
Comcast, Mozilla strike privacy deal to encrypt DNS lookups in Firefox - trulyrandom
https://arstechnica.com/tech-policy/2020/06/comcast-mozilla-strike-privacy-deal-to-encrypt-dns-lookups-in-firefox/
======
jlgaddis
Let me make sure I've got this right:

* Comcast sniffs / records / tracks their users' DNS traffic

* Mozilla announced they would enable DoH by default, to protect end users' DNS data from shady ISPs like Comcast

* Comcast then raised hell about Mozilla's decision (presumably because they would no longer have access to this data)

* Now, Comcast and Mozilla come to some sort of agreement which effectively restores Comcast's access to their customers' DNS traffic?

---

I'm really confused why Mozilla would agree to this. I _really_ hope this
isn't one of the ways they're exploring to "diversify" their revenue streams
but, in the last few years, Mozilla has made a lot of decisions that I don't
agree with so I suppose I really wouldn't be all that surprised.

~~~
jlivingood
> Comcast sniffs / records / tracks their user's DNS traffic

Actually, not only does Comcast say they don't do that
([https://www.xfinity.com/privacy/policy/dns](https://www.xfinity.com/privacy/policy/dns)),
but they have now signed a contract to this effect as well, thereby meeting the same
level of commitment as the other TRR operators. This means IMO that Mozilla is
doing a good job leading the industry on DNS privacy and convincing many of
the merits of a strong pro-privacy philosophy.

(disclosure: I work for Comcast and have been working on encrypted DNS)

~~~
Paul-ish
If Comcast sells DNS data now, they open themselves up to penalties from
both the FTC and Mozilla. FTC because they enforce privacy policies, and Mozilla
because of the contract they have.

I would say this is Mozilla changing the overall ecosystem for the better.

~~~
jlgaddis
Do we know what the actual penalties are? I have trouble believing that they
are of any substance.

Additionally, I think it's safe to say that Comcast has years and years of
experience in finding "loopholes" and/or other "workarounds" in its
agreements.

> _I would say this is Mozilla changing the overall ecosystem for the better._

You obviously have much more faith in Comcast than I do. Let's hope you're
right.

~~~
Forbo
> _Do we know what the actual penalties are? I have trouble believing that
> they are of any substance._

So long as the penalty is less than the value they derive from violating the
agreement, they will abuse it.

------
Washuu
Considering that Comcast sniffs, intercepts, and injects into HTTP web sites
for their customer notification system (data cap overages and such), this just
screams suspicious to me even if it seems like it is meant to be a good
announcement. I am not sure how I am supposed to trust that they will do the
right thing for their customers.

~~~
sandworm101
There is nothing that Comcast can do that would increase my opinion of them re
privacy. In my security regime ISPs like them are on the other side. Last-mile
ISPs are unsecured public networks that shouldn't be trusted any more than
free airport wifi. I want them blind to everything I (and my client) do
online. Encrypt everything. Route DNS to trusted non-profit entities. Serve me
the encrypted data I request but otherwise I don't want to even have a
conversation with Comcast.

~~~
Skunkleton
> Route DNS to trusted non-profit entities.

I'm sure you know this, but some readers might not. DNS is totally insecure.
Even if you change your DNS server from the default to 1.1.1.1 or whatever,
your ISP can and does still read and/or intercept these requests. This sort of
interference is absolutely trivial to implement, even at scale. Don't think it
isn't happening to you.

~~~
solarkraft
... which is exactly why DoH is gaining attention.

But I keep wondering: Can't the ISP trivially correlate the accessed IP
addresses with their corresponding sites even without DNS query data?

~~~
SAI_Peregrinus
Only for sites with dedicated IPs. If they're hosted on some sort of cloud
service then the ISP has to sniff the SNI data. And with ESNI coming to
encrypt it that hole will be plugged soon.

~~~
the8472
That just means moving from the ISP in a prime position for snooping to
various CDNs being in that prime position.

You traded one master for another.

~~~
xoa
> _You traded one master for another._

No. By definition, a last-mile ISP sees 100% of net-bound traffic. "Various
CDNs" itself already represents a dilution of that view, and they are not universal
themselves. It's an inherent improvement even outside of other factors. But
there are other factors, including a decrease in the level of natural
monopoly. Last-mile ISPs often have zero effective competition, and even with
one or two there are often high changeover costs, longer-term contracts
involved, etc. The closer you get to the net's core, however, the more
bandwidth there is and the more players there are, and in turn vastly more
competition potential. That's not a guarantee, sure, but it absolutely makes a
difference. There's also a limiting-factor principle at work: even if you do
trust a given ISP, how does that help you avoid CDNs anyway?

