ISPs Lied To Congress To Spread Confusion About Encrypted DNS, Mozilla Says (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome. The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies." DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.
"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote. This part of Erwin's letter referred to an Ars article in which we examined the ISPs' claims, which center largely around Google's plans for Chrome. The broadband industry claimed that Google plans to automatically switch Chrome users to its own DNS service, but that's not what Google says it is doing. Google's publicly announced plan is to "check if the user's current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider." If the user-selected DNS service is not on that list, Chrome would make no changes for that user.
Re: (Score:1)
Once one company becomes the gatekeeper to the "internet" they can try more censorship again.
It's more difficult to find a site if the browser tech never allows that site to be searched, found, linked...
Back to the role of the good censor responding to their own political users...
As was done in the past due to a brands own internal feelings and ideas about how they s
Re: (Score:1)
A user can change ISP
Ha! That's a good one, tell me another!
Re: (Score:2)
Re:Browser Makers Are a Proven Threat (Score:5, Insightful)
When did Mozilla or Google block Gab?
Or do you not know the difference between blocking access to a web site and blocking an extension?
It Was Dissenter (Score:2)
Re: (Score:1)
Wow, that's a lot of wrong packed into one creepy sentence.
Mozilla did block Gab's extension merely because Gab refuses to make a habit of censoring people's words on the Internet. There is no reason to believe once they have the power to wield similar power via DNS that they will not do so. In fact, I'm quite sure controlling access is the specific goal of this effort. The backlash would be too great if they just rolled out this feature complete with blocking access to Web sites that Mozilla employees feel you shouldn't be allowed to read, but it will come. They'l
Re: (Score:1)
Like all far right supporters, you've made it clear the only type of censorship you hate is the type that's directed at you, directed at others though and you think that's fine.
I'll send you $10 worth of bitcoin if you can come up with a single example of "right wing" censorship in the United States.
It is no lie though, that it highjacks your DNS to (Score:4, Insightful)
So instead of our ISPs highjacking our DNS, it is now only Mozilla and Google highjacking our DNS.
Because those two are such beacons of neutrality and privacy... /s
Also, let's not forget the elephant in the room: Their obsession with making ALL the things "web".
DNS with TLS encryption would be the obvious option, even with forced CAs being a blatant gap in the logic right there, due to the lack of prevalence of true web-of-trust solutions.
But noo ... It HAS to be HTTP. ... Why not go straight to JSON-SOAP-with-XSLT-over WebSockets, melting all their nightmare creations into one?
Re:It is no lie though, that it highjacks your DNS (Score:4, Interesting)
Trust but verify (Score:2)
ironically there is a Russian proverb: TRUST BUT VERIFY
NONE of the browsers verify the answers they are getting
while not perfect, DNSSEC would go a LONG way to help this conversation, and both Mozilla and Google should implement it if they are implementing resolvers within their browsers, allowing the users to VERIFY the ANSWERS they are getting
it really is that simple
Re: (Score:2)
I don't. All the big ISPs in the UK censor via DNS. They all do logging too, keeping it for 2 years as required by law. Cloudflare/Google isn't an ISP so there is no such legal requirement.
The other reason Cloudflare/Google are more trustworthy is that Cloudflare/Google can't trivially link your DNS queries to your billing details. Your ISP knows who you are and knows what IP address they assigned to you at what time. Google may be able to infer some of that if you are logged in to their service, but not Cl
Re: (Score:2)
So instead of our ISPs highjacking our DNS, it is now only Mozilla and Google highjacking our DNS.
Mozilla is sending everything to Cloudflare by default, that's sleazy. But Google sends the traffic to your ISP by default, even if they don't run a DoH service. It falls back to your ISP's DNS.
DNS with TLS encryption would be the obvious option,
...except that it wouldn't help with the cases where ISPs hijack your attempts to connect to external DNS.
Re:It is no lie though, that it highjacks your DNS (Score:5, Informative)
Google's solution checks if your CURRENT DNS provider provides the encryption service. If it does, it upgrades you to the encrypted version of your CURRENT DNS provider's service. If your DNS provider doesn't provide encryption, Google does nothing. How is this hijacking your DNS?
Re: (Score:2)
How is it any of Google's business? Why do they care?
Re: (Score:2)
They wrote the browser that their users want to be secure, rather than spilling the details of their browsing history to their ISP. That's how it's their business and why they care.
Re: (Score:2)
As with other services, once you start they can make the changes as they wish. Android is a perfect example where the users' choices are restricted by what Google wants rather than what the user wants. Slowly the service changes and options are removed. Call recording is no longer an option but advertising ID is, or rather the requirement of one.
Re:It is no lie though, that it highjacks your DNS (Score:4, Informative)
Yeah, except for the fact that they are hijacking nothing. They don't switch from the provider's DNS unless the user himself changes it - which has always been possible. If they include a setting where you can manually choose one of the alternative DNS providers, that's got nothing to do with hijacking anything.
When any browser (except Tor Browser) starts using another DNS without user knowledge, then we can talk. Until that this is unfounded FUD.
Re: (Score:3)
Yeah, except that's exactly what Mozilla is doing - they are changing Firefox to send all DNS requests to Cloudflare unless you opt out.
Re: (Score:3)
It's still not hijacking because they ask the user before making the change. There is a pop-up that asks if you want it or not. Hijacking implies doing it against the user's will.
Re: (Score:2)
So instead of our ISPs highjacking our DNS, it is now only Mozilla and Google highjacking our DNS.
This is a lie you were corrected about before.
DoH is browser specific, so it can in no way affect your system DNS.
Google and Mozilla have no need to care about your browser's DNS when every letter you type in the address bar is sent back to them in real time right now and has been that way for 10 years.
ISPs lied to congress (Score:2)
I don't believe it
Comment removed (Score:5, Interesting)
Re: (Score:3)
This has nothing to do with anything. It's pure trolling and FUD.
Re: (Score:1)
Re: (Score:2)
What, the capability to switch to DNS with secured connection? Because the ability to switch DNS servers has been there for ages - is it not actually good that a secure version of the protocol is implemented?
Re: (Score:2)
Lying to Congress is illegal though.
Re: (Score:2)
Only if you do it under oath. If you do it through lobbyists and unsolicited submissions of information, it's business as usual.
Re: (Score:2)
The nature of DNS means you have to trust somebody. I'll trust a random stranger more than I trust Google.
The silliness of DoH (Score:3)
Re: (Score:2)
Dunno, I don't use either nor my ISP's DNS. There are several options out there.
How about playing the 'Muh Russia' card? (Score:2)
Re: (Score:1)
Pretending to be a mentally ill boot-licker isn't making you stand out from the Slashdot crowd quite as much as you thought it would, is it? Maybe going on Facebook and pretending to be a dumb fucking boomer will get you noticed?
It *IS* what Mozilla says its doing (Score:3, Interesting)
During the last two years, Mozilla, in partnership with other industry stakeholders, has worked to develop, standardize, and deploy DoH, a critical security improvement to the underlying architecture of the internet.
This is a lie. DoH is nothing approaching a "critical security improvement" or any substantive "security" improvement of any kind. It's simply a tunnel that terminates D.N.S resolution at a different location on the same insecure network using the same untrustworthy D.N.S protocols as everyone else to actually perform resolution.
Providers sold the real-time location data of their mobile broadband customers to third parties without user knowledge or meaningful consent.2 In one particular case, an intermediary was found to be selling particularly sensitive GPS data, which can pinpoint the location of users within a building, for over five years.
Some ISPs are evil. The vast majority of big content is evil incarnate. Google reads your emails and tracks your location 24x7. Facebook broke a record for having to pay the largest privacy related fine in US history. Hundreds of millions of people are being stalked by literally hundreds of sleazy big data firms as they move from website to website.
If the question is who I trust more, my local ISP or the D.N.S provider of my choice vs. a single publicly traded corporation with access to hundreds of millions of users' browsing history, the answer is easy. I trust my ISP or D.N.S provider more.
Mozilla's policy establishes strict requirements for potential Firefox DNS resolvers, including requiring that data only be retained for as long as is necessary to operate the resolver service, that data only be used for the purpose of operating that service, and that partners maintain a privacy notice specifically for the resolver that publicly attests to data collection and policies
Where can I read Cloudflare's legally binding DoH privacy policy? The only document I know of that speaks to this in any way is a single BLOG POST.
The privacy policy for 1.1.1.1 DNS service does not limit usage to what is necessary to operate the service unless you believe that "Process and deliver contest or sweepstakes entries and rewards;", "Monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes;" and "Send commercial communications" is required to operate the service.
Our approach with DoH attempts to close part of this regulatory gap through technology and strong legal protections for user privacy.
Worth re-iterating: not even ****GOOGLE**** is publicly contemplating doing what Mozilla is doing with this egregious insane bid to centralize control over D.N.S resolution for hundreds of millions of users.
Re: (Score:2)
I mean cloudflare has their privacy policy posted, you can read it, instead of just assuming what it is:
https://www.cloudflare.com/pri... [cloudflare.com]
Public Resolver Users:
We will collect limited DNS query data that is sent to the resolvers. This data does not contain user IP addresses or any other personally identifiable information, and the bulk of the limited query data is only stored for 24 hours. You can learn more about our 1.1.1.1 Public Resolver commitment to privacy here and here. Our data handling practices for our 1.1.1.1 Mobile Application are somewhat different and are described here.
Re: (Score:2)
I mean cloudflare has their privacy policy posted, you can read it, instead of just assuming what it is:
Good grief. Seriously I f****ing quoted it in my post.
Re: (Score:1)
I mean cloudflare has their privacy policy posted, you can read it, instead of just assuming what it is:
It's not legally binding. They can violate it with no repercussions. As such, it has no meaning.
Comment removed (Score:4, Interesting)
Re: (Score:1)
But it's a Cloudflare post, hosted and posted by Cloudflare. It is legally binding.
What law or case law specifically binds online service providers to honor the promises made in their official blog posts?
Re: (Score:2)
This is a lie. DoH hides D.N.S queries from your ISP by encrypting them, passing it on to a trusted third party who will typically have little incentive to record them. The fact the third party makes the D.N.S queries in the same way as you would have done had you not had DoH doesn't mean that your D.N.S queries can now be snooped upon by your ISP.
You are talking about privacy not security. The text I explicitly cited in my response was "critical security improvement" and was therefore limited to security context. D.N.S provides untrustworthy resolution of names to untrustworthy network identifiers. Even if D.N.S were 100% accurate, private and available it still wouldn't constitute a critical security improvement anymore than asking a liar if they are telling the truth constitutes reliable information.
This is why all secure systems are designed t
Re: (Score:2)
This is a lie. DoH is nothing approaching a "critical security improvement" or any substantive "security" improvement of any kind. It's simply a tunnel that terminates D.N.S resolution at a different location on the same insecure network using the same untrustworthy D.N.S protocols as everyone else to actually perform resolution.
This is a lie. DoH separates DNS lookups from your ISP, making it much harder for them to monitor which websites you visit because all they see are encrypted HTTPS connections to IP addresses that likely serve a number of different domains. Often just a CDN. Therefore it's a major security improvement because it prevents your ISP, who knows who you are thanks to billing details and the need to provide a physical connection to your house, from matching your identity to times and dates of website visits.
Re: (Score:1)
This is a lie. DoH separates DNS lookups from your ISP, making it much harder for them to monitor which websites you visit because all they see are encrypted HTTPS connections to IP addresses that likely serve a number of different domains. Often just a CDN. Therefore it's a major security improvement because it prevents your ISP, who knows who you are thanks to billing details and the need to provide a physical connection to your house, from matching your identity to times and dates of website visits.
Please explain how moving all Firefox users' browsing habits from dozens of separate ISPs into one central repository of information improves security. Your whole argument rests on the assumption that Mozilla and/or Cloudflare are not nefarious actors and that they never will be. What is the basis of your assumption?
Re: (Score:2)
Your whole argument rests on the assumption that Mozilla and/or Cloudflare are not nefarious actors and that they never will be.
No, it rests on the fact that seeing DNS requests from IP addresses isn't nearly as bad as an ISP seeing DNS requests from a known individual's account for which they have name, address and possibly TV viewing and phone usage data.
Can you see the difference between
"123.456.789.526 looked up ford.com at 15:37"
and
"Joe Bloggs of 123 Arcacia Avenue, Metro City, XY, looked up ford.com 9 seconds after viewing a Ford TV commercial and the ATV network, and here's a link to his credit report and a vast database of information on him we gathered from other sources"
Re: (Score:2)
No, it rests on the fact that seeing DNS requests from IP addresses isn't nearly as bad as an ISP seeing DNS requests from a known individual's account for which they have name, address and possibly TV viewing and phone usage data.
Can you see the difference between
"123.456.789.526 looked up ford.com at 15:37"
and
"Joe Bloggs of 123 Arcacia Avenue, Metro City, XY, looked up ford.com 9 seconds after viewing a Ford TV commercial and the ATV network, and here's a link to his credit report and a vast database of information on him we gathered from other sources"
When Mozilla throws the switch people currently protected by DNS filtering services will be unnecessarily exposed without warning.
Evil ISPs will either bypass DoH via the provided canary domain mechanism or they will simply collect the same data from the SNI field of the first data packet of each new flow. It costs more to store the data than it does to extract it.
Most important of all this will expose hundreds of millions of users to an entirely new vector to have their entire browsing history exposed to a single centra
Re: (Score:2)
This is a lie. DoH separates DNS lookups from your ISP, making it much harder for them to monitor which websites you visit because all they see are encrypted HTTPS connections to IP addresses that likely server a number of different domains.
Again like the other guy you are confusing privacy and security. I was explicitly responding to security based language "critical security improvement" while you are talking exclusively about privacy related issues not security.
As a separate matter the privacy arguments ring a bit hollow considering present day facts:
1. Any ISP doing these things could assert a canary domain that disables DoH or block access to DoH servers.
2. Any ISP can inspect the first data packet after TCP session is established to get
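The thread argues over three different deployment rules: Chrome's announced "upgrade only to the same provider's DoH service", Firefox's fixed default resolver unless the user opts out, and the canary domain a network operator can assert to keep application-level DoH off. The following is an added example (not code from Mozilla, Google or the Ars article) that models those three rules side by side so a network administrator can reason about where a browser's queries actually go. The resolver-to-DoH table, the canary domain name `use-application-dns.net` and the Firefox default endpoint are assumptions stated in the comments, not values taken from the page; the scenarios are constructed.

```python
from typing import Callable, Optional

# Constructed illustration of the same-provider upgrade table described in the
# thread ("upgrade to the equivalent DoH service from the same provider").
# Keys are well-known public resolver addresses; the DoH URLs are the providers'
# published endpoints, included as an assumption rather than taken from the page.
SAME_PROVIDER_DOH = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}

# Mozilla's published canary name (assumed here; the thread only says "canary
# domain mechanism"). A network that answers this name with NXDOMAIN or with no
# address records signals that the browser's own DoH default should stay off.
CANARY_DOMAIN = "use-application-dns.net"

# Firefox's default trusted resolver, assumed here from Mozilla's announcements.
FIREFOX_DEFAULT_TRR = "https://mozilla.cloudflare-dns.com/dns-query"

# A resolver stand-in: name -> list of address strings ([] means NXDOMAIN/no records).
Resolver = Callable[[str], list]


def chrome_style_upgrade(system_resolver: str) -> Optional[str]:
    """Chrome's announced rule: upgrade only when the resolver the user already
    configured has a DoH equivalent; otherwise leave DNS untouched (None)."""
    return SAME_PROVIDER_DOH.get(system_resolver)


def firefox_style_default(lookup: Resolver, opted_out: bool) -> Optional[str]:
    """Firefox-style rule as debated above: a fixed default DoH provider unless
    the user opted out or the network operator asserted the canary domain."""
    if opted_out:
        return None
    if not lookup(CANARY_DOMAIN):
        return None  # operator answered the canary with NXDOMAIN / no records
    return FIREFOX_DEFAULT_TRR


def query_destination(browser: str, system_resolver: str,
                      lookup: Resolver, opted_out: bool = False) -> str:
    """Describe who ends up answering this browser's DNS queries under each policy."""
    if browser == "chrome":
        endpoint = chrome_style_upgrade(system_resolver)
    elif browser == "firefox":
        endpoint = firefox_style_default(lookup, opted_out)
    else:
        raise ValueError(f"unknown browser policy: {browser}")
    return endpoint if endpoint else f"classic DNS via {system_resolver}"


def make_lookup(records: dict) -> Resolver:
    """Build an offline stand-in for the system resolver from a constructed
    zone table, so the canary check runs without network access."""
    return lambda name: list(records.get(name, []))


if __name__ == "__main__":
    # Constructed scenarios: a home network using the ISP's resolver, with and
    # without the operator asserting the canary domain.
    isp_resolver = "192.0.2.53"  # RFC 5737 documentation address
    normal_net = make_lookup({CANARY_DOMAIN: ["192.0.2.1"]})
    opted_out_net = make_lookup({})  # canary name returns no records
    print("chrome / ISP resolver  :", query_destination("chrome", isp_resolver, normal_net))
    print("chrome / 1.1.1.1       :", query_destination("chrome", "1.1.1.1", normal_net))
    print("firefox / normal net   :", query_destination("firefox", isp_resolver, normal_net))
    print("firefox / canary set   :", query_destination("firefox", isp_resolver, opted_out_net))
```

The asymmetry the thread keeps circling is visible in the two policy functions: under the Chrome rule a user on an ISP resolver with no DoH endpoint stays exactly where they were, while under the Firefox rule the same user is moved to the default provider unless either the user or the network operator has said otherwise.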
All about the revenue (Score:3)
The real reason the ISPs don't want this is because of revenue. Most ISPs in the US have "enhanced DNS pages" that serve you ads instead of a 404 if you search for a nonexistent URL. At the same time, they double-dip by selling your information. Sure, people can go to Cloudflare or Google but most won't.
Breaks Geofiltering? (Score:2)
My org subscribes to a geofiltering service that blocks all of Europe based on IP address. I'm guessing this will break that and my users won't be protected from clicking links that they shouldn't.
Re: (Score:2)
If you're identifying links that users shouldn't click by whether the link IP address geolocates to Europe, you deserve to have that incompetent system broken. The same threats can obtain hosting from anywhere on the planet, and in fact do so.
Of course, since Google will not be changing DNS settings except to a Do
Re: (Score:2)
The org went from five ransomware outbreaks in a six month span to zero in five years after enabling that single licensed feature in their Sonicwalls. Very cost-effective. In the real world every dollar matters.
Let me guess, this rural town with 15 employees should spend $500k on equipment and hire another 15 people to administer it.
But please, don't let any of that stop you from pontificating.
Re: (Score:2)
I've got an awesome tiger-repelling rock to sell your rural town as well. Very cost-effective.
BTW, unless your Sonicwalls support DoH Google won't change Chrome's DNS behavior, and for Mozilla, if you're relying solely upon Sonicwall's DNS proxy rather than filtering traffic by IP then your security protocol is even more incompetent than initially advertised.
OSS Revenue Stream (Score:1)
If the encrypted DNS debate is about 90% shifting funds and 10% privacy, we can definitely do better.
Bye, Felicia (Score:1)
Re: (Score:1)
What the fuck can they do about it?
Make Firefox even less relevant than it already is, thanks to Mozilla's chutzpah.
What's the point (Score:1)
After my Firefox gets the IP address of the site I want to visit, completely in the dark for the ISP (where I trust mine roughly as much as Mozilla, meaning way more than Google and similar), it will then do a request for https data from that site, where it will be plain to my ISP which one it is, or they wouldn't be able to route the packets back to me. Or does reverse DNS not work for ISPs?
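Two comments above make the same point from opposite sides: even with DNS encrypted, the hostname travels in the clear in the SNI field of the first packet of each TLS connection, so an on-path observer does not need reverse DNS to learn which site is being visited. The following is an added example, not code from the page or from any of the projects discussed, that builds a minimal ClientHello (constructed sample input, not a capture) and then parses the SNI back out of it the way a passive network monitor would; the `observed_hostnames` helper and the sample flows are constructed for illustration.

```python
import struct
from typing import List, Optional, Tuple


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample input).
    With hostname=None the extensions block is omitted entirely, which models
    a client that sends no SNI at all."""
    body = (
        b"\x03\x03"                 # legacy client_version (TLS 1.2 wire value)
        + bytes(32)                 # random, zeroed in this sample
        + b"\x00"                   # session_id: empty
        + _u16(2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression_methods: null only
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_entry = b"\x00" + _u16(len(name)) + name   # NameType host_name(0)
        sni_ext_body = _u16(len(sni_entry)) + sni_entry  # ServerNameList
        ext = _u16(0x0000) + _u16(len(sni_ext_body)) + sni_ext_body  # type server_name
        body += _u16(len(ext)) + ext
    handshake = b"\x01" + _u24(len(body)) + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake


def extract_sni(packet: bytes) -> Optional[str]:
    """Return the SNI host name carried by a TLS ClientHello record, or None if
    the packet is not a ClientHello, carries no SNI, or is malformed."""
    if len(packet) < 5 or packet[0] != 0x16:
        return None                                     # not a handshake record
    rec_len = struct.unpack("!H", packet[3:5])[0]
    hs = packet[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                     # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                    # skip version + random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        if pos + 2 > len(body):
            return None                                 # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            p = 2                                       # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def observed_hostnames(flows: List[Tuple[str, bytes]]) -> List[Tuple[str, Optional[str]]]:
    """What a passive on-path observer learns from the first packet of each flow:
    the destination IP plus whatever SNI is in the clear. DNS encryption does
    not change this view at all."""
    return [(dst_ip, extract_sni(first_packet)) for dst_ip, first_packet in flows]


if __name__ == "__main__":
    # Constructed flows to RFC 5737 documentation addresses.
    sample_flows = [
        ("192.0.2.10", build_client_hello("ford.com")),
        ("192.0.2.10", build_client_hello("example.net")),   # same CDN IP, other site
        ("192.0.2.20", build_client_hello(None)),            # client sent no SNI
        ("192.0.2.30", b"\x17\x03\x03\x00\x01\x00"),         # application data, not a hello
    ]
    for dst, host in observed_hostnames(sample_flows):
        print(f"{dst:<12} -> {host if host else '(no SNI visible)'}")
```

The second and third flows show both halves of the argument in the thread: a shared CDN address tells the observer nothing by itself, but the SNI sent to that address does, so hiding DNS alone leaves the hostname exposed until the connection also uses Encrypted Client Hello, the TLS extension designed to close exactly this gap.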