Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday June 26 2020, @11:07PM   Printer-friendly
from the defeating-the-purpose-(DoH!) dept.

Talk about the fox guarding the hen house. Comcast to handle DNS-over-HTTPS for Firefox-using subscribers

Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.

This means the ISP, which has joined Moz's Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.

[...] At some point in the near future, Firefox users subscribed to Comcast will use the ISP's DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.

[...] Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers' web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here's Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.

ISPs "have access to a stream of a user’s browsing history," Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS."

Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program's rules.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0, Insightful) by Anonymous Coward on Saturday June 27 2020, @12:12AM (5 children)

    by Anonymous Coward on Saturday June 27 2020, @12:12AM (#1013045)

    》 There should be little need to encrypt that

    Do you really want your ISP knowing that you visit chickenlovers.com? And selling that info to the highest bidder?

    Starting Score:    0  points
    Moderation   0  
       Insightful=1, Overrated=1, Total=2
    Extra 'Insightful' Modifier   0  

    Total Score:   0  
  • (Score: 3, Informative) by Anonymous Coward on Saturday June 27 2020, @12:48AM (2 children)

    by Anonymous Coward on Saturday June 27 2020, @12:48AM (#1013056)

    But your ISP already knows you're going to the IP address that chickenlovers.com resolves to... unless there's some sort of name-based virtual hosting going on such that totallynotchickenlovers.com resolves to the same IP address, your ISP already knows you're going to chickenlovers.com... Even in the case of name-based virtual hosting, they can probably guess, which should be good enough for selling to the highest bidder.

    • (Score: 2) by Subsentient on Sunday June 28 2020, @05:58AM (1 child)

      by Subsentient (1111) on Sunday June 28 2020, @05:58AM (#1013580) Homepage Journal

      Exactly. Secure DNS doesn't help much, they can just use reverse DNS on whatever IP addresses you visit.

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
      • (Score: 0) by Anonymous Coward on Monday June 29 2020, @02:25AM

        by Anonymous Coward on Monday June 29 2020, @02:25AM (#1013952)

        They don't even have to do that. Most protocols in use today, including HTTP, SMTP, IMAP, and TLS, send the domain name of the server you are communicating with in the clear.

  • (Score: 3, Informative) by Anonymous Coward on Saturday June 27 2020, @12:48AM (1 child)

    by Anonymous Coward on Saturday June 27 2020, @12:48AM (#1013057)

    If you are using your ISP's DNS/resolver/whatever then THEY ALREADY KNOW THAT and are selling that data.

    If you are using someone else's DNS/resolver/whatever then SOMEONE ELSE now knows that and is selling that data.

    HTTPS does NOT CHANGE THAT.

    HTTPS does not prevent you from connecting to a server that does bad things.

    HTTPS does not protect your data once it reaches that remote server.

    HTTPS is not not fucking magic.

    • (Score: 0) by Anonymous Coward on Saturday June 27 2020, @06:00PM

      by Anonymous Coward on Saturday June 27 2020, @06:00PM (#1013320)

      Some of us live in real world, as opposed to the world of sunshine and rainbows where government don't like to command what you should and should not watch.