It's the same reason that spinning up your own instance of an algo VPN on some
VPS and funneling all your home and mobile traffic through that may have
practical benefits. Sure, in principle the VPS (or data center, if you go on
your own metal) provider could try spying as well. But competition there is
fierce, the average technical level of users is higher, major business
interests are involved in reputation, and swapping to another provider is
utterly trivial. The incentives and business models for the likes of
Amazon/DigitalOcean/Google/Microsoft/OVH/Scaleway/Vultr/[...] in their compute
offerings are completely different from the likes of
AT&T/Charter/Comcast/T-mobile/Verizon. So it is in fact reasonable to expect a
difference in the level of shenanigans too, and hey, if not, you can easily
move, which _also_ in turn makes it much easier as a practical matter to
retaliate (sue), which virtuously further decreases the likelihood of
shenanigans.

~~~
the8472
You have a contractual relation with your ISP and they're in your jurisdiction
so at least in theory you have legal recourse.

Advocating for ESNI on the other hand means arguing for more centralization
towards entities which are far more removed from you where you have little
recourse. So as far as incentives go they may be more beholden to some law
enforcement agency than you the non-customer.

There are differences, but it does not appear to be an obvious improvement to
me.

~~~
wrkronmiller
I think you bring up good points but your takeaway is 180 off.

Different jurisdiction means less likely to be answerable to your local
government should they be oppressive.

The fact you don't have a contractual relationship with a CDN is a good thing
because it becomes trivial simply to stop using them, should the need arise.
Don't like Cloudflare? Block them. Your choice of websites will be reduced
greatly but you still have an operational internet connection.

------
WarOnPrivacy
> Mozilla in November accused ISPs of lying to Congress in order to spread
> confusion about encrypted DNS. Mozilla's letter to Congress criticized
> Comcast

> NCTA cable lobby that Comcast belongs to wrote a letter to Congress
> objecting to Google's plans for encrypted DNS. Comcast gave members of
> Congress a lobbying presentation that claimed the encrypted-DNS plan would
> "centraliz[e] a majority of worldwide DNS data with Google". Comcast's
> lobbying presentation also complained about Mozilla's plan for Firefox.

Compromise, 2020 style: Comcast retains access to its users' DNS data and
Mozilla doesn't get dogpiled by NCTA-purchased legislators.

~~~
Andrex
This says to me they've cleared the "but what about encrypted DNS in Firefox?"
excuse from the boards so they can focus all their lobbying power fighting the
only other encrypted DNS implementation (in Chromium).

Comcast's anti-DoH argument doesn't work with Mozilla as an adversary. The
basis of it is squarely anti-Google so having any other reputed organization
backing DoH against them sinks that argument.

This is potentially a very evil move and Mozilla is not only complicit but
actually aiding. Concerning.

------
gruez
> Comcast told Ars yesterday that "Firefox users on Xfinity should
> automatically default to Xfinity resolvers under Mozilla's Trusted Recursive
> Resolver program, unless they have manually chosen a different resolver, or if
> DoH is disabled.

How would this work? Is the detection done once, every time Firefox starts, or
every time the network changes? Would you ever get into a situation where
you're not using Comcast, but are still using Comcast DNS? e.g. you have a VPN
enabled or your laptop moved to somewhere else.

> Joining Mozilla's program means that Comcast agreed that it won't "retain,
> sell, or transfer to any third party (except as may be required by law) any
> personal information, IP addresses, or other user identifiers, or user query
> patterns from the DNS queries sent from the Firefox browser," along with other
> requirements.

And how is this enforced? If Comcast breaches the agreement, is anyone going
to sue them for punitive damages? Given the current state of the US legal
system (e.g. what happened to Equifax after the breach), these assurances are
worthless to me.

~~~
ta576248_743568
My understanding is that Comcast signs a legally-binding contract with Mozilla
which imposes the requirements on them [0]. This obviously isn't perfect
protection, but it substantially increases the risk of failing to adhere to
the requirements. Mozilla claims "We intend to publicly document violations of
this Policy and take additional actions if necessary." [1]. Presumably the
additional actions include suing for damages pursuant to the breach of
contract.

