Wait, let me get this straight... you moved from Cloudflare, because you were worried about the scale of their control of the Internet... and you chose to migrate to... Google, the company that definitively actually controls the Internet, via monopoly-scale shares of search, email, web browsing, and has authored nearly every new Internet protocol specification in the last ten years to subtly make their ads harder to escape?
The protocols Google is redefining to be user hostile are a layer below even infrastructure. The very nature of HTTP and DNS are being rewritten to serve Google's business interests.
Hostile to what? Enterprise middleware that wants to snoop on their users (sure, fair) so they demand entire standards to allow for said snooping? Enterprise users are a small minority of end users.
I guess DNS over HTTPS can be anti-user (even for normal consumers) in the sense that it makes it harder to block ads at the DNS level, but QUIC?
DoH is now being used by malware to covertly communicate with C&C servers, blending in with all the other encrypted traffic routed through Google DNS. QUIC is quite similar in that the goal is to mandate encryption and obscure traffic and content from security devices. The only supposed benefit to consumers is for websites which need to load an excessive amount of ad content and scripts, again, doubling down on their core competencies at the expense of everyone else. HTTP/1 is more than serviceable for any website that isn't, at minimum, shoving ten times more ad content than actual content.
Honestly, I think that's a core misconception Google has managed to sell people on: That enterprise middleware is somehow bad and malicious, as opposed to the ad company that distributes malware as a primary revenue stream which tells you that the middleware that catches it is bad.
If network traffic is on my home network, I have a right to inspect it. If network traffic is on my work's network, my work certainly has a right to inspect it. To be blunt, with some regulatory supervision assumed, if you're using an ISP's network, they absolutely have the right to manage their network. Why in the actual heck did anyone buy Google's narrative that somehow enabling them to convert the Internet into an end-to-end encrypted ad delivery and spyware platform was a good idea?
The marketing acumen to pull that off, now that's legendary.
> If network traffic is on my home network, I have a right to inspect it. If network traffic is on my work's network, my work certainly has a right to inspect it. To be blunt, with some regulatory supervision assumed, if you're using an ISP's network, they absolutely have the right to manage their network. Why in the actual heck did anyone buy Google's narrative that somehow enabling them to convert the Internet into an end-to-end encrypted ad delivery and spyware platform was a good idea?
Because there are quite the number of countries that run massive nation-scale censorship and surveillance campaigns. Google going all-in on encryption of everything, Let's Encrypt being founded - all of that is a direct response to the actions of the US government wiretapping everything including Google's internal datacenter communications and countries like China, Russia and Iran running massive disruption campaigns.
And that doesn't even touch private entities messing with the Internet traffic of their customers - most notably ISPs not just delivering wrong answers on non-existent domains on their own DNS servers to serve ads instead of NXDOMAINs, but going as far as to hijack and rewrite all DNS traffic for that purpose. Or that sniff on DNS requests to sell that data to advertisers (or to the NSA).
And to make it worse, the various "middleboxes" along the Internet placed there by employers forced to comply with dumbass laws, by ISPs doing above-mentioned DPI and manipulation, or by governments of all kind have led to an ossification of Internet protocols because even trivial stuff could lead to issues (remember DCC SEND STARTKEYLOGGER 0 0 0?).
Yes, it is a good thing that Google leads the way in making encryption ubiquitous. Fuck governments, fuck ISPs, fuck everyone who thinks they have a right to intercept, snoop on, track or analyze my communication.
PS: If an employer (or you) wish to inspect traffic, there are many solutions - the most obvious being a private CA root cert to be installed on the client.
Your basic premise here is that the encryption is good because it provides the privacy to do, essentially, ethical crime. That's all well and good, when indeed, we have governments passing bad laws, but the problem is that it both doesn't actually protect your ethical crime effectively, because Google's only doing it so that they can be the sole arbiter of your data, which they happily distribute to governments en masse on request, and enables a massive swath of unethical crime, aka, the large volume of scams and malware that Google directly profits off the distribution of, while being shielded from any liability for.
The whole evil ISPs tampering with your data thing is just "reading too many Jon Brodkin articles on Ars". I used to have an ISP that tampered with web delivery to deliver a piracy notice, and it nearly didn't get noticed at all, because it neither went to the account owner (me), nor the person who did the crime (not me), but went to a different guest at the house (also not me), who thankfully told me about it, leading me to inquire with their office to get an actual copy of their complaint so I could respond with "wasn't me, told that dude not to do stuff on my Wi-Fi". Which is to say, the effect of an ISP doing this is... generally less harmful than Google using protocols to deliver malicious content, and hilariously ineffective even when they employ it.
What scares me a lot more is not just the actively malicious work shipped through Google's various platforms to target society's most vulnerable (usually seniors), but the sheer amount of money that has been dumped around every journalism outlet, activist org, and lobbyist to sell the narrative you just posted, all to protect a trillionaire corporation that watches your every move, and happily provides that information to all of the organizations you're worried about for free while convincing you it's doing you a favor.
In short, screw governments, but screw Google making it hard for me to filter out the traffic that lets them figure out who's visiting abortion clinics, which they are absolutely handing over to the authorities who ask about it.
That’s the sort of crap you end up with when every network operator asserts their “right” to modify traffic.
Don’t get me wrong, I do DNS filtering on my home network and block public DNS-over-HTTPS endpoints, but there is some balance to be had here imo.
