SoylentNews is people

posted by Fnord666 on Monday November 04 2019, @08:34PM
from the how-dare-anyone-lie-to-congress dept.

Arthur T Knackerbracket has found the following story:

Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome.

The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote.
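The difference between a plaintext lookup and a DoH lookup described above, as an added example that is not part of the original story: it encodes one DNS query in wire format and shows it both as a UDP/53 payload and as an RFC 8484 GET request. The resolver hostname `doh.resolver.example` and all function names are constructed for illustration.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Encode a single-question DNS query in wire format (RFC 1035)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    # RFC 8484 recommends ID 0 so identical queries cache identically.
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        qname += bytes([len(raw)]) + raw
    # Root label terminator, then QTYPE and QCLASS=IN.
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: base64url of the wire message, padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"

def observer_view(name: str, resolver_host: str) -> dict:
    """What a passive on-path observer can read in each transport."""
    query = build_query(name)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return {
        # UDP/53: the payload is the wire message itself, labels readable.
        "plain_dns_payload": query,
        "name_visible_in_plain_dns": all(l in query for l in labels),
        # DoH: this path travels inside TLS, so it is not readable on the
        # wire; the resolver's address (and usually its SNI hostname) is.
        "doh_request_inside_tls": doh_get_path(query),
        "doh_visible_metadata": resolver_host,
    }

if __name__ == "__main__":
    # Constructed sample: example name and placeholder resolver hostname.
    view = observer_view("www.example.com", "doh.resolver.example")
    for key, value in view.items():
        print(f"{key}: {value}")
```

The same wire-format message is sent either way; DoH changes only the transport, which is why the choice of resolver endpoint decides who ends up seeing the lookups.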


  • (Score: 3, Disagree) by exaeta on Monday November 04 2019, @09:12PM (5 children)

    by exaeta (6957) on Monday November 04 2019, @09:12PM (#915936) Homepage Journal
    This is the merit of Open Source Software. Nobody is forcing you to use Chrome. If someone is, take your beef up with them. DNS over HTTP is a fine mechanism to circumvent organizational wiretapping of DNS queries. I fully support DNS over HTTPS. Your software should not be able to be DNS wiretapped like it can be now. Yes, fixing the DNS backdoor will break some enterprise DNS setups, but is required for internet security to advance. DNS has always been a weak link and SSL has been bandaging around it for too long. One of the reasons CAs can issue certs for any domain is that the DNS security has been such a joke that domains were never considered a security feature. DNSSEC helps but doesn't solve all the issues.
    --
    The Government is a Bird
  • (Score: 2, Funny) by fustakrakich on Monday November 04 2019, @09:41PM

    by fustakrakich (6150) on Monday November 04 2019, @09:41PM (#915950) Journal

    DNS over HTTP is a fine mechanism to circumvent organizational wiretapping of DNS queries. I fully support DNS over HTTPS.

    Normally I would agree, but Cloudflare? Eventually the ISP's owners will buy them, and then who has all that DNS info?

    And this whole HTTPS thing is a joke also. The certs aren't worth the paper they're printed on.

    --
    La politica e i criminali sono la stessa cosa..
  • (Score: 5, Insightful) by maxwell demon on Monday November 04 2019, @09:59PM (3 children)

    by maxwell demon (1608) on Monday November 04 2019, @09:59PM (#915964) Journal

    The problem isn't exactly that DNS is checked over HTTPS, the problem is that this decision is made on the browser level.

    I would have absolutely no problem with a program you install at your computer that makes all the DNS lookups on that computer go through HTTPS. I do have a problem with the browser not using the computer's configured DNS, whatever that is.

    And no, it doesn't break just enterprise setups. It breaks every single home router whose web interface is accessed through a local domain name.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Monday November 04 2019, @11:15PM

      by Anonymous Coward on Monday November 04 2019, @11:15PM (#916015)

      "A program" which a regular user would not even know about, let alone be able to properly configure, will be used only by a tiny minority. As a consequence, any action against that program, the protocol, and its users, will go through unopposed. Which rather defeats the whole purpose.
      Common browser (Chrome) using a common protocol (HTTPS) to a common endpoint (Cloudflare) on the other hand, is where breaking it is "breaking the Internet" for the masses, which isn't yet commonly done. A separate program like you want, could well exist alongside it, and hide in the noise; but its attempting to stand alone will be the very essence of pointless.

    • (Score: 3, Informative) by exaeta on Tuesday November 05 2019, @04:33PM (1 child)

      by exaeta (6957) on Tuesday November 05 2019, @04:33PM (#916330) Homepage Journal
      I kind of disagree. As a programmer I find it infuriating when my DNS queries are hijacked by AT&T et al. Fake DNS hosts serve two purposes: first, to send back false information (like AT&T does), and second, as a crude blocking mechanism. Neither of these are, in my eyes, legitimate practices.
      --
      The Government is a Bird
      • (Score: 2) by maxwell demon on Tuesday November 05 2019, @05:52PM

        by maxwell demon (1608) on Tuesday November 05 2019, @05:52PM (#916401) Journal

        I kind of disagree. As a programmer I find it infuriating when my DNS queries are hijacked by AT&T et al.

        Then configure your computer to fetch the DNS from elsewhere. Over HTTPS, from Google, from your friend's private DNS server, it doesn't matter. The point is, the browser is the wrong place for that. Probably you don't even have to do that at your computer; you can configure your home router to use a different DNS server, which will distribute that setting through DHCP.

        If I open a page from Firefox, I want to get the IP from the same place as when I use wget. Or links.

        And if I make an entry in my hosts file, I want the browser to honour that, too.

        What about users of Pi-hole? [wikipedia.org] I'm sure they'll not be amused if all the ads (and possibly malware) suddenly start coming through again, just because the browser no longer honours the settings of the computer.

        --
        The Tao of math: The numbers you can count are not the real numbers.