from the encrypt-ALL-the-things! dept
Historically, like much of the internet, DNS hasn’t been all that secure. That’s why Mozilla last year announced it would begin testing something called “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in government, telecom, or other organizational efforts to use DNS records to block and filter content, or track and sell user activity.
As a result, a lot of these folks have been throwing temper tantrums in recent weeks.
The telecom sector, which makes plenty of cash selling your daily browsing habits, have spent much of the last year trying to demonize the Google and Mozilla efforts any way they can, from insisting the move constitutes an antitrust violation on Google’s part (it doesn’t), to saying it’s a threat to national security (it’s not), to suggesting it even poses a risk to 5G deployments (nah, that’s an entirely different mess). Mozilla’s response to telecoms’ face fanning? To first urge Congress to investigate telecom’s long history of privacy abuses, then proceeding this week to enable the feature by default in the Mozilla browser.
In a blog post, Mozilla explains its thinking as such:
“At the creation of the internet, these kinds of threats to people?s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.”
While there’s a lot of overheated rhetoric about the risk of DNS over HTTPS from the likes of big telecom and government surveillance aficionados, there are some legitimate concerns about the standard from more above-board cybersecurity professionals. They’ll be quick to note there’s several other points at which ISPs can still engage in data surveillance and sales. They’ll also argue that DNS over HTTPS really complicates life for enterprise IT managers, and in some instances encrypted DNS could derail existing cybersecurity solutions or parental control solutions.
I find DNS over HTTP unwise from a Corp security perspective for a few reasons (particularly NIDS and legacy malware detection), but this is a good explanation and I?d pay close attention to the sections on how to force-disable it as an organization if you rely on that detection. https://t.co/i2yjATPbP9 pic.twitter.com/I7bgyCMCtW
— Lesley Carhart @RSAC (@hacks4pancakes) February 25, 2020
Mozilla says it’s listening to these complaints, so it’s starting slowly with a gradual roll out across the US only. The organization says Firefox will disable encrypted DNS if it conflicts with parental controls. The feature will also be disabled by default in enterprise configurations. Firefox’s encrypted DNS will use Cloudflare by default, though users can switch to other encrypted DNS providers manually in their browser settings. Those curious about the particulars can dig through Mozilla’s FAQ here.