DNS-over-HTTPS: Privacy and Security Concerns

Discussion in 'privacy technology' started by mood, Sep 7, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    EFF and Partners Urge U.S. Lawmakers to Support New DoH Protocol for a More Secure Internet
    DoH Can Prevent Censorship and ISP Tracking by Encrypting Users’ Web Browsing
    October 22, 2019
    https://www.eff.org/press/releases/...support-new-doh-protocol-more-secure-internet
     
  2. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    82
    Location:
    USA
    Interesting reads:

    Centralised DoH is bad for privacy, in 2019 and beyond

    ...we haven’t been very analytical about what moving and encrypting DNS does for privacy.
    https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/

    DoH and Cloudflare

    defies common internet architecture
    https://www.jbschirtzinger.com/post/doh/
     
  3. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    Mozilla: Cloudflare doesn't pay us for any DoH traffic
    Mozilla publishes FAQ document detailing its DNS-over-HTTPS implementation plans in greater detail
    October 24, 2019

    https://www.zdnet.com/article/mozilla-cloudflare-doesnt-pay-us-for-any-doh-traffic/
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    79,935
    Location:
    Texas
    Comcast Slides Reveal It's Lobbying Against Plans to Encrypt Browser Data: Report
     
  6. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    492
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    Google addresses ‘misconceptions’ about Chrome’s encrypted DNS push
    October 28, 2019
    https://9to5google.com/2019/10/28/chrome-encrypt-dns/
    Google: Addressing some misconceptions about our plans for improving the security of DNS
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,805
    Location:
    UK
    The article above reads very much with the unstated subtext - Firefox are the naughty people because they're effectively mandating Cloudflare.

    And, in this instance, I agree with that. The problem with the FF default is that it's not respecting what the OS and DHCP might be specifying, and that's potentially dangerous.
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    DNS over HTTPS Will Give You Back Privacy that Big ISPs Fought to Take Away
    October 28, 2019
    https://www.eff.org/deeplinks/2019/...ck-privacy-congress-big-isp-backing-took-away
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    924
    Location:
    Member state of European Union
    I agree that if the user manually specified the OS DNS address, then Firefox should respect that. On the other hand:
    1. ISPs may be considered a threat to privacy, especially in the USA. In the EU it is less of a problem because of GDPR.
    2. DHCP is a protocol that does not use cryptography to check the integrity of received packets. That is a problem, because an adversary can send spoofed DHCP packets. On your private, wired infrastructure it is less of a problem, but when you connect to public Wi-Fi, especially unencrypted public Wi-Fi networks, it is a real threat.
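As an added example (not code from any poster in this thread), the check a defender could run on a captured DHCP OFFER/ACK to make the point above concrete: parse the DNS-servers option (option 6) and flag any resolver the lease pushes that is outside a trusted set. The packet, the 192.168.1.x addresses and the 203.0.113.7 resolver are constructed sample data.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"  # follows the 236-byte BOOTP fixed header (RFC 2131)
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6       # option 6: list of IPv4 resolvers, 4 bytes each
OPT_MSG_TYPE = 53         # option 53: 2 = OFFER, 5 = ACK

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a raw DHCP message (no UDP/IP headers)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dns_servers_from_dhcp(packet: bytes) -> list[str]:
    """Resolvers the server is pushing to the client via option 6."""
    data = parse_dhcp_options(packet).get(OPT_DNS_SERVERS, b"")
    return [str(IPv4Address(data[j:j + 4])) for j in range(0, len(data) - len(data) % 4, 4)]

def untrusted_dns_servers(packet: bytes, trusted: set) -> list[str]:
    """Pushed resolvers that are not on the allow-list: the signal to alert on."""
    return [s for s in dns_servers_from_dhcp(packet) if s not in trusted]

def build_offer(your_ip: str, dns_servers: list) -> bytes:
    """Construct a minimal DHCPOFFER for testing (sample data, not a real capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, IPv4Address(your_ip).packed, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    dns = b"".join(IPv4Address(s).packed for s in dns_servers)
    options = bytes([OPT_MSG_TYPE, 1, 2, OPT_DNS_SERVERS, len(dns)]) + dns + bytes([OPT_END])
    return header + DHCP_MAGIC + options

# Constructed scenario: a hotspot lease that adds a second, unexpected resolver
TRUSTED_RESOLVERS = {"192.168.1.1"}
SAMPLE_OFFER = build_offer("192.168.1.50", ["192.168.1.1", "203.0.113.7"])

if __name__ == "__main__":
    print("untrusted resolvers:", untrusted_dns_servers(SAMPLE_OFFER, TRUSTED_RESOLVERS))  # ['203.0.113.7']
```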
     
  11. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    654
    Well, if people don't like Cloudflare they can always change the DoH server to something else with a few clicks (at least in Firefox).
    https://en.wikipedia.org/wiki/Public_recursive_name_server
    In the future, there will be products/services (free or paid) with always-encrypted DNS for those who know what they want.
    And for the rest of the masses there is an option to always enable encrypted DNS if they so wish.

    ISPs have to figure out some other ways to squeeze money from their poor users ....
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,805
    Location:
    UK
    Well, on public Wi-Fi, use of a VPN is rather desirable, and should override the DHCP's (nominal) choice of DNS. I also tend to use Firejail with nailed-up DNS resolution.
     
  13. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    924
    Location:
    Member state of European Union
    A VPN is something the user must choose and pay for in advance. Most people don't have a VPN subscription. Also, a VPN generates additional overhead, so it degrades performance, especially if the Wi-Fi signal is not great and there is a considerable amount of packet loss.
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    ISPs lied to Congress to spread confusion about encrypted DNS, Mozilla says
    ISPs lobby against DNS encryption, but Mozilla tells Congress not to trust them
    November 4, 2019
    https://arstechnica.com/tech-policy...d-confusion-about-encrypted-dns-mozilla-says/
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    DNS-over-HTTPS will eventually roll out in all major browsers, despite ISP opposition
    DoH support is already present in all major browsers. Users just have to enable it and configure it
    November 8, 2019

    https://www.zdnet.com/article/dns-o...in-all-major-browsers-despite-isp-opposition/
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    Microsoft Jumps on the DoH Train – Company to Introduce Encrypted DNS
    “Providing encrypted DNS support without breaking existing Windows device admin configuration won’t be easy”
    November 18, 2019
    https://www.cbronline.com/news/microsoft-encrypted-dns
    Microsoft: Windows will improve user privacy with DNS over HTTPS
     
  17. A_mouse

    A_mouse Registered Member

    Joined:
    Jul 29, 2019
    Posts:
    14
    Location:
    A field
    That happens if the connection is not there first. It checks to see if there is a connection before enabling.
    If you change the service to delayed start it can help (worked for me).

    Oh BTW. Firefox does actually let you set your own preferred resolver, and is actually easier to change than chrome.

    The news that Micro$oft will bolt DoH into the system is excellent!
    This stuff should not be handled differently in all apps or chaos will reign.
    However I think I will still stick with DNSCrypt due to the flexibility and functionality which MS will not bother with.
     
    Last edited: Nov 18, 2019
  18. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    492
    I'm not changing anything, I want it to work out of the box so that I can install it on people's computers without having to worry over whether or not the service runs properly.
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,779
    Microsoft Confirms Critical Windows 10 Security Change: Here’s What You Need To Know
    November 23, 2019
    https://www.forbes.com/sites/zakdof...-security-change-heres-what-you-need-to-know/
     