
The Future is Encrypted

A fight is brewing in Washington over the move by large Internet companies to implement DNS over HTTPS, with Mozilla asking Congress to investigate the actions of ISPs that are pushing back against the use of a technology that prevents them from seeing users’ DNS queries.

In a letter sent Monday, Mozilla officials said that industry associations representing ISPs and telecom providers have been disingenuous in their lobbying efforts against the implementation of DoH. The idea behind DoH is to preserve the privacy of individuals’ DNS queries by running them through an HTTPS tunnel from the client to the DNS resolver. The standard is designed to prevent entities sitting along the route from the client to the DNS resolver from being able to snoop on or alter those queries. The idea has been around for several years and recently both Mozilla and Google have announced experiments to use DoH in their browsers.

Those efforts have drawn the ire of ISPs and several trade associations, which contend that DoH implementations, especially Google’s, will result in all DNS data being concentrated in the hands of a small number of providers. In September, three trade associations sent a letter to members of both the House of Representatives and Senate asking them to investigate Google’s move to implement DoH in Chrome and Android.

“By interposing itself between DNS providers and the users of the Chrome browser (> 60% worldwide share) and Android phones (> 80% worldwide share of mobile operating systems), Google would acquire greater control over user data across networks and devices around the world. This could inhibit competitors and possibly foreclose competition in advertising and other industries,” the letter from the NCTA, CTIA, and US Telecom says.

“Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others.”

The ISPs have a vested interest in keeping DoH from becoming the norm, though. Commercial service providers act as a man in the middle between individual users and the web and can see any DNS queries users send. Those queries contain information about users’ interests that is quite valuable to advertisers. But if the queries are encrypted, the ISPs lose their visibility into users’ habits and the sites they’re visiting, and also the ability to monetize that information.

“The motivating concern for using DoH is that the ISPs are actively tracking you and looking at the DNS queries and seeing all of the sites you’re visiting and monetizing that. They treat it basically like ad tech,” said Tom Ptacek, a veteran security researcher and principal at Latacora, which provides security teams to startups.

In its letter, sent to many of the same members of Congress, Mozilla said the telecom associations are misrepresenting the way DoH works and why they’re opposed to its use.

“That letter contained a number of factual inaccuracies. These have been examined in detail by others and as such will not be given an in-depth treatment here. Nonetheless, it is important to highlight the underlying premise of that letter: telecommunications associations are explicitly arguing that ISPs need to be in a position to collect and monetize users’ data. This is inconsistent with arguments made just two years earlier regarding whether privacy rules were needed to govern ISP data use,” the letter from Marshall Erwin, senior director of trust and security at Mozilla, said.


Mozilla and Google have different implementations of DoH, but neither one involves centralizing DNS requests through resolvers owned by those companies by default. Mozilla’s implementation uses the 1.1.1.1 DNS service from Cloudflare, and as part of that partnership, Cloudflare agreed to a tight privacy policy. Google’s implementation in Chrome, meanwhile, will first try to use the DNS resolvers the user already has set up if they support DoH before trying Google’s own servers.

The use of DoH has support among privacy and digital rights activists, as well.

“This is a game-changer for Internet users around the world, and is crucial for human rights workers, activists, journalists, and dissidents whose online activities are under surveillance,” said Max Hunter, engineering director at the Electronic Freedom Foundation. “We hope to see Congress step up and fully support systemic deployment of DoH.”

Though it has a number of benefits, by no means is DoH a cure-all for Internet privacy and security concerns. It’s one link in a long and complex chain that requires trust and cooperation among many parties, and those relationships can be tenuous, especially in enterprise environments. Because it encrypts DNS queries, DoH has the effect of masking outbound traffic in enterprise networks where inspection of user traffic is routine.

“Purely on a technical level, if you’re an individual and not an enterprise, it makes sense. But you lose a tremendous amount of visibility with DNS over HTTPS in a corporate network,” said Kenn White, a security researcher who focuses on cryptography and is a co-director of the Open Crypto Audit Project.

“In the context of a corporate network that’s where it gets tricky. You want every tool possible to have visibility into your network and so the questions around visibility with DNS over HTTPS are legitimate ones.”

Even with those potential limitations, there are plenty of benefits to be had by protecting DNS queries from eavesdropping.

“It seems pretty clear that Mozilla and Google are on the right side of this. Normal people would want their DNS queries to be encrypted. Who wouldn’t want that? DNS over HTTPS is an unalloyed good thing,” Ptacek said.