You are absolutely correct, I should have lead with that. Encrypted client handshake means no one can see what certificate you are trying to request from the remote end of your connection, even your ISP.
However, It’s worth noting though that if I am your ISP and I see you connecting to say public IP 8.8.8.8 over https (443) I don’t need to see the SNI flag to know you’re accessing something at Google.
First, I have a list of IP addresses of known blocked sites, I will just drop any traffic destined to that address, no other magic needed.
Second, if you target an IP that isn’t blocked outright, and I can’t see your SNI flag, I can still try to reverse lookup the IP myself and perform a block on your connection if the returned record matches a restricted pattern, say google.com.
VPN gets around all of these problems, provided you egress somewhere less restrictive.
Yeah, even if they miss your DNS request, the ISP can still do a reverse lookup on the destination IP you’re attempting to connect to and just drop the traffic silently. That is pretty rare though, at least in US, mainly because It costs money to enforce restrictions like that at scale, which means blocking things isn’t profitable. However, slurping up your DNS requests can allow them to feed you false error pages, littered with profitable ads, all under the guies of enforcing copyright protections.
Most ISP blocking is pretty superficial, usually just at the DNS level, you should be fine in the vast majority of cases. While parsing for the SNI flag on the client hello is technically possible, it’s computationally expensive at scale, and generally avoided outside of enterprise networks.
They are individual copies of the Lemmyverse that all sync content with each other. That’s the ‘federation’ part. Some of them are weird and scary places, friend.
You will still be able to use them completely offline after you complete the setup process, it’s in the article. Regardless, I only have a couple devices, so it’ll be pretty painless for me to rip em out.
Yeah, they seem to put a lot of energy into esoteric features, when the app is in serious need of some quality of life improvements. I donate a tiny monthly sum to the project and honestly feel conflicted about how effectively it’s being used.
God damnit. They ruined Viptela, absolutely fucked the licensing model for ThousandEyes, kneecapped OpenDNS, and now this shit. Stop Ciscoing good companies, Cisco!!
Judging by the screenshots, this looks very similar to Portainer. Are they basically the same tool set for different container architectures? Looks pretty interesting.