Firefox users in the United States are getting an extra measure of privacy protection starting this week, the Mozilla Foundation announced Tuesday.
Firefox Desktop Product Development Vice President Selena Deckelmann heralded the rollout of encrypted DNS over HTTPS (DoH) by default in Mozilla’s browser.
The DNS, or Domain Name System, is one of the oldest parts of the Internet. It’s how “human-friendly” names are converted to the IP addresses needed to reach a website.
Because of the way the Internet was designed decades ago, browsers doing lookups for websites have done so without encryption. Without encryption, devices can collect DNS queries, or even block or change them. What’s more, the lookups can be sent to servers that will use them to spy on Internet activity.
“At the creation of the Internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet,” Deckelmann noted.
“Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the Internet to make the shift to more secure alternatives,” she continued.
“We do this by performing DNS lookups in an encrypted HTTPS connection,” Deckelmann explained. “This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.”
Although DoH will be activated by default only in the United States, users in other countries can turn it on through Firefox’s settings.
Big Win for Privacy
“Secure DNS is a pretty big win for privacy if implemented correctly,” said Jason Kent, hacker in residence at Cequence Security, a maker of automated digital security solutions in Sunnyvale, California.
“If it’s implemented poorly, your Web surfing experience will have unknown sites or broken links, because lots of external resources are needed to load a page,” he told TechNewsWorld.
DoH makes DNS requests opaque to your Internet service provider, said Jean-Philippe Taggart, a senior security researcher at Malwarebytes, a cybersecurity software maker based in Santa Clara, California.
“But the requests are not opaque to the DoH provider,” he told TechNewsWorld. “So you’re shifting access to the data to Cloudflare.”
Cloudflare and NextDNS, which also is working with Mozilla, are considered trusted resolvers.
“We’re committed to deleting all queries within 24 hours,” he told TechNewsWorld. “We promise not to sell query data to anyone. We promise not to use it to target people with advertising.”
Hot Button for Law Enforcement
If an ISP’s access to DNS information is blocked by encryption, the industry maintains, it could impact a number of services:
- Parental controls and IoT management;
- Connection of users to the nearest content delivery networks; and
- Enforcement of judicial orders to combat online piracy and exploitation of minors.
Encryption has been a hot button issue for law enforcement, which has been lobbying for some time for “backdoors” to be installed in encrypted products so it can obtain data from devices like smartphones.
“Any time you encrypt any part of the Internet, that increases the security and privacy for some parties, but it makes other parties’ jobs potentially harder,” observed Cloudflare’s Prince.
“There are organizations that sit on the backbone of the Internet and are able to sniff where everybody is going online,” he added. “Encryption makes their jobs harder. But there is a privacy and security risk whenever you don’t have encryption protecting what you’re doing online.”
‘Going Dark’ Flawed
It’s unlikely that law enforcement will be impacted significantly by DoH, said Drew Schmitt, an incident response consultant with The Crypsis Group, a security advisory firm with offices in Washington D.C., New York, Chicago, Austin and Los Angeles.
“On one hand, law enforcement will lose the ability to easily obtain and use DNS data to aid in investigations,” he noted.
“On the other hand, law enforcement faces similar problems today with technologies like Tor and has been able to continue being effective at thwarting criminal and terrorist threats,” Schmitt told TechNewsWorld.
“This is an opportunity for law enforcement to creatively evolve their processes to remain effective and relevant in a changing technological society,” he added.
Encrypted DNS data need not be an obstacle to crime fighters. For example, the DoH provider could turn over the data of a suspected terrorist to law enforcement.
The infrastructure to accommodate those kinds of requests may or may not exist right now. “This isn’t the type of information ISPs are open about sharing right now, so it’s speculation at this point,” Malwarebytes’ Taggart noted.
“People who engage in this kind of activity in a serious manner usually cover their tracks by other means. The ‘going dark’ argument is flawed for law enforcement, even if you tack on the ‘terrorist’ moniker to the question,” he explained.
“I still think that everyone is better protected if that data isn’t in the clear,” Taggart added. “The alternative is to intentionally leave users vulnerable, just to retain visibility.”
Hurting Surveillance Economy
Surveillance will continue, even with DoH in place, observed Rui Lopes, engineering and technical director for Panda Security, a computer security company in Bilbao, Spain.
“Encrypted DNS over HTTPS will not eliminate unwanted surveillance entirely, but it will certainly reduce the methods where it is possible through an Internet browser and reduce the attack surface for exploits,” he told TechNewsWorld.
One area where DoH could have an immediate impact is in the surveillance economy.
“Consumers are going to be safeguarded from ISPs and other entities tracking their activities,” said The Crypsis Group’s Schmitt.
“This has a significant effect on targeted ads and behavioral patterns that ISPs and other organizations use to generate revenue,” he pointed out.
“At the same time, DoH is also going to force ISPs to change their tactics, possibly resulting in more radical or aggressive methods of obtaining browsing habits and Internet behavior,” Schmitt added.
The surveillance economy could suffer if DoH is adopted widely, but “I’m sure once a page loads, all the rich data will still flow,” Cequence Security’s Kent said. “Tracking cookies and tracing your behavior shouldn’t be impacted.”