Mozilla says ISPs are lying to Congress about encrypted DNS


sman

Mozilla on Friday posted a letter urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt – they’re dropping “factual inaccuracies” about “a plan that doesn’t exist,” it says.

Both of the entities behind those browsers – Mozilla and Google – have been moving to embrace the privacy technology, which is called DNS over HTTPS (DoH). Also backed by Cloudflare, DoH is poised to make it a lot tougher for ISPs to conduct web surveillance; to hoover up web browsing activity and, say, sell it to third parties without people’s consent; or to modify DNS queries so they can do things like inject self-promoting ads into browsers when people connect to public Wi-Fi hotspots.

https://nakedsecurity.sophos.com/2019/11/06/mozilla-says-isps-are-lying-to-congress-about-encrypted-dns/

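To make the mechanism the article describes concrete, here is an added example (not code from the post, from Mozilla, or from the article) that builds a DNS-over-HTTPS query the way RFC 8484 specifies and decodes a response. The resolver URL https://cloudflare-dns.com/dns-query is Cloudflare's public DoH endpoint, the default Firefox resolver discussed in the thread; the response bytes and the 93.184.216.34 address are constructed sample data, not a live lookup, so the block runs offline. The `fetch_doh` helper shows where a real HTTPS request would go and is not called by the demo.

```python
"""Build and decode RFC 8484 DNS-over-HTTPS messages (added example, runs offline)."""
import base64
import ipaddress
import struct
import urllib.request

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
# Cloudflare's public DoH endpoint (the default Firefox resolver discussed above).
CLOUDFLARE_DOH = "https://cloudflare-dns.com/dns-query"


def encode_name(name):
    """Encode a hostname as DNS wire-format labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A):
    """Standard recursive query. RFC 8484 section 4.1 recommends ID 0 so that
    identical queries produce identical HTTP requests and can be cached."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_doh_get_url(resolver, name, qtype=QTYPE_A):
    """GET form: the wire-format query travels in ?dns= as unpadded base64url."""
    dns_param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"{resolver}?dns={dns_param.decode('ascii')}"


def fetch_doh(url, timeout=5.0):
    """Issue the GET over HTTPS. Not called by the offline demo below."""
    req = urllib.request.Request(url, headers={"accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata)]) from a wire-format response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = str(ipaddress.ip_address(rdata)) if rtype in (QTYPE_A, QTYPE_AAAA) else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers


# Constructed sample response (not a live lookup): one A record, TTL 300, with the
# answer name given as a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(build_doh_get_url(CLOUDFLARE_DOH, "www.example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

The `?dns=` value produced for `www.example.com` is byte-for-byte the GET example in RFC 8484 section 4.1.1; the POST form instead sends the same wire-format bytes as the body with `content-type: application/dns-message`. Note that what an ISP sees on the wire is an HTTPS connection to the resolver, not the query itself.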

Hmm. DoH is not without issues, as brought out in https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
DNS-over-HTTPS causes more problems than it solves, experts say
DOH DOESN'T ACTUALLY PREVENT ISPS USER TRACKING

One of the main points that DoH supporters have been blabbing about in the past year is that DoH prevents ISPs from tracking users' DNS requests, and hence prevents them from tracking users' web traffic habits.

Yes. DoH prevents the ISP from viewing a user's DNS requests.

However, DNS is not the only protocol involved in web browsing. There are still countless other data points that ISPs could track to know where a user is going. Anyone saying that DoH prevents ISPs from tracking users is either lying or doesn't understand how web traffic works.

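The point in the quoted ZDNet passage, shown in code. This is an added example, not from the post or the article: it constructs a minimal TLS ClientHello (a hypothetical one built here, not a real capture) for a given host and then reads the Server Name Indication back out of it the way any on-path observer would, with no keys involved. DoH hides the DNS lookup, but the same hostname reappears in plaintext in the first TLS packet sent to the web server, next to the destination IP; encrypting that field is what the ESNI/ECH work is for, not DoH.

```python
"""What a passive observer still sees with DoH: the SNI in a TLS ClientHello (added example)."""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(host, random_bytes=b"\x11" * 32):
    """Construct a minimal ClientHello record for demonstration. With host=None
    no SNI extension is included. Constructed sample, not a negotiable handshake."""
    extensions = b""
    if host is not None:
        name = host.encode("ascii")
        sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
        sni_body = struct.pack("!H", len(sni_entry)) + sni_entry     # ServerNameList
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                          # legacy_version TLS 1.2 (TLS 1.3 keeps this value)
        + random_bytes                       # 32-byte random
        + b"\x00"                            # session_id: empty
        + struct.pack("!HH", 2, 0x1301)      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                        # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a plaintext ClientHello record, or None.
    Everything read here is unencrypted, so an ISP on the path can read it too."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack_from("!H", record, 3)[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HS_CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                            # version + random
        off += 1 + body[off]                                    # session_id
        off += 2 + struct.unpack_from("!H", body, off)[0]       # cipher_suites
        off += 1 + body[off]                                    # compression_methods
        if off >= len(body):
            return None                                         # no extensions block at all
        ext_end = off + 2 + struct.unpack_from("!H", body, off)[0]
        off += 2
        while off + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", body, off)
            ext = body[off + 4:off + 4 + ext_len]
            off += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack_from("!H", ext, 0)[0]
            p = 2
            while p + 3 <= list_end:
                name_type, name_len = struct.unpack_from("!BH", ext, p)
                p += 3
                if name_type == 0:
                    return ext[p:p + name_len].decode("ascii")
                p += name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                             # truncated or malformed record
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # the host, readable on the wire
    print(extract_sni(build_client_hello(None)))                # None: no SNI present
```

The parser deliberately returns None rather than raising on malformed input, since a passive classifier sees plenty of traffic that is not a ClientHello at all; in real deployments the same hostname is also recoverable from the server's certificate in TLS 1.2 and from reverse lookups on the destination IP, which is the thread's point that DoH alone does not close the gap.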

@David H. Lipman, I will use normalized fonts from now on.

Can Cloudflare be trusted?
Well, your connection is really encrypted, but only until Cloudflare's servers. ... Or it can still be encrypted (between Cloudflare's servers and the website's servers), but the contents of what you're viewing and sending on that website remain visible to Cloudflare, even in the so-called Full (strict) SSL.

There David has nailed Cloudflare, and it seems Firefox is not going to stick only with Cloudflare but will add other resolvers too in future.

OTHER DOH RESOLVERS TO BE ADDED IN THE FUTURE, BESIDES CLOUDFLARE

But most importantly, the FAQ explains why Mozilla chose Cloudflare as its initial default DoH resolver and said that it plans to add other DoH resolvers in the future, as long as they adhere to the same requirements that Cloudflare also agreed to.

These requirements include a series of rules about user privacy and security, including a clause that "explicitly forbids" DoH resolvers like Cloudflare from monetizing DoH data they receive from Firefox users.

Source: Mozilla: Cloudflare doesn't pay us for any DoH traffic, https://www.zdnet.com/article/mozilla-cloudflare-doesnt-pay-us-for-any-doh-traffic/


  • Root Admin

Yes, I've read that already, but we'll have to see how it pans out in practice, at release. Microsoft is as bad or worse about telemetry and tracking as Google within the core of Windows 10. Personally I'd like to see it at the Internet CORE ROUTER level, where it could be audited by many different levels of business, instead of in encrypted operating system files that are proprietary and unable or very difficult to analyze and audit to confirm it is in fact doing what it should do. But that is part of the concern or issue here: more and more people nowadays have less and less trust in tech companies, which abuse their privacy one way or another. I'm hopeful that Microsoft will do the right thing, but we won't know until it's in production worldwide.


Yes, that's one of the many reasons I flat out refuse to 'downgrade' to Windows 10 because I actually value my privacy (and I also believe that the owner of the device should be the individual that actually paid for it, not the company that developed the operating system running on it).  I've been using DNSCrypt for years so regardless of what Microsoft, Mozilla, Google or anyone else does, my DNS requests are already encrypted.


  • Root Admin

Maybe they are, maybe they're not. I'd like to see it independently and fully audited, verified, and confirmed that the whole round trip is encrypted and no one but you and the DNS server can decrypt the data. Then the DNS server should also either not log it or, at a minimum, delete the log within one week.


12 hours ago, sman said:

Then why not bring in laws/acts to make it a reality and ensure adherence by the techies?

The lobbyists would probably pay to shut it down. They like being able to track everything that everyone does on the web, and the data brokers like Microsoft, Google and a slew of companies you've probably never heard of (just do a web search for 'data brokers' and you'll see what I mean; there are some great articles on the subject out there) will fight against it tooth and nail because they want to track what everyone does. Heck, that's probably why they're implementing/encouraging DNS encryption: so that the ISPs will no longer be the exclusive holders of most of the client data. They cut the ISPs out of the picture by encrypting traffic but then track it on their own servers that they're routing you through, so that they (Microsoft, Google or whoever is providing the DNS) can still log every site you connect to.

While I cannot verify for certain that all of the DNS servers I use through DNSCrypt are not logging, they all claim not to be, but Ron is correct: without verification there is no way to know for sure. Of course it helps that I use multiple servers rather than just one. It means that no single server can log all of my traffic, so anyone wanting to track me fully would need access to logs from both (both servers which supposedly aren't keeping any logs, mind you).


Right, there's no way to know for certain unless you go through servers that you yourself have full physical control over. That's just the reality. Are Microsoft, Google and Mozilla doing this in the interest of protecting user privacy? Maybe, but then why are they (particularly the first two; the latter is more of a follower of Google than anything else these days) always trying to gather so much data about us all the time? I mean, the entire reason I don't use Windows 10 and have stuck with 7, and the entire reason I avoid using any Google services (including search; I use DuckDuckGo and Startpage for that), is centered around privacy, because these products and services have so much embedded tracking/telemetry and advertising (I classify them as adware and spyware personally, though much of the industry has been far more forgiving in its judgments of the likes of Microsoft and Google with regards to their telemetry, targeted advertising and big data efforts). So to turn around and trust them to provide an alternative DNS to protect my privacy just makes me suspicious, so I won't be using their servers and will instead continue to use my own.


  • Root Admin
2 hours ago, sman said:

So, it's a hopeless situation, with no end. So, there is no trusting whatever one may say, or whatever the techies with 'crocodile tears' may come up with.

Absolutely not. The situation is not hopeless, but it is an uphill battle. There should be no gloom and doom. It is extremely easy to validate, confirm, and verify that all data is fully encrypted round-trip and that it's not being logged by anyone. Personally, if it's encrypted I see no reason to store the logs of where users are going except for telemetry for things such as advertising sales, etc.; they would not be useful for diagnostics or troubleshooting, as no one should be able to decrypt it except the server. An admin at the console should not have the ability to do it, but of course it probably will not be set up like that either.


Can it be done as explained above? - YES
Will it be done as explained above? - Very unlikely, but we can be hopeful.

Even if it's not fully set up as above, just encrypting the data round-trip so that no one like Google, Microsoft, ISPs or governments can snoop on the data for their own purposes would be a great start, but again it must be validated by more than one security company that has no stake in it with any of the companies involved or any government entity. Otherwise, you will not be able to trust that it is what they say. Without the validation you simply have to trust them at their word. I cannot speak for you or others, but for myself, sorry, I don't and won't trust them without some type of proof. You see it more and more where companies say they're doing something a certain way and then, when the xxx hits the fan, you find out they were not doing what they said. VPN companies claim "no logs" and then, lo and behold, court documents show up proving that yes, they did have logs and provided them to the courts.

