DNS over HTTPS (DoH), backed by Google, Mozilla, and Cloudflare, is about to make web surveillance a lot more difficult.
DNS over HTTPS (and its close relative DNS over TLS, or DoT) makes this kind of surveillance impossible because it encrypts DNS requests, which are normally sent in the clear; hence the panic reported in a recent Sunday Times article (paywall).
For more detail on how DoH/DoT works, read our previous coverage on the topic. The takeaway, however, is that Britain’s National Cyber Security Centre (NCSC), and probably the US Government think its unexpectedly rapid evolution imperils the monitoring of terrorism and other illegal content.
Big ISPs also worry it will interfere with complex Content Delivery Network (CDN) traffic caching, make customer management through support and captive portals difficult, and leave them fielding calls from unhappy customers when the third-party DNS servers offering DoH fall over.
DoH’s sudden rise
Filter out the hysteria and what you’re left with is a technological conflict between ISPs, which have traditionally controlled the first leg of every internet connection, and companies that control the software sitting on devices: primarily Google, but also privacy-promoting companies such as Cloudflare and its partner Mozilla.
Today, users connect to the internet by paying an ISP for a connection. In effect, under DNS over HTTPS, they will then establish a second DNS connection to servers run by companies such as Google and Cloudflare to make web browsing private.
It’s come to a head now because Google is in the process of implementing DoH as part of its public DNS service (8.8.8.8/8.8.4.4), which will at some point be supported in the world’s most popular browser, Chrome, and is already supported in Android 9 (it has been possible for some time on older Android versions by using Google’s Intra app).
Mozilla, meanwhile, has identical plans for Firefox, implemented via Cloudflare’s 1.1.1.1 service, which Mozilla is still testing; Cloudflare itself released a dedicated Android/iOS app last year.
Currently, if a government agency wants to know which sites you’ve been visiting they can ask an ISP. In theory, under DoH they could do the same by asking Google, Cloudflare or Mozilla.
Unfortunately, the problem isn’t simply whether those companies would agree to comply, but whether they could even if they wanted to.
For example, Cloudflare has previously said it only logs DNS requests for 24 hours and plans to prove that with a public audit of its behavior run by KPMG. Compare that to ISPs which in many countries now collect domain data for up to a year.
Here to stay?
It should have been obvious that something like DoH was coming since a slew of proposed technologies for encrypting DNS requests started gathering momentum in 2017. Last October, the IETF formally adopted DoH (aka RFC 8484) as the simplest route for this to happen quickly.
Not everyone was happy with this for architectural reasons, not least because it places a lot of trust in the resolver, principally Google, Cloudflare and anyone else who adopts it.
Hitherto, the internet has been built as a compromise between what the user could do and what the service provider would let them do. DoH, some claim, upsets this balance.
The counter-argument is that too many ISPs and governments have lazily used DNS as a quick surveillance fix, for legal, political but also commercial reasons.