Sorry to reply to my own comment, but I have to correct some assumptions I made:

TLS 1.3 appears to (optionally?) encrypt certificates so that they're no longer sent in the clear, and eSNI (encrypted SNI) is an available extension.

So if you're using TLS 1.3 and the appropriate options, then yes the only thing your ISP will have to go on is the IP address. That may be good enough for accessing a lot of sites, but not every website lives on one of the big cloud hosting providers.

Fire up wireshark on port 443 and see if you can figure out where your browser is taking you.

From just opening a new tab on FF, I can see that it's making an HTTPS request to 'snippets.cdn.mozilla.net' (as specified in the 'Client Hello' TLS message under the server name extension). And I didn't need to break the encryption or anything - this is part of the handshake before encryption begins.

Maybe TLS 1.3 starts encryption earlier. If not, maybe later versions will. But at the moment, it's trivial to see who's connecting to what even without sniffing or controlling the DNS servers.

It's baffling to me how people (who aren't Goog or Moz) think that DoH is in any way beneficial. (aside from protection from eavesdropping)

The entire point is to redirect and encrypt DNS requests so they can't be mined by your ISP. Thus, your privacy is protected from them. Except, it just moves the privacy problem from one name-services provider to another.

If I can't trust my ISP to not exploit my DNS request data (which, for the record, I can't) why the f*$# should I trust my browser maker instead?

And even if DoH (or some other form of encrypted DNS) works and I can trust my chosen provider, my ISP would still be able to track where I go - Either by sniffing SNI and certificates during the HTTPS handshake (which, as of current TLS versions, are sent in the clear before encryption begins) or ultimately doing a reverse lookup on IP addresses.

As has been mentioned elsewhere in this thread, the only way to get actual privacy here is to use Tor - which comes with its own gotchas.

I believe that's what's known in AI as an "Expert System".
You ask an "Expert" what they'd do in a bunch of situations, and encode their responses in a laundry list of IF ... THEN statements.

dd if=/dev/random status=none bs=24 count=1 | base64

This should produce passwords accepted by the majority of sites, and should be about as secure as your random number generator and password management system. Tack on characters as the site requires. You may substitute your RNG of choice, and adjust length to your liking (protip: use a length that's a multiple of 6 to avoid getting extra =s' at the end of the encoding). Dropping the status=none saves you typing, but you have to pick out the password from the resulting jumble of output.

Mod Parent up please. There is too much conflation between "anonymous" ("without name") and "Anonymous" (the group). It seems some group has taken the name "Anonymous" and used it to further their own ends - losing their own anonymity in the process, and destroying the term for everyone else.

Incidentally, this whole thing bears a striking resemblance to The Laughing Man (Ghost in the Shell:SAC). In the show, there only ever was one Laughing Man, and he only ever did one thing in the public eye. Afterward, there were many copycats claiming to be "The Laughing Man," even though the original never referred to himself as such.

They've taken what was the default username on 4chan, and turned it into an activist group - losing whatever meaning it had in the first place. It is no longer "everyone and no one." It's just a bunch of street punks on the Internet.