undefined | Better HN

0 pointsmehrdadn7y ago0 comments

There we go! OK, so you'd trust your ISP and CloudFlare more than Google. Let's go through them.

> I would also, needless to say, feel ok hosting my own dns.

Yeah let's avoid options that 99%+ of people wouldn't find realistic.

> Quad9 and opendns both filter content, and as such I don't trust them because the fact that they're willing to do that means that they are willing to censor content if they so choose.

Right, I think I agree on that.

> Cloudflare's main prerogative isn't to sell clicks the way google's is, which earns it points already.

Sure, some points there for the increased likelihood of hypothetical data mishandling due to their incentives.

OTOH, don't forget it was Google who found this issue in CloudFlare, which earned Google some points and earned CloudFlare /quite/ the demerits in my book... and note that this was an _actual_ massive security incident, not a hypothetical one: https://blog.cloudflare.com/incident-report-on-memory-leak-c...

> My own ISP already knows all the ips I connect to, so telling them what the domains are doesn't tell them much, especially as the trend towards ipv6 means that multiple-domains-on-one-ip has gotten less popular.

I find this to be quite the odd argument for most people (maybe you're in the 1% of people who uses unconventional ISPs or email/search/map/etc. sites). Not only do major ISPs (thinking e.g. Comcast, AT&T here) not exactly have a great reputation on the privacy or security front (wasn't it just a few days ago someone posted about your home address being linked to your IP on Comcast?) -- meaning whatever data they do collect is prone to being hacked even if you believe they're really honestly keeping it private, which I'm not sure I always would -- but for most people Google already knows pretty much their life. And on top of that, they do their own tracking with Google Analytics, so they already know what websites most people are visiting -- not just from home, but also from work and on the go. And unlike with your ISP, it's likely already linked to your personal identity, not just your household or work office.

Oh, and in case you would like your advice to apply to those who have, say, Comcast, may I point you to quotes like this [1]:

> Comcast today said it has "no plans" to sell its customers' individual Web browsing histories, but Comcast can still deliver personalized ads based on its customers' browsing history. Comcast, the nation's largest home Internet provider, said it will continue to offer customers a way to opt out of targeted ads.

I don't know about you, but I would be shocked if they did this solely based on IP and did not find DNS information to be important for this task.

[1] https://arstechnica.com/tech-policy/2017/03/comcast-we-wont-...

0 comments

2 comments · 1 top-level

earenndil7y ago· 1 in thread

> OTOH, don't forget it was Google who found this issue in CloudFlare, which earned Google some points and earned CloudFlare /quite/ the demerits in my book

I don't quite understand this one. Are you saying that you have an expectation that all software be bug-free? That just doesn't happen, unfortunately. Cloudflare had a problem, they fixed it promptly and then published a post-mortem on it. That, imo, is exactly what should happen. And as for google, it was discovered by their dedicated team of security researchers. Having such a team arguably reflects well on google, but do remember that monolithic corporations such as google are rarely unified.

mehrdadnOP7y ago

No, I never suggested "I expect all software to be bug-free". Google software has bugs too. You're completely muddying the waters with a strawman like this. What I'm saying is that it that calling a massive security incident a "bug" doesn't suddenly erase it. Maybe it was pure dumb bad luck that could've happened to Google too, maybe it was because CloudFlare is just younger and still learning about the whole "defense-in-depth" thing that prevents 1-2 bugs from massively screwing everything up, or maybe it's just the lack of money and/or being able to attract as much top talent... I can't know for sure, and maybe I'd even sympathize with them, but I'm not trying to determine guilt and figure out whom to throw in jail here—I'm just trying to decide whose service to trust, pay for, and use. I'd be completely nuts to disregard actual severe past mistakes and solely look at my impressions of their intentions and hypothetical scenarios. You might look at intentions when figuring out whom to blame, but you definitely need to look at the cold, hard facts when figuring out whom to trust. The fact that they did actually make a system that actually screwed up in keeping private data private simply has to be taken into account when figuring out how much I can trust them with private data, however good their intentions and post-facto reactions to it were.