![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Dreamwidth is a little unusual in giving everyone their own subdomain. Off the top of my head, I can only think of three other sites that do this: Its predecessor (Livejournal), Tumblr, and DeviantArt. There are almost certainly others, but it's uncommon.
Even though all communications to the site are done over a secure connection, so the *contents* of the pages are hidden from your ISP, any government interlopers, nosy parents who have installed spyware on the home router, and people snooping on your use of insecure café WiFi... the domain name you're visiting (here,
That means that within a few minutes of poking around on Dreamwidth, anyone who can watch your internet traffic likely knows 1) who your friends are, and 2) by that token, who *you* are. (If you stick to just your Reading Page, you are not leaking your circle's usernames to any watchers, but you are leaking your own.)
I feel like this is maybe something that could and should be changed, since DW is already a centralized service and doesn't *need* separate domain names. (My social media prototype will *need* it, to some extent, which is a sobering thought.) I don't know if I believe this strongly enough to advocate for it,
Another option is to access DW via Tor! I just fired up TAILS and confirmed that I can log in to Dreamwidth just fine. [3] (No captchas or other nonsense.) Unlinking your home IP from the domain you're visiting (and those domains from each other) in the eyes of someone snooping on network traffic is *precisely* what Tor is for. So regardless of whether DW takes action on this, if this is a privacy issue for you, there is a way you can protect yourself. (Also applies to Tumblr, DeviantArt, etc.)
[1] This first part does not apply for people using experimental DNS-over-HTTPS—only the DNS server can read the request
[2] The Server Name Indication TLS header, which is unencrypted in current versions of TLS. TLS 1.3 allows encrypting it, but that's still being rolled out.
[3] Tor is quite safe to use as long as you're visiting HTTPS websites, which is most sites these days. But advice to heed browser warnings about invalid certificates applies doubly so over Tor. If you ignore those, Tor becomes *less* safe than using the internet directly. So don't. :-)
Even though all communications to the site are done over a secure connection, so the *contents* of the pages are hidden from your ISP, any government interlopers, nosy parents who have installed spyware on the home router, and people snooping on your use of insecure café WiFi... the domain name you're visiting (here,
squirrelitude.dreamwidth.org) is still being broadcast in two ways:- When your computer asks the Domain Name System for the IP address of the site, it sends the domain name out in the clear[1], and the DNS server of course knows what domain you're asking for
- When your computer then connects to that IP address, it mentions the domain name in the initial message to the server[2]
That means that within a few minutes of poking around on Dreamwidth, anyone who can watch your internet traffic likely knows 1) who your friends are, and 2) by that token, who *you* are. (If you stick to just your Reading Page, you are not leaking your circle's usernames to any watchers, but you are leaking your own.)
I feel like this is maybe something that could and should be changed, since DW is already a centralized service and doesn't *need* separate domain names. (My social media prototype will *need* it, to some extent, which is a sobering thought.) I don't know if I believe this strongly enough to advocate for it,
Another option is to access DW via Tor! I just fired up TAILS and confirmed that I can log in to Dreamwidth just fine. [3] (No captchas or other nonsense.) Unlinking your home IP from the domain you're visiting (and those domains from each other) in the eyes of someone snooping on network traffic is *precisely* what Tor is for. So regardless of whether DW takes action on this, if this is a privacy issue for you, there is a way you can protect yourself. (Also applies to Tumblr, DeviantArt, etc.)
[1] This first part does not apply for people using experimental DNS-over-HTTPS—only the DNS server can read the request
[2] The Server Name Indication TLS header, which is unencrypted in current versions of TLS. TLS 1.3 allows encrypting it, but that's still being rolled out.
[3] Tor is quite safe to use as long as you're visiting HTTPS websites, which is most sites these days. But advice to heed browser warnings about invalid certificates applies doubly so over Tor. If you ignore those, Tor becomes *less* safe than using the internet directly. So don't. :-)
