
posted by Fnord666 on Monday November 04 2019, @08:34PM
from the how-dare-anyone-lie-to-congress dept.

Arthur T Knackerbracket has found the following story:

Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome.

The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote.

  • (Score: 0) by Anonymous Coward on Tuesday November 05 2019, @07:22PM (#916458)

    OK, I'll back up a bit in case anyone was confused by my switching domain names to stick to the proper IETF TLD. First step in connecting to a website is your DNS resolution, where you (basically) ask your resolver "what are the IP addresses for domain.example." and the resolver will respond with, "The addresses are a.b.c.d based on my recursive search." Now note that if that is encrypted, no one other than you and the resolver know the site you are looking for at that point.

    But, you then send a message to a.b.c.d that can take one of two forms. Unencrypted, you send a message that says "I want to do X with the resource located at this path from the Host domain.example and here is the data necessary to do that," where X is different HTTP "methods" and the Host header obviously changes to whatever server you are actually trying to contact. If your message is encrypted, you instead say "I'd like to start a TLS 1.2 connection with the server for domain.example and here is the info necessary to communicate with me," where the server name indication (SNI) changes depending on what server you are actually trying to contact.

    Note that in either case, any hop or eavesdropper knows exactly what HTTP website you are trying to connect to, whether you use TLS or not. In fact any connection in any protocol wrapped in TLS will usually contain an SNI in the handshake to identify who you want to connect to; not to mention most protocols, especially older ones, will contain some sort of identifier in the handshake that you can see when not encrypted.
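The commenter's point that the hostname is in the client's first packet either way, as an added example that is not part of the post: a minimal TLS 1.2 ClientHello carrying only an SNI extension is constructed, and one function returns what a passive on-path observer would read from it or from a plaintext HTTP Host header. The ClientHello builder, the zeroed random and the single cipher suite are constructed sample data, not a captured handshake.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record whose only extension is SNI (sample, not captured)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type host_name(0)
    sni = struct.pack("!H", len(entry)) + entry                      # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # extension type server_name(0)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, zeroed random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # TLS record header

def sni_from_client_hello(record: bytes):
    """Return the host_name carried in the SNI extension of a ClientHello record, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                    # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:                                 # server_name extension
            q = p + 2                                     # skip ServerNameList length
            while q + 3 <= p + ext_len:
                name_type, name_len = record[q], struct.unpack("!H", record[q + 1:q + 3])[0]
                if name_type == 0:
                    return record[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        p += ext_len
    return None

def host_from_http_request(request: bytes):
    """Return the Host header of a plaintext HTTP/1.1 request, or None."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii")
    return None

def hostname_seen_on_the_wire(first_packet: bytes):
    """What a passive on-path observer learns from the client's first packet, TLS or not."""
    if first_packet[:1] == b"\x16":                       # TLS handshake record
        return sni_from_client_hello(first_packet)
    return host_from_http_request(first_packet)
```

Encrypting the DNS lookup with DoH removes the resolver as an observer, but both branches above still yield the name, which is why the two protections address different parties.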