Mozilla Stirs Ire With DNS Over HTTPS

Captions
This is true. You would never expect something as apparently clean, simple and beneficial as enabling DNS lookups over HTTPS to stir up any controversy. Seems like a good thing. We all know what a problem it is that, despite every website we visit now being HTTPS with few exceptions, where its identity is authenticated because we trust the entity that signed its certificate asserting its identity, and all of the communications back and forth are encrypted relying on this TLS technology, unless special measures are taken, even though all the sites we talk to are HTTPS, all of our browser's DNS queries to those websites and to all the other domains on each of the pages we receive from those websites (and as we know, sometimes that could be hundreds of subsidiary domain queries, because of all of the junk that is coming in from all corners) go out in the clear. Every one of those pages spews forth a storm of unencrypted UDP packets carrying a DNS-query-formatted payload. Outbound is the domain name that our browser needs to get the IP address for, and the response is an IP or a collection of IPs where we can access that resource. They're all unencrypted, they're all in the clear.

So the concern has been that anybody passively monitoring our traffic, like our ISP, who is the first step off of our connection as our data goes out to the internet, or really anyone passively monitoring our connection, is able to see everything that we're doing. Not into our connections, but they know where we're going based on the queries that we're making. And then it also means that, because it's unencrypted and unauthenticated by default, any active interception can manipulate the DNS replies to send our browser to some other server. And if that other server has arranged to obtain a certificate that we trust (and unfortunately, with so many certificate authorities globally now, and our browsers trusting all of them, that's not a stretch, especially if the entity doing the interception is highly placed), then we don't really have any security.

So we've talked in the past about how Mozilla with Firefox and Google with Chrome are moving toward this idea of doing DNS in a different way: tunneling DNS queries over TLS to a remote DNS server over a single established connection. In this mode, which is described in RFC 8484, the browser no longer hands the job of DNS lookups over to its host operating system. That's what all of our browsers do now: the OSes do that job for the browser. Our OS has a DNS cache, it has a DNS resolver, so the browser app just makes a query through an OS API saying, hey, look this IP up for me. That goes to the operating system, and it's our network adapters then that know the IPs to query for DNS. They typically get that by making a DHCP (Dynamic Host Configuration Protocol) query, typically to the router that we have for our local environment. It may be a DNS server itself, but more often it's just passing through the IPs that it in turn received when it made a DHCP query to our ISP, using our ISP's DNS. Which makes sense, because we want the answer to come back quickly, and you want a DNS server to be close to you, because all of your connections wait on getting the IP to connect to after sending out DNS queries, so DNS response time is very important.

So about a year ago, or about a year and a half ago actually, Mozilla began experimenting with this. We talked about it at the time, and it was by every measure a complete success. That is, the idea of establishing an HTTPS connection to what's known as a DoH (DNS over HTTPS) provider and then tunneling the same lookups through that connection. So what that means is the browser no longer asks the OS; it itself establishes the connection. What this provides, of course, is complete protection from DNS UDP passive monitoring or active interception.

Cloudflare offers a service, Google offers a service, Quad9 offers a service, so there are multiple providers now that are well connected, global, and offering DNS over HTTPS. And it turns out, for example, in Firefox you go to Options in the browser's menu, scroll to the bottom of the first General page that is displayed, click on Settings there under Network Settings, and at the bottom of the dialog that pops up you'll find a checkbox, Enable DNS over HTTPS. So you put a check in the box, and unless you have some reason for choosing some other DNS provider, you leave it set to Cloudflare, which Mozilla has established a relationship with for this purpose. At that point, when you turn that checkbox on, your Firefox opens up a single persistent connection to a local Cloudflare endpoint, using their global geolocation-aware technology so that you're connected to someone relatively close to you, and all DNS goes through this HTTPS tunnel and is replied to there. So for someone passively monitoring your bandwidth, whether they're on the intranet or out close to you like your ISP on the internet, suddenly it's like, oh, what happened to DNS? This person is not making DNS queries like they used to before.

Okay, so that seems all good. What's the problem? Believe it or not, entities in the UK are all up in arms. They were pissed off. Yes, they called them the internet enemy. I know, Leo. By the way, since I read that article I started using Firefox. I said, that's it, if they're the enemy of the internet, I'm using it. Oh, I know. They're the ISPA. The Internet Service Providers Association has named Mozilla one of the three finalists for their Internet Villain of the Year for, quote, I'm quoting them, "their proposed approach", that is, Mozilla's proposed approach, "to introduce DNS over HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Shocking.

And Leo, okay, so I go to this ISPA page, the Internet Service Providers Association, as I'm pulling the pieces of this thing together, and I just had to shake my head when at the bottom right-hand corner I was presented with this pop-up that I have in the show notes here. It says, down in the lower right-hand corner for me (oh, and you got it too? Yeah, because I'm using Firefox, uh-huh), so this is the ISPA, right, who's upset that Mozilla is going to be tunneling DNS over HTTPS for all the benefits that we just outlined. The pop-up reads: "It looks like your cookies are switched off. To ensure the best experience whilst visiting our website, please consider allowing cookies. You can find out how to change your settings or more about the cookies we use at the bottom of this page." Unfortunately, I think it was covered up by the notice. Yes, the ISPA has our best interests at heart. That's right.

So part of this is, remember that the UK wants to do this licensing system: if you don't get a license you can't see porn on the internet, because they're trying to keep porn out of kids' hands. So one of the groups you can go to... you go into a pub to get a life-sized, no, no, you go to a pub to get a licence. You have to prove it there, so you have to go with your driver's license, age proof, and then you get a license that allows you to surf the internet freely. One of the people who is doing this is a company called MindGeek, which runs YouPorn, and pretty much every porn site you've ever heard of is run by MindGeek. So you have to, what could possibly go wrong, go to a MindGeek site, give them your driver's license, your passport, proof of age, and they will give you a license to use the internet freely. This is such a bad idea. I do think I remember seeing somewhere, as I was just scanning this, that they want your phone number as well. Oh yeah, all sorts of stuff. The funny thing is, they passed this bill and were about to implement it when they realized they hadn't told the EU, because they thought, well, by now we'll be out of the EU. So they had to stuff... they're not. So among all the other Brexit problems this is another one. They actually had to put this change off until either they tell the EU about it or they're not in the EU anymore, and I don't think that the EU will allow it. So it's just a mess. It's such a mess. Oh my god.

So, well, yeah, and so here we have a problem, where we're advancing privacy and security for web browser users, yet the other side of this is... from the research I did, in the UK ISPs are legally forced to block certain types of websites, such as those hosting copyright-infringing or trademark content. Some ISPs also block other sites at their discretion, such as those that show extremist content, adult images, child pornography and so forth. These latter blocks are voluntary and are not the same across the UK, but most ISPs usually tend to block child abuse content, which seems like a good thing. Unfortunately, of course, we all know that this isn't a strong protection anyway. So the idea being that there are filters that the ISP manages that match on known domain names and do not return an IP address, or return some placeholder IP, some redirection page, if you try to get to that.

In mid-May, Baroness Thornton, MP for the Labour Party, brought up the DoH protocol and its impending support from browser makers in a session of the House of Commons, calling it a threat to the UK's online safety. And similarly GCHQ, Britain's intelligence service that we'll be talking about later in the podcast, has also criticized both Google and Mozilla, claiming the new protocol would impede police investigations. And of course I cued on that, because, like, wait a minute, how would this impede police investigations unless there was passive eavesdropping going on over on the wires that would cause matches? And then GCHQ continues, saying it could undermine its existing government protections against malicious websites. Okay, but how tunneling your DNS queries impedes police investigations is really unclear. The Internet Watch Foundation (IWF), a British watchdog group with the declared mission to minimize the availability of online child sexual abuse content, also criticised both Google and Mozilla, claiming the browser makers were ruining years of work in protecting the British public from abusive content by providing a new method for accessing illegal content. Now of course, remember that any VPN does this, right? This is kind of a VPN for DNS, whereas the way it's always been is that we've just been spraying unencrypted UDP out onto the internet. Now it's in a browser tunnel. They're not able to see into HTTPS content now; we're simply HTTPS-tunneling DNS queries. So, yeah, that's, like, not a new method for accessing illegal content.

In their coverage of this, ZDNet noted that essentially Google's and Mozilla's support for DoH effectively narrows down to the same moral dilemma that surrounds the Tor project and the Tor network, which, yes, upsets people because it allows people to be anonymous. "Browser makers," ZDNet wrote, "must now decide if it's worth supporting a tool that brings privacy improvements to millions at the expense of a few that may have to suffer." When ZDNet asked Mozilla for a comment on its nomination, right, the Villain of the Year nomination, Mozilla replied, quote: "We're surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure. Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK. DNS over HTTPS (DoH) would offer real security benefits to UK citizens. Our goal is to build a more secure internet, and we continue to have a serious, constructive conversation with credible stakeholders in the UK about how to do that." Mozilla said: "We have no current plans to enable DoH by default in the UK. However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly."

I was unable to see anything that definitively talked about Mozilla's plans for default enablement. We do know, you know, one of my favorite coined terms is "the tyranny of the default". We know that most users will never dig down into any of their browser settings and flip any switches. So our listeners, and you, Leo, and I, we have DNS over HTTPS. I just explained how to do it if you are a Firefox user, and it's coming soon to a Chrome browser, and probably a Chromium-based browser near you, which expands that field even more broadly. So it's a matter of turning that switch on. What really matters then is whether our browser vendors decide to make it the default. And what Mozilla is saying is, no, no, no, well, okay, we have no plans to make it the default in the UK. I don't know whether that will change over time. Who knows? But again, I thought this was a perfect example of where, yes, just improving things, making things more secure and private, does generate some backlash. And unfortunately for Mozilla there are two other contenders for Villain of the Year that this Association has named. We'll see who ends up... Great, Mozilla is off the list, because as of today the ISPA has withdrawn. Oh yeah? In the toilets, I think; they're a little stung. "In the 21 years the event has been running, it is probably fair to say that no other nomination has generated such strong opinion." Then they go on to show all the great things: "The villain category is intended to draw attention to an important issue in a light-hearted manner, but this year we clearly sent the wrong message, one that doesn't reflect our genuine desire to engage in constructive dialogue. We are therefore withdrawing the Mozilla nomination." Yeah. "We still think it's important to scrutinize the plans," and they say, oh yeah, data protection, security, online safety, user choice, user consent, you've got to pay attention, Mozilla. So they got there. I mean, the award ceremony is the day after tomorrow, in case you're curious. What this certainly does is, if they want to impose these sorts of filters, they'll have to do it in a different fashion. But it is certainly, I mean, it's not robust to use DNS anyway, so this probably means they will end up with better filtering of the stuff they want to filter, and the vast majority of people will end up with way more privacy. You
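The RFC 8484 exchange the episode describes, as an added example that is not the podcast's or Firefox's code: it builds the DoH GET form of a query (the same wire-format query a browser hands its OS, base64url-encoded into a URL) and parses the wire-format reply the resolver returns in the HTTP body. The endpoint URL is an assumption, Cloudflare's public resolver, and the reply is a constructed sample.

```python
import base64
import struct

# Added example (not the podcast's or Firefox's code): the RFC 8484 DoH GET
# form plus a parser for the DNS wire-format reply carried in the HTTP body.
# Endpoint is an assumption: Cloudflare's public resolver, the Firefox default.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"

def encode_name(name):  # domain name -> length-prefixed labels (RFC 1035)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_dns_query(name, qtype=1):  # ID 0, RD=1 as RFC 8484 recommends
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(name, endpoint=DOH_ENDPOINT):
    # GET form: the query base64url-encoded, padding stripped, in 'dns='
    dns = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return f"{endpoint}?dns={dns.decode()}"

def read_name(msg, off):  # decode a possibly compressed name -> (name, end)
    parts, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # RFC 1035 compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(parts), (off if end is None else end)
        parts.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg):  # IPv4 addresses in the answer section of a reply
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):                        # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed reply: QR/RD/RA flags, echoed question, one A record whose
# owner name is a pointer (0xC00C) back to the question name; RFC 5737 address.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 1]))
```

Because the query ID is fixed at 0 and the GET form drops base64 padding, identical lookups produce identical URLs, which is what lets an HTTP cache along the path answer them; the reply parser handles the name-compression pointer that real resolvers use in the answer section.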
Info
Channel: TWiT Tech Podcast Network
Views: 5,720
Keywords: TWiT, This Week in Tech, TWiT.tv, technology, tech news
Id: 1--MWzrdwxM
Length: 21min 25sec (1285 seconds)
Published: Sun Jul 14 2019