monzo rely on that PIN for auth purposes.

UK parliament sends snippy letter to Zuck and his poodle Clegg as it seems Facebook has been lying again

Ben Tasker

Re: Shocked

My guess would be that the downvoters read

> just like the rest of the Libdems.

and recognised that Hartley is likely talking out of his arse.

Clegg's Lib Dems were years ago now, and there've been multiple changes in both leadership and membership.

Not to mention it does seem a little unfair to single out the Lib Dems, rather than also pointing out we've got the worst of Tory bastards in senior Government positions, and Labour's a complete and utter shit-show too, and let's not mention the company that calls itself The Brexit Party, complete with a leader who can't be deposed and lies more easily than he shits.

I mean, I downvoted for the first reason - particularly as the Lib Dems are the only party that seem to be serious about trying to stop Brexit now that it's clear what an absolutely astoundingly fucking stupid idea it is.

Omni(box)shambles? Google takes aim at worldwide web yet again

Ben Tasker

Re: www?

As well as being convention (www serves your content to the World Wide Web), there is another reason you may not want to use the base domain.

If you decide you're going to serve your content via a CDN, and will do so by creating a CNAME out to that CDN, you're going to quickly come unstuck if you try to use the bare domain.

If a CNAME exists for a label, it must be the only record for that label, so if you do

example.com. IN CNAME endpoint.cdn.provider.com

then you now cannot create MX records to receive mail etc. You'd need to have them created in your provider's DNS for endpoint.cdn.provider.com.

The alternative being that you delegate your DNS out to their resolvers, which entails trusting them a fuck of a lot more than you'd need to if you simply CNAME out a single label - www.
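A check for the CNAME-coexistence rule the post describes, as an added example that is not from the post or The Register: a small zone-record linter (the zone text, record names and parser are constructed here) that flags any label carrying a CNAME alongside other records, and flags an apex CNAME unconditionally, since the apex must carry SOA and NS records even when a snippet omits them.

```python
"""Lint DNS records for the CNAME-coexistence rule (RFC 1034 section 3.6.2):
a name that owns a CNAME may own no other record of any type."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample zone (not from the page): apex CNAMEd to a CDN alongside MX/TXT,
# and a www label CNAMEd to the same CDN on its own.
SAMPLE_ZONE = """\
; constructed example zone
example.com.         IN  CNAME  endpoint.cdn.provider.com.
example.com.         IN  MX 10  mail.example.com.
example.com.         IN  TXT    "v=spf1 mx -all"
www.example.com.     IN  CNAME  endpoint.cdn.provider.com.
mail.example.com.    IN  A      192.0.2.25
"""


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str


@dataclass
class Finding:
    name: str      # owner name that holds the CNAME
    others: list   # other record types sharing that name
    apex: bool     # True when the offending name is the zone apex


def parse_zone(text: str) -> list:
    """Parse a minimal zone-file subset: `name [ttl] [class] TYPE rdata` per line.
    ';' starts a comment. $ORIGIN/$TTL directives and multi-line records are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        name = tokens.pop(0).lower()
        if tokens and tokens[0].isdigit():                     # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"no record type on line: {raw!r}")
        rtype = tokens.pop(0).upper()
        records.append(Record(name, rtype, " ".join(tokens)))
    return records


def find_cname_conflicts(records: list, apex: str) -> list:
    """Return one Finding per owner name whose CNAME coexists with other records,
    or which is the zone apex (where SOA and NS are mandatory, so a CNAME always conflicts)."""
    apex = apex.lower().rstrip(".") + "."
    types_by_name = defaultdict(set)
    for rec in records:
        types_by_name[rec.name].add(rec.rtype)
    findings = []
    for name, types in sorted(types_by_name.items()):
        if "CNAME" not in types:
            continue
        others = sorted(t for t in types if t != "CNAME")
        is_apex = name == apex
        if others or is_apex:
            findings.append(Finding(name, others, is_apex))
    return findings


if __name__ == "__main__":
    for f in find_cname_conflicts(parse_zone(SAMPLE_ZONE), "example.com"):
        where = "zone apex" if f.apex else "label"
        print(f"{where} {f.name}: CNAME coexists with {f.others or 'mandatory SOA/NS'}")
```

Running it reports only the apex: the www label is CNAMEd on its own and passes, which is the post's point about delegating a single label rather than the bare domain.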

2015 database hack is the terrible gift that keeps giving for Slack: Tens of thousands of passwords now reset

Ben Tasker

> Indeed, though it's worth noting that at least the passwords were hashed so that's a lot of rainbow tables to generate but that's no longer so difficult on modern infrastructure.

Not exactly.

At the time (i.e. back in 2015) they believed that only password hashes had been stolen.

This latest revelation is that the attackers injected code into Slack's login page in order to filch plain text creds (i.e. as the user entered them).

2FA is almost always a wise addition though, yes

Ben Tasker

Re: Hold it

When they reset passwords last month, they also originally insisted that the credentials must've been gathered through malware and the breach was "100% not at Slack's end".

After repeated pushbacks and provision of information gathered in twitter threads like that one, they went back to investigate some more.

Now it seems it was rogue shit injected into the Slack login page at their end.

Boris Johnson's promise of full fibre in the UK by 2025 is pie in the sky

Ben Tasker

Re: What is a BloJob promise worth?

To be fair, when he said "Do or Die" he wasn't talking about his own death so much as the death of the Conservative party as a political entity.

Which is a price I'm more than willing to pay not to Brexit and screw the country up.

Amazon's bugging of homes has German boffins worried that Alexa may be an outlaw

Ben Tasker

> Just how much more would it cost to stick an extra chip into an Alexa or similar which can recognise the "wake word" before opening the external cloudy connection?

They do. It's just that it's shit at its job so has a habit of hearing a wake-word that wasn't said.

Just check out what happened here - https://www.theregister.co.uk/2018/05/24/alexa_recording_couple/ - and the explanation:

The Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customer's contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right.” As unlikely as this string of events is, we are evaluating options to make this case even less likely.

The couple in question were in another room talking about hardwood floors.

I won't have one in my house. That's not likely to change any time in the foreseeable future either.

With heroes like BT and Openreach, who needs villains? ISP lobbyists' awards continue to vex

Ben Tasker
Joke

Re: Openreach was awarded infrastructure provider of the year !

Why not? They provide (or promise to provide) more infrastructure than any other provider.

Find me the rule that says the infra has to work

JavaScript tracking punks given a thrashing by good old-fashioned server log analytics

Ben Tasker

But the likes of Matomo are heavy on the features and costly. While Matomo starts at around $59/month for its "Essential" package and 300,000 page views monthly, Netlify is $9/month for 250,000 page views a month.

Have I missed something?

Matomo is OSS and free.

They do have premium packages and whatnot, but the free version will parse your logs quite happily all the same. In fact I've used it to do just that (though not any more)

Firefox 68 arrives with darker dark mode, redesigned extensions dashboard

Ben Tasker

Re: Push notification in Android

Depends on the version of Android you've got IIRC.

I had that a while back, so I went into Manage Apps and disabled media playback notifications for Firefox.

If you're on an older version of Android which isn't that granular, you may need to just disable notifications entirely for it.

Unless it's changed, there isn't a setting within Firefox itself.

Ben Tasker
Thumb Up

In the new Firefox iOS (version 18), sites that you display in desktop view will always be in desktop view unless you switch back. A blue dot in the address bar indicates that you have the desktop site.

With the added benefit that you should stop being served narsty narsty AMP

DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers

Ben Tasker

Re: "they can't cache static content"

Not really, it's just that the model has changed. Nowadays, the ISPs partner with various CDNs to host delivery appliances on-net so that anything served by those CDNs doesn't hit their peering bandwidth (well, origin fetches aside). Because the CDNs are, to the end user, the origin of the content, they terminate SSL.

Those are also impacted by VPNs

Ben Tasker

They use DNS as a first step to block the low-hanging fruit, and then use DPI to look at SNI later on (or, if you're still on port 80, the Host header).

Ben Tasker

Re: NIMBY

Intra is DoH, while Pie's "private dns" support is DoT (i.e. tls wrapped packets to TCP 853).

Basically the difference is the protocol used.

Default is (I believe) Google's service, yes, but auto mode is different. It tries to opportunistically use DoT, so it'll try a TLS query to TCP 853 on whatever resolver it got via DHCP etc. If that fails it drops back to plain UDP 53.

That's my understanding anyway

Ben Tasker

Re: Mozilla are only partly right

I've just been catching up on mail threads and noticed this https://mailarchives.bentasker.co.uk/Mirrors/tor-talk/2019/07-Jul/msg00007.html

> Mozilla has an interest in potentially integrating more of Tor into Firefox, for the purposes of providing a Super Private Browsing (SPB) mode for our users.

Think the ISPA are upset now? Just wait until Firefox (potentially) brings Tor to the masses

Ben Tasker

Their concern is (AIUI) very much that browsers are much more of a "general" product, and so used by a greater proportion of users (as small as FF's market share as a %age might be, that's still a lot of people).

Also, it's not ultimately just going to be Firefox that supports this.

Though, if we take that first argument, Opera is a browser and I don't seem to remember them complaining when it got VPN functionality built into it.

The problem with ISPs offering their own DoH server is that (as it stands) you'd need to manually configure it, there's no way for them to push an auto-config down to you. They'd also need to be globally accessible/usable so that when you go out and about onto other networks with your mobile/laptop, resolution doesn't break (because that new network can't autoconfig you either).

It's not something that can't be addressed, but it does still complicate things a bit.

Ben Tasker

Re: Mozilla are only partly right

The problem is more complex than that though.

As a society we accepted the introduction of CleanFeed on the basis (as you say) that stopping paedophiles from finding things online is good.

However, Cleanfeed has long since stopped being *just* about that content. Because the infra was there and capable of doing so, the ISPs were ordered to use it to block Newzbin2 (a torrent site).

At that point, Cleanfeed's effectiveness was doomed because there was now an "acceptable" reason to be discussing how to circumvent it - prior to that decision those discussions could only happen if you were interested in looking for something very, very illegal.

It's not like it's stopped there either, we're now in a position where the Govt wants providers to track who watches what adult content, and with the threat of using that same infra to block sites that fail to comply with the requirements. Their aspirations don't end there either, have a search around and you'll see plans to bring in age verification for all kinds of things.

I agree that blocking the sites on the IWF's watchlist (when they don't screw it up, anyway) is a good thing. But it is the government, and industry who've moved us into the position we're in now.

Now, you've mentioned surveys to bolster your argument. In most surveys, most Brits didn't know about the impending (now delayed) porn block. Think they'll still support censorship when they're being asked for proof of identity before watching their chosen fetish? What about when a future Govt decides that dwarves are immoral and blocks any sites carrying them?

What about the Govt's self-confessed position that the porn-block may push users onto the darknet where they may be exposed to things that are much more extreme? (and yes, that includes CP).

The IWF wants this positioned as a fight against paedophiles, but it's not that simplistic, and not by a very, very long stretch. 15 years ago, it would have been, but the courts and the Govt have perverted the underlying system and it was a given that at some point their tower of cards was going to come crashing down.

Just one final point:

> paedophiles should not be able to trade images online, and is happy for Cleanfeed to exist.)

You do understand that Cleanfeed does precisely nothing to prevent this, and isn't even intended to do so, right?

Cleanfeed exists to stop people accidentally stumbling onto this type of content. The aim being to prevent someone who's not yet into child porn (or marginally so), stumbling upon it and then exploring looking for more.

Those who are actively seeking it out already know about Cleanfeed, as well as the risks if they're caught and so take measures to bypass it. It was *always* understood that this would be the case.

I mention this primarily because the protection of Cleanfeed isn't nearly what you're trying to portray it as. Pictures still get circulated (unfortunately); Cleanfeed just helps keep it from the sight of the general population.

Ben Tasker

Re: NIMBY

> but should use a default provided by the platform/OS

Yep, and there are solutions in the wild that allow you to do that with DoH already. For Android there's Intra (created by Google's sister company - Intra).

For desktop OSes there are stubs that accept UDP 53 and DoH it for you. Personally I like this one - https://github.com/m13253/dns-over-https - but there are things like cloudflared too.

Personally I'd never use Cloudflare's DoH service, and am similarly cagey about Google's, so I set up my own (I've linked to the docs a few times, so won't do it again here as I don't want to spam the comments :) ).

It means I've got the privacy benefits of DoH but backed by Pi-Hole filtering. That's win-win in my book.

Ben Tasker

Mozilla are only partly right

If we insert just one word into their statement, then they're wrong:

Despite claims to the contrary, a more private DNS would not prevent the use of non-consensual content filtering or parental controls in the UK

and therein lies the rub. What the ISPA is complaining about isn't that we (the users) would not be able to filter content, but that content would not be able to be filtered without our consent (or at a basic level, knowledge).

Which, oddly, sounds like exactly the kind of authoritarian bollocks that brought things like DoH about in the first place.

Get rekt: Two years in clink for game-busting DDoS brat DerpTrolling

Ben Tasker

Re: Not Hacking?

> Since DDoS attacks usually use botnets, they involve hacking; even if the direct victim isn't hacked in the usual sense of the term, other victims are being hacked to make the attack possible.

Only sort of true.

*Building* a botnet involves compromising victims, so would fall under the broad term "hacking".

But, you can *rent* time on a botnet and then trigger a DDoS. No building your own botnet involved. In fact it's big business.

Would you call someone a systems engineer because they ran wget on AWS? Probably not, because there's a distinction drawn between the platform (AWS/Botnet) and the service being run/launched from it.

So even given the murky ass background of the term hacker, and the increasing use of rented botnets and booter/stresser services in general, I think it's fair to say that (as a rule) the act of DDoS involves no hacking, though it may be launched from a platform built by it.

Shall we strip price caps from .org, mulls ICANN. Hm, people seem really upset... OK, let's do it

Ben Tasker
Joke

Re: An alternative

Something.... something... something... blockchain

If anyone wants to invest, I hear blockchain attracts a fortune...

DeepNude deep-nuked: AI photo app stripped clothes from women to render them naked. Now, it's stripped from web

Ben Tasker

Re: "chiefly women, it doesn't work properly on men"

> What's that supposed to mean?

Vice also did a write-up after they'd tried it on male pictures. "Doesn't work properly on men" in this case apparently means that if you run it on a picture of a man, he'll end up with a vulva.

Open-heart nerdery: Boffins suggest identifying and logging in people using ECGs

Ben Tasker
Joke

Does that mean

It's solved the problem of password re-use, in that I'll have a completely different log-in to my bank than that of a porn site....

EE-k, a hundred grand! BT's mobile arm slapped for sending 2.5m+ unwanted texts

Ben Tasker

> We’re committed to ensuring our customers are fully aware of their options throughout the life of their contract

Even those who've told us not to....

Chrome ad-blocker crackdown preview due late July. Here's a half-dozen reasons why add-on devs are still upset

Ben Tasker

Re: The performance concern is real

The thing is, even if he's right - there almost certainly are delays incurred - that's a trade-off I'm 100% willing to accept in order to block all the privacy sucking shit that I use these extensions to block.

And that's completely ignoring the obvious, which is that you still end up with a faster load because you're now not sucking in a ton of tracking javascript.

Kids can be so crurl: Lead dev unchuffed with Google's plan to remake curl in its own image

Ben Tasker

Re: Google has a vision

> There's also the problem that Google's UI's really tend to be mediocre at best.

I opened Google Calendar the other day to add something.

They've changed the default view to only showing 4 days at a time. No notification, nothing.

There's a dropdown to change the view, but because of their crap design choices it doesn't stand out in amongst all the other white boxes on a white background. So it took a minute or so to correct.

By which time I'd completely forgotten what the hell I was going to add to the calendar.

The main point of this grumble though - who the fuck wants their calendar to show just 4 days a time, and by default? Week view or GTFO

Brave urges UK's data watchdog to join Ireland in probing claim Google adtech breaches GDPR

Ben Tasker

Re: Without going into the legal nitty-gritty...

Depends, as GDPR factors in whether you can be identified by tying a bit of information with other available information.

A fairly extreme example follows:

So, your publicly routable IP 1.2.3.4 identifies that you work at Acme Corp.

The targeting they're doing on their ads identifies that you regularly browse

- Furry sites

- Ebay classic motor parts

- Costume shop

So they can now say that "you" are most likely the person who works at Acme Corp who drives a Daimler DE7 and spends their weekend dressed as a squirrel.

They've not got your name (assuming you haven't googled yourself), but that's still sufficient to identify you to within a reasonable margin of error.

All that though is fairly moot as GDPR states IP addresses should be considered as personal data as it counts as an online identifier. The exact topic that was assessed was dynamic IPs. The conclusion was that because the web-host's (in this case Google) data _could_ be joined with the ISP's records to identify the person, it counted as personal data even though the chances are small as the ISP would need to comply with GDPR when disclosing.

That's no different to your case really, Google are still Google, and the ISP is your company IT Dept.

TL;DR IP addresses are PII under GDPR, and all the what-ifs we love to argue about have already been considered - the advice is to err on the side of caution and treat all IPs as PII.

Meet the new Dropbox: It's like the old Dropbox, but more expensive, and not everyone's thrilled

Ben Tasker

Re: Dropping dropbox

FWIW I moved to using Nextcloud a little while back, and haven't looked back.

There are some minor niggles/annoyances depending what you're storing. In particular, the way it generates thumbnails for images is dumb and frustrating when you're trying to flick through a folder of images that you haven't viewed in the Nextcloud app before (there are ways around that though).

I use it to sync some documents, my password locker DBs and for automated upload of photos taken on my phone (so that they're backed up without having to gift them all to Google).

Granted I don't need some of the features Dropbox is offering anyway, but I wouldn't touch them with a bargepole nowadays.

No Telegram today, protestors: Chinese boxes DDoS chat app amid Hong Kong protest

Ben Tasker

Re: Democracy is an eternal uphill battle

But unfortunately it's so, so much easier to say "It could never happen here" whenever someone raises concerns, so most people do exactly that.

Yes, that power could be misused by an authoritarian Government, but we've never had one so why would we be worried.... usually said while ignoring things like the powers having been pushed through despite widespread opposition.

Top websites screwed over in WordPress.com super-outage: VIP Go? More like VIP No Go

Ben Tasker
Joke

Re: Improvement

Unfortunately The Sun is one of them, so there's still the content to contend with

When it comes to DNS over HTTPS, it's privacy in excess, frets UK child exploitation watchdog

Ben Tasker

Some do, yeah.

Others only target services they've heard of.

That said, a lot of the complaints about DoH leading to over-centralisation are somewhat overblown too, and stem from a lack of understanding of how ISPs tend to behave (badly). There are a good chunk of ISPs that expose DNS servers to their clients, but have those servers configured just to act as caching forwarders, sending queries onto Google, Level3 and Cloudflare (amongst others).

Some of those ISPs don't even provide any affinity to a service for a given zone, so you'll get a completely different A record back for CDN names if the ISP uses Google (supports ECS) than if they use Level3 (doesn't support ECS).

Ben Tasker

Re: DNS, SNI or certificate snooping

> Even once this is done the server sends back the certificate in plain text, which again provides the web site name, unless it too is protected by eSNI

You're conflating 2 different things here.

In TLS1.3 the cert is sent back encrypted. Before 1.3 it was indeed sent in the clear.

eSNI is not part of TLS1.3, but will be in the future. Certain providers like Cloudflare have already implemented support for it as an extension to TLS, but eSNI has nothing to do with whether the cert is sent back encrypted or not.

US border cops confirm: Maker of America's license-plate, driver recognition tech hacked, camera images swiped

Ben Tasker

Re: Subcontractor’s network compromised?

Well, CBP *didn't* name the contractor, so they were unnamed

> While a CBP spokesperson declined to name the subcontractor at the heart of the kerfuffle

This Free software ain't free to make, pal, it's expensive: Mozilla to bankroll Firefox with paid-for premium extras

Ben Tasker

Re: OSS isn't Free Software

If I say you're a free man do I mean you don't charge, or that you live free of restrictions?