[0] https://blog.mozilla.org/netpolicy/2020/02/25/the-facts-mozillas-dns-over-https-doh/

[1] https://wiki.mozilla.org/Security/DOH-resolver-policy#Enforcement

~~~
pbhjpbhj
Surely damages will be approximately zero? There has to be something else to
sway Comcast's executives to abide by the contract, surely. Like the CEO
agrees to forfeit an amount equal to their previous years total earnings, from
all sources, ... that would be an interesting contract!

~~~
mantap
If Comcast breaks the contract then Mozilla will simply change the default
back to Cloudflare DNS.

~~~
mike_d
Out of the pot into the fire.

24 years ago a group of Stanford students started Architext. They took a few
million from Kleiner Perkins, called themselves Excite, and started a search
engine and internet provider. They were a good, ethical, well-run technology
company. Over the years bits and pieces were chopped up and merged and
acquired and spun off based on what generated shareholder value. Parts of that
old soul live on now in the current Comcast.

The same thing will happen to Cloudflare. Matthew Prince will move on, or
retire, or get hit by a bus. The board will be taken over by an activist
investor. It will get merged with ExxonTacoBell, which also now owns the 2nd
largest ad network. They will figure out the data gold mine the company built
under total ethical pretenses, and the stock price will triple. There isn't a
damn thing a single current Cloudflare employee can do to stop it except stop
participating in the centralization of the internet behind a single MitM
proxy.

~~~
Nemo_bis
I sure hope that Mozilla writes contracts so that they can't be transferred by
sale or merger. That's the most basic protection from your friendly
counterparty joining your sworn enemy.

------
ohnope
I'm confused. For me, a major selling point of DoH is it hides DNS queries
from your ISP, which has detailed personal information about you. And if
you're locked into Comcast, you're operating with completely eroded trust from
the get-go.

Clearly, DNS statistics are extremely valuable to Comcast, or they would not
have engaged with Mozilla to get back the data, nor would they have raised
hell with Congress.

I would not have expected an organization like Mozilla to sign a data deal
with Comcast, even if Comcast is now theoretically restricted on how they use
the data.

This is a weak move.

~~~
bad_user
Mozilla cannot enable one provider by default. People already complained that
Cloudflare was initially the only choice.

Users at the moment are expected to choose their provider anyway.

This deal is about Mozilla picking Comcast by default for Comcast customers.
This is essentially as if they'd be using the network's default, because
Comcast is the network's default already, being what people get via DHCP.

They can always choose a different provider. And Mozilla apparently struck a
privacy deal with them too.

~~~
ohnope
I understand the arrangement. From a Comcast user’s perspective, very little
has changed, depending on how much trust you assign to a “we promise” privacy
agreement. Are Comcast users better off than default? Yes. But decoupling DNS
from ISPs which sit in such a privileged position is, for me, 85% of the
threat model.

I’d like to read more about how the choice will be presented to users, beyond
about:config. I’d also like to understand more the community’s reaction to
Cloudflare default.

What if there was a round robin setup between neutral operators? Pairing
Comcast users to Comcast just seems like a wtf move.

------
Ericson2314
Everyone is complaining:

- No DOH: "DNS is trivial to snoop"

- DOH with Cloudflare: "DNS is no longer distributed"

- DOH with ISPs: "Great, the ISPs get the data again"

Well, guess what? With the current changes we get rid of the arbitrary snooper
problem while preserving DNS as a distributed service: not bad, not amazing,
but strictly better than before this all began!

Of course ISPs are sketch, and Comcast in particular, but I'd rather have
multiple providers to play off against each other. The upcoming IETF draft
they mention would also restore the ability of network admins to adjust the
default DOH (just like with regular DNS)---also good.

Actual anonymized and distributed DNS querying would require vastly different
technology than anything being proposed in these comments.

~~~
MaxBarraclough
> Actual anonymized and distributed DNS querying would require vastly
> different technology than anything being proposed in these comments.

I hope the _everything should be solved with blockchain!_ crowd don't get any
ideas.

------
noncoml
I don't know how we can have privacy and Comcast in one sentence. We have a
saying where I come from that translates roughly to "Putting the Wolf to Guard
the Sheep".

If you don't have any other option but to be with Comcast my recommendation is
to run Pi-Hole + DoH.