Also I would not attribute HTTPS uptake to Google only. A slightly less than trillion dollar organization - Let’s Encrypt - is really imo responsible for making HTTPS as ubiquitous as it is.
Let's Encrypt is just the carrot (and to be clear, Google is not just a top sponsor, but two of Let's Encrypt's other top sponsors are organizations themselves sponsored by Google). Let's Encrypt is not Google but absolutely is downstream from that money flow.
Meanwhile Google itself is the stick. Google has used its policy control over Chrome to effectively mandate using Let's Encrypt, by making using certificates without it a nightmare, and making browser features arbitrarily require HTTPS for no reason other than it pushes more people to do it.
I am not wholly against HTTPS, mind you, I think there's reasonable benefit gains for privacy on balance, but we should definitely be clear that Google and its subsidiaries and sponsored orgs are responsible for the spread, and the reasons for doing so are not goodwill.
DoH, QUIC, and ECH are where it really begins to go "too far", where we're obliterating norms to ensure nobody can tamper with ad delivery. Things like buying gTLDs and putting them in the HSTS preload list, to roll back to why them selling their registrar business is so unusual.
> by making using certificates without it a nightmare
You can still have "classic" certificates - if exchanging certificates is enough of a nightmare that you can't even do it once a year, it's a clear indicator your tech stack is brittle beyond belief and should be updated anyway. Meanwhile if you're using a modern cloud-based stack the provider (e.g. AWS ACM) does the work for you, and acme.sh makes it a breeze on on-prem/bare-metal stacks as well.
> DoH, QUIC, and ECH are where it really begins to go "too far", where we're obliterating norms to ensure nobody can tamper with ad delivery.
What? Browser extensions still exist and DoH doesn't impact whatever you're putting in /etc/hosts, that one works just fine.
Exchanging certificates once a year is... kinda ridiculous in almost every scenario except the one Google envisions when it dictates the Internet, yes. ACME support is making it into enterprise technology, but it'll probably be another five to seven years until it's common. Literally all businesses just have to suffer bull---- processes to cave to "Google felt like doing this, and Google is a monopoly".
And of course, don't worry, Google is ruining ad blocking browser extensions too, for the 70% of users who use their web browser. (This is one of the reasons defenses for Google's behavior so rarely hold... they are attacking users through so many different avenues at once, the justification only holds if you ignore everything else they're currently doing.)
> Exchanging certificates once a year is... kinda ridiculous in almost every scenario except the one Google envisions when it dictates the Internet, yes.
The thing is, if you're doing it right it should not take longer than 5 minutes. It forces people to actually invest in good infrastructure practices rather than build brittle shit that collapses at the first blow. And most of the "enterprise" stuff you're talking about squarely fits into that category.
As said, I'm happy for anything that aims to prevent ossification, simply because of how often I have heard the lines "why invest into something proper when a thrown-together hack lasts us just the same" or "why replace that old Cisco firewall box if it ain't broken yet".
> The whole evil ISPs tampering with your data thing is just "reading too many Jon Brodkin articles on Ars".
No, it's personal experience. German Telekom did this crap by default until 2019, when they finally relented after criminal charges were filed [1], and they were far from the only one - NXDOMAIN abuse was shockingly common for a long time [2], including court-ordered censorship (e.g. The Pirate Bay, but governments liked to do DNS censorship against Twitter and other services too to squash resistance movements).
> What scares me a lot more is not just the actively malicious work shipped through Google's various platforms to target society's most vulnerable (usually seniors), but the sheer amount of money that has been dumped around every journalism outlet, activist org, and lobbyist to sell the narrative you just posted, all to protect a trillionaire corporation that watches your every move, and happily provides that information to all of the organizations you're worried about for free while convincing you it's doing you a favor.
In the end, you will always be fucked over by someone. At least if you're getting fucked by Google, you're not paying money for the privilege of getting fucked.
> In short, screw governments, but screw Google making it hard for me to filter out the traffic that lets them figure out who's visiting abortion clinics, which they are absolutely handing over to the authorities who ask about it.
Agree with you on that one, dragnet surveillance is plain bad. But the fix for that one is to get rid of DeSantis and his Evangelical ilk one way or the other, these laws have impact far beyond Google. It won't take long until some US state makes it a crime to travel to another US state for obtaining an abortion or for someone to transport a pregnant person to another US state for that purpose, so you'll see women essentially being trapped in these states (particularly those unable to afford their own car). Yes, that may be unconstitutional, but it will take years to reach the Supreme Court in the first place and it isn't guaranteed that the SC will block such outrageous crap.
IIRC, custom DNS at CF refers to using your own subdomains as name servers for CF instead of the regular *.ns.cloudflare.com. Basically a form of whitelabelling.
Specifying 3rd party name servers as your domain’s name server was (still is?) not possible with Cloudflare Registrar.
It’s pretty crazy that you can’t set up a custom 3rd party name server. I can’t even transfer my domain from one Cloudflare account to another without transferring my domain to another registrar…
Thank you for this information, I was planning to move my domains.google domains to Cloudflare, but now I think I won't do that. I'll still use Cloudflare, but the inability to use my own NS is a dealbreaker for using Cloudflare as a registrar in my opinion.
Makes sense! That worries me too. I thought it was a new issue with them. Personally I use Porkbun and NameSilo (cheapest .ca domains) and am very happy with both.
In this case specifically, I moved the domain away since they want you to pay extra money to use custom DNS servers.