Minimizing Digital Footprints in Hostile Environments

There are four pieces of information that can reveal which websites, apps and services you use to your ISP or government:


DNS

  • Avoid plaintext DNS (UDP/TCP port 53) wherever you can: every query carries the name you are looking up in the clear.

  • Use DNS over HTTPS (DoH) so that queries are encrypted between you and the resolver. This is confidentiality from the network path, not anonymity: the DoH resolver operator still sees every name you look up, so choose it accordingly.

  • Governments can block well-known resolvers quickly. You can, however, self-host a resolver on a private cloud instance, or run a serverless DNS forwarder, to obtain a fresh DoH endpoint under a newly registered domain that is not yet on any blocklist.

  • With DoH, the DNS leg reveals only the resolver's IP address (and its hostname, because your browser's TLS connection to the resolver carries an SNI of its own) plus the IP addresses of the sites you then connect to. It does not hide a site's hostname if that hostname is still sent in the clear elsewhere, which is the SNI problem covered below.
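As an added example (not code from the original page), the block below builds a DNS query in wire format, shows what an on-path observer recovers from it when it travels over plain UDP/53, and builds the equivalent RFC 8484 DoH GET request, which only the resolver sees once TLS is stripped. The resolver hostname "doh.example.org" and the queried name "secret-site.example.com" are placeholders chosen for this example.

```python
"""
Added example: a passive observer's view of a plaintext DNS query versus the
same query carried as an RFC 8484 DoH GET request. Names used here
("secret-site.example.com", "doh.example.org") are placeholders.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as RFC 1035 labels: <len><label>... terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0) -> bytes:
    """DNS query message (header + one question) in wire format.
    RFC 8484 recommends txid 0 for DoH GET so identical queries produce
    identical URLs and can be cached."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def observed_qname(udp_payload: bytes) -> str:
    """What an eavesdropper on UDP/53 sees: the queried name, read straight
    out of the first question section."""
    if len(udp_payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", udp_payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = udp_payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("compressed name in question")
        labels.append(udp_payload[pos:pos + length].decode("idna"))
        pos += length
    return ".".join(labels)


def doh_get_request(name: str, resolver_host: str, path: str = "/dns-query") -> str:
    """The HTTP request an RFC 8484 GET client sends for `name`. The DNS
    message is base64url-encoded without padding, as the RFC requires. The
    whole request rides inside TLS, so on the wire only the resolver's IP
    (and its hostname via SNI, unless ECH is used) is visible."""
    wire = build_query(name, txid=0)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return (
        f"GET {path}?dns={b64} HTTP/1.1\r\n"
        f"Host: {resolver_host}\r\n"
        "Accept: application/dns-message\r\n\r\n"
    )


def doh_param_to_qname(param: str) -> str:
    """Decode the `dns=` parameter back to the queried name: what the DoH
    resolver itself sees after TLS termination."""
    padded = param + "=" * (-len(param) % 4)
    return observed_qname(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    # Constructed sample: the same lookup sent both ways.
    plain = build_query("secret-site.example.com", txid=0x1234)
    print("UDP/53 observer sees:", observed_qname(plain))
    print("DoH request (inside TLS):")
    print(doh_get_request("secret-site.example.com", "doh.example.org"))
```

The point of `observed_qname` is that nothing clever is needed to read a plaintext query; any box on the path can do it. With DoH the same bytes exist, but only after the resolver strips TLS, which is why the resolver operator, not the ISP, becomes the party you have to trust.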


Certificate

  • Use TLS 1.3, and configure clients to refuse older versions where you can.

  • In TLS 1.3 the server's Certificate message is sent after the handshake keys are established, so it is encrypted and none of its details (subject, Subject Alternative Names, issuer) are visible to an eavesdropper.

  • TLS 1.2 handshakes send the server certificate in the clear, so its Common Name and Subject Alternative Names reveal the website you are visiting to an eavesdropper, even if the SNI were hidden.
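To make the difference concrete, here is an added example (not code from the original page) that parses the server's first flight of TLS records the way a passive observer would and reports which handshake messages are readable. The two flights are constructed byte strings: the "certificate" is a placeholder containing the name "secret-site.example.com", not real DER, and the TLS 1.3 ciphertext is a deterministic stand-in for AEAD output. A small helper also builds a client context that refuses anything older than TLS 1.3.

```python
"""
Added example: what an on-path observer can read from the server's first
flight in TLS 1.2 versus TLS 1.3, plus a TLS-1.3-only client context.
Sample records are constructed; the certificate body is a placeholder and
the TLS 1.3 "ciphertext" is a deterministic stand-in for AEAD output.
"""
import hashlib
import ssl
import struct

CT_CHANGE_CIPHER_SPEC, CT_HANDSHAKE, CT_APPLICATION_DATA = 20, 22, 23
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone"}


def record(content_type: int, body: bytes, version: int = 0x0303) -> bytes:
    """TLS record: type(1) | legacy version(2) | length(2) | body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def handshake(hs_type: int, body: bytes) -> bytes:
    """Handshake message: type(1) | length(3) | body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def iter_records(data: bytes):
    """Split a byte stream into (content_type, body) pairs."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ct, _ver, length = struct.unpack("!BHH", data[pos:pos + 5])
        pos += 5
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield ct, body
        pos += length


def visible_handshake_types(data: bytes) -> list:
    """Names of handshake messages an eavesdropper can read in the clear.
    Encrypted (application_data) records contribute the label 'encrypted'."""
    seen = []
    for ct, body in iter_records(data):
        if ct == CT_APPLICATION_DATA:
            seen.append("encrypted")
        elif ct == CT_HANDSHAKE:
            pos = 0
            while pos < len(body):          # a record may carry several messages
                hs_type = body[pos]
                length = int.from_bytes(body[pos + 1:pos + 4], "big")
                seen.append(HS_NAMES.get(hs_type, f"type{hs_type}"))
                pos += 4 + length
    return seen


def certificate_in_clear(data: bytes) -> bool:
    """True if a plaintext Certificate message is present in the flight."""
    return "Certificate" in visible_handshake_types(data)


def tls13_only_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.2 and older, so the certificate is
    never exchanged in the clear. Raises if the linked OpenSSL lacks TLS 1.3."""
    if not ssl.HAS_TLSv1_3:
        raise RuntimeError("this Python/OpenSSL build has no TLS 1.3 support")
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def enforces_tls13(ctx: ssl.SSLContext) -> bool:
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3


# --- constructed sample flights -------------------------------------------
FAKE_CERT_BODY = b"\x30\x82CN=secret-site.example.com"  # placeholder, not real DER
SERVER_HELLO_BODY = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"

TLS12_FLIGHT = (
    record(CT_HANDSHAKE, handshake(2, SERVER_HELLO_BODY))
    + record(CT_HANDSHAKE, handshake(11, FAKE_CERT_BODY)
             + handshake(12, b"\x03\x00\x1d\x20" + b"\x22" * 32)
             + handshake(14, b""))
)

FAKE_CIPHERTEXT = hashlib.sha256(b"constructed stand-in for AEAD output").digest() * 3
TLS13_FLIGHT = (
    record(CT_HANDSHAKE, handshake(2, SERVER_HELLO_BODY))
    + record(CT_CHANGE_CIPHER_SPEC, b"\x01")            # middlebox-compat CCS
    + record(CT_APPLICATION_DATA, FAKE_CIPHERTEXT)      # EncryptedExtensions, Certificate, ... inside
)

if __name__ == "__main__":
    for label, flight in (("TLS 1.2", TLS12_FLIGHT), ("TLS 1.3", TLS13_FLIGHT)):
        print(label, visible_handshake_types(flight),
              "| name on the wire:", b"secret-site" in flight)
```

In the TLS 1.2 flight the Certificate, ServerKeyExchange and ServerHelloDone messages all arrive as plaintext handshake records; in TLS 1.3 the observer sees the ServerHello and then only application_data records, so a name that is plainly visible in the first flight never appears in the second.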


URL

  • The full path to a page or resource is part of the HTTP request, and with HTTPS the HTTP request travels inside the TLS connection, so it is encrypted.

  • With HTTPS, the path and query string (everything after the hostname and port) are encrypted and available only to the client and the server; the response is encrypted too. The fragment after "#" never leaves the browser at all. The hostname itself is not protected by this, since it is sent separately through DNS and SNI.


SNI (Server Name Indication, sent in the TLS Client Hello)

  • This is the most important part: it is the leak that survives DoH, TLS 1.3 and HTTPS.

  • Unless you tunnel the traffic through a VPN, the server_name extension of the Client Hello carries the full hostname (domain and subdomain) of the site you are visiting in the clear, so an eavesdropper learns it even with DoH and TLS 1.3 in place.

  • To close this, both the browser and the website must support ECH (Encrypted Client Hello), which encrypts the real name and exposes only a public outer name. ECH keys are published in the site's DNS HTTPS records, so it only helps when that lookup itself is encrypted (DoH). Otherwise tunnel everything through a VPN such as OpenVPN or WireGuard, bearing in mind that this moves visibility of the SNI from the ISP to the VPN provider.
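The block below is an added example, not code from the original page: it builds a minimal TLS Client Hello carrying a server_name extension and then parses the SNI back out of it the way a passive observer would. A second Client Hello shows what the observer gets when ECH is in use: only the outer public name. "secret-site.example.com" (the real destination) and "public.example.net" (the ECH public name) are placeholders, and the ECH extension body is a random-looking stand-in rather than a valid ECHClientHello structure.

```python
"""
Added example: build a Client Hello with SNI and extract the SNI as an
on-path observer would; with ECH only the outer public name is visible.
Hostnames are placeholders; the ECH extension body is a stand-in.
"""
import hashlib
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D   # encrypted_client_hello, draft codepoint used by deployed implementations


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def extension(ext_type: int, body: bytes) -> bytes:
    return _u16(ext_type) + _u16(len(body)) + body


def server_name_ext(host: str) -> bytes:
    """server_name extension: ServerNameList with one host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name           # name_type host_name(0)
    return extension(EXT_SERVER_NAME, _u16(len(entry)) + entry)


def client_hello(extensions: bytes) -> bytes:
    """TLS record carrying a ClientHello with the given extension block."""
    body = (
        b"\x03\x03"                     # legacy_version TLS 1.2
        + b"\x42" * 32                  # random (constant in this sample)
        + b"\x00"                       # legacy_session_id: empty
        + _u16(2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                   # compression_methods: null only
        + _u16(len(extensions)) + extensions
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


def client_hello_extensions(record: bytes):
    """Yield (type, body) for every extension in a ClientHello record,
    reading only the fields an on-path observer sees."""
    ct, _ver, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ct != 22 or len(hs) != rlen or hs[:1] != b"\x01":
        raise ValueError("not a complete ClientHello record")
    pos = 4 + 2 + 32                                    # header, version, random
    pos += 1 + hs[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos >= len(hs):
        return                                          # no extensions block
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        yield etype, hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen


def observed_sni(record: bytes) -> Optional[str]:
    """The host_name an eavesdropper reads from the Client Hello, or None."""
    for etype, body in client_hello_extensions(record):
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", body[:2])[0]
        pos, end = 2, 2 + list_len
        while pos + 3 <= end:
            name_type = body[pos]
            nlen = struct.unpack("!H", body[pos + 1:pos + 3])[0]
            if name_type == 0:                          # host_name
                return body[pos + 3:pos + 3 + nlen].decode("ascii")
            pos += 3 + nlen
    return None


def uses_ech(record: bytes) -> bool:
    """True if the Client Hello carries an encrypted_client_hello extension."""
    return any(etype == EXT_ECH for etype, _ in client_hello_extensions(record))


# --- constructed samples ---------------------------------------------------
PLAIN_HELLO = client_hello(server_name_ext("secret-site.example.com"))
ECH_STUB = hashlib.sha256(b"constructed stand-in for ECHClientHello").digest()
ECH_HELLO = client_hello(server_name_ext("public.example.net") + extension(EXT_ECH, ECH_STUB))

if __name__ == "__main__":
    for label, hello in (("no ECH", PLAIN_HELLO), ("with ECH", ECH_HELLO)):
        print(label, "-> observer sees SNI:", observed_sni(hello), "| ECH:", uses_ech(hello))
```

With ECH the real name lives inside the encrypted inner Client Hello; the outer server_name the observer can parse is the shared public name of the fronting provider, so the same parser that recovers "secret-site.example.com" from an ordinary Client Hello yields only "public.example.net" from the ECH one.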
