Hacker News

Funny thing is, it depends on your threat model.

Using google.com/XXX for all its services protects the user from being spied on by external actors such as ISPs because everything is hidden behind HTTPS.

Whereas, with XXX.google.com, external actors know that you are using service XXX.



The whole "threat model" thinking is useful for security, but I don't think it translates well to privacy and data sharing consent matters.


I disagree on the former, but I agree on the latter: technology is not a good substitute for consent.

Regarding the privacy:

If you are using a VPN to protect your privacy, then you are effectively transferring your trust from your ISP to your VPN provider. The VPN provider is your new ISP. So you have to make sure you trust the VPN provider more than your ISP.


It is a matter of trust, but by choosing a VPN you are not limited in your options by your geographical location as is the case with an ISP.

In my town there are 2 ISPs I can choose to trust, whereas with a VPN I can choose to trust from a much greater selection.


I don't use VPN when I'm on my home ISP but I do when I'm someplace where I don't control the gateway. My VPN is on a vultr VPS I control (in as much as I can control a VPS), and I do trust vultr (or digitalocean or any of the major VPS providers) more than I trust, let's say, the person who set up the wifi at the holiday inn.


The threat here is google.


If your threat is google, it would be wise not to use google in the first place.

As others mentioned, OSM is an alternative (not equivalent) to Google Maps.


If only there was a drop in replacement for Google Workspace… even if you use Fastmail for email you don’t have Google docs anymore and that’s a huge piece…


You might want to check out:

https://framapad.org/abc/ (this organisation has a lot of FLOSS cloud alternatives to Google products)

https://cryptpad.fr/


thanks!

Unfortunately it seems there is only text editing, not spreadsheets or forms (those I use a lot)

But I'll look into it, and probably transfer my docs there

It is important to use user respecting software when we can :)


sorry, my bad, cryptpad seems to have it all!


The worse problem is you give Maps location permissions and that can translate now to the 3 billion sites that use Analytics isn't it?


No, google-analytics.com is where analytics is being served from and sends tracking-requests to.



I believe that's only if the GA account is connected to an Ads account (or set up to collect demographics, I think). By itself, GA will only use https://www.google-analytics.com/j/collect (or /g/collect for GA4).


drop in replacement for Google Workspace?

has everybody forgotten it was replacing Microsoft?


Office365, Zoho, there are many options.


I’m pretty sure you can still identify specific services from traffic patterns. It is more expensive, but within reach for well-funded actors.


Google could enable ESNI, if they wanted.


I presume they are talking about the DNS "leak".

google.com/maps would result in a DNS request for google.com so anyone monitoring DNS would know they are connecting to a google service but wouldn't know which one.

maps.google.com would result in a DNS request that show they are connecting to maps.google.com and could presume they want some maps.

DoH (and ESNI on the server side) would fix it, but iirc Chrome (the most used browser) doesn't use DoH by default.


Chrome uses DoT, if you have configured one of the well-known resolvers that do support DoT. Otherwise, it respects your local settings.


My point about Chrome is not that it can’t do DoH but by default it doesn’t so relies on the system settings which for the vast majority of users (not us geeks who explicitly opt in) never change and use ISP supplied values so DNS snooping is still a thing for the majority.

Should a browser override system settings? That’s another question, because doing so can impact other things for the avg Joe. For example my mobile provider's self-serve website plays up when I use custom DNS, and free hotspots with captive portals can also be an issue when you override the DNS provided by the access point.


I understand your point, but anyway, no app, no browser should ever think that "it knows better" and attempt to fix what it considers incorrect. It may think that it protects the user, but in reality, it will break what the user configured. Private DNS zones are common, and if the browser ignores user configured DNS, they will break. And as I wrote elsewhere, just because the machine is configured to use 53/udp for a resolver, it doesn't mean that the resolver is forwarding over 53/udp too.

If you want to solve unsafe defaults, this is not the way. Pushing for configuring safe defaults is.


If a general purpose browser can empower hundreds of millions or even billions of regular users with better privacy (and ultimately, security) by making a change that might disrupt a small handful of power users who manually configure this stuff, I say the browser should go for it. The power users are the very people who can, without much effort at all, reconfigure their stuff, or easily find a special purposed browser, so they'll be just fine.

