Submitted via IRC for SoyGuest31999
Android, the world's most popular mobile operating system, will soon enable a security protocol that helps keep internet service providers (ISPs) from spying on users. "DNS over TLS" adds a level of encryption to your DNS requests that are (mostly) inaccessible by your ISP.
[...] Using current methods, the requests happen through UDP or TCP protocols, not the more secure TLS. When Android makes the switch, you'll get the same results, only now with HTTPS-level security. That is to say, snoops now know when you've connected to a website, but not which one. Pornhub, for example, is the same as Gmail. Or, it is for the person spying on you. You'll still have to live with the fact you're watching Pokemon Go porn (safe-ish for work).
(Score: 5, Insightful) by darkfeline on Thursday October 26 2017, @07:34AM (4 children)
Can we forget privacy for a moment?
The real win here is security, not privacy. DNS by default is completely insecure. Plaintext UDP packets. Anyone can MITM your DNS queries.
There's stuff like DNSSEC, but a simple hack like DNS over TLS is the kind of thing DNS needs to gain wide adoption of basic security features in the current decade.
Here's the RFC: https://tools.ietf.org/html/rfc7858 [ietf.org]
I haven't read it yet, but it will probably be a lot more useful than TFA.
Join the SDF Public Access UNIX System today!
(Score: 3, Informative) by TheRaven on Thursday October 26 2017, @10:06AM (3 children)
sudo mod me up
(Score: 2) by tibman on Thursday October 26 2017, @02:43PM (1 child)
Out of band cert delivery most likely. Just like how it's done in your web browser today. You get certs for cert signing authorities when you install.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by TheRaven on Thursday October 26 2017, @03:21PM
You could potentially provide the cert in the DHCP response (though there's no standard for this yet), which at least means that you'd need to spoof DHCP, but that's not actually hard...
[1] Okay, it's a large number (and a much larger number than I'm entirely comfortable with) of certs.
sudo mod me up
(Score: 2) by darkfeline on Thursday October 26 2017, @05:24PM
Presumably the DNS server you're using is trusted, and you have the trusted cert for that server.
That doesn't provide end-to-end security, but let's say your trusted DNS server itself has trusted certs for other servers, and those servers have trusted certs.
Again, it's a hack compared to DNSSEC, but it's the kind of hack that I can see getting rolled out and adopted much faster than DNSSEC has. It would be a huge improvement over the current state of affairs.
Join the SDF Public Access UNIX System today!