We still need to encrypt the accessed resource and DNS queries everywhere.
Even once that’s done, things like opencaching will be used by SPs to gather tons of data where they participate.
edit: you can see this clearly in the way they pay lip service to "breaking up big tech" (whether or not that's a good idea, this comment is not a statement of opinion on that subject) because it's politically sexy on both sides, while all these other, arguably more egregious abuses of consumer data are so far off the radar that most people probably aren't aware they're happening.
Everyone is not obsessed with turning data into revenue. Most smaller tech companies (i.e. sub-billions in revenue) are not in the game of monetizing data. My feeling is the market exists mostly between very well established and very large companies (such as ISPs, advertising networks), but that same market doesn’t exist between newer / smaller companies that haven’t reached massive scale.
To anyone in the EU: is GDPR something that your non-technical friend will have heard of and knows what it is? Or is it similar to the US, where 75% of people probably haven’t heard of it or, if they have, couldn’t say what the regulation does?
As far as I remember, they still sell some anonymized data (they had some demos on how to plan public transport with location data) and I'd bet they are not doing much with DNS data.
Basically everyone who is in the EU needs to keep GDPR in mind. Especially if you are employed, then you need to keep GDPR in mind for the interests of your employer, so that they are abiding by the law and won't get fined. It is actually legal people who know GDPR very well; not so much tech people. In a lot of Dutch companies a "functionaris gegevensbescherming" (FG; data protection officer) is mandatory, who basically deals with PII, and they have known about GDPR (AVG) ever since it was announced it was going to be active (2 years before it was active). The Dutch professional association for data protection officers was founded in 2003.
On top of that, it was widely covered in newspapers, daily news, etc. If you are in the EU and you have not heard about it, you are living under a rock, or you're not a working adult (nothing wrong with either).
Maybe people will know it as the cause of cookie popup screens. But I'm also grossly over-estimating computer literacy among the general population so maybe not.
I'm guessing we're just trusting Google here (and Cloudflare 1.1.1.1, who now also do 10 GB free VPNs) + the good will of engineers with access to this information within Google.
... and I'm sure their shareholders are pressing them to forego the greater revenue from subscriber data so they can keep their dividend cheques comfortably small.
The last time I looked, the csrf token issued by the homepage of one of the big three mobile carriers was "undefined."
But the limit of using Google DNS (or even encrypted DNS) is that most commercial websites aren’t sharing IP addresses, so I bet the ISP can pretty much reconstruct the data it would get from DNS with very little effort just by looking at your IP traffic and mapping IP addresses to domains from other users' DNS queries.
Google was buying MasterCard records: https://www.bloomberg.com/news/articles/2018-08-30/google-an...
But I don't believe they can't do much from an IP alone. Unless the ISP starts ratting us out.
Thinking knowledge, intelligence or capability correlates with ethics is a category error.
Courses like that don't fix unethical people, but they make the rest of us aware that ethical concerns exist. Software/Computer Science is such a young discipline that, industry-wide, I don't think we've learnt that one from the other industries yet.
The bigger problem, IMO, is that many tech companies have started handing out kool-aid that data collection and analytics is ethical. They justify it by saying that it helps people avoid spam, or get better advertisements, or whatever, and then the engineers think they are being ethical and beneficial to society by building these systems.
I took a business ethics course in undergrad, and it was surprising how many students advocated all sorts of (to me) aberrant ethical views. (Note I’m pretty traditional, morally speaking. The environment was strongly postmodern, and this was before all the modern insanity about “free speech is bad because some people say bad/offensive things”.)
Not that I minded personally, but it was a strong lesson to me that teaching people categories and how to think won’t give them a desire to respect any particular brand of morality.
To be totally fair, the idea "free speech is bad because some people say bad things" is older than the mind of man can remember.
Yes, it's just that we've only recently been allowed to talk about it openly.
Would you please review https://news.ycombinator.com/newsguidelines.html and stick to the rules when posting here? We'd appreciate it.
You've concluded that the absolute morality expressed by public consciousness should be the arbiter of publicly expressible speech. Maybe the next thing that gets people killed is not allowing public discourse to challenge socially accepted, morally unacceptable beliefs.
Many people use “free speech” to describe more than what is covered by the First Amendment in the USA. For instance, freedom from retaliation, by being fired from your job. According to that view, entities other than the government can engage in suppressing free speech.
As for the argument that, opinion gets people killed, I can only reply with the following.
Opinions don't kill people. People kill people. It is important to know the difference.
More seriously, limiting speech should not be necessary in a good society where people don't let such stuff spread. But that doesn't seem to be how humans work. The marketplace of ideas does not necessarily prevent bad outcomes. And pretending that a root cause analysis for a genocide doesn't include speech as a vital segment in the chain leading to that atrocity seems illusory to me.
So yes, having reasonable rules doesn't seem that wrong to me. It certainly comes with all the usual problems of gov/regulation. I'm kind of fine with what we have here in Germany. Not that it's perfect... but it kind of reminds me of that saying about aerospace rules... they are written in blood.
For the record, I personally dislike the German approach despite understanding its genesis.
I can't really speak for aerospace rules, but I am not certain they say that much about speech.
Edit: I just remembered. The Internet has all manner of rather dangerous information out there. Materials may be highly difficult to procure, but knowledge is still at your fingertips.
The objective of those ethics classes is to move the neutral/good majority in the hope of counterbalancing the unethical minority.
On top of that, companies which are usually regarded as some of the most unethical companies on the planet (especially in regards to privacy) are companies like Facebook, Amazon, Microsoft, and Google, which are worshipped by and have computer science people scrambling to get hired by them. Going back a little further in history, before FAANG, the companies that were revered by the tech world were the very same ISPs that this post is railing against.
Programmers as a whole seem to have no problem at all being unethical as long as it gets them either money or the chance to work on the latest tech fad.
Just look at the resistance on this forum to the idea of GDPR or data privacy bills. This is one of the most self-aware forums on the internet and still probably a majority of users are not only aware of who (and what) is signing their paychecks, but they actively endorse it in their personal discourse during their time off too.
Cisco collects more than 24TB of DNS query data every day. Here's a Cisco employee demonstrating the kinds of horrifying analytics they perform on this data https://www.first.org/resources/papers/conf2018/Mahjoub-Dhia...
The devs have often said things are a bad idea and raised concerns; unfortunately you generally have no power, the decision to implement something is made above you. Generally the people making the decisions know things are questionable, but you need to make your KPIs / get promoted / earn more money for the company, etc. etc.
If you don't follow a direct order and refuse to work on a piece of work, in reality you will be fired.
That leaves you with the option of looking for a new job yourself or being forced to find a new job as you were kicked out.
While some people can take the moral high ground, outright refuse and resign, others have to deal with life issues such as paying the bills and supporting a family, which makes it extremely hard to pick a fight refusing to do something. We do not like to think it, but we are just another cog in the wheel and dispensable.
Only negative I would mention is that some things are a little bit harder to set up, like a VPN for example (and it doesn't support OpenVPN over UDP).
The legal department would care about that.
(Does that make sense? No, he'd make more sense as an example. But that's not what the comment said.)
Implementing the mis-feature on a public ISP will be done by people who think the matter isn't worth risking their job by taking a stand on, and just saying no once the decision has been made several levels above their rank won't help anyone because if they don't implement the feature their replacement will.
The age-old answer: money.
Modern Silicon Valley is built off people implementing similar pervasive tracking; without it there is no Google, Facebook and many other startups. Not to mention online newspapers and everyone who makes money indirectly from the tracking.
I agree it's a bad thing, but that ship sailed long ago and things like the GDPR are only just starting to bring it back.
Developers may be in a pretty sweet situation, generally, but if you don't have money saved or another job lined up you don't have much choice.
I also think that people are great at finding excuses for what we're doing. I've read somewhere about a hypothesis that conscious thought is mostly just intellectual justification for subconscious urges.
And that's why I use VPN services. But the same is true for VPN services, regarding US and/or other TLAs. So I use nested VPN chains, to make it harder to get complete data.
And when it really matters, I add Tor to the mix. Even if it's heavily infiltrated by US TLAs, there's at least the chance that it's also heavily infiltrated by TLAs of US adversaries. So, Dog willing, maybe they cancel each other out, at least somewhat.
I don't agree with that argument. Because ISPs can already do that. And for most people, their ISP is far more likely to be cooperating with their local adversaries than some random VPN service is.
And for what it's worth, one of Tor's inventors (Paul Syverson) has agreed publicly that there are reasons to access Tor through VPNs. Basically, when you don't want your ISP to know that you're using Tor. Indeed, if I were a CIA agent using Tor in Iran, I probably wouldn't want the ISP to know that I was using Tor.
But I don't trust VPN services either. So I use nested VPN chains. That's basically the same approach that Tor itself uses, routing traffic through multiple (three) relays. So no one relay (or for me, VPN service) knows both who I am, and what I'm doing online.
There's also the issue of trusting the Tor network. Some argue that it's compromised by US TLAs. So with a nested VPN chain between me and entry guards, I'm less concerned that some TLA is running them. But even if that's just paranoia, there have been bugs that deanonymized users.
For example, some years ago, CMU researchers exploited the "relay-early" bug to allow malicious entry guards and exit relays to exchange information, and so learn that they were routing the same circuit. That allowed said CMU researchers to deanonymize Tor users. The FBI learned of this, and subpoenaed the data. And lots of people went to jail over it. Mostly drug dealers and child pornographers, but whatever.
However, routing VPN services through Tor is a totally different matter. If you do that, your anonymity depends entirely on how anonymously you've obtained, paid for, and used the VPN service. If you used an email address that's linked to you, you're screwed. If there's a money trail in paying for the VPN service, you're screwed. If you ever use the VPN account without Tor, you're screwed.
And even if you manage all that anonymously, the very fact of using a VPN through Tor decreases your anonymity. That's because Tor by default switches circuits at ten minute intervals. But when a VPN is connected through a Tor circuit, that circuit is pinned. So by using a VPN through Tor, you've blocked one way it increases anonymity.
Even if there were laws and regulations that better protected privacy, you couldn't count on that. You can't trust government agencies, because they stretch the limits, and outright lie about what they do.
I also do it because it's fun.
Almost by definition, that means you're worth taking a closer look at.
Once you're under the microscope, you'd better hope your opsec is flawless or that your activities are completely boring, or else the $TLA knows exactly what you've been up to, Tor or not.
Disclosure: my activities are completely boring, and I don't use Tor, VPNs, or anything like them.
That's not what our logs show.
Self-interest rears its head, though. If you don't have anything to hide, running Tor is extra work you don't gain any benefit from. Arguably you just subsidize those who use the tools for evil.
I have yet to be convinced that full anonymity is actually a societal good.
As a pragmatic defense against corrupt governmental agencies, it is probably useful.
I'm not so sure it's a net gain for society as a whole.
And, in a nutshell, I suppose that's why I've never gone down this road.
I'm not trying to say Tor is all bad, just explain why I don't use it and why I'm not sure it's an unmitigated good.
Not if you access Tor over a VPN. The VPN hides all traffic from the ISP and government. Obviously, make sure your browser does not use Google or Cloudflare DNS.
Except that you don't need to trust anyone, entirely.
That's the point of nested VPN chains. Let's say that you have three different VPN services in the chain. The first VPN knows your ISP-assigned IP address, and the IP address of the second VPN server. The second VPN knows the IP address of the first VPN server, and the IP address of the third VPN server. The third VPN knows the IP address of the second VPN server, and the IP address of the site that you're accessing.
An adversary would need information from all three VPNs, or from their data centers and/or ISPs.
I don't use hardware that I've purchased using my meatspace identity. The machines mainly come from yard sales and swap meets. Typically nowhere near where I've lived. And all purchased with cash. So I'm pretty confident that they're not backdoored. I have purchased SSDs from stores, but also for cash.
I'm relatively confident that Debian hasn't been backdoored. Windows perhaps, but I rarely use it, and only in VMs.
But no, I haven't done that.
I mainly depend on compartmentalization. This VM runs on a host that contains no information about my meatspace identity. And the machine with that information is on a different LAN.
Edit: But upon reflection, I have done something like that. Sometimes I run remote dedicated servers. Accessed via Tor (via nested VPNs) and paid with well-mixed Bitcoin. With LUKS and dropbear, of course.
If I run VirtualBox, I can basically do the same thing I do locally. I use pfSense VMs as VPN gateways, to create nested VPN chains. And then Whonix instances, which hit Tor through those VPNs. And I access the remote VMs via VRDP via SSH via Tor etc.
It is expensive, I suppose. In that you must pay for multiple VPN services. I probably spend a few hundred dollars per year, on average. But that's ~nothing for me.
But it's not that difficult to configure. I use pfSense VMs as VPN routers. And pfSense has a very intuitive WebGUI. To create nested VPN chains, I just successively NAT one VPN router through another. Using VirtualBox internal networks. And pfSense optimizes MTU automatically.
Once it's set up, you just run the VMs, and it works.
VPN like... Onavo?
No, VPN like AirVPN, IVPN, Mullvad or PIA.
And anything that likes a persisted connection is likely to get a lot of connection resets. Like WebSockets (Slack) or IRC.
VPNs through Tor also aren't substantially slower than Tor alone. And indeed, one can use MPTCP to aggregate multiple VPN-via-Tor connections. But only between suitably configured devices, of course.
Seriously, higher latencies and lower traffic peaks likely improve anonymity.
But Mozilla switching people is a worry for me. Sure people “have a choice” but in reality expecting the average Joe who doesn’t even know what DNS is to make an informed decision about it is unrealistic.
Meanwhile Mozilla has started sending a list of every domain you visit to a US company subject to US law enforcement. Not ideal.
Do you have an article which explains this?
- How was the DNS logged?
- Was every query logged, or only unique queries?
- Was it combined with other data?
- How long was it searchable for?
- What were the DNS queries used for? Simply sold to 3rd parties? If so, who was buying?
And in anonymous, aggregated form (e.g. only include domains that were accessed by multiple customers, the frequency per day and domain name, maybe geographical data precise to a region corresponding to a million people), I would be perfectly fine with this, even if it gets sent to ad companies. I'd not like it, but I'd also not see the harm and there is a lot of money involved, so if we can't stop it then I'll be fine with it in a basic form (aggregated). At least until we decide that trying to optimize manipulating/influencing people is brainwashing (I'm undecided whether playing psychological tricks on people while they try to get groceries or look for information online or whatever is morally okay).
All the major ISP lobby groups signed on to a voluntary set of privacy principles based partly on the FTC framework. They specifically pledged to follow FTC guidance for opt-in consent before sharing sensitive information and to “offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.” Browsing history would be subject to an opt-out system.
Harris encourages Internet users to go to their ISP’s website or call the ISP to figure out exactly how they can opt out of tracking. It’s not convenient, but the option should be there.
But I’m fascinated by the legal implications. Right now in Portugal sites are DNS-blocked for copyright reasons (IIRC without the need for what you’d call full legal oversight, just a sort of loose arbitration with the local equivalent of the RIAA), and this is going to play merry havoc with that.
(Uber’s website was also DNS blocked for a while due to hassles with licensed cabs, which was interesting because the mobile app never stopped working — can’t remember if it was an actual court order, but this should give you an idea of how technically clueless some people are over here...)
I also use my own router, so I assume it doesn't affect me, or does this mean that their network doesn't allow other DNS servers?
How would that affect a VPN? I use PIA and they have their own DNS servers.
I'll need to experiment with this when I get home I think.
If your DNS requests are going over the VPN then you will be fine as they will be in the encrypted tunnel before they travel through your router so it can't do anything about them. A change to the router firmware won't be able to override DNS server settings on other individual hosts.
If your router is providing the local VPN endpoint then that is another matter, but IIRC PIA runs on your local station. Do check that it is in fact setting your machine to send DNS requests over the link. I'd be surprised if it wasn't, but you never know.
Say I manually set my DNS to 188.8.131.52, is there a way to tell if the replies are really from 184.108.40.206?
Set up a simple DNS resolver in an external VM (use a service like DO where you can pay by the hour, and the test will cost you at most tens of pennies), configure it with a DNS zone that the rest of the Internet does not know about (thisdoesnotreallyexist.net). Then if you try to query for that domain from that server but get an NXDOMAIN response, your query was probably intercepted (of course test from other locations too, to make sure the problem isn't a mistake in the new resolver's config).
Or you could configure the test resolver to give different answers for an existing domain, of course, and check for which addresses you get back instead of checking for address or error - that would essentially be the same test.
Or, he says, thinking of the obvious after explaining the more long-winded: if you have a DNS server in your control, simply turn on the relevant logging options, run a query against it and see if your query turns up in its logs.
This assumes they are intercepting and NATing all standard DNS requests (usually on UDP & TCP port 53), rather than just DNS traffic going to a list of known alternative DNS services. If they are doing the latter then there are tests you can do that rely on timing and TTL settings (get their server to cache a result, change the name->address mapping, then ask 220.127.116.11 or similar and see what answer you get).
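The canary test above, as an added example that is not the commenter's code: it builds a raw DNS query for a name only your own test resolver knows, parses the reply, and classifies it as genuine (the expected A record comes back), intercepted-NXDOMAIN (someone else answered for a zone they don't have), or rewritten (a different address came back). The zone name is the commenter's; the A record 192.0.2.10, the rewritten address 192.0.2.99 and the sample replies are constructed for the offline demonstration.

```python
"""Detect transparent DNS interception with a canary name served only by a
resolver you control. Assumptions (constructed for this example): the test
resolver serves canary.thisdoesnotreallyexist.net as A 192.0.2.10."""
import secrets
import socket
import struct
import sys

CANARY = "canary.thisdoesnotreallyexist.net"  # zone only the test resolver knows
EXPECTED_IP = "192.0.2.10"                     # constructed A record in that zone


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """One A/IN question, recursion desired, with the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query, rcode, ips):
    """Fabricate a reply to `query` (used only to construct offline samples)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        # name is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answers


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # two-byte compression pointer
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(data):
    """Extract transaction id, RCODE and all A-record addresses from a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def classify(response, txid, expected_ip):
    """Decide whether a reply to the canary query could have come from our resolver."""
    parsed = parse_response(response)
    if parsed["id"] != txid:
        return "id-mismatch"             # not a reply to our question at all
    if parsed["rcode"] == 3:
        return "intercepted-nxdomain"    # only a resolver without our zone says NXDOMAIN
    if parsed["rcode"] != 0:
        return "error-rcode-%d" % parsed["rcode"]
    if expected_ip in parsed["answers"]:
        return "genuine"
    return "intercepted-rewritten"       # answered, but not with our record


def check_resolver(server_ip, name=CANARY, expected_ip=EXPECTED_IP, timeout=3.0):
    """Live check: send the canary query to server_ip over UDP/53 and classify the reply."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify(data, txid, expected_ip)


# Constructed samples standing in for what might come back over the wire.
SAMPLE_TXID = 0x1234
SAMPLE_QUERY = build_query(CANARY, SAMPLE_TXID)
SAMPLE_GENUINE = build_response(SAMPLE_QUERY, 0, [EXPECTED_IP])
SAMPLE_HIJACKED_NX = build_response(SAMPLE_QUERY, 3, [])
SAMPLE_HIJACKED_REWRITE = build_response(SAMPLE_QUERY, 0, ["192.0.2.99"])

if __name__ == "__main__":
    for label, sample in (("genuine", SAMPLE_GENUINE), ("nxdomain", SAMPLE_HIJACKED_NX),
                          ("rewrite", SAMPLE_HIJACKED_REWRITE)):
        print(label, "->", classify(sample, SAMPLE_TXID, EXPECTED_IP))
    if len(sys.argv) > 1:            # optional: python3 canary.py <your-test-resolver-ip>
        print(sys.argv[1], "->", check_resolver(sys.argv[1]))
```

Run the live check from several networks, as the commenter suggests, so a misconfigured test resolver is not mistaken for interception.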
If you run your own DNS server on your local machine you can enable DNSSEC, which will protect against manipulation for domains that have it enabled. A recursive DNS server is pretty easy to set up and is a step towards running your own authoritative server in the future for private domains.
If you want to resolve using Google's DNS servers and be sure it is really them, then the only method that I know of that is also supported by Google would be DoH. The other encryption method they support, DoT, does not provide authentication, and draft-bortzmeyer-dprive-resolver-to-auth-00 is to my knowledge not implemented by Google.
If you want a bit more privacy and have a mix of the two above then go with a VPN or build one yourself. Just note that without DoH you won't be authenticating between the VPN and google, so I would just use a resolver at the VPN.
The effectiveness of DNSSEC depends on where you are. If you live in the Netherlands or Sweden and visit mostly Swedish or Dutch sites, then a larger portion will be signed.
So far I have been unsuccessful in my attempts to get through to a technician who knows anything other than "try turning it on and off again". I suspect this policy is deliberate.
'cause DNS logs & users' data bring them good money, so they just defend their business.
Their tech support (the one that's "if we solve the problem we'll charge you") said they could not solve this for me.
For one some ISPs run content filtering services. Some users prefer to concede extreme privacy for what they view as a safer browsing experience. It might not be your jam, but it exists.
DNS is designed to be provider independent. It literally does not matter if a Google or Cloudflare or OpenDNS or DNSFilter or your ISP resolves requests. It was designed this way so that the system could be distributed and so that there is not a single point of failure for the internet’s arguably most important system.
Its distributed nature means there are technical performance advantages to doing the above: reduced request latency, localized traffic routing and reduced bandwidth, etc. You don’t need a giant anycast network to serve DNS. You just need to use the servers closest to you.
In Europe ISPs are under much stricter rules about data privacy and generally cannot do things like the above. Having worked for several ISPs here I’ve never found them misusing DNS data (although sometimes it was logged for a time for management / troubleshooting.)
As a European with reasonable trust in my ISP, I don’t want Mozilla sending all my queries to a US company which can be forced to reveal that to the US govt, or use it for some other nefarious purpose.
FWIW I’ve never used my ISP DNS though have always run my own recursor at home.
I don't think the US govt can ask for data present/originated from the EU.
But that also highlights a huge misconception about DoT/DoH: it only provides privacy to the resolver. It does not make your requests private in the eyes of the server or spanning the recursive queries that may be required during resolution. I’m not particularly compelled to trust Cloudflare more than OpenDNS or whatever. It’s the same situation with VPN.
Anyway it’s well known that the actual solution for people concerned with utmost privacy is a round robin resolver selection strategy. It’s super easy to implement... why aren’t browsers providing this type of option?
Ha! Tell that to Verizon, 'cause I'm pretty sure they're not aware of it.
They can, and I would be fine using it if it were a) fast, b) reliable, and c) (here's the big one) legally required that they not log or do anything with my queries.
As it stands, Comcast's provided resolver is somehow slower than some of the third-party providers for me, and I don't care to give them the ability to sell my DNS data.
That’s the part of your comment I am replying to. Anyway I see you’re arguing ISPs shouldn’t care which provider you use, not that they shouldn’t want to default you to running their own. Perhaps I misunderstood your point.
Regardless, I’d argue the problem in the US is that any DNS provider can abuse your data. Today it’s big ISPs, tomorrow it’s Cloudflare. Unless we actually prevent (technically and/or socially) DNS from being an open book and develop strategies to mitigate the privacy issues, it’s just a game of pick your poison, and that's what bothers me.
> But to say there is no reason for an ISP to serve DNS is absurd.
The part of my comment that you quoted does not at all say that. (In fact, no part of my comment says, or even suggests, that.)
I agree that any DNS provider can abuse your data, but it's important to look at incentives. Comcast doesn't care one bit about its public image because it already has a terrible one, but customers have no choice in the matter, so Comcast's public image is mostly irrelevant.
Several DoH providers bill themselves as privacy-focused, and make privacy a big point in their marketing around their DNS service. Violating that privacy would be damaging to their product and reputation, in a way that they'd likely care quite a bit about.
I'd rather just have my local resolver have a list of 5 or so DNS providers with reasonably low-latency presence in my area (possibly including the local ISP, even, who knows), and just round-robin requests to them. There's really no way to make DNS not an "open book" as you put it; you can't ask someone to resolve a hostname for you without telling them what the hostname is.
So yes, we need ways to mitigate harm. Unless a provider has their reputation on the line, I don't really see a way to keep providers from doing sketchy things with your data, at least not without legal regulation. It's not like things like the EU's GDPR and California's CCPA were dreamed out of nothing; they came about because people have started to realize that companies just will not act as good stewards of our data unless we legally mandate toothy financial consequences as punishment.
My issue with this is that I've never been with an ISP that had a faster response time than Cloudflare/Google - and one would think they should, after all, my ISP should be able to reach me as quickly (or quicker) than any other corporation.
My current ISP has the fastest DNS benchmarks I've seen, and they're at 81ms for an uncached response, vs Cloudflare's 63ms and Google's 69ms. Cached response is similar (since I have a local cache).
In addition, my ISP does not provide DoH/DNSCrypt/DNSSEC. None. Just 'vanilla' DNS. Furthermore, they also don't provide an unaltered DNS service: they block some websites from resolving, the list isn't made available, and it is decided via extrajudicial means. You cannot opt out, and all ISPs in the country adhere to this. They're not forced by law to do so. I'm also not in what is normally thought of as a repressive country: it's a member state of the European Union, after all.
There are very good reasons for people to be outright hostile to ISPs and their shady underhanded practices, as you're seeing in this discussion. I feel that it is in any mostly online-based organisation's best interests to expose those practices.
Cloudflare and Google pay ISPs for the latency they get, FWIW. If I made my own resolver service today I would not be able to compete with your ISP without forking over $$$.
Perhaps you misunderstood my original top-level comment. If that's the case, let me try to clarify: ISPs have zero technical reasons to complain that people are using alternative resolvers. I totally see why they want to provide DNS resolvers, and that makes perfect sense. Unfortunately, part of that "want" is so they can sell DNS query data to third parties, which is just another reason why I don't want to use them.
I think the main reason for this is that even if your competitor grew like a weed, it would be a decade or two before you had the scale to justify rolling out a CDN/caching infrastructure like that of Cloudflare. That's not a matter of simply paying ISPs money.
Regarding content filtering services, in that case the user is specifically opting in to that service, so they won't need or care to use an alternate resolver.
I agree that, ideally, you would use a resolver that's close to you in order to minimize latency and increase reliability, but:
1) This requires you to trust your ISP. Many people don't, and with good reason.
2) ISP DNS isn't exactly always the most reliable or fast thing anyway. I easily get better latency from Cloudflare or Quad9 (their old-school Do53 stuff, not the new-fangled DoH) than from Comcast's resolver.
And regardless, if your DoH provider of choice goes down, you can always fall back to a different one, or to your ISP's resolver.
Mozilla's move to reconfigure Firefox to use DoH is a bit sneakier, but it fits with their privacy stance and their low market share does give them cover.
But that is not a valid use case for filtering DNS requests to other services.
At least Cloudflare has KPMG audit them on their privacy claims. Better than nothing.
There is this:
and then there is this:
At the end of the day, any grouping of individuals is a (partially biased) sample of society in general. The role of media and education is fairly decisive in forming social norms. We may have one or two lost generations of engineers following orders, but as Joe said, 'The future is unwritten'.
This isn't true. If you're hosting it, you can control it and you can make sure that it's always operational. The last thing you want is 100 phone calls of "my internet isn't working" and then trying to explain it's not your fault, but rather it's "some other guy".
Or you can ask a domain's authoritative nameserver directly. Using an intermediate caching resolver isn't required. Recursively resolving the DNS query locally only requires asking a centralized nameserver for a domain's authoritative nameservers (the NS records), which can usually be cached locally for a long time. Every other request is compartmentalized to different servers by domain delegation.
Or do both; configure your local resolver to try recursively resolving a request, and fall back to the ISP (other) cache if needed.
Regardless, impressive step to take.
“Seriously, April 1?
The only question that remained was when to launch the new service? This is the first consumer product Cloudflare has ever launched, so we wanted to reach a wider audience. At the same time, we're geeks at heart. 1.1.1.1 has 4 1s. So it seemed clear that 4/1 (April 1st) was the date we needed to launch it.”
Seems like they were pretty serious with it. :)
Same post mentions KPMG.
They’ve also injected permanently unique cookies in http requests.
ISPs can’t be trusted as dumb pipes, they’re closer to “clueless criminal” pipes.
But I agree with you, I don’t particularly trust google either.
Mozilla has explicitly stated on their blog that they don't intend to make any change to a user's DNS settings without getting the user's consent.
> When DoH is enabled, users will be notified and given the opportunity to opt out
As Bert Hubert pointed out, to most users it ends up looking like this:
As long as the people who don't want it can easily opt out, I'm not seeing the problem.
Because that seems MUCH more sensible than a lot of the stories/comments about this recently make it seem.
Most of the hullabaloo is about Mozilla who are moving customers' DNS queries to Cloudflare en masse, regardless of what DNS server they have already configured.
So in other words trust them with everything.
Google has promoted its own DNS service over others in the past, including for non-chrome users, and presumably would do the same when DoH (in whatever form) is the norm.
I was simply saying we already know that ISPs misbehave, but presuming that Google wouldn’t is not necessarily a clear cut decision.
There exist pure technical reasons too, from address translation to DNS-level routing and load balancing. For example for an ipv6-only network to access ipv4 resources there needs to be something like NAT64 embedding ipv4 addresses into ipv6 ones, but that would require overwriting DNS responses with DNS64 to actually work.
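The NAT64/DNS64 mechanism mentioned above, as an added example that is not from the thread: the address embedding follows RFC 6052 (the well-known prefix `64:ff9b::/96` and the network-specific prefix lengths, with the zero "u" octet at bits 64-71), and `dns64_answer` applies the RFC 6147 rule that a synthetic AAAA is only produced when the name has no real AAAA record. The example input addresses are documentation ranges, not anything from the page.

```python
"""Added example (not from the thread): DNS64 synthesis and NAT64 address
extraction per RFC 6052, plus the resolver-side rule that lets an
IPv6-only client reach IPv4-only hosts."""
import ipaddress

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"  # RFC 6052 well-known NAT64 prefix


def canonical(addr):
    """Normalize an IPv6 textual form so results can be compared."""
    return str(ipaddress.IPv6Address(addr))


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in an IPv6 prefix (RFC 6052 section 2.2)."""
    net = ipaddress.IPv6Network(prefix)
    n = net.prefixlen
    if n not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{n}")
    pbits = format(int(net.network_address), "0128b")[:n]
    vbits = format(int(ipaddress.IPv4Address(ipv4)), "032b")
    if n == 96:
        bits = pbits + vbits
    else:
        # Bits 64..71 (the "u" octet) must be zero, so the IPv4 bits that
        # would land there are pushed past it.
        split = 64 - n
        bits = pbits + vbits[:split] + "0" * 8 + vbits[split:]
    return str(ipaddress.IPv6Address(int(bits.ljust(128, "0"), 2)))


def extract(prefix, ipv6):
    """Inverse of synthesize: what a NAT64 box does to find the IPv4 target."""
    net = ipaddress.IPv6Network(prefix)
    n = net.prefixlen
    if n not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{n}")
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError("address is not inside the NAT64 prefix")
    bits = format(int(addr), "0128b")
    if n == 96:
        vbits = bits[96:128]
    else:
        vbits = bits[n:64] + bits[72:72 + (n - 32)]
    return str(ipaddress.IPv4Address(int(vbits, 2)))


def dns64_answer(aaaa_records, a_records, prefix=WELL_KNOWN_PREFIX):
    """RFC 6147 core rule: synthesize AAAA only when no real AAAA exists.
    A resolver that skips this step leaves IPv4-only hosts unreachable
    from an IPv6-only network."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize(prefix, a) for a in a_records]
```

Switching an IPv6-only client to a resolver that does not run `dns64_answer` is exactly the failure described a few comments down: the A record comes back, no AAAA is synthesized, and the client has no address it can route to.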
Keep in mind, encryption is not privacy. Encrypting DNS queries to a 3rd party resolver doesn't improve your privacy, it's a fight for control, not privacy. ISPs will still violate your privacy to the same extent, except said 3rd party will be able to do that too. If your ISP is not trustworthy the only way to save yourself from it is to use something like a VPN which effectively gives you a different ISP of your choice.
How do you mean? Why should my ISPs hijack communication between me and a content provider and reroute it? This is as if I'm in a phone meeting and when I say "let me call you back at 15:00" the phone company injects "19:00" instead, because that's a time the phone network is less loaded so it'd help them.
> NAT64 embedding ipv4 addresses into ipv6 ones
NAT64 is a good point, actually. But at least in 2019 if you're on IPv6 and switch to your own DNS server that doesn't do DNS64, then it just plain won't work. I doubt Firefox or Chrome will have implementations that break like that.
> If your ISP is not trustworthy
Half of global loadbalancing is getting around ISPs doing stupid shit they shouldn't have been messing with.
>Moreover, the centralized control of encrypted DNS threatens to harm consumers by interfering with a wide range of services provided by ISPs (both enterprise and public-facing) and others. Over the last several decades, DNS has been used to build other critical internet features and functionality including: (a) the provision of parental controls and IoT management for end users; (b) connecting end users to the nearest content delivery networks, thus ensuring the delivery of content in the fastest, cheapest, and most reliable manner; and (c) assisting rights holders’ and law enforcement’s efforts in enforcing judicial orders in combatting online piracy, as well as law enforcement’s efforts in enforcing judicial orders in combatting the exploitation of minors. Google’s centralization of DNS would bypass these critical features, undermining important consumer services and protections, and likely resulting in confusion because consumers will not understand why these features are no longer working. This centralization also raises serious cybersecurity risks and creates a single point of failure for global Internet services that is fundamentally at odds with the decentralized architecture of the internet. By limiting the ability to spot network threat indicators, it would also undermine federal government and private sector efforts to use DNS information to mitigate cybersecurity risks.
If your DNS server is in the cloud, your ISP can still see your unencrypted queries to that server. If it is at home, your ISP can still see the unencrypted queries of that server to the root servers.
Unless you encrypt the traffic, DNS is transparent to the ISP whichever way you set it up.
And unless you are also using a VPN, the ISP can learn most of what it can learn with DNS just by looking at the IPs you send packets to. Most commercial websites that matter aren't sharing IPs.
And as you and others have said, it can be done by looking at IP addresses i connect to as well.
What I do achieve is that nobody has a "full" picture of me, but only some subset of data that I transmit.
I also use two independent ISPs in a loadbalancing/failover configuration, so that helps with the cause as well, though my primary use is fail-over since I am in this internet business :)
China is attacking it, ISPs are attacking it, all with loose arguments and fear-mongering.
First of all, I think the extent of the data collection that many companies engage in is sketchy.
That aside, if a website runs analytics that you don't like, you can stop using it. There are usually alternatives, if you're willing to give up some convenience. But if your local ISPs are monitoring you, not using the internet isn't really an option these days.
I really wish we didn't have to treat our ISPs as adversaries in that regard, but we've been at that point for a while.
I hope somebody in regulation will finally stop Google and others to monopolize the web.
let’s not munge it up either. they don’t care about encryption per se. they care about 3rd party resolvers.
So yeah, its going to chop off some of their revenue and they don't like it.
Google pissed in the punch bowl by offering google fiber.
This forced the carriers to perceive google as an existential threat they are absolutely dependent upon for cheap ass android and ISP revenue from YouTube.
The only move they could make was to make google bleed. So they start offering content monetization and competing advertising platforms. Their goal isn't to win, it's to HURT GOOGLE. Advertising prices go down when there is meaningful competition. So shitty content monetization from Comcast and VZ & ATT forces the price of google advertising down.
There is a big part of me that is pulling for the carriers on this front. I’m bummed more people don’t see it this way.
Interference from browsers with network level operations is my real worry. As far as I'm concerned, as long as the browser speaks HTTPS to my router, and my router speaks HTTPS to the servers, no problem. I'm worried about the "to protect the users we've hijacked their DNS directly via the browser" possibility though.
I know it used to be that using ISP DNS servers gave you access to some of their local caching and such. I don't hear that talked about much in these discussions. Is that no longer a thing, and thus we truly don't need ISP DNS?
I don't understand how trading one ISP for another (Cloudflare?) is an improvement long-run. The system itself needs to be resilient, not just depend on the kindness of the upstream gods.
That link isn't very reassuring. Who are parties to the contract? Who can enforce it? What does it cost to breach?
That's the main mechanism for enforcement, but there are a few additional ways it could theoretically be enforced:
- The FTC and state attorneys general can sue companies for violations of their own privacy policies, as "unfair and deceptive acts and practices". For example, they sued Cambridge Analytica recently. 
- The California attorney general in particular would also be able to sue under the California Consumer Privacy Act once it goes into force.
So without DoH an ISP knows everything you request, even if you have a different DNS server set, and if they really wanted to they can simply hijack any connection you make.
Just seems very wrong to me to take the control away from the user/network-admin in any way.
I mean, if you're gonna do it, go whole-hog. Delete HTTP from the browser entirely, right? I don't think that would go over well either, although it could certainly be justified by the same logic.
Maybe I'm misunderstanding something about the issue, there has been a fair bit of FUD, but I simply don't feel good about the browser taking authority outside its "please render this code into a webpage" scope.
You are confusing the network admin and the user. Most users have little reason to trust their router, they often don't own it, update it or have any clue about it. Even experts change roles here when they use any other entity's network.
I understand your use case, but I personally think the end devices should increasingly allow interception by network devices only with user consent, not implicitly.
In other words, opt-in on the device with DNS settings and certificates. If you don't own the device (e.g. have root/admin/etc), you don't get to control it - beyond blocking it.
It’s not being deleted, but Chrome at least has been gradually phasing in a warning in the address bar whenever you visit an HTTP site. (Firefox will apparently do the same starting soon.) I wouldn’t be surprised if the warning UIs get more aggressive a few years down the line, as HTTPS adoption continues to increase.
If you set HSTS and then subsequently remove HTTPS from a site it should (will for Firefox, kind of for Chrome) brick wall you, saying that it isn't able to reach the HTTPS site without offering to let you see the insecure and perhaps compromised HTTP site even if you spell out the HTTP URL.
Unlike HPKP this isn't considered a foot gun because you can fix it by just enabling HTTPS, and why didn't you have HTTPS anyway?
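The HSTS behaviour the comment above describes, as an added example that is not from the thread: a minimal policy cache in the style of RFC 6797. It shows why a site that sets a long `max-age` and then drops HTTPS gets "brick walled" (the client keeps upgrading `http://` URLs until the policy expires) and why the fix is simply to serve HTTPS again or send `max-age=0`. Host names and timestamps are constructed for the example.

```python
"""Added example (not from the thread): a minimal HSTS policy cache in the
style of RFC 6797. Policies are only accepted over HTTPS, are keyed by host
with an expiry, optionally cover subdomains, and are used to upgrade plain
http:// URLs before any request is sent."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into
    (max_age, include_subdomains). Returns None when invalid: max-age is
    required and a directive must not appear twice (RFC 6797 section 6.1)."""
    max_age = None
    include_subdomains = False
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    def __init__(self):
        self.entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, header, now):
        """Record a policy carried by a response. Headers seen over plain
        HTTP are ignored (section 8.1), which is what keeps an on-path
        party from planting a policy."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 is the documented way out
        else:
            self.entries[host] = (now + max_age, include_subdomains)
        return True

    def is_known_host(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// for known hosts (section 8.3). The
        client never sends the plain request, so an HTTP-only site simply
        becomes unreachable until the policy lapses."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or "", now):
            return url
        netloc = parts.netloc
        if parts.port == 80:
            netloc = netloc[: -len(":80")]  # explicit :80 becomes the default 443
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The subdomain walk in `is_known_host` is what makes `includeSubDomains` on the apex affect every name beneath it, so an operator who later stands up an HTTP-only host under that apex runs into the same wall.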
The biggest forward pressure for HTTPS is that newer protocol versions (after HTTP/1.1) do not in practice exist for plain HTTP. The way to do plain HTTP/2 is documented but nobody has plans to implement it, and there isn't even intent to document a plain HTTP/3 because the stuff it's built on is all encrypted from the ground up. From my point of view this is good news.
Basically, you just give it the bad IP addresses and it will replace every query result containing them with an NXDOMAIN.
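The filtering behaviour described above, as an added example that is not from the thread and not any particular resolver's implementation: a response filter that rewrites any answer whose A/AAAA data falls on a blocklist (single addresses or whole ranges) into NXDOMAIN. The response structure, addresses and blocklist are constructed for the example.

```python
"""Added example (not from the thread): turn any DNS answer that contains a
blocklisted IP into NXDOMAIN, which is the behaviour the comment above
describes. Responses are plain dicts; addresses and ranges are constructed."""
import ipaddress

# Constructed blocklist: single hosts and whole ranges, v4 and v6.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("192.0.2.5/32", "198.51.100.0/24", "2001:db8:bad::/48")]


def is_blocked(rdata, blocklist=BLOCKLIST):
    """True when rdata is an IP address inside any blocklisted network."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address (CNAME/MX target, TXT, ...)
    return any(addr in net for net in blocklist)


def filter_response(response, blocklist=BLOCKLIST):
    """response: {'qname': str, 'rcode': str, 'answers': [(rtype, rdata), ...]}.
    Returns a new response. If any A/AAAA rdata hits the list the whole
    answer is replaced by NXDOMAIN and the offending addresses are kept
    under 'blocked_by' so the decision can be logged."""
    hits = [rdata for rtype, rdata in response["answers"]
            if rtype in ("A", "AAAA") and is_blocked(rdata, blocklist)]
    if not hits:
        return dict(response)
    return {"qname": response["qname"], "rcode": "NXDOMAIN",
            "answers": [], "blocked_by": hits}


# Constructed responses as a caching resolver might hold them.
SAMPLE_RESPONSES = [
    {"qname": "www.example.com.", "rcode": "NOERROR",
     "answers": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")]},
    {"qname": "cdn.example.net.", "rcode": "NOERROR",
     "answers": [("CNAME", "edge.example.net."), ("A", "198.51.100.9")]},
    {"qname": "v6.example.org.", "rcode": "NOERROR",
     "answers": [("AAAA", "2001:db8:bad::1")]},
]


def filter_all(responses=SAMPLE_RESPONSES, blocklist=BLOCKLIST):
    """Apply the filter to a batch and return {qname: rcode}."""
    return {r["qname"]: filter_response(r, blocklist)["rcode"] for r in responses}
```

Matching on networks rather than exact strings is what lets one entry cover a whole hosting range, and leaving non-address records alone avoids false positives on CNAME chains.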
So moving the DNS to Cloudflare only means “now Cloudflare have my entire browsing history as well as my ISP.”
I do appreciate there is a draft on ESNI but it’s not there yet.
DoH is not a privacy boon.
DNS, whilst plaintext is at least federated, and is a network level service. That is, it's not tied to a single session in a browser.
as I understand it, there is nothing stopping a browser from appending metadata to the GET request, or putting extra headers in. This means that it's perfectly possible to nail your complete browsing history, down to the server you've been given.
The browser isn't interfering in any of your network operations.
Sounds like interfering with the way my intranet operates to me.
This change is explicitly protecting users from malicious network operators. Since you control the endpoints it should be no big deal, you apply GPO, run Puppet, whatever and everybody is talking to your local DNS again but it is absolutely right to not trust local unencrypted DNS by default for every network you connect to.
Aren't there some "hijacks" that are actually valuable to users? For example, if I run a network inside an extremely limited internet environment, I can hijack the user's DNS and redirect them to a "Hey, we're sorry, but running Netflix here will ruin the network for everyone, we hope you understand" page. If their browser is ignoring my local DNS server my option would seem to be simply black-hole Netflix packets in the firewall, which is a lot less friendly to the user. Would I be a malicious network operator in this case?
There has been work on allowing networks to communicate out-of-band to browsers for administrative purposes. Even this is risky in general because of the phishing possibilities, among other things. Showing users arbitrary messages from network operators in the middle of the users' other browsing activities is likely to make it even easier to confuse the users into taking actions that they really didn't intend to do.
There's a strong case to be made that the vast majority of Chrome users aren't equipped to evaluate this question. These users are very unlikely to know if they're on an untrusted network and thus unable to make use of the kind of very useful switch you wisely suggest.
Perhaps offering a configuration option for the small percentage of technically sophisticated users who are willing to look in settings for it? Certainly Chrome Enterprise (which is a configuration management system, not a pay-for enterprise software offering) offers strong settings management tools.
Strictly from a security perspective, you always assume your network is untrusted and untrustworthy (and use protocols designed to work just fine in such situations). Especially when serving users who aren't equipped to make their own educated decisions. Can you help me understand why Chrome might want to behave otherwise?
For example redirecting the user to a fake webpage asking for their username and password.
A user will learn that there's blocking if they try and access Netflix and it doesn't work.
You can get something like a Juniper SRX firewall which can recognise applications via signature and do blocking that way. Rather than against IP ranges only.
Also as a network admin you're not saying why you won't be able to block DNS over HTTPS providers.
Unless you're thinking there's going to be some unknown DNS server used by the browser.
But if that's your fear you'll need to block all the online DNS lookup websites.
What if a user just types the IP address directly? Totally circumnavigates DNS.
(And yes, I set up a similar easy makeshift DNS solution to "authenticate" for the un-encrypted WLAN I had many years ago)
The network is compromised. This is the fundamental assumption of networks. If you operate from this position you are much less likely to get burned.
Mozilla and Google became unsatisfied with gethostbyname but they cannot change that part of the OS. So they are solving their problems on their side.
> the browser speaks HTTPS to my router, and my router speaks HTTPS to the servers
Usually this isn't the case. Browsers that aren't configured to use a proxy connect directly to some web server using TCP and speak HTTP to it. On a lower level, it's being facilitated by IP traffic routed by your own router, the ISP and the Internet.
There are "Forward" HTTP proxies (e.g. software like Squid) that act like HTTP clients on the web and provide the real user with results. I suppose they're being set up at large organizations by IT, or at home by privacy geeks but I know no consumer router that does that out of the box.
The question is whether Chrome is going to ignore system settings by default.
If a malicious app was to use their own DoH server then there's nothing you can do.
Well you can get a MITM web security product to inspect traffic.
Or only allow internet traffic through a proxy on your network and then block DNS providers.
Local caching via DNS? Perhaps on unencrypted HTTP traffic.