Apple's new partnership might help close one of the web's worst privacy holes


aum


New internet protocol makes it much harder for ISPs to know which sites you visit

 

Engineers from Cloudflare, Apple and Fastly have co-authored a new proposed DNS standard that separates IP addresses from queries to make it harder for internet service providers to know which websites users visit.

 

The new internet protocol, dubbed Oblivious DNS-over-HTTPS (ODoH), could help close one of the web's worst privacy holes and Cloudflare has made its source code publicly available so that anyone can try out ODoH or even run their own ODoH service.

 

When a user visits a website, their browser utilizes a DNS resolver to convert the site's web address into a machine-readable IP address in order to locate where a web page is located on the internet. However, this process is not encrypted which means that DNS queries are sent in clear text. To make matters worse, your ISP could be your DNS resolver unless you've changed it, meaning your internet provider may know exactly which websites you visit.

 

In order to safeguard DNS from third parties, the IETF standardized DNS encryption with DNS over HTTPS (DoH) and DNS over TLS (DoT). Both of these protocols prevent queries from being intercepted, redirected or modified but don't prevent DNS resolvers from seeing the websites you visit online.

 

Oblivious DNS-over-HTTPS


ODoH is the IETF's latest protocol and it works by adding a layer of public key encryption as well as a network proxy between clients and DoH servers. These two added elements guarantee that only the user has access to both the DNS messages and their own IP address at the same time.

 

As the DNS query is encrypted, the proxy can't see what's inside and instead acts as a barrier to prevent the DNS resolver from seeing who sent the query in the first place. By using ODoH, only the proxy knows the identity of the internet user and the DNS resolver only knows the website being requested which in turn protects the privacy of users online.

 

In addition to making ODoH's source code publicly available, Cloudflare has launched the new protocol with several leading proxy partners including PCCW, SURF and Equinix. Browser makers are also interested in using the new protocol and Firefox's CTO Eric Rescorla explained in a blog post that it will soon be available in its browser, saying:

 

“Oblivious DoH is a great addition to the secure DNS ecosystem. We're excited to see it starting to take off and are looking forward to experimenting with it in Firefox.”

 

Improved privacy is the main goal of introducing ODoH but the new protocol will also prevent ISPs from tracking customers and selling their browsing history to advertisers.

 

Source


Cloudflare, Apple, and others back a new way to make the Internet more private

New DNS technique separates address lookups from the people making them.

For more than three decades, the Internet’s most key underpinning has posed privacy and security threats to the billion-plus people who use it every day. Now, Cloudflare, Apple, and content-delivery network Fastly have introduced a novel way to fix that using a technique that prevents service providers and network snoops from seeing the addresses end users visit or send email to.

 

Engineers from all three companies have devised Oblivious DNS, a major change to the current domain name system that translates human-friendly domain names into the IP addresses computers need to find other computers over the Internet. The companies are working with the Internet Engineering Task Force in hopes it will become an industry-wide standard. Abbreviated as ODoH, Oblivious DNS builds off a separate DNS improvement called DNS over HTTPS, which remains in the very early stages of adoption.

The way DNS works now

When someone visits arstechnica.com—or any other website, for that matter—their browser must first obtain the IP address used by the hosting server (which at the moment is 3.128.236.93 or 52.14.190.83). To do this, the browser contacts a DNS resolver that typically is operated by either the ISP or a service such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1. Since the beginning, however, DNS has suffered from two key weaknesses.

 

First, DNS queries and the responses they return have been unencrypted. That makes it possible for anyone in a position to view the connections to monitor which sites a user is visiting. Even worse, people with this capability may also be able to tamper with the responses so that the user goes to a site masquerading as arstechnica.com, rather than the one you’re reading now.

 

To fix this weakness, engineers at Cloudflare and elsewhere developed DNS over HTTPS, or DoH, and DNS over TLS, or DoT. Both protocols encrypt DNS lookups, making it impossible for people between the sender and receiver to view or tamper with the traffic. As promising as DoH and DoT are, many people remain skeptical of them, mainly because only a handful of providers offer them. Such a small pool leaves these providers in a position to log the Internet usage of potentially billions of people.

 

That brings us to the second major shortcoming of DNS. Even when DoH or DoT is in place, the encryption does nothing to prevent the DNS provider from seeing not only the lookup requests but also the IP address of the computer making them. That makes it possible for the provider to build comprehensive profiles of the people behind the addresses. As noted earlier, the privacy risk becomes greater still when DoH or DoT thins the number of providers to only a handful.

 

ODoH is intended to fix this second shortcoming. The emerging protocol uses encryption and places a network proxy between end users and a DoH server to guarantee that only the user has access to both the DNS request information and the IP address that sends and receives it. Cloudflare calls the end user the client and the DNS resolver operated by the ISP or other provider the target. Below is a diagram.

[Diagram: Oblivious DoH message flow between client, proxy and target. Image credit: Cloudflare]

How it works

In a blog post introducing Oblivious DoH, Cloudflare researchers Tanya Verma and Sudheesh Singanamalla wrote:

The whole process begins with clients that encrypt their query for the target using HPKE. Clients obtain the target’s public key via DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC. When the TTL for this key expires, clients request a new copy of the key as needed (just as they would for an A/AAAA record when that record’s TTL expires). The usage of a target’s DNSSEC-validated public key guarantees that only the intended target can decrypt the query and encrypt a response (answer).

 

Clients transmit these encrypted queries to a proxy over an HTTPS connection. Upon receipt, the proxy forwards the query to the designated target. The target then decrypts the query, produces a response by sending the query to a recursive resolver such as 1.1.1.1, and then encrypts the response to the client. The encrypted query from the client contains encapsulated keying material from which targets derive the response encryption symmetric key.

 

This response is then sent back to the proxy, and then subsequently forwarded to the client. All communication is authenticated and confidential since these DNS messages are end-to-end encrypted, despite being transmitted over two separate HTTPS connections (client-proxy and proxy-target). The message that otherwise appears to the proxy as plaintext is actually an encrypted garble.

A work in progress

The post says that engineers are still measuring the performance cost of adding the proxy and encryption. Early results, however, appear promising. In one study, the additional overhead between a proxied DoH query/response and its ODoH counterpart was less than 1 millisecond at the 99th percentile. Cloudflare provides a much more detailed discussion of ODoH performance in its post.

 

So far, ODoH remains very much a work in progress. With shepherding from Cloudflare, contributions from Apple and Fastly—and interest from Firefox and others—ODoH is worth taking seriously. At the same time, the absence of Google, Microsoft, and other key players suggests it has a long way to go still.

 

What’s clear is that DNS remains glaringly weak. That one of the Internet’s most fundamental mechanisms, in 2020, isn’t universally encrypted is nothing short of crazy. Critics have resisted DoH and DoT out of concern that it trades privacy for security. If ODoH can convert the naysayers and doesn’t break the Internet in the process, it will be worth it.

 


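As an added example that is not code from Cloudflare, Apple, Fastly or either article quoted above: a stdlib-only Python model of the message flow Verma and Singanamalla describe, with each party recording what it can see. HPKE is replaced by a labelled toy (Diffie-Hellman over a small prime plus HMAC-based HKDF and encrypt-then-MAC), the HTTPS hops and the DNSSEC-signed key fetch are assumed rather than implemented, and the resolver table, names and addresses are constructed.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3                        # toy DH group (Mersenne prime M127) standing in for HPKE's KEM; not secure
RESOLVER = {b"example.com": b"192.0.2.1"}   # constructed stand-in for the recursive resolver (e.g. 1.1.1.1)

def hkdf(ikm: bytes, info: bytes) -> bytes:  # HKDF-style extract + one expand block, HMAC-SHA256
    prk = hmac.new(b"odoh-toy-salt", ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:  # toy stream cipher, keystream = HMAC(key, nonce||i)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, pt: bytes) -> bytes:    # encrypt-then-MAC stand-in for HPKE's AEAD: nonce||ct||tag
    body = secrets.token_bytes(12)
    body += xor_stream(key, body, pt)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad tag")          # modification by the proxy or anyone on path is rejected
    return xor_stream(key, body[:12], body[12:])

class Target:   # the ODoH target: decapsulates, decrypts, resolves, encrypts the answer
    def __init__(self):
        self.sk = secrets.randbelow(P - 2) + 2
        self.pk = pow(G, self.sk, P)         # real ODoH publishes this in a DNSSEC-signed HTTPS record
        self.seen = []                       # all the target learns: queries, never a client address
    def handle(self, blob: bytes) -> bytes:
        enc, ct = int.from_bytes(blob[:16], "big"), blob[16:]
        shared = pow(enc, self.sk, P).to_bytes(16, "big")            # decapsulate
        query = unseal(hkdf(shared, b"query"), ct)
        self.seen.append(query)
        return seal(hkdf(shared, b"response"), RESOLVER.get(query, b"NXDOMAIN"))  # response key from same encapsulation

class Proxy:    # the ODoH proxy: learns who sent the blob, sees only ciphertext
    def __init__(self, target: Target):
        self.target, self.log = target, []
    def forward(self, client_addr: str, blob: bytes) -> bytes:
        self.log.append((client_addr, blob))
        return self.target.handle(blob)      # client_addr is deliberately not passed to the target

def client_lookup(proxy: Proxy, target_pk: int, client_addr: str, name: bytes) -> bytes:
    eph = secrets.randbelow(P - 2) + 2       # encapsulate: ephemeral DH share to the target's key
    shared = pow(target_pk, eph, P).to_bytes(16, "big")
    blob = pow(G, eph, P).to_bytes(16, "big") + seal(hkdf(shared, b"query"), name)
    return unseal(hkdf(shared, b"response"), proxy.forward(client_addr, blob))
```

Run a lookup through the proxy and compare `proxy.log` with `target.seen`: the proxy holds the client address and ciphertext only, the target holds the query and no address, and a flipped byte anywhere in the blob fails the tag check.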

