Cloudflare and Apple Design a New Privacy-Friendly Internet Protocol (techcrunch.com) 90
Engineers at Cloudflare and Apple say they've developed a new internet protocol that will shore up one of the biggest holes in internet privacy that many don't even know exists. Dubbed Oblivious DNS-over-HTTPS, or ODoH for short, the new protocol makes it far more difficult for internet providers to know which websites you visit. From a report: [...] Recent developments like DNS-over-HTTPS (or DoH) have added encryption to DNS queries, making it harder for attackers to hijack DNS queries and point victims to malicious websites instead of the real website you wanted to visit. But that still doesn't stop the DNS resolvers from seeing which website you're trying to visit. Enter ODoH, which decouples DNS queries from the internet user, preventing the DNS resolver from knowing which sites you visit. Here's how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between for the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can't see what's inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with. "What ODoH is meant to do is separate the information about who is making the query and what the query is," said Nick Sullivan, Cloudflare's head of research.
Privacy friendly or (Score:2, Insightful)
Are they just trying to make your data more valuable by limiting who can gather it and who can sell it, thus monopolizing the market.
Re:Privacy friendly or (Score:5, Informative)
Are they just trying to make your data more valuable by limiting who can gather it and who can sell it, thus monopolizing the market.
Yes and it is being paid for by George Soros at the behest of the ZOG, the Deep state, the Gray Aliens and the Lizard people ... oh for god's sake, as long as you are careful to use different parties for DNS and Proxy services to maintain 'separation of knowledge', this will severely limit how much of the global DNS traffic any one party can see. This compares favourably with the current situation where your DNS service providers can basically monitor every unencrypted move you make. The DNS resolver can't keep track of you because they do not know who the originator is and the proxy operator cannot tell what you are trying to resolve because the query is encrypted and as long as they can't compare notes their customer tracking and data selling departments have a problem. If you then use a random proxy for every transaction anybody trying to track you has an even bigger set of headaches ... that is, as long as you maintain 'separation of knowledge'
Re: Privacy friendly or (Score:1, Troll)
Yeah, and conspiracy theorists are hiding under your bed and lurking in the shadows of your closet too.
Get therapy.
Re: Privacy friendly or (Score:2)
Sorry, I have seen worse things said in complete seriousness.
It's not sarcasm if it could be meant seriously.
You need to update your sarcasm.
Oh, and HOW THE FUCK IS IT TROLLING?? ... But I have seen moderatards mod me down *for being against murder*... So... what do I expect...
I *know* you moderatards only abused that moderation to silence it, not because it is actual trolling.
Re: (Score:1)
as long as you are careful to use different parties for DNS and Proxy services to maintain 'separation of knowledge', this will severely limit how much of the global DNS traffic any one party can see.'
Yup, just like location data on your cell phone or your credit card purchases - wait a minute!
Re: (Score:2)
as long as you are careful to use different parties for DNS and Proxