dns-blocklists VS AMDSEV

Please anybody using public wifi networks, protect yourself as much as possible. You can use encrypted dns on all of your devices. iPhone / Mac users download one of the profiles. Android users : choose the dns blocking level you want and enter the corresponding address in “private dns” on most Android devices in the network settings. My preference is dns over tls but dns over https is good too. TLS is just one additional layer of encryption. (Encrypts packets between your device and router) or just use a vpn or both.

Mullvad encrypted DNS is also available to all - whether paying for VPN services or not.

In addition they also support optional content blocking[1] via blocklists, just set the desired TLS/HTTPS DNS server.

[1] https://github.com/mullvad/dns-blocklists

Option for ads and tracker block DNS: 1. https://github.com/mullvad/dns-blocklists 2. https://nextdns.io 3. https://adguard-dns.io/en/public-dns.html

Not sure isit helpful, you can checkout mullvad dns https://github.com/mullvad/dns-blocklists or nextdns. They do offer free dns and block ads on dns level

I found that 100.64.0.31 is good, I got it from here

You can find more info here https://github.com/mullvad/dns-blocklists

I use Mullvad's adblock DNS and it works fine. Just go to 'Advanced' and under DNS put in the DNS combination you want from their list at https://github.com/mullvad/dns-blocklists

Okay, if we are switching the topic now to AMD's memory encryption, I'll bite, too.

First: Only Ryzen PRO or EPYC models support it, which kind of kicks out all mobile or laptop systems already. Then, only Zen3 CPUs work, because previous generations have a boot freeze bug, which wasn't fixed and upstream linux 5.15 as a result disabled the mem encrypt flag by default.

Second: Before you switch topic to SEV, that's only supported for EPYC models, see here [2]

Regarding attacks: At least AMD had an injection attack problem where SEV in EPYC 7xxx and 3xxx processors was confirmed to be affected without AMD confirming the vulnerability (yet...). It was a master thesis iirc from a guy in luebeck.

There are also known sidechannel attacks which void RAM encryption in practice, like Hertzbleed which used frequency scaling to decrypt ECDSA and PIKE SIDH (which is meanwhile known to be unsecure, at least for PIKE). [3]

Google also did an audit on Intel's TDX where they found bugs in loop boundaries, off by one errors and similar feasible attack methods (which haven't been published as a PoC yet, so I grant you that). [4]

So I would still argue that with these very narrow set of available processors (Intel Pro 13th generation for TME and EPYC 7xxx that have both SME and SEV) is highly limited in its availability and also not available for laptop hardware due to them being server CPUs.

Additionally there's been a lot of attack surfaces that have been proven to have access to SME or SEV stored keys in the CPU and there have been other sidechannel attacks which conceptionally are very unlikely to be fixed anytime soon.

So I would still argue that memory encryption in practice is unreliable.

[1] https://lists.freedesktop.org/archives/amd-gfx/2021-October/...

[2] https://github.com/AMDESE/AMDSEV/issues/1

[3] https://www.hertzbleed.com/

[4] https://services.google.com/fh/files/misc/intel_tdx_-_full_r...

Edit: found the AMD injection attack thesis:

[01] https://www.its.uni-luebeck.de/fileadmin/files/theses/MA_Luc...

Another attack on SEV, which was confirmed by others since the USENIX conference. Both of the techniques rely heavily on pattern matching to find the decryption oracles though, and around 16 bytes for their OpenSSH demonstrations.

[02] https://www.its.uni-luebeck.de/fileadmin/files/theses/MA_Luc...

[02]