Spock was right, logic clearly dictates that the needs of the many outweigh the needs of the few.


The problem I fear is the needs of the few who are not technology minded, who don't want their browser (or in their eyes their internet connection) to stop working because their ISP-issued router uses a DNS-based captive portal to onboard people (I've seen this used by at least one major ISP in the UK to onboard devices onto their per-device content filtering system - BT, however I think they rolled back on that after it caused issues with IoT devices).

However I believe (not read the docs in a while) Firefox works around this by falling back to DNS if an issue with DoH is detected.

EDIT: However I'm still on the fence if it should be a browser decision. Yes, browsers move more quickly than OS & ISP changes and can make things better for the masses quickly, but I'm also wary of those changes screwing up the avg person, the people like my mother who can just about order things online via her iPad but that's about it; if she accidentally lowers the screen brightness of her iPad I soon get a call about it. It's for those kind of people I don't like the idea of a browser messing around with a connection in unknown network conditions.


> If a general purpose browser can empower hundreds of millions or even billions of regular users with better privacy

This statement makes a huge assumption, that the DoH provider is more trustworthy than your existing DNS provider. Personally, I trust my ISP (Small, locally owned) with my query history more than I trust Google (Massive, exploitative advertising company). The fact that Google is automatically turning this on to scoop up DNS information without users' consent should be illegal.


…, I get the "wrong" IP for anything hosted by Akamai (i.e. an IP address that corresponds to a part of their CDN which has abysmal peering with my ISP and is completely unusable in the evening)


Even if you are using DoT, the DNS provider will still know you're using Maps if it resolved the subdomain, and the DNS provider itself might well be the biggest privacy threat here.


> DoH (and ESNI on the server side) would fix it, but iirc Chrome (the most used browser) doesn't use DoH by default.

It would fix it for some specific circumstances. Since maps.google.com resolves differently than www.google.com, you can ignore DNS and just look at TCP connections to tell what service is being talked to.


Granted that Google is basically the exception here. But when I query the IPs for maps.google.com I get 142.250.179.238 and when I query google.com I get 142.250.200.14.

If I make an HTTP GET request to 142.250.179.238/ (the maps IP) but with the host header set to "www.google.com" I get the search page returned to me. If I make an HTTP GET request to 142.250.200.14/maps I get Google Maps.

OK. /maps might be a bad example because well google.com/maps is already a thing :-p

So if I make a request to 142.250.179.238 with the host youtube.com I get YouTube. This is because most of Google's public-facing servers can act as the front door for many other Google services, not just the service that its DNS is set to.

Not really sure if it comes under "domain fronting", because isn't that the tactic many used to bypass censorship: pretend you're connecting to one CloudFront customer when you really wish to connect to another? Whereas Google explicitly configured their services to do this so they can easily load balance as demand and network conditions allow. Anyways I'm rambling now.

My point is, with Google you can't rely on the IP address alone to determine the service (however it still wouldn't stop you peeking into the connection and pulling out the host header unless ESNI was used) but as I said at the start, Google is more the exception here.


> iirc Chrome (the most used browser) doesn't use DoH by default.

Last I checked, Linux was behind other platforms because there’s a lot of complex custom dns configuration that chrome (understandably) didn’t want to be accused of overriding/ignoring, but which isn’t all easily visible to the browser


Which is the correct behavior; if the user wants to configure his computer to DoT/DoH, system resolver is the correct place and Chrome has to respect it.

Even if the computer is using 53/udp to the configured local resolver in the local network, it doesn't mean that the resolver itself is using 53/udp. Many of them can forward queries using DoT/DoH/IPoAC and the app on the user's computer will be none the wiser.


Google poses a larger threat to most people I guess.


DNS over HTTPS is the solution here.


SNI is still in the plaintext.


It is still an improvement; you need to DPI the traffic then, which is more demanding than just logging 53/udp queries.


Anyone who is trying to invade your privacy is going to do DPI.

My prosumer-grade hardware does DPI without any issue.


Doesn't change the fact that the SNI is sent in clear text.




