undefined | Better HN

0 pointslabcomputer1y ago0 comments

They only need a certificate signed by an authority trusted by your resolver. And, unlike for the website itself, your browser does not show certificate information for the DoH server.

DoH also does not solve the problem of where the DNS server you use gets its information from: A government can compromise the other side as well.

0 comments

yegle1y ago

So, like, you are assuming someone using a resolver that ignores the certificate chain of trust, as an evidence that DoH is not useful?

Do your program language _show_ you the certificate information when you use an http library to connect to an HTTPS service?

Sure the other end of the DNS query may not be encrypted, but I can easily decide which government to trust, and run my DoH server there.

kelnos1y ago

> your browser does not show certificate information for the DoH server.

It doesn't show it, but I expect it would put up an error message if the DoH server's cert is invalid.

j / k navigate · click thread line to collapse