How can it possibly be, that an ISP, which I’m paying for gets to decid, which sites I’m allowed to have access to, and which not?

All the torrenting sites are restricted. I know, I can use VPN, and such… but I want to do it because of my privacy concerns and not because of some higher-up decided to bend over for the lobbying industry.

While on the other hand, if there’s a data breach of a legit big-corp website (looking at you FB), I’m still able to access it, they get fined with a fraction of their revenue, and I’m still left empty-handed. What a hipocracy!!

What comes next? Are they gonna restrict me from using lemmy too, bc some lobbyist doesn’t like the fact that it’s a decentralized system which they have no control over?

Rant, over!

I didn’t even know that my router was using my ISPs DNS, and that I can just ditch it, even though I’m running AdGuard (selfhosted)

  • MigratingtoLemmy@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 year ago

    If I utilise a DNS provider who supports ECH (mullvad) with a browser that supports ECH (Librewolf) will I still not be able to access certain websites? I haven’t come across a website blocked by my ISP yet so don’t know

    • noride@lemm.ee
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      Most ISP blocking is pretty superficial, usually just at the DNS level, you should be fine in the vast majority of cases. While parsing for the SNI flag on the client hello is technically possible, it’s computationally expensive at scale, and generally avoided outside of enterprise networks.

      With that siad, When in doubt, VPN out. ;)

      • MigratingtoLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        They won’t be able to get to my SNI if I’m using ECH, yes? I just assumed ECH was secure enough but I don’t know much

        • noride@lemm.ee
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          2
          ·
          edit-2
          1 year ago

          You are absolutely correct, I should have lead with that. Encrypted client handshake means no one can see what certificate you are trying to request from the remote end of your connection, even your ISP.

          However, It’s worth noting though that if I am your ISP and I see you connecting to say public IP 8.8.8.8 over https (443) I don’t need to see the SNI flag to know you’re accessing something at Google.

          First, I have a list of IP addresses of known blocked sites, I will just drop any traffic destined to that address, no other magic needed.

          Second, if you target an IP that isn’t blocked outright, and I can’t see your SNI flag, I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern, say google.com.

          VPN gets around all of these problems, provided you egress somewhere less restrictive.

          Hope that helps clarify.

          • Darkassassin07@lemmy.ca
            link
            fedilink
            English
            arrow-up
            5
            ·
            1 year ago

            I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern

            This is only effective when the host is the only one using that IP. Anything that uses Cloudflares WAF or similar services will just be a shared IP that responds for hundreds of hosts like one of Cloudflares Reverse Proxies.

          • MigratingtoLemmy@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Ah, that clears it up! I feel silly that the idea of the ISP doing a reverse-lookup on my traffic didn’t occur to me, thanks.