48
Is a VPN needed with DNS over HTTPS and Encrypted Client Hello? (feddit.nl)
submitted 1 year ago by joaojeronimo@feddit.nl to c/piracy@lemmy.dbzer0.com
13 comments fedilink hide all child comments

I was wondering if a VPN would add any kind of security or privacy if one is connecting to a host with a client/browser that supports DNS over HTTPS and that host supports encrypted client hello. Is there a way for the ISP or anything in between to shape traffic or even know what is being accessed? The only thing that should be visible is traffic between two IP addresses right?

all 14 comments
sorted by: hot top controversial new old
[-] jet@hackertalks.com 21 points 1 year ago* (last edited 1 year ago)

Depending on your threat model, if you know your ISP is tracking everything, then a reputable VPN doesn't add risk. If you have guaranteed observation and recording at your ISP level, which is most people: then using a VPN, paid with cash or crypto, probably gives you more privacy. At worst case it's the same level of observation.

In your scenario, using a browser with encrypted hello, using fully encrypted DNS, the only thing the ISP would see is your connection to the web server. If that web server, like cloudflare, serves multiple things, then it may obscure who you're talking to.

That being said, if somebody is observing enough of the network, they can look at network traffic flows, and determine what other service you're actually speaking with. IE unique traffic patterns to play a game, watch a video, interact with a app. Those can get exposed by the size of packets and frequency of packets transiting.

The main difference between a VPN, and an encrypted socket, for traffic flow analysis, is the VPN traffic gets all lumped together, so a third party doesn't know which pattern belongs to which stream. So if you're streaming videos, well doing other stuff on the VPN, it becomes harder to identify your traffic flow.

The browser traffic flow analysis is much easier, because each individual stream of data is observable by the ISP.

[-] joaojeronimo@feddit.nl 1 points 1 year ago

But how easy is it to actually make up what's going through a socket? If my ISP sees 1TB of data being continuously downloaded (from another IP address that they don't already know what its usually involved with) maybe I'm downloading some illegal movies, maybe I'm retrieving a hard drive backup, right?

Torrent traffic that doesn't go through a VPN is probably easy to make up, it's tons of packets from 50+ addresses, but if it's a Usenet download from one address, or SSH traffic from a seedbox, that should be more complicated to figure out right?

[-] jet@hackertalks.com 6 points 1 year ago

It's unlikely anyone is going to do traffic analysis to catch piracy.

Whistle blowing, human rights reporting, political opposition gets the traffic analysis heuristic identification attack.

[-] Psiczar@aussie.zone 11 points 1 year ago

The DNS traffic might be encrypted but that doesn’t mean that other protocols are. A VPN tunnel encrypts all traffic passing through regardless of protocol.

[-] ultratiem@lemmy.ca 4 points 1 year ago* (last edited 1 year ago)

This is the correct answer. A VPN encrypts and obfuscates all your connections, not just the web browser.

If all you care about is hiding the websites you visit from your ISP, DNS over TLS is fine. But just remember that you’re bleeding data by using your real IP (ISP, geolocation, etc.). And any other connection, is just unabashedly, you.

[-] joaojeronimo@feddit.nl 1 points 1 year ago

Well I was mostly thinking about Usenet but I guess everything else applies. Websites really can leak everything.

[-] joaojeronimo@feddit.nl 1 points 1 year ago

But so does TLS right?

[-] Psiczar@aussie.zone 1 points 1 year ago

Yes, HTTPS traffic is encrypted also, but I wouldn’t trust that all of your activity online is hidden just because DNS and HTTPS are encrypted.

Up to you, but I use a VPN when online.

[-] Kushan@lemmy.world 5 points 1 year ago

That "traffic between two IP addresse"s is enough reason to use a VPN you trust.

Put it this way, bit torrent traffic can be encrypted and routed over standard ports to make it look like regular web traffic, so still "just traffic between two IP addresses" but you wouldn't run that without a VPN, would you?

[-] lemmyvore@feddit.nl 3 points 1 year ago

To add to what the others have said, a VPN requires one end to authenticate to the other. Regular HTTP and DNS connections don't.

If you need to access a service remotely, doing it over VPN requires the user to authenticate (to use the VPN).

If you simply expose the service publicly, even if the connection to it is encrypted, it doesn't prevent random strangers from accessing it or trying to break in.

[-] teichflamme@lemm.ee 4 points 1 year ago

HTTPS does enforce at least one sided authentication though. In the scenario the service they access is most likely being hosted by a server that does authenticate via X.509 cert.

Unless it's p2p of course.

[-] twistypencil@lemmy.world -2 points 1 year ago

In this case, a VPN only offers obscuring that you are connecting to the dns over http end point.

this post was submitted on 05 Nov 2023
48 points (98.0% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54390 readers
373 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others

Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):

💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
db0@lemmy.dbzer0.com
sunbrothersco@lemmy.dbzer0.com
dataprolet@lemmy.dbzer0.com
Flatworm7591@lemmy.dbzer0.com
RandomLegend@lemmy.dbzer0.com