
ISPs Lied To Congress To Spread Confusion About Encrypted DNS, Mozilla Says (arstechnica.com) 70

An anonymous reader quotes a report from Ars Technica: Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome. The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies." DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote. This part of Erwin's letter referred to an Ars article in which we examined the ISPs' claims, which center largely around Google's plans for Chrome. The broadband industry claimed that Google plans to automatically switch Chrome users to its own DNS service, but that's not what Google says it is doing. Google's publicly announced plan is to "check if the user's current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider." If the user-selected DNS service is not on that list, Chrome would make no changes for that user.
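
The same-provider upgrade rule described in the summary can be modelled for a resolver audit. This is an added example, not code from Chrome, Google or the article: the mapping table is a small illustrative sample rather than Chrome's actual list, and the resolv.conf text and function names are constructed for the illustration.

```python
import ipaddress

# Illustrative sample only, NOT Chrome's real provider list:
# classic resolver address -> (provider, that same provider's DoH endpoint).
_SAMPLE_TABLE = {
    "8.8.8.8": ("Google Public DNS", "https://dns.google/dns-query"),
    "8.8.4.4": ("Google Public DNS", "https://dns.google/dns-query"),
    "2001:4860:4860::8888": ("Google Public DNS", "https://dns.google/dns-query"),
    "1.1.1.1": ("Cloudflare", "https://cloudflare-dns.com/dns-query"),
    "1.0.0.1": ("Cloudflare", "https://cloudflare-dns.com/dns-query"),
    "9.9.9.9": ("Quad9", "https://dns.quad9.net/dns-query"),
}
# Key on parsed addresses so differently written IPv6 forms compare equal.
DOH_TABLE = {ipaddress.ip_address(k): v for k, v in _SAMPLE_TABLE.items()}

# Constructed sample input (192.0.2.0/24 is a documentation range).
CONSTRUCTED_RESOLV_CONF = """\
# constructed sample for the example
search example.net
nameserver 192.0.2.53        ; stand-in for an ISP resolver
nameserver 8.8.8.8
nameserver 2001:4860:4860:0:0:0:0:8888
nameserver not-an-ip
"""


def parse_nameservers(text):
    """Return the resolver addresses configured in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        for marker in "#;":                      # drop comments
            line = line.split(marker, 1)[0]
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            # Strip an IPv6 zone id such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue                             # malformed entry: ignore it
    return servers


def plan_upgrade(text):
    """For each configured resolver, report the same-provider DoH endpoint.

    A resolver that is not in the table gets doh_url=None: under the rule
    described above, nothing changes for that user.
    """
    plan = []
    for addr in parse_nameservers(text):
        provider, url = DOH_TABLE.get(addr, (None, None))
        plan.append({"resolver": str(addr), "provider": provider, "doh_url": url})
    return plan


if __name__ == "__main__":
    for entry in plan_upgrade(CONSTRUCTED_RESOLV_CONF):
        print(entry)
```

Run over an inventory of client resolver settings, the output separates hosts whose lookups would move to an encrypted channel with the same provider from hosts that stay on plain DNS.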

  • by BAReFO0t ( 6240524 ) on Monday November 04, 2019 @05:13PM (#59380896)

    So instead of our ISPs highjacking our DNS, it is now only Mozilla and Google highjacking our DNS.

    Because those two are such beacons of neutrality and privacy... /s

    Also, let's not forget the elephant in the room: Their obsession with making ALL the things "web".

    DNS with TLS encryption would be the obvious option, even with forced CAs being a blatant gap in the logic right there, due to the lack of prevalence of true web-of-trust solutions.

    But noo ... It HAS to be HTTP. ... Why not go straight to JSON-SOAP-with-XSLT-over WebSockets, melting all their nightmare creations into one?

    • by Rockoon ( 1252108 ) on Monday November 04, 2019 @05:33PM (#59380982)
      I trust my ISP with my DNS lookups more than I trust Google and its multi-national bending-over-for-them concerns. Full stop.
      • ironically there is a Russian proverb: TRUST BUT VERIFY

        NONE of the browsers verify the answers they are getting

        while not perfect DNSSEC would go a LONG way to help this conversation and both Mozilla and Google should implement it if they are implementing resolvers within their browsers allowing the users to VERIFY the ANSWERS they are getting

        it really is that simple

      • by AmiMoJo ( 196126 )

        I don't. All the big ISPs in the UK censor via DNS. They all do logging too, keeping it for 2 years as required by law. Cloudflare/Google isn't an ISP so there is no such legal requirement.

        The other reason Cloudflare/Google are more trustworthy is that Cloudflare/Google can't trivially link your DNS queries to your billing details. Your ISP knows who you are and knows what IP address they assigned to you at what time. Google may be able to infer some of that if you are logged in to their service, but not Cl

    • So instead of our ISPs highjacking our DNS, it is now only Mozilla and Google highjacking our DNS.

      Mozilla is sending everything to Cloudflare by default, that's sleazy. But Google sends the traffic to your ISP by default, even if they don't run a DOH service. It falls back to your ISP's DNS.

      DNS with TLS encryption would be the obvious option,

      ...except that it wouldn't help with the cases where ISPs hijack your attempts to connect to external DNS.

    • by fonos ( 847221 ) on Monday November 04, 2019 @05:43PM (#59381022)

      Google's solution checks if your CURRENT DNS provider provides the encryption service. If it does, it upgrades you to the encrypted version of your CURRENT DNS provider's. If your DNS provider doesn't provide encryption, Google does nothing. How is this hijacking your DNS?

      • How is it any of Google's business? Why do they care?

        • by DRJlaw ( 946416 )

          How is it any of Google's business? Why do they care?

          They wrote the browser that their users want to be secure, rather than spilling the details of their browsing history to their ISP. That's how it's their business and why they care.

      • by MeNeXT ( 200840 )

        As with other services once you start they can make the changes as they wish. Android is a perfect example where the user's choices are restricted by what Google wants rather than what the user wants. Slowly the service changes and options are removed. Call recording is no longer an option but advertising ID is, or rather the requirement of one.

    • Yeah, except for the fact that they are hijacking nothing. They don't switch from the provider's DNS unless the user himself changes it - which has always been possible. If they include a setting where you can manually choose one of alternative DNS providers, that's got nothing to do with hijacking anything.

      When any browser (except Tor Browser) starts using another DNS without user knowledge, then we can talk. Until then, this is unfounded FUD.

      • by Burdell ( 228580 )

        Yeah, except that's exactly what Mozilla is doing - they are changing Firefox to send all DNS requests to Cloudflare unless you opt out.

        • by AmiMoJo ( 196126 )

          It's still not hijacking because they ask the user before making the change. There is a pop-up that asks if you want it or not. Hijacking implies doing it against the user's will.

    • by dissy ( 172727 )

      So instead of our ISPs highjacking our DNS, it is now only Mozilla and Google highjacking our DNS.

      This is a lie you were corrected about before.

      DoH is browser specific, so it can in no way affect your system DNS.

      Google and Mozilla have no need to care about your browser's DNS when every letter you type in the address bar is sent back to them in real time right now and has been that way for 10 years.

  • I don't believe it

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday November 04, 2019 @05:32PM (#59380976)
    Comment removed based on user account deletion
    • Lying to Congress is illegal though.

      • by DRJlaw ( 946416 )

        Lying to Congress is illegal though.

        Only if you do it under oath. If you do it through lobbyists and unsolicited submissions of information, it's business as usual.

  • by OneHundredAndTen ( 1523865 ) on Monday November 04, 2019 @05:47PM (#59381036)
    With DoH, the only thing you are achieving is to swap one eavesdropper for another - instead of being your ISP who knows about every single DNS query that you make, it will be any of the DoH providers currently available: most likely either Google or Cloudflare. Does it make you happy sharing your DNS queries with them, rather than with your ISP? This apart from the fact that your ISP will still know what sites you are visiting, anyway.
  • Mozilla should just tell Congress that unencrypted DNS means Russian hackers can see the domain name of every politician's favourite gay porn website. Encrypted DNS will be *mandatory* in no time.
  • by WaffleMonster ( 969671 ) on Monday November 04, 2019 @06:14PM (#59381110)

    During the last two years, Mozilla, in partnership with other industry stakeholders, has worked to develop, standardize, and deploy DoH, a critical security improvement to the underlying architecture of the internet.

    This is a lie. DoH is nothing approaching a "critical security improvement" or any substantive "security" improvement of any kind. It's simply a tunnel that terminates D.N.S resolution at a different location on the same insecure network using the same untrustworthy D.N.S protocols as everyone else to actually perform resolution.

    Providers sold the real-time location data of their mobile broadband customers to third parties without user knowledge or meaningful consent. In one particular case, an intermediary was found to be selling particularly sensitive GPS data, which can pinpoint the location of users within a building, for over five years.

    Some ISPs are evil. The vast majority of big content is evil incarnate. Google reads your emails and tracks your location 24x7. Facebook broke a record for having to pay the largest privacy related fine in US history. Hundreds of millions of people are being stalked by literally hundreds of sleazy big data firms as they move from website to website.

    If the question is who do I trust more my local ISP or the D.N.S provider of my choice vs. a single publicly traded corporation with access to hundreds of millions of users browsing history the answer is easy. I trust my ISP or D.N.S provider more.

    Mozilla's policy establishes strict requirements for potential Firefox DNS resolvers, including requiring that data only be retained for as long as is necessary to operate the resolver service, that data only be used for the purpose of operating that service, and that partners maintain a privacy notice specifically for the resolver that publicly attests to data collection and policies

    Where can I read Cloudflare's legally binding DoH privacy policy? The only document I know of that speaks to this in any way is a single BLOG POST.

    The privacy policy for 1.1.1.1 DNS service does not limit usage to what is necessary to operate the service unless you believe that "Process and deliver contest or sweepstakes entries and rewards;", "Monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes;" and "Send commercial communications" is required to operate the service.

    Our approach with DoH attempts to close part of this regulatory gap through technology and strong legal protections for user privacy.

    Worth re-iterating not even ****GOOGLE**** is publicly contemplating doing what Mozilla is doing with this egregious insane bid to centralize control over D.N.S resolution for hundreds of millions of users.

    • I mean Cloudflare has their privacy policy posted, you can read it, instead of just assuming what it is:

      https://www.cloudflare.com/pri... [cloudflare.com]

      Public Resolver Users:

      We will collect limited DNS query data that is sent to the resolvers. This data does not contain user IP addresses or any other personally identifiable information, and the bulk of the limited query data is only stored for 24 hours. You can learn more about our 1.1.1.1 Public Resolver commitment to privacy here and here. Our data handling practices for our 1.1.1.1 Mobile Application are somewhat different and are described here.

      • I mean Cloudflare has their privacy policy posted, you can read it, instead of just assuming what it is:

        Good grief. Seriously I f****ing quoted it in my post.

      • I mean Cloudflare has their privacy policy posted, you can read it, instead of just assuming what it is:

        It's not legally binding. They can violate it with no repercussions. As such, it has no meaning.

    • Comment removed (Score:4, Interesting)

      by account_deleted ( 4530225 ) on Tuesday November 05, 2019 @09:01AM (#59382906)
      Comment removed based on user account deletion
      • But it's a Cloudflare post, hosted and posted by Cloudflare. It is legally binding.

        What law or case law specifically binds online service providers to honor the promises made in their official blog posts?

      • This is a lie. DoH hides D.N.S queries from your ISP by encrypting them, passing it on to a trusted third party who will typically have little incentive to record them. The fact the third party makes the D.N.S queries in the same way as you would have done had you not had DoH doesn't mean that your D.N.S queries can now be snooped upon by your ISP.

        You are talking about privacy not security. The text I explicitly cited in my response was "critical security improvement" and was therefore limited to security context. D.N.S provides untrustworthy resolution of names to untrustworthy network identifiers. Even if D.N.S were 100% accurate, private and available it still wouldn't constitute a critical security improvement anymore than asking a liar if they are telling the truth constitutes reliable information.

        This is why all secure systems are designed t

    • by AmiMoJo ( 196126 )

      This is a lie. DoH is nothing approaching a "critical security improvement" or any substantive "security" improvement of any kind. It's simply a tunnel that terminates D.N.S resolution at a different location on the same insecure network using the same untrustworthy D.N.S protocols as everyone else to actually perform resolution.

      This is a lie. DoH separates DNS lookups from your ISP, making it much harder for them to monitor which websites you visit because all they see are encrypted HTTPS connections to IP

      • This is a lie. DoH separates DNS lookups from your ISP, making it much harder for them to monitor which websites you visit because all they see are encrypted HTTPS connections to IP addresses that likely serve a number of different domains. Often just a CDN. Therefore it's a major security improvement because it prevents your ISP, who knows who you are thanks to billing details and the need to provide a physical connection to your house, from matching your identity to times and dates of website visits.

        Please explain how moving all Firefox users' browsing habits from dozens of separate ISPs into one central repository of information improves security. Your whole argument rests on the assumption that Mozilla and/or Cloudflare are not nefarious actors and that they never will be. What is the basis of your assumption?

        • by AmiMoJo ( 196126 )

          Your whole argument rests on the assumption that Mozilla and/or Cloudflare are not nefarious actors and that they never will be.

          No, it rests on the fact that seeing DNS requests from IP addresses isn't nearly as bad as an ISP seeing DNS requests from a known individual's account for which they have name, address and possibly TV viewing and phone usage data.

          Can you see the difference between

          "123.456.789.526 looked up ford.com at 15:37"

          and

          "Joe Bloggs of 123 Arcacia Avenue, Metro City, XY, looked up ford.com 9 seconds after viewing a Ford TV commercial and the ATV network, and here's a link to his credit report and a vast database of in

          • No, it rests on the fact that seeing DNS requests from IP addresses isn't nearly as bad as an ISP seeing DNS requests from a known individual's account for which they have name, address and possibly TV viewing and phone usage data.

            Can you see the difference between

            "123.456.789.526 looked up ford.com at 15:37"

            and

            "Joe Bloggs of 123 Arcacia Avenue, Metro City, XY, looked up ford.com 9 seconds after viewing a Ford TV commercial and the ATV network, and here's a link to his credit report and a vast database of information on him we gathered from other sources"

            When Mozilla throws the switch people currently protected by DNS filtering services will be unnecessarily exposed without warning.

            Evil ISPs will either bypass DoH via provided canary domain mechanism or they will simply collect the same data from SNI field of first data packet of each new flow. It costs more to store the data than it does to extract.

            Most important of all this will expose hundreds of millions of users to an entirely new vector to have their entire browsing history exposed to a single centra

      • This is a lie. DoH separates DNS lookups from your ISP, making it much harder for them to monitor which websites you visit because all they see are encrypted HTTPS connections to IP addresses that likely serve a number of different domains.

        Again like the other guy you are confusing privacy and security. I was explicitly responding to security based language "critical security improvement" while you are talking exclusively about privacy related issues not security.

        As a separate matter the privacy arguments ring a bit hollow considering present day facts:

        1. Any ISP doing these things could assert a canary domain that disables DoH or block access to DoH servers.

        2. Any ISP can inspect the first data packet after TCP session is established to get

  • by Joe Gillian ( 3683399 ) on Monday November 04, 2019 @06:41PM (#59381222)

    The real reason the ISPs don't want this is because of revenue. Most ISPs in the US have "enhanced DNS pages" that serve you ads instead of a 404 if you search for a nonexistent URL. At the same time, they double-dip by selling your information. Sure, people can go to Cloudflare or Google but most won't.

  • My org subscribes to a geofiltering service that blocks all of Europe based on IP address. I'm guessing this will break that and my users won't be protected from clicking links that they shouldn't.

    • by DRJlaw ( 946416 )

      My org subscribes to a geofiltering service that blocks all of Europe based on IP address. I'm guessing this will break that and my users won't be protected from clicking links that they shouldn't.

      If you're identifying links that users shouldn't click by whether the link IP address geolocates to Europe, you deserve to have that incompetent system broken. The same threats can obtain hosting from anywhere on the planet, and in fact do so.

      Of course, since Google will not be changing DNS settings except to a Do

      • The org went from five ransomware outbreaks in a six month span to zero in five years after enabling that single licensed feature in their Sonicwalls. Very cost-effective. In the real world every dollar matters.

        Let me guess, this rural town with 15 employees should spend $500k on equipment and hire another 15 people to administer it.

        But please, don't let any of that stop you from pontificating.

        • by DRJlaw ( 946416 )

          But please, don't let any of that stop you from pontificating.

          I've got an awesome tiger-repelling rock to sell your rural town as well. Very cost-effective.

          BTW, unless your Sonicwalls support DoH Google won't change Chrome's DNS behavior, and for Mozilla, if you're relying solely upon Sonicwall's DNS proxy rather than filtering traffic by IP then your security protocol is even more incompetent than initially advertised.

  • On second glance, it would be cool to see a new round of OSS web browsers/tools come in and snatch that revenue to solve the huge dilemma that is OSS funding.

    If the encrypted DNS debate is about 90% shifting funds and 10% privacy, we can definitely do better.
  • Mozilla / Google can stuff it with DOH. Ever since I found out about dnscrypt I've been routing my traffic through that. It uses multiple servers who at least claim not to log and encrypt your queries. I could care less about what congress or any of these people think. As long as those servers keep churning away I'll be keeping my queries private. Even if one server is run by the NSA, it constantly bounces around different ones so nobody can have a complete log.
  • Could anyone explain what the point is of DoH?

    After my Firefox gets the ip address of the site I want to visit, completely in the dark for the isp (where I trust mine roughly as much as Mozilla, meaning way more than Google and similar), it will then do a request for https data from that site, where it will be plain to my isp which one it is, or they wouldn't be able to route the packets back to me. Or does reverse DNS not work for isps?
