
posted by martyb on Friday June 26 2020, @11:07PM
from the defeating-the-purpose-(DoH!) dept.

Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.

This means the ISP, which has joined Moz's Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.

[...] At some point in the near future, Firefox users subscribed to Comcast will use the ISP's DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.

[...] Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers' web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here's Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.

ISPs "have access to a stream of a user’s browsing history," Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS."

Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program's rules.


  • (Score: 3, Insightful) by SomeGuy on Friday June 26 2020, @11:47PM (10 children)

    by SomeGuy (5632) on Friday June 26 2020, @11:47PM (#1013039)

    This whole DNS over HTTPS stuff just doesn't make much sense. A client's DNS query should normally go to a DNS server provided by the ISP. There should be little need to encrypt that, as this should only travel over the ISP's network.

    Now, the main reason to use a non-ISP DNS server is to avoid intentionally corrupted DNS servers that redirect to advertising. Why such poisoned DNS servers are even legal is just one small example of how fucked up this world is. But what prevents DNS over HTTPS providers from doing the same thing? Nothing?

    Unless you intentionally use another DNS, the ISP already has your DNS browsing data anyway, so why shouldn't they also provide a DNS over HTTPS server in addition to DNS? (Please tell me nobody is planning to drop DNS any time soon).

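As an added example (not code from the article, from Mozilla or from Comcast), the following Python builds the GET form of an RFC 8484 DoH query and decodes a constructed wire-format answer. It makes concrete what the comment above is getting at: DoH only changes the transport, and the resolver at the far end receives an ordinary DNS message with the name in it. The resolver URL and the answer record are made up; the encoded query for www.example.com matches the worked example in RFC 8484 section 4.1.1.

```python
# Added example: an RFC 8484 DoH GET request and a decoded wire-format answer.
# The resolver URL and the A record below are constructed, not captured.
import base64
import struct


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format (RD=1, one question, class IN).

    RFC 8484 section 4.1 recommends ID 0 for GET so identical queries give
    identical URLs that HTTP caches can serve.
    """
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, name: str, qtype: int = 1) -> str:
    """GET form of an RFC 8484 request: ?dns=<base64url without padding>."""
    raw = build_query(name, qtype)
    encoded = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Decode header, question and answer section of a DNS response."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ".".join(str(b) for b in rdata), ttl))
        else:
            answers.append((name, rtype, rdata.hex(), ttl))
    return {"id": msg_id, "rcode": flags & 0xF, "qname": qname,
            "qtype": qtype, "answers": answers}


def constructed_response(name: str = "www.example.com", ip: str = "192.0.2.1",
                         ttl: int = 300) -> bytes:
    """Constructed sample reply: the question echoed back plus one A record
    whose owner name is a compression pointer (0xC00C) to the question."""
    query = build_query(name)
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    print(doh_get_url("https://dnsserver.example.net/dns-query", "www.example.com"))
    print(parse_response(constructed_response()))
```

Paste the `dns=` value into any base64url decoder and the question name is right there; this is exactly what the DoH operator logs if it chooses to, which is the point of the comment above.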
  • (Score: 0, Insightful) by Anonymous Coward on Saturday June 27 2020, @12:12AM (5 children)

    by Anonymous Coward on Saturday June 27 2020, @12:12AM (#1013045)

    > There should be little need to encrypt that

    Do you really want your ISP knowing that you visit chickenlovers.com? And selling that info to the highest bidder?

    • (Score: 3, Informative) by Anonymous Coward on Saturday June 27 2020, @12:48AM (2 children)

      by Anonymous Coward on Saturday June 27 2020, @12:48AM (#1013056)

      But your ISP already knows you're going to the IP address that chickenlovers.com resolves to... unless there's some sort of name-based virtual hosting going on such that totallynotchickenlovers.com resolves to the same IP address, your ISP already knows you're going to chickenlovers.com... Even in the case of name-based virtual hosting, they can probably guess, which should be good enough for selling to the highest bidder.

      • (Score: 2) by Subsentient on Sunday June 28 2020, @05:58AM (1 child)

        by Subsentient (1111) on Sunday June 28 2020, @05:58AM (#1013580) Homepage Journal

        Exactly. Secure DNS doesn't help much, they can just use reverse DNS on whatever IP addresses you visit.

        --
        "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
        • (Score: 0) by Anonymous Coward on Monday June 29 2020, @02:25AM

          by Anonymous Coward on Monday June 29 2020, @02:25AM (#1013952)

          They don't even have to do that. Most protocols in use today, including HTTP, SMTP, IMAP, and TLS, send the domain name of the server you are communicating with in the clear.
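Added example, not code from any commenter or from the article: a parser that pulls the Server Name Indication out of a TLS ClientHello, which is the cleartext name leak the last two replies describe. The ClientHello is constructed inline (random bytes zeroed, a single cipher suite) rather than captured from the wire; the hostname is the thread's own chickenlovers.com.

```python
# Added example: recover the hostname from the cleartext SNI extension of a
# TLS ClientHello. The ClientHello bytes are constructed below, not captured.
import struct
from typing import Optional


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello TLS record, or None.

    Layout (RFC 5246 7.4.1.2, RFC 6066 3): 5-byte record header, 4-byte
    handshake header, then client_version(2) random(32) session_id(1+n)
    cipher_suites(2+n) compression_methods(1+n) extensions(2+n).
    """
    try:
        if len(record) < 5 or record[0] != 0x16:  # ContentType handshake
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:  # HandshakeType client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32  # skip client_version and random
        off += 1 + body[off]                                   # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                                   # compression_methods
        if off + 2 > len(body):
            return None  # no extensions block at all
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype != 0:  # 0 = server_name
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:  # NameType host_name
                    return edata[p:p + nlen].decode("ascii")
                p += nlen
        return None
    except (IndexError, struct.error):
        return None  # truncated or malformed record


def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed minimal ClientHello; host=None omits the extensions block."""
    exts = b""
    if host is not None:
        sni_name = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
        sni_list = struct.pack("!H", len(sni_name)) + sni_name
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
        exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)          # TLS 1.2 version, zeroed random
            + b"\x00"                          # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                      # one compression method: null
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(extract_sni(build_client_hello("chickenlovers.com")))  # the name, in the clear
    print(extract_sni(build_client_hello(None)))                 # None
```

Run it against the first packet of any real HTTPS connection and the same function returns the site name, whichever resolver answered the DNS query. Encrypted Client Hello (ECH), still an IETF draft in 2020, is the TLS extension intended to close this particular leak; until it is deployed the on-path ISP gets the name from the handshake, not from DNS.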

    • (Score: 3, Informative) by Anonymous Coward on Saturday June 27 2020, @12:48AM (1 child)

      by Anonymous Coward on Saturday June 27 2020, @12:48AM (#1013057)

      If you are using your ISP's DNS/resolver/whatever then THEY ALREADY KNOW THAT and are selling that data.

      If you are using someone else's DNS/resolver/whatever then SOMEONE ELSE now knows that and is selling that data.

      HTTPS does NOT CHANGE THAT.

      HTTPS does not prevent you from connecting to a server that does bad things.

      HTTPS does not protect your data once it reaches that remote server.

      HTTPS is not fucking magic.

      • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @06:00PM

        by Anonymous Coward on Saturday June 27 2020, @06:00PM (#1013320)

        Some of us live in the real world, as opposed to the world of sunshine and rainbows where governments don't like to command what you should and should not watch.

  • (Score: 3, Informative) by deimtee on Saturday June 27 2020, @01:27AM

    by deimtee (3272) on Saturday June 27 2020, @01:27AM (#1013066) Journal

    For those not in the USA, the most common reason for using non-ISP DNS is to bypass blocking. Those of us in "less free" countries see only a big legal notice advising that we seek legal copies if we use ISP DNS to go to, for instance, The Pirate Bay. [thepiratebay.org]
    Change to GoogleDNS or OpenDNS and these silly notices go away.

    --
    If you cough while drinking cheap red wine it really cleans out your sinuses.
  • (Score: 1, Informative) by Anonymous Coward on Saturday June 27 2020, @01:39AM

    by Anonymous Coward on Saturday June 27 2020, @01:39AM (#1013073)

    You skipped a step.

    The DNS request goes to the local DNS server FIRST.

    This is exceedingly important in both home networks and corporate enterprises.

    Home use: I just want to connect to my NAS - why is my request going FIRST to an external 3rd party? DoH is LESS privacy secure in this way.
    Enterprise: The security implications are tremendous using the home example. In addition, if I host say, my_website, I don't want my Internal traffic going to my border router and then routing back internally. I tell my DNS server to send requests for my_website to an internal IP. Maybe I want to set up a DNS alias... all of this is less efficient and *clearly* a constant and impressive data leak.
    Malware writer: I effing LOVE THIS! Everyone has to go through tremendous hoops to even think of blocking me...

    I also guarantee you that the 5-eyes, 3-letter agencies are tapping these places to harvest all kind of information. Sure, they don't record it, but they don't have to. There's a closet that no one is allowed access to that has 3-letter agency equipment tapping directly in to the servers to log the info.
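Added illustration, not code from the page or from Mozilla, of the "skipped step" this comment describes: a browser doing its own DoH decides per name whether to ask the remote DoH resolver or the operating system's resolver, and anything not explicitly carved out leaves the network. The mode numbers follow Firefox's network.trr.mode pref (0 off, 2 DoH with native fallback, 3 DoH only, 5 off by user choice); the exact exclusion rules, the baseline exclusion list and the sample home and office names are assumptions for the model.

```python
# Added illustration: which lookups reach the remote DoH resolver when the
# browser resolves for itself. Rules and sample names are assumptions.
from typing import Iterable, List, Sequence

TRR_OFF, TRR_FIRST, TRR_ONLY, TRR_OFF_BY_CHOICE = 0, 2, 3, 5
# Assumed baseline, modelled on Firefox's network.trr.excluded-domains default.
DEFAULT_EXCLUDED: Sequence[str] = ("localhost", "local")


def is_excluded(name: str, excluded: Iterable[str]) -> bool:
    """Suffix match: 'corp.example' covers 'intranet.corp.example' and itself."""
    n = name.rstrip(".").lower()
    for suffix in excluded:
        s = suffix.strip().lower()
        if s and (n == s or n.endswith("." + s)):
            return True
    return False


def route(name: str, mode: int, excluded: Iterable[str] = DEFAULT_EXCLUDED) -> str:
    """Return 'native' (OS resolver: home router or corporate DNS) or 'doh'."""
    if mode not in (TRR_FIRST, TRR_ONLY):
        return "native"
    if "." not in name.rstrip("."):
        return "native"  # assumption: single-label names like 'nas' stay local
    if is_excluded(name, excluded):
        return "native"
    return "doh"


def leaked_names(lookups: Iterable[str], mode: int,
                 excluded: Iterable[str] = DEFAULT_EXCLUDED) -> List[str]:
    """Names that leave the local network and are seen by the DoH provider."""
    return [n for n in lookups if route(n, mode, excluded) == "doh"]


if __name__ == "__main__":
    # Constructed sample of one day's lookups on a small office network.
    lookups = ["nas", "printer.local", "intranet.corp.example",
               "git.corp.example", "www.example.com"]
    print("DoH only, defaults:   ", leaked_names(lookups, TRR_ONLY))
    print("DoH only, corp carved:", leaked_names(
        lookups, TRR_ONLY, list(DEFAULT_EXCLUDED) + ["corp.example"]))
    print("DoH off:              ", leaked_names(lookups, TRR_OFF))
```

With the defaults, every dotted internal name (the intranet host, the split-horizon copy of my_website) goes to the DoH provider, who learns the internal namespace and answers from the public view, if at all. Adding the internal suffix to the exclusion list keeps those lookups on the local resolver. For managed networks Mozilla also documents a DNSOverHTTPS entry in the enterprise policy file and a canary domain, use-application-dns.net, that a local resolver can answer NXDOMAIN for to opt the network out of the default rollout.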

  • (Score: 2, Informative) by fustakrakich on Saturday June 27 2020, @02:59AM

    by fustakrakich (6150) on Saturday June 27 2020, @02:59AM (#1013100) Journal

    > This whole DNS over HTTPS stuff just doesn't make much sense.

    Take a tour of the marketing department.

    And don't you think the spies would prefer one stop shopping instead of having to snoop around all those ISPs?

    Our only hope is to convert the internet from client/server to ad hoc, turn the ISPs' routers into switches, kinda like old-fashioned POTS

    --
    La politica e i criminali sono la stessa cosa..
  • (Score: 1, Informative) by Anonymous Coward on Saturday June 27 2020, @09:46AM

    by Anonymous Coward on Saturday June 27 2020, @09:46AM (#1013188)

    1. It's mostly Cloudflare (so DNS-over-Cloudflare, DoCF), a company known for fighting users' privacy. So I think Moz may get some part from it.
    2. It prohibits blocking trackers and ads using the hosts file: it is impossible to install domain-based blocking at such a low level in DoCF.
    3. So now the blockers are in the "as-an-addon" phase, where they cannot effectively catch all connections like the system does (this can be seen by Firefox phoning home on every run). This is the third phase of Mozilla's killing of useful features. First as an option, then as an about:config item, then as an add-on, and finally the API breaks it.
    4. It increases user passivity: instead of voting with their wallet and choosing a good provider, the user is taught to fight windmills (and you wonder why I still chose to have a 4MBit link?).