You are reading a single comment by @NotThamesWater and its replies.
  • The easiest way to see what you're doing isn't to try and decrypt the web traffic but just to serve the DNS and look at the DNS logs.

    DNS is not encrypted, so why do anything harder. The logs reveal which local IP address asked for which domain name.

    It's hard to stop this, but if you use Firefox and enable DNS over HTTPS then your DNS will be encrypted too.

    At that point all anyone can tell is which IP you've connected to. But with SNI certificates, without a host header known in advance, most websites will not return anything and only the smaller sites where a single site is on an IP would reveal what you are looking at - were someone manually checking.

    So assume your DNS is leaking everything despite encryption everywhere else, and isolate browsing you want to keep private to Firefox, and ensure DNS over HTTPS is enabled (it's only default enabled in the USA right now as it's a new feature).

  • Thanks David!

    If I'm wanting to be super-duper secret squirrely, I run an ssh tunnel on localhost, and connect to this as a socks5 proxy (incl. DNS)

    My concern is that this may not be as secure as I would have thought*, and that because this is a work laptop, there is a root certificate that means I don't have true end-to-end.

    Similarly, if I'm just browsing on the network with no tunnel (when I don't really care if the DNS queries are visible), can I be sure that when I am accessing my cloud server, what I am looking at is not being monitored? The certificates all look to be the ones I installed.

    * Based on a conversation with my local IT person, who made a comment about why I was searching for keys, when we were talking about yubikeys & 2fa - The irony of this is not lost.
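
A corporate root certificate on the laptop lets an interception proxy mint a valid-looking certificate for any site, so "the certificates look like the ones I installed" is only meaningful if the fingerprint is actually compared. The check below is an added example for this page, not code from the reply: record the SHA-256 fingerprint of the leaf certificate on the server you control (for instance with `openssl x509 -noout -fingerprint -sha256 -in cert.pem`), then compare it with what the client receives. Host names and the pin are placeholders; the bytes used in the test are a constructed stand-in for a DER certificate, not a real one.

```python
"""Detect TLS interception by pinning: compare the SHA-256 fingerprint of the leaf
certificate a client actually receives with the fingerprint recorded server-side."""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_bytes):
    """Colon-separated uppercase SHA-256 fingerprint, the form Firefox's certificate
    viewer and `openssl x509 -fingerprint -sha256` display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin):
    """Accept 'AB:CD:..', 'ab:cd:..', 'abcd..' or 'sha256/AB:CD:..' and return bare lowercase hex."""
    if pin.lower().startswith("sha256/"):
        pin = pin[len("sha256/"):]
    return pin.replace(":", "").strip().lower()


def pins_match(observed, expected):
    """Constant-time comparison of two fingerprints in any of the accepted notations."""
    a, b = normalize_pin(observed), normalize_pin(expected)
    return len(a) == 64 and hmac.compare_digest(a, b)


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER leaf certificate presented on a direct TLS connection to host.
    Chain verification is deliberately disabled: an intercepting proxy's certificate,
    signed by the corporate root, must be returned rather than rejected so that it
    can be judged by its pin instead of by the trust store."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_server(host, expected_pin, port=443):
    """True if the leaf certificate seen from this network matches the recorded pin."""
    return pins_match(fingerprint_sha256(fetch_leaf_der(host, port)), expected_pin)


if __name__ == "__main__":
    import sys
    # usage: python pincheck.py cloud.example.net 'AB:CD:...'   (placeholder host and pin)
    host, pin = sys.argv[1], sys.argv[2]
    ok = check_server(host, pin)
    print("OK: certificate matches pin" if ok else "MISMATCH: possible interception")
    sys.exit(0 if ok else 1)
```

Run it once from a network you trust and once from the work network; a mismatch on the second run, while the browser still shows a padlock, is the signature of a proxy re-signing with the installed root. Running the same check through the SSH SOCKS tunnel and directly is a quick way to see whether the tunnel is actually bypassing the proxy.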
