
So, having read the blog post from Cloudflare I don't understand why the proxy (needs to terminate|terminates) TLS.

I thought HTTPS proxying (or rather: any TCP protocol) was a solved problem by the HTTP CONNECT verb or SOCKS proxies.

What am I missing?



The user's IP address is masqueraded by the proxy, and neither the DNS mothership (Cloudflare) nor the ISP gets to see both who the user is and what they requested. It's an extremely desirable property DoH currently lacks.


Yes, I understand that. But I don't understand what ODoH does better than a run of the mill SOCKS proxy, such as Tor.


Tor is not a run of the mill SOCKS proxy, not least in that it inserts arbitrarily high latency into the user data path. On the other hand, an actual run of the mill SOCKS proxy would have visibility of the user's queries and their identity, defeating the purpose of the design.


> an actual run of the mill SOCKS proxy would have visibility of the user's queries and their identity, defeating the purpose of the design.

Why would it have visibility of the queries? If I send a TLS connection (containing my DoH query) through that SOCKS proxy, then the SOCKS proxy is unable to decrypt that TLS connection without breaking certificate verification and thus can't read my DoH query.


Very good point! Sorry, I was confusing myself thinking about classic DNS.


Abuse. The message must be a DNS query, not arbitrary Tor traffic.
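The wire format behind that last reply, as an added illustration that is not from the thread or from Cloudflare's code: an ODoH query is carried in the RFC 9230 ObliviousDoHMessage envelope (message_type, key_id, encrypted_message), which the proxy can parse and validate without seeing the DNS message inside. The HPKE encryption is replaced by a labelled XOR stand-in, and the key id, key and DNS query are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed sample: a minimal DNS wire-format query for example.com / A
# (hypothetical transaction id 0x1234), so the example runs offline.
SAMPLE_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    + b"\x07example\x03com\x00\x00\x01\x00\x01")
KEY_ID, TARGET_KEY = b"\x00\x01", b"k" * 32   # placeholders, not real ODoH key material

def _vec16(b: bytes) -> bytes:
    """opaque<..2^16-1>: 2-byte big-endian length prefix, then the bytes."""
    return struct.pack("!H", len(b)) + b

def _read_vec16(buf: bytes, off: int):
    (n,) = struct.unpack_from("!H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def toy_seal(data: bytes, key: bytes) -> bytes:
    """Stand-in for HPKE seal/open (NOT real encryption): XOR with an
    HMAC-SHA256 keystream; symmetric, so the same call also opens."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encapsulate_query(dns_message: bytes, pad_to: int = 128) -> bytes:
    """Client: plaintext = dns_message | zero padding (rounded up to pad_to so the
    ciphertext length does not leak the name length); envelope = 0x01 | key_id | ct."""
    padding = b"\x00" * max(0, pad_to - len(dns_message))
    ct = toy_seal(_vec16(dns_message) + _vec16(padding), TARGET_KEY)
    return b"\x01" + _vec16(KEY_ID) + _vec16(ct)

def proxy_inspect(msg: bytes) -> dict:
    """Proxy: parses only the envelope, so it can refuse anything that is not a
    well-formed ODoH query while never seeing the DNS message inside."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not an ODoH query")
    key_id, off = _read_vec16(msg, 1)
    ct, off = _read_vec16(msg, off)
    if off != len(msg) or not ct:
        raise ValueError("malformed ODoH envelope")
    return {"key_id": key_id, "ciphertext": ct}

def target_decapsulate(msg: bytes) -> bytes:
    """Target: opens the ciphertext and checks the padding is all zeros; it sees
    the query but, having received it via the proxy, not the client's address."""
    pt = toy_seal(proxy_inspect(msg)["ciphertext"], TARGET_KEY)
    dns_message, off = _read_vec16(pt, 0)
    padding, off = _read_vec16(pt, off)
    if off != len(pt) or any(padding):
        raise ValueError("bad ODoH plaintext")
    return dns_message
```

A SOCKS proxy relaying opaque TLS bytes has no equivalent of proxy_inspect: it cannot tell a DoH query from any other tunnelled stream.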




