On Sun, Oct 18, 2020 at 02:40:17PM -0700, Jordan Geoghegan wrote:
> [..] As I see it, it's just a couple TLS
> handshakes which look identical to DNS over HTTPS traffic (which use the
> ubiquitous port 443).
Heh, that is kinda funny. If you haven't disabled DNS over HTTPS network wide
you certainly will not care about this information disclosure.
I am very glad that the Mozilla folks made this easy to do with DNS tricks
(so I could do it even for remote networks w/o site visit or using remote
hands on every windows machine).
> Unless there's something I'm missing (or that the
> paranoiacs failed to address) I'm pretty sure this is one of the only viable
> solutions for combating the chicken and egg clock problem TODAY.
This thread had several (from my POV) better ones already, but they all
have the downside of needing local setup / configuration. Which I don't
consider a big deal (or even a plus).
However, it is totally fine to behave like you described for all users
unable to provide the needed services locally or consciously choosing not
to - as long as the rope is provided to override things and go with a
better (according to local metrics, for the local setup) solution.
Martin