Mozilla: ISPs Are Lying About Encrypted DNS, Should Have Privacy Practices Investigated
from the ill-communication dept
In a bid to avoid losing access to the cash cow that is your daily browsing data, ISPs like Comcast have been lying about Google and Mozilla's quest to encrypt DNS data. The effort would effectively let Chrome and Mozilla users opt in to DNS encryption -- making your browser data more secure from spying and monetization -- assuming your DNS provider supports it. Needless to say, telecom giants that have made billions of dollars monetizing your every online behavior for decades now (and routinely lying about it) don't much like that.
As a result, Comcast, AT&T, and others have been trying to demonize the Google and Mozilla efforts any way they can, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah).
Mozilla this week came out with a letter not only taking aim at those claims, but urging Congress to investigate telecom's long history of privacy problems:
"Our recent experience in rolling out DNS over HTTPS (DoH)—an important privacy and security protection for consumers—has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage," the letter, signed by Marshall Erwin, senior director of trust and security at Mozilla, reads. "With this in mind, a congressional examination of ISP practices may uncover valuable insights, educate the public, and help guide continuing efforts to draft consumer privacy legislation."
While there's obviously plenty of perfectly legitimate criticism of Silicon Valley giants like Facebook and Google, we've been noting how telecom lobbyists have been quietly co-opting this backlash to help the telecom sector. So far you'd have to view these efforts as successful; while the government hyperventilates about Facebook and whether it should be broken up and heavily regulated, telecom has convinced lawmakers to effectively obliterate all oversight of telecom, despite the sector having historically been every bit as terrible as Facebook on the subjects of privacy, consumer rights, and competition.
As a result there are a few lawmakers (Marsha Blackburn comes quickly to mind) who claim to be utterly incensed at Facebook's behavior, but have chosen to give telecom a free pass. Mozilla's letter urges Congress to, you know, stop doing that if they want to be taken seriously:
"We believe that more information regarding ISP practices could be useful to the Committee as it continues its deliberations on this front, and we encourage the Committee to publicly probe current ISP data collection and use policies."
As we look to craft what the privacy standards and guidelines of tomorrow look like, it's another reminder of how focusing too exclusively on the missteps of Silicon Valley giants obscures the fact that these problems aren't just exclusive to "big tech." Mozilla's spot on when it notes that privacy solutions that don't consider telecom aren't much of a solution in the first place.
Filed Under: congress, dns over https, doh, encrypted dns, privacy, security
Companies: at&t, comcast, google, mozilla, verizon
Reader Comments
"if they want to be taken seriously"
Hahahaha - good one.
The Reason Telecoms don't Want Encrypted DNS Lookups
Be careful here though. I've seen people who claim that their ISP is hijacking their DNS lookups (regardless of whether they're using the ISP's DNS server or not) and when pressed on it they point to how some ISPs are taking failed DNS lookups to their own DNS servers and returning their own search page (which they can obviously sell ads and placement on). A lot of experts claim this breaks certain functionality that relies on invalid domain errors (NXDOMAIN).
If the DNS lookup was encrypted, then obviously the ISP could not hijack a DNS lookup that was going to another DNS Server and route it to their own, but as far as I can tell, there's no evidence that they are doing that. They also wouldn't be able to use DNS lookups that are going to third party DNS servers to accumulate lists of visited websites, but they can do that anyways since 99.999% of the time right after a DNS lookup is done, the next step is to actually go to that IP address. So they have that information anyways.
So why are they opposing it? I suspect because they know if encrypted DNS lookups become standard, it will mean a cost to them to implement. Sure, there's also the failed DNS lookup aspect to it, but since pretty much every browser these days uses a unified address bar, most people expect a search page to show up if they mistype a domain name. So I'd be surprised if any ISPs even bother to hijack NXDOMAIN errors anymore since more often than not the browser is going to handle it.
Re: The Reason Telecoms don't Want Encrypted DNS Lookups
C:\> nslookup
Off the top of my head, Charter and Comcast are still doing it also.
Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups
Just a note for any "Level3 isn't an ISP" folks:
When FiOS got handed over to Frontier, those DNS servers were often proposed for folks w/ static IPs. Frontier's current DNS servers return the same IPs for NXDOMAIN (as Level3's DNS).
Synopsis: ISP's Buddy hijacking DNS != ISPs don't hijack DNS.
ref: other Frontier DNS servers
https://www.dslreports.com/forum/r31831677-Faster-Internet-Frontier-DNS-settings
Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups
Hijacking NXDOMAIN and replacing them with landing pages was pioneered by Verizon, and they still do it.
Re: Re: Re: The Reason
... The lair is pretty much correct. Verizon and Comcast have used that to hijack searches and inject content into streams.
Re: Re: Re: Re: The Reason
Comcast's network does not do that (in FD I work there...) NXDOMAIN redirection was done for a short period that ended in January 2012 when DNSSEC Validation was turned on (1st large ISP in the US to do so).
Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups
Re: Re: Re: The Reason Telecoms don't Want Encrypted DNS Lookups
Wow - that is all mangled in plain text. Trying again in markdown:
dig @4.2.2.2 flubboxzing.org
; <<>> DiG 9.10.6 <<>> @4.2.2.2 flubboxzing.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38884
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;flubboxzing.org. IN A
;; Query time: 24 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Fri Nov 08 18:09:20 EST 2019
;; MSG SIZE rcvd: 33
dig @4.2.2.2 nonamehere.example.com
; <<>> DiG 9.10.6 <<>> @4.2.2.2 nonamehere.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19479
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;nonamehere.example.com. IN A
;; AUTHORITY SECTION:
example.com. 1884 IN SOA ns.icann.org. noc.dns.icann.org. 2019101516 7200 3600 1209600 3600
;; Query time: 84 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Fri Nov 08 18:06:57 EST 2019
;; MSG SIZE rcvd: 107
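Added example, not code from the article or from any commenter: a small Python script that builds the same kind of A query the dig runs above send, wraps it in the RFC 8484 DoH GET form that the article's DoH discussion is about, and classifies a resolver's reply to a name that should not exist as NXDOMAIN, SERVFAIL or a rewritten answer, which is the check behind the NXDOMAIN-hijacking comments earlier in the thread. The replies it inspects are constructed inside the script rather than captured, and doh.example is a placeholder resolver name.

```python
# Added example (not the article's): RFC 1035 wire query + RFC 8484 DoH URL,
# and a classifier for replies to names that must not exist (constructed data).
import base64
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(qname):
    """example.com. -> b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, txid=0):
    """Header: id, flags (RD set), QDCOUNT=1, then one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def doh_get_url(resolver, qname):
    """RFC 8484 GET form: base64url of the wire query, '=' padding removed."""
    # Transaction id 0 keeps identical queries byte-identical (cache friendly).
    b64 = base64.urlsafe_b64encode(build_query(qname, 0)).rstrip(b"=")
    return resolver + "?dns=" + b64.decode("ascii")

def classify_reply(wire):
    """Return how a resolver answered a name that must not exist."""
    if len(wire) < 12:
        return "MALFORMED"
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    rcode = RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    if rcode == "NXDOMAIN":
        return "NXDOMAIN"          # honest answer for a bogus name
    if rcode == "NOERROR" and an > 0:
        return "HIJACKED"          # an address was invented for it
    return rcode                   # e.g. SERVFAIL, as 4.2.2.2 gave above

def reply(qname, rcode, answer_ip=None, txid=0x1234):
    """Construct a minimal reply for the sample checks (not a real capture)."""
    an = 1 if answer_ip else 0
    pkt = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, an, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    if answer_ip:  # pointer to the question name, A/IN, TTL 60, 4-byte rdata
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        pkt += bytes(int(o) for o in answer_ip.split("."))
    return pkt
```

Pointing classify_reply at a real resolver's bytes for a random label under a domain you control gives the same NXDOMAIN-versus-answer distinction the dig runs above show by hand.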
Re: The Reason Telecoms don't Want Encrypted DNS Lookups
IP address alone isn't super useful to ISPs when more and more websites are using shared IPs via cloud hosting.
More privacy for consumers is a good thing,
ISPs selling data to private companies could be a security risk,
the fewer companies that have access to your browsing data,
the less chance of it being hacked and even being leaked on the web
and being used to gain access to financial info like credit card info,
purchasing info.
Most people do not want info leaked of, for instance, the fact they pay to buy adult DVDs or stream XX-rated movies.
Private companies have a bad record of securing user data from being hacked.
Google and Facebook are criticised for selling user data to advertisers,
meanwhile ISPs get a free pass to any small private company.
I would trust Google or Mozilla more than any ISP.
Upvote Mozilla bug preventing DoH and ESNI from working together
Please upvote Bug 1585395 under the "Details" dropdown menu, since both DoH and ESNI are needed to minimize ISP spying.
Friday deep thoughts:
The trick is: convincing people that online anonymity, online privacy, actually exist. Actual privacy is the fallacy.
BUT, BUT...
That's not fair..
https://www.techdirt.com/articles/20191104/19421143323/cbp-now-has-access-to-nsa-cia-collections.shtml
gov. don't like it
ISPs don't like it..
VPN don't like it..
Advert agencies don't like it..
NOW, how much are the Congress going to get?? Backdoors open..
Those are just some of the ISP sins that Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regards to the domain name services (DNS) ISPs provide to US consumers.
Stop it with these links to news sites, rather than the doc
Karl,
The link there is NOT to the letter but to a Vice article. Are they paying you or are you just being lazy?
Don't give us:
https://www.vice.com/en_us/article/zmj5p9/mozilla-firefox-asks-congress-to-investigate-internet-service-providers-data-selling-collection?utm_source=mbtwitterus
Give us:
https://assets.documentcloud.org/documents/6538356/Mozilla-Letter-to-Congress-on-DoH.pdf
I don't see here why it makes any sense that DNS traffic should be directed by a browser, breaking network automation and directing people to the worst violators of individuals' privacy. I trust tech about as much as I trust ISPs, but the ISPs I can avoid. The big tech giants I have no way to avoid. So why does this make any sense? Don't give me a terms of service agreement that has zero penalties if broken.
Re:
How can you avoid the ISP? Do you own one?
Re:
Only if you give up using the Internet.