~~~
city41
I do run PiHole. Any tips on how to do the `DoH` side of the equation?

edit: this looks to do the trick: https://docs.pi-hole.net/guides/dns-over-https/

~~~
noncoml
Sorry, just saw the reply. Yes, cloudflared is what I do at the moment.

------
shirro
Tin foil hat time but I can't help feeling a lot of things promoted as privacy
solutions like VPNs and DoH are just aggregating data in a handful of
locations so it is easier to intercept. Sure they have privacy policies but
are they worth the paper they are written on when state actors are bound by a
totally different set of rules?

I recently changed my local DNSSEC resolver to forward to Quad9 and Cloudflare
using DoT because I was sick of the high latency with DNS resolving on boot. I
would forward to my own DoT server if there was some authentication built into
it and I could deny other traffic. But I have gone from DNS requests being
aggregated at my ISP for easy inspection by the democratically elected
government of my own country, to my own DNS resolver which, while it isn't
aggregated, is still easy enough to intercept under warrant for local law
enforcement (which I generally support), to aggregating my queries in a few
logs which are likely in foreign countries where I have no say in how they are
used or abused. I am not sure what problem we are trying to solve with this
technology.

~~~
Santosh83
Indeed. As it stands, trust is merely being shifted from one set of parties
(ISPs) to another set (big DNS/CDN providers). Apparently that's attractive
enough to a lot of people who prefer to send their queries to a foreign
company than to their own ISP, but has it changed anything fundamental?

~~~
MaxBarraclough
The hope is that it's a change away from an untrustworthy provider, toward a
trusted provider. Not sure if it counts as being a fundamental change, but it
seems worth doing.

------
CWuestefeld
At home I've got a pihole handling my DNS, including using DoH to Cloudflare.

I assume that this configuration is superior to whatever FF is doing natively,
and I should disable FF's DoH support?

~~~
apocalyptic0n3
If you do not disable Firefox's DoH support, it will bypass your Pi-Hole
entirely. So you'd lose all the benefits of that and be limited to just the
protections Firefox provides (which are great, to be clear. Just not as good
as a well-sourced Pi-Hole)

~~~
deeter72
This is why I absolutely despise DoH. SysAdmins have no direct control over
it. In my organization we have blocked direct IP access from userspace VLANs
to all known public DNS servers thus forcing all clients to rely on the
company DNS servers, which is not the most ideal way to do things.

~~~
speedgoose
Why do you want them to rely on the company DNS servers?

~~~
jlgaddis
1. Internal names won't resolve if a client is using, for example, 1.1 as
their DNS server (breaking, among other things, logging on to an Active
Directory domain!)

2. Many companies have established DNS logging and monitoring in place for
security.

------
danShumway
This is a net increase in privacy for most people on Comcast networks, I'm
glad to see Mozilla striking a deal like this -- especially with the privacy
agreements Comcast is signing. _But_ you should still switch your encrypted
DNS provider to someone else like Cloudflare or similar.

In short, good move, but you personally can make better moves than trusting
Comcast.

------
nfoz
> "Adding ISPs in the TRR program paves the way for providing customers with
> the security of trusted DNS resolution, while also offering the benefits of
> a resolver provided by their ISP such as parental control services and
> better optimized, localized results," the announcement said.

What? No! Why would DNS have "optimized, localized results"?

~~~
jlivingood
> Why would DNS have "optimized, localized results"?

Any content that is CDN-based (which is most content) dynamically responds to
DNS queries based on network and geographic location - to support CDN
localization. In this way, Akamai for example knows the end user is in Boston
on a Comcast network and will send the recursive DNS server a dynamic response
that points to a directly-connected local-to-Boston content server.

~~~
Eikon
Any serious CDN is doing that with anycast, not with geodns which has tons of
drawbacks.

~~~
virtuallynathan
That's not the case - many use hybrid approaches, and GeoDNS is still used
heavily in the industry. Anycast sucks too.

------
ruffrey
Is this the same Comcast that:

1) created an RFC to inject JavaScript into non-TLS pages

2) created an RFC to intercept failed DNS lookups / connections with their own error page

Both of which I reported to the FCC as MITM attacks. Comcast followed up,
referencing the bunk RFCs, saying "it's fine."

------
bosswipe
Weird that a network or OS level concern is being moved to the application
layer. But considering that trust in all the other layers has been lost, from
the ISP to the OS (specifically Windows), maybe this makes sense.

~~~
jbverschoor
The whole networking stack needs encryption etc. This is one reason why you see
everything moving up the layers. The other is that HTTP servers are widely
available, tested and easily scalable.

------
tofaz
Would Comcast be able to intercept the TLS SNI requests anyway and see at
least where the traffic is directed?

------
rabanne
"Let's encrypt DNS queries but send them to the ISP which can associate the
query with subscriber info!"

------
daguava
Regardless of how good this deal actually is, I have a knee-jerk reaction to
anything regarding Comcast.

I would not trust them with anything whatsoever.

Mozilla even if they made a good decision here seems to be taking a step
backwards just by virtue of associating with Comcast in any slight form
whatsoever.

------
kodablah
How does FF know my DNS is a Comcast-provided one? Is there an IP list kept
inside of browsers and updated?

~~~
jlgaddis
Comcast's ASNs and networks are documented in ARIN's WHOIS database and
various route registries. Hell, Comcast probably publishes a list on their own
web site.

So, yeah, Mozilla can easily determine if a user is on the Comcast network
just from their IP address.

Also, while Comcast actually has a bunch of DNS servers spread across the
country, I believe that nowadays they're mostly "promoting" the use of
75.75.75.75 and 75.75.76.76 (which, AFAIK, are anycasted and direct end users
to their "local" DNS servers).

~~~
kodablah
> So, yeah, Mozilla can easily determine if a user is on the Comcast network
> just from their IP address.

I mean, how can they determine it's a Comcast DNS server configured on my
network? I might be a Comcast customer w/ a custom DNS server configured. If
it's a fixed IP check, I suppose that list is in the browser.

~~~
TheSwordsman
What makes you think they are doing that? To jlgaddis's point, they are likely
checking what IP address you are coming from over the public Internet. They
can see who operates it, and know that it's Comcast. Then they change the
options in your browser.

------
surround
I’ve never understood the purpose of DOH. It doesn’t really hide your traffic
from any party, does it?

~~~
floatingatoll
It encrypts your DNS traffic over the public wire in a way that only the DOH
endpoint operator can decrypt, preventing plaintext interception/modification
attacks by unauthorized malicious actors positioned between you and the DOH
endpoint.

It represents your DNS traffic over the wire as encrypted HTTPS traffic, which
decreases the effectiveness of deep packet inspection and traffic shaping
systems operated by some network providers.

When hosted at heavily-used CDN endpoints that receive other (non-DOH) HTTPS
traffic, it requires a network provider who wishes for whatever reason to
block your DNS traffic to block all HTTPS traffic to all CDN endpoints.

~~~
beezle
OK sure but what good is that when my next TCP/UDP activity after a dns lookup
is to actually connect to that host? The upstream ISP knows exactly where you
are going right? They can store and reverse that info and do with it as they
wish.

~~~
SheinhardtWigCo
An IP address is often less specific than a hostname, and will become less
useful over time due to IPv4 address space exhaustion and concentration of
internet services among a small number of cloud providers. Widespread use of
DOH therefore makes it harder for ISPs and middleboxes to interfere without
collateral damage. It's far from perfect, but it'll help.

~~~
pabs3
You might want to read this study on that topic:

"What can you learn from an IP?" https://irtf.org/anrw/2019/slides-anrw19-final44.pdf

~~~
SheinhardtWigCo
Interesting reference, thanks. I’m surprised there are so many site-unique
IPs. Fingerprinting is less compelling in the case of blocking (I think?) but
is certainly still a privacy problem.

Ultimately, all security is about raising the cost for attackers, and I think
it’s a good thing that DOH will make middleboxes more expensive and less
accurate. It would be a mistake to pitch it as being even close to a perfect
solution to any problem, though.

------
CKN23-ARIN
If you can run your own local, recursive resolver, you should.

------
yarrel
Headline announces opposite of what has happened.

~~~
Nemo_bis
"Encrypt" !== "Protect"

------
saltedonion
Why can’t Mozilla roll out an encrypted DNS service in the form of a browser
setting or plugin? Does the browser not have control over how the DNS is
resolved?

------
stx
So Mozilla wanted encrypted DNS; Comcast did not. Now they made a deal. Comcast
agreed in writing not to monitor DNS. So what did Mozilla give up to make this
deal? Mozilla won't encrypt DNS on Comcast connections? Something does not add
up.

