
posted by Fnord666 on Thursday October 26 2017, @04:28AM   Printer-friendly
from the DNS=Do-Not-Share dept.

Submitted via IRC for SoyGuest31999

Android, the world's most popular mobile operating system, will soon enable a security protocol that helps keep internet service providers (ISPs) from spying on users. "DNS over TLS" adds a level of encryption to your DNS requests that is (mostly) inaccessible to your ISP.

[...] Using current methods, the requests happen through UDP or TCP protocols, not the more secure TLS. When Android makes the switch, you'll get the same results, only now with HTTPS-level security. That is to say, snoops now know when you've connected to a website, but not which one. Pornhub, for example, is the same as Gmail. Or, it is for the person spying on you. You'll still have to live with the fact you're watching Pokemon Go porn (safe-ish for work).

Source: https://thenextweb.com/mobile/2017/10/23/android-to-add-dns-over-tls-to-keep-isps-from-spying-on-you/



  • (Score: 4, Insightful) by Anonymous Coward on Thursday October 26 2017, @04:38AM (12 children)

    by Anonymous Coward on Thursday October 26 2017, @04:38AM (#587700)

    They've picked a method that prevents ISP-spying but requires Google-spying.

    • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @05:31AM (3 children)

      by Anonymous Coward on Thursday October 26 2017, @05:31AM (#587710)

      And Google will sell that information back to the ISP. They are frustrated that the ISP and not they control that aspect.

      Better secrecy could be had by running a local DNS server on the phone.

      • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @06:09AM (2 children)

        by Anonymous Coward on Thursday October 26 2017, @06:09AM (#587718)

        A local resolver on the phone would merely recurse to the root servers, and the traffic would not be any more obfuscated than simply using a public DNS server.

        • (Score: 2) by isostatic on Thursday October 26 2017, @01:16PM

          by isostatic (365) on Thursday October 26 2017, @01:16PM (#587785) Journal

          Better to run DNS over a VPN tunnel to a trusted end point. Or simply run all traffic over that VPN.

        • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @05:23PM

          by Anonymous Coward on Thursday October 26 2017, @05:23PM (#587889)

          But it would prevent Google from seeing the queries, and ISPs may be more cautious about editing the data in flight.

    • (Score: 5, Informative) by KiloByte on Thursday October 26 2017, @06:01AM (5 children)

      by KiloByte (375) on Thursday October 26 2017, @06:01AM (#587716)

      Nope, this method doesn't affect ISP-spying nearly at all. Even if you obtain the IP address, what will you do next? Connect to it!

      This can be done via a plain text protocol, a point-to-point encrypted protocol, a non-SSL tunnel, or, usually nowadays, over SSL. Plain text is obviously spy-able, most custom protocols either connect directly to the target system (ssh) or provide a VPN (which wasn't spyable (beside traffic timing) in the first place). This leaves SSL which covers the vast majority of uses these days (https and others).

      SSL may or may not use SNI. Without SNI, it's a point-to-point protocol like ssh thus knowing the target IP already gives you the metadata. So here we have SNI. Which is negotiated over plain text.

      Ie, for any non-fringe real-world usage, there's no benefit from this new protocol at all. So why implement it? Because it informs Google of every single TCP/IP connection you make, information they wouldn't otherwise have.

      --
      Ceterum censeo systemd esse delendam.
      • (Score: 1, Interesting) by Anonymous Coward on Thursday October 26 2017, @07:35AM

        by Anonymous Coward on Thursday October 26 2017, @07:35AM (#587736)

        Ding. This guy knows his stuff.

        So, unless you're using a VPN, your ISP can track you just as well as they can today - and a VPN will also prevent them from tracking you without needing to use DNS over TLS.

        The only thing this adds is thus that the owner of the TLS DNS server can track you as well. Which just happens to be... Google... because who else would waste time to set up a DNS server with a protocol that doesn't offer any improvements, and is only used by Google products anyway.

      • (Score: 2, Disagree) by c0lo on Thursday October 26 2017, @10:33AM (3 children)

        by c0lo (156) Subscriber Badge on Thursday October 26 2017, @10:33AM (#587750) Journal

        Nope, this method doesn't affect ISP-spying nearly at all. Even if you obtain the IP address, what will you do next? Connect to it!

        Not quite the same in all cases.
E.g. many web sites share the same IP address, but if you can't see the content of the payload, you'll never know which of the sites was contacted.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 3, Informative) by KiloByte on Thursday October 26 2017, @11:59AM (2 children)

          by KiloByte (375) on Thursday October 26 2017, @11:59AM (#587769)

          Not quite the same in all cases.
E.g. many web sites share the same IP address, but if you can't see the content of the payload, you'll never know which of the sites was contacted.

Which is exactly the main case I'm talking about! The way SSL is implemented, the target hostname is sent in the open.

          Just run tcpdump and connect to a https site, to see it yourself.

          --
          Ceterum censeo systemd esse delendam.
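The point KiloByte makes above (the hostname travels in the clear in the TLS ClientHello's SNI extension, which is what tcpdump would show) can be checked without a packet capture. The following is an added example, not code from the original thread or from any project it mentions: it constructs a minimal TLS 1.2 ClientHello carrying an SNI extension and then parses the hostname back out of the raw bytes, exactly as a passive observer on the path would. The hostname `mail.example.com`, the fixed all-zero random and the single cipher suite are constructed values for the demonstration; a real browser hello is longer but lays out the SNI field identically.

```python
"""Show that the SNI hostname in a TLS ClientHello is plaintext (added example)."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type: server_name (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI entry.

    Synthetic input for the demo: zeroed random, one cipher suite, no other
    extensions. The SNI layout matches what real clients send.
    """
    name = hostname.encode("ascii")
    # ServerNameList: list length | name_type 0 (host_name) | name length | name
    sni_entry = struct.pack("!BH", 0, len(name)) + name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body

    body = b"".join([
        b"\x03\x03",                          # client_version: TLS 1.2
        b"\x00" * 32,                         # random (fixed for the example)
        b"\x00",                              # session_id length 0
        struct.pack("!H", 2) + b"\xc0\x2f",   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        b"\x01\x00",                          # compression methods: null only
        struct.pack("!H", len(extensions)) + extensions,
    ])
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # Record header: type, legacy version TLS 1.0, length
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent.

    Walks the record and handshake headers, skips the variable-length fields
    (session id, cipher suites, compression methods) and scans the extensions.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]

    off = 2 + 32                                        # client_version + random
    sid_len = p[off]; off += 1 + sid_len                # session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2 + cs_len   # cipher_suites
    cm_len = p[off]; off += 1 + cm_len                  # compression_methods
    if off + 2 > len(p):
        return None                                     # hello without an extensions block
    ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    end = off + ext_len

    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
        data = p[off:off + elen]; off += elen
        if etype != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3]); q += 3
            if name_type == 0:                          # host_name
                return data[q:q + name_len].decode("ascii", "replace")
            q += name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com")
    print("hostname visible as raw bytes:", b"mail.example.com" in hello)
    print("parsed SNI:", extract_sni(hello))
```

Nothing here needs a key or a handshake to complete: the SNI is the very first thing the client sends, before any key exchange, so an on-path observer sees the name whether or not the connection later succeeds. Encrypting DNS removes one copy of the hostname from the wire; this one remains.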
          • (Score: 2) by c0lo on Thursday October 26 2017, @12:12PM

            by c0lo (156) Subscriber Badge on Thursday October 26 2017, @12:12PM (#587773) Journal

            Ah, yes, right.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @04:29PM

            by Anonymous Coward on Thursday October 26 2017, @04:29PM (#587869)

            One of the suggested improvements for TLS 1.3 was to also encrypt the SNI portion of the exchange or at least hash. Based on the last time I checked, that was ultimately rejected because most of the suggested techniques (not all) required increasing the number of packets exchanged. Of course, the techniques that didn't were rejected as "unfeasible" because there is no possible way for all servers to know the domain names or SLDs that they will be serving in advance, or because it would require reordering some packets, or because exchanging a hashed+salted SLD isn't secure due to bruting concerns or CDN certs with 100 SANs, etc.

    • (Score: 2) by maxwell demon on Thursday October 26 2017, @06:10AM (1 child)

      by maxwell demon (1608) on Thursday October 26 2017, @06:10AM (#587720) Journal

      They've picked a method that prevents ISP-spying but requires Google-spying.

      Source? Because the TFA indicates the opposite:

      It’s not fool-proof. ISPs can, for example, see your browsing history if your DNS doesn’t support TLS.

      So unless you have indication that Google is the only DNS provider supporting TLS, there's absolutely no evidence that you are restricted to Google DNS by this.

      Of course it could be that Android devices only ever send their queries to Google DNS servers (it's something I could imagine Google to do), but then, this TLS support doesn't change anything about it: Google gets your information with or without TLS.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @05:19PM

        by Anonymous Coward on Thursday October 26 2017, @05:19PM (#587886)

Apparently DNS over TLS is not a Google-only thing, with http://dnsprivacy.org/ [dnsprivacy.org] as the most visible center. They have a page with publicly accessible test servers, at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers [dnsprivacy.org] though they are only test servers. But it looks good for not tying you to Google's DNS in theory (the implementation in Android ...)

  • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @04:42AM (8 children)

    by Anonymous Coward on Thursday October 26 2017, @04:42AM (#587702)

    Encrypting DNS query doesn't hide you from your ISP. And chances are, you are using the ISP's DNS servers.

    SN editors should know better.

    • (Score: 5, Insightful) by coolgopher on Thursday October 26 2017, @04:48AM (2 children)

      by coolgopher (1157) on Thursday October 26 2017, @04:48AM (#587706)

      In the grand tradition of not RTFA'ing before I comment:

      No, you'd only hit the ISP's DNS server with the request for the VPN endpoint, if that. After that, all your DNS would happily be encrypted all the way to 8.8.8.8 or 8.8.4.4 so the ISP can't spy on you, and Google gets credit for preventing the ISP from doing so, all the while seeing eeeeeverything you do.

      Great feature.

      Hopefully the VPN and remote DNS would be configurable, but I would not be surprised if they aren't.

      • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @05:05AM (1 child)

        by Anonymous Coward on Thursday October 26 2017, @05:05AM (#587708)

        If you are already using VPN, additional encryption would be even more pointless. It's simply replacing ISP with VPN provider for snooper.

        • (Score: 1, Insightful) by Anonymous Coward on Thursday October 26 2017, @07:17AM

          by Anonymous Coward on Thursday October 26 2017, @07:17AM (#587733)

          Then pick a better VPN provider. Your choice of ISP is more limited and they have shown themselves to be more likely to snoop.

    • (Score: 2, Troll) by aristarchus on Thursday October 26 2017, @05:36AM

      by aristarchus (2645) on Thursday October 26 2017, @05:36AM (#587712) Journal

      SN editors should know better.

      Except, they don't. We have one that is a self-confessed Windows user! Ewww! And they seem to listen to the janitorial staff, namely The Mightly Buzzard, because he seems to know some coding more better than they do. Oh, Lordy! Will SoylentNews survive this Fine Article?

      [Pro-tip:

      Pornhub, for example, is the same as Gmail.

Pornhub has always been the same as Gmail. And Google knows this? Your point being? OK, more of a "pro-question."]

    • (Score: 2) by MichaelDavidCrawford on Thursday October 26 2017, @06:09AM (3 children)

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday October 26 2017, @06:09AM (#587719) Homepage Journal

      4.2.2.4
      8.8.8.8

      I plan to set up my own DNS cache so I won't need to send so many queries.

      --
      Yes I Have No Bananas. [gofundme.com]
      • (Score: 1, Funny) by Anonymous Coward on Thursday October 26 2017, @06:34AM (1 child)

        by Anonymous Coward on Thursday October 26 2017, @06:34AM (#587727)

        Level 3 and Google impose onerous rate limits on their public DNS.

        In contrast, Sprint demonstrates dedication to providing consistent query execution time.

        The Cache Only servers can be used by customer host machines to perform general DNS. You can put the IP addresses in the client machines on your network if you do not have your own Internet nameserver. These servers are replicated around the world and your connection will be taken to the closest server.

        CACHE-ONLY SERVERS - IPv4
        NS1.SPRINTLINK.NET 204.117.214.10 USA, Europe, Asia
        NS2.SPRINTLINK.NET 199.2.252.10 USA, Europe, Asia

        CACHE-ONLY SERVERS - IPv6
        NS1.SPRINTLINK.NET 2600::1 USA, Europe, Asia
        NS2.SPRINTLINK.NET 2600::2 USA, Europe, Asia

        • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @04:46PM

          by Anonymous Coward on Thursday October 26 2017, @04:46PM (#587874)

          I don't get how this is "Funny" at all.

          From where I sit, 8.8.8.8 is throttled to about 25 answers per second.

          About the only advantage 8.8.8.8 has is a memorable IP address which is only useful to lookup the IP address of a better DNS server.

          In fact I would say 4.2.2.4 is pretty much the same deal except 4.2.2.4 is still popular among old people.

          NS3.SPRINTLINK.NET is also a thing.

      • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @07:54PM

        by Anonymous Coward on Thursday October 26 2017, @07:54PM (#587971)

i tell everyone not to use 8.8.8.8 considering it's uh Evil and all that

i even block it at the edge. 8.8.4.4, too. if you don't want to be spied on like that, don't just send it willingly to google. cmon

  • (Score: 3, Interesting) by MichaelDavidCrawford on Thursday October 26 2017, @06:07AM (1 child)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday October 26 2017, @06:07AM (#587717) Homepage Journal

    Safari once had a really useful Activity window that displayed the size of each resource that went into each web page.

    It's not hard to figure out that 43 bytes must be the size of a single-pixel gif. Ah I've been so neglectful as of late:

    127.0.0.1 hosted-pixel.com. # I Am Absolutely Serious

    There are dozens of analytics "services". Most of them are free of charge for web developers to use in their sites. I once saw a photo of the data center that was used by a mobile analytics vendor.

    Data centers cost a great deal of money. Someone had to be paying for all those violations of my privacy.

    I'm completely cool with advertising. But to know I'm being tracked sometimes makes me floridly paranoid. When that happens my only defense is to stop the tracking. That once resulted in my building a hosts file with hundreds of entries.

    The very worst are political campaign websites. Sometimes they use a dozen or more different analytics services - quite likely some are the kind that charge money.

    Today I read in the news that the Trump campaign made extensive use of a particular analytics service. Someone from that service dropped a dime to Julian Assange and tried to convince him to boost some Democratic Party email. Assange did the right thing: he refused.

    While Wikileaks is heavily into leaking, I expect they don't do so for the specific benefit of any particular person or organization.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by Freeman on Thursday October 26 2017, @05:29PM

      by Freeman (732) on Thursday October 26 2017, @05:29PM (#587895) Journal

      NoScript, Flashblock, and uBlock the anti-ad trifecta.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
  • (Score: 3, Interesting) by MichaelDavidCrawford on Thursday October 26 2017, @06:11AM (7 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday October 26 2017, @06:11AM (#587721) Homepage Journal

    I've been visiting a lot of corporate sites while building http://soggy.jobs/computer [soggy.jobs]

    The reason I'm now host-binning web bugs again is that within hours of my visits, Facebook shows me advertisements for those exact same companies.

    I thought I was protecting myself by not listing my favorite books or movies, but now I'm profiled as some guy who spends a lot of time and energy looking for a coding job.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 3, Touché) by takyon on Thursday October 26 2017, @06:13AM (6 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Thursday October 26 2017, @06:13AM (#587722) Journal

      but now I'm profiled as some guy who spends a lot of time and energy looking for a coding job.

      Oh God, that's horrible. I hope no recruiters catch wind of this.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: -1, Troll) by Anonymous Coward on Thursday October 26 2017, @06:22AM (1 child)

        by Anonymous Coward on Thursday October 26 2017, @06:22AM (#587725)

        I know, right? Recruiters are the best. Always calling every day to offer you money for jobs that do not even exist because managers neglected to budget for headcount when posting fake jobs. You might even make it to a fake interview. You sure as shit will not get a fucking job. But those recruiters, man, they tell you the job market is great right now so submit your right to represent form right away.

        There is no spoon.

        There are no jobs.

        Fuck MDC.

      • (Score: 3, Interesting) by MichaelDavidCrawford on Thursday October 26 2017, @06:22AM (3 children)

        by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday October 26 2017, @06:22AM (#587726) Homepage Journal

        If the position isn't in the region that the C-TRAN and TriMet public transport serves, I mark them as spam.

This turned out to work remarkably well. I do still receive some inquiries, which now are mostly located in places I can get to on the bus and light rail.

        --
        Yes I Have No Bananas. [gofundme.com]
        • (Score: 1, Funny) by Anonymous Coward on Thursday October 26 2017, @06:49AM (2 children)

          by Anonymous Coward on Thursday October 26 2017, @06:49AM (#587729)

          Perfect! Now fix the problem of jobs being posted "in" the location from which candidates are sought instead of where the job actually is. Also fix the problem of "no travel required, no relocation required" but "by the way the company has an office halfway across the country and you will be expected to fly there on demand."

          I await your genius solution to blatant dishonesty.

          • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @10:56AM

            by Anonymous Coward on Thursday October 26 2017, @10:56AM (#587754)

            I await your genius solution to blatant dishonesty.

            Get them a piece of twine and ask them to bind it to that office halfway across the country, then drag it closer. That will teach them, the bastards.

          • (Score: 2) by MichaelDavidCrawford on Friday October 27 2017, @05:08AM

            by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday October 27 2017, @05:08AM (#588124) Homepage Journal

            The links are woefully out of date but the text explains my thinking.

tl;dr: I expect The Global Computer Employer index to render all the recruiters unemployable. I first published the SC page in 1997. There are far fewer recruiters in Santa Cruz County than there were back then. I expect that I have some responsibility for that, but it's not easy to know for certain.

            http://soggy.jobs/computer/united-states/california/santa-cruz/ [soggy.jobs]

            --
            Yes I Have No Bananas. [gofundme.com]
  • (Score: 5, Insightful) by darkfeline on Thursday October 26 2017, @07:34AM (4 children)

    by darkfeline (1030) on Thursday October 26 2017, @07:34AM (#587735) Homepage

    Can we forget privacy for a moment?

    The real win here is security, not privacy. DNS by default is completely insecure. Plaintext UDP packets. Anyone can MITM your DNS queries.

    There's stuff like DNSSEC, but a simple hack like DNS over TLS is the kind of thing DNS needs to gain wide adoption of basic security features in the current decade.

    Here's the RFC: https://tools.ietf.org/html/rfc7858 [ietf.org]

    I haven't read it yet, but it will probably be a lot more useful than TFA.

    --
    Join the SDF Public Access UNIX System today!
    • (Score: 3, Informative) by TheRaven on Thursday October 26 2017, @10:06AM (3 children)

      by TheRaven (270) on Thursday October 26 2017, @10:06AM (#587746) Journal
      DNSSEC protects you against MITM, but I'm unsure how this is expected to. TLS protects a channel in two ways. It provides encryption, which protects you against passive snooping, but not active tampering. It also provides an out-of-band mechanism associating a host name with a connection, protecting you against active MITM, but that requires DNS to be working first. How do you bootstrap it for DNS? Scanning the RFC, it appears that there are two proposals: don't bother, or rely on some unspecified out-of-band mechanism to deliver the certificate. With the opportunistic profile, this gives you placebo security at best: MITM is trivial, and unless you have DNSSEC as well then you have no idea if the DNS resolver that you're talking to is tampering with the DNS results.
      --
      sudo mod me up
      • (Score: 2) by tibman on Thursday October 26 2017, @02:43PM (1 child)

        by tibman (134) Subscriber Badge on Thursday October 26 2017, @02:43PM (#587829)

        Out of band cert delivery most likely. Just like how it's done in your web browser today. You get certs for cert signing authorities when you install.

        --
        SN won't survive on lurkers alone. Write comments.
        • (Score: 2) by TheRaven on Thursday October 26 2017, @03:21PM

          by TheRaven (270) on Thursday October 26 2017, @03:21PM (#587839) Journal
          Web browsers contain signing certs. This is a small number[1] of certs in comparison to the number of signing certs. In contrast, the number of DNS caches that you might connect to is large and, worse, for a lot of users they're not on publicly routable IPs so you can't distribute sensible certs for them. If you're on a consumer WiFi network, the odds are that your device talks to a DNS cache that is on the 192.168/16 subnet, which then talks to an ISP-run DNS cache (which may not be on a public IP for the customer-facing side).

          You could potentially provide the cert in the DHCP response (though there's no standard for this yet), which at least means that you'd need to spoof DHCP, but that's not actually hard...

          [1] Okay, it's a large number (and a much larger number than I'm entirely comfortable with) of certs.

          --
          sudo mod me up
      • (Score: 2) by darkfeline on Thursday October 26 2017, @05:24PM

        by darkfeline (1030) on Thursday October 26 2017, @05:24PM (#587891) Homepage

        Presumably the DNS server you're using is trusted, and you have the trusted cert for that server.

        That doesn't provide end-to-end security, but let's say your trusted DNS server itself has trusted certs for other servers, and those servers have trusted certs.

        Again, it's a hack compared to DNSSEC, but it's the kind of hack that I can see getting rolled out and adopted much faster than DNSSEC has. It would be a huge improvement over the current state of affairs.

        --
        Join the SDF Public Access UNIX System today!
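The subthread above turns on two concrete things in RFC 7858: how a DNS message is carried inside the TLS stream, and whether the client authenticates the resolver at all. The following is an added example, not code from the thread or from any DNS-over-TLS implementation it mentions. It encodes a plain RFC 1035 query, applies the two-octet length prefix RFC 7858 (section 3.3) requires on the TLS stream, and builds the two kinds of `ssl.SSLContext` the discussion contrasts: a verifying one (CA chain plus hostname check, which is one way of supplying the "out-of-band" trust TheRaven asks about; the RFC's own alternative is pre-deployed key pinning, not shown here) and an opportunistic one that encrypts but verifies nothing, which is the case TheRaven calls placebo security because any on-path box with a self-signed certificate completes the handshake. Port 853 is the RFC 7858 port; the query name and transaction id are constructed values, and `resolve_over_tls` is the only part that touches the network.

```python
"""DNS-over-TLS client pieces per RFC 7858 (added example): query encoding,
two-octet TLS framing, and verifying vs. opportunistic TLS contexts."""
import socket
import ssl
import struct
from typing import Optional, Tuple

DOT_PORT = 853  # RFC 7858 section 3.1


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (RFC 1035): header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = b"".join(struct.pack("!B", len(part)) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tls(msg: bytes) -> bytes:
    """RFC 7858 section 3.3: on the TLS stream each DNS message is preceded by
    a two-octet length field, exactly as for DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> Tuple[bytes, bytes]:
    """Split one length-prefixed DNS message off the front of a TLS byte stream.
    Returns (message, remaining bytes); the stream may carry several messages."""
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n], stream[2 + n:]


def make_context(verify: bool, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """verify=True: chain validation against the CA store plus hostname check, so a
    MITM presenting any other certificate fails the handshake.
    verify=False: the opportunistic profile. Traffic is encrypted against passive
    snooping but a MITM with a self-signed certificate is accepted silently."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def resolve_over_tls(server_ip: str, auth_name: Optional[str], qname: str,
                     verify: bool = True, timeout: float = 5.0) -> bytes:
    """Send one query to a DoT resolver and return the raw DNS response message.
    auth_name is the hostname the resolver's certificate must match when verifying.
    Network call; not exercised offline."""
    ctx = make_context(verify)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name if verify else None) as tls:
            tls.sendall(frame_for_tls(build_query(qname)))
            (n,) = struct.unpack("!H", tls.recv(2))   # read the length prefix first
            body = b""
            while len(body) < n:                         # then exactly n octets of message
                chunk = tls.recv(n - len(body))
                if not chunk:
                    raise ConnectionError("short read from resolver")
                body += chunk
            return body


if __name__ == "__main__":
    q = build_query("example.com")
    print("query bytes:", q.hex())
    print("framed for TLS:", frame_for_tls(q).hex())
    print("verifying context checks hostname:", make_context(True).check_hostname)
    print("opportunistic context verify_mode:", make_context(False).verify_mode)
```

Which context a client picks is the whole difference between the two outcomes in the thread. With `make_context(True)` an ISP box terminating port 853 needs a certificate the device trusts for `auth_name`; with `make_context(False)` the handshake succeeds against anything, and as TheRaven notes, without DNSSEC the client then has no way to tell whether the answers it gets back were altered.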
  • (Score: 0) by Anonymous Coward on Thursday October 26 2017, @02:05PM

    by Anonymous Coward on Thursday October 26 2017, @02:05PM (#587803)

    Perhaps this pervasive snooping on the Intertubes will spawn a resurgence in the popularity of the great British nudey book.
