Apple, Cloudflare Join Forces To Encrypt DNS
from the long-overdue dept
Each time you visit a website, your browser interacts with a domain name system (DNS) resolver that converts the domain name into an IP address understood by the machines along your path. Historically, however, this exchange hasn't been encrypted, making it possible for your broadband provider or another third party to monitor your browsing based on your DNS queries. DNS's inventors in the 80s didn't really bet on a future where all DNS queries would be tracked, monetized, or weaponized by third parties.
Experts for a while have been arguing (including here at the Techdirt Greenhouse policy project) that it's important that we start encrypting these pathways to bring a little more security and privacy to the equation. Companies like Mozilla have been at the forefront of implementing "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Recently, even Comcast (a company that's no stranger to monetizing your online habits) joined Mozilla's efforts to take the idea mainstream.
But even DNS over HTTPS (DoH) doesn't fully prevent DNS resolvers from seeing your browsing activity. Enter a new joint effort from Cloudflare and Apple, who say they have joined forces to back a new internet protocol dubbed ODoH (Oblivious DNS over HTTPS), based in turn on existing research out of Princeton (pdf). Cloudflare explains how it works this way:
"ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time."
The changes shouldn't add any perceptible latency to browsing, but should notably improve user privacy and overall internet security. A good thing in a country that still doesn't seem to think even a modern, simple privacy law for the internet era is necessary to protect the security of the internet and public safety. But as Zack Whittaker at TechCrunch notes, steps still need to be taken to ensure no single party controls both the DNS resolver and the proxy:
"A key component of ODoH working properly is ensuring that the proxy and the DNS resolver never “collude,” in that the two are never controlled by the same entity, otherwise the “separation of knowledge is broken,” Sullivan said. That means having to rely on companies offering to run proxies."
Cloudflare told TechCrunch that several partner organizations are already running proxies, allowing folks to give the system an early spin if they use Cloudflare's security-focused 1.1.1.1 DNS resolver. Everybody else will need to wait until the new protocol ships as standard in their OS or browser, which depends on how long it takes the Internet Engineering Task Force to finalize the proposal. That could take months or years, but in a world where your every waking online movement is increasingly tracked and monetized, it should be a welcome shift whenever it finally drops.
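An added example, not code from Cloudflare, Apple or the IETF draft: the separation Cloudflare describes, modelled in Go with only the standard library. The client seals each DNS query to the target resolver's public key, so the proxy sees only the client's IP and an opaque envelope while the target sees only the query, and only a party running both hops could join the two views. The Envelope layout and the key derivation (X25519 with SHA-256 standing in for HKDF) are simplifications assumed here; the actual protocol builds on HPKE.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all the proxy sees besides the client IP: an ephemeral X25519 public key and the sealed query (a constructed format, not the draft's wire format).
type Envelope struct{ ClientPub, Ciphertext []byte }

// derive maps the DH secret to a one-shot AES-256-GCM key per direction (SHA-256 stands in for HKDF); each key seals exactly one message, so a zero nonce is safe.
func derive(secret []byte, label string) (cipher.AEAD, []byte) {
	key := sha256.Sum256(append(append([]byte{}, secret...), label...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead, make([]byte, aead.NonceSize())
}

// EncryptQuery (client side) uses a fresh key pair per query, so the target cannot link queries by the public key it sees; the returned secret opens the reply.
func EncryptQuery(targetPub *ecdh.PublicKey, query []byte) (Envelope, []byte) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader) // crypto/rand is assumed not to fail
	secret, _ := eph.ECDH(targetPub)                 // same curve: no error possible
	pub := eph.PublicKey().Bytes()
	qk, nonce := derive(secret, "query")
	return Envelope{pub, qk.Seal(nil, nonce, query, pub)}, secret
}

// Handle (target side, e.g. 1.1.1.1) learns the query but never the client IP, which stops at the proxy; an envelope altered in transit fails authentication.
func Handle(targetPriv *ecdh.PrivateKey, env Envelope, resolve func([]byte) []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(env.ClientPub)
	if err != nil {
		return nil, err
	}
	secret, _ := targetPriv.ECDH(pub)
	qk, nonce := derive(secret, "query")
	query, err := qk.Open(nil, nonce, env.Ciphertext, env.ClientPub)
	if err != nil {
		return nil, err
	}
	rk, nonce := derive(secret, "response")
	return rk.Seal(nil, nonce, resolve(query), nil), nil
}

func DecryptResponse(secret, resp []byte) ([]byte, error) {
	rk, nonce := derive(secret, "response")
	return rk.Open(nil, nonce, resp, nil)
}
```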
Filed Under: dns, dns over https, doh, encrypted dns, odoh
Companies: apple, cloudflare
Reader Comments
First Mozilla and Comcast, Now Cloudflare (or Cloudfare) and Apple.
Surprising, but anything can happen.
Re:
Mozilla uses cloudfare to provide its service.
So it's not really an improvement. More like Cloudfare is becoming the main DNS provider for many web browsers, and every member of the Five Eyes is currently getting agents in position.
Hmm
While this looks good on the surface I've seen way too many problematic behaviors from cloudflare.
An interesting write up I found of some of them: https://www.devever.net/~hl/cloudflare
Um... isn't that the "DoH" part? Reading past the bluster it sounds like they are just adding a proxy. Which in and of itself doesn't sound bad, however cloudflare being in control of proxies doesn't sound like a good idea.
Also with the way TLS works, I wouldn't be too surprised if a cloudflare controlled proxy was able to hijack your requests. If cloudflare has access to a trusted CA, they would be able to forge a certificate. Of course there are ways to resist forged certs (cert pinning for example). But simply waiting to launch the attack at/near the certificate expiration/change over point would make it more successful.
Away with client public key
Sending the client pubkey is unnecessary and even risky. They swear not to pass on the client IP address, but they just create another identifier: the client pubkey serves that case perfectly. That's the risky part. It's unnecessary, because the client could have just sent a key for symmetric encryption, which would have the nice side effect of reducing server resource requirements.
Re: Away with client public key
The pubkey serves as the perfect advertising ID. Currently the spec does not specify lifetime of the key. To thwart the risks, it would need to be recreated periodically.
Re: Re: Away with client public key
Encrypting DNS isn't a very good security enhancement. If anything it just makes compromise that much easier.
Get everyone using the same provider and you can gain a lot of info:
1) Block the provider and see who's smart enough to get local DNS working. Refer them to active monitoring.
2) Those that aren't, will complain loudly and get the feature disabled / gutted due to user friendliness issues.
3) While the service is up and running get agents in there to monitor / backdoor everything, while everyone else assumes they are safe due to the service's marketing.
4) ???
5) Profit.
Re: Away with client public key
Umm do you know how symmetric/asymmetric encryption even works? Sending the symmetric key (while not using asymmetric encryption to do so/or derive the key) is tantamount to having a clear connection.
Furthermore, the client could regularly regenerate its asymmetric key; it could be once a day, once a month, or even once for every transaction. Then it wouldn't be much of an identifier at all.
It's only PR.... and monopoly.
Apple is doing a lot these days for "privacy". What most seem to miss is that what is actually going on is Apple closing down every avenue of data collection that isn't going through Apple's own ad service to force everyone's hand. It is an abuse of market position and should be stopped. Apple is in no way more pro-privacy than, for example, Facebook or Google is. Yet since Apple has fans, not users, it is cool instead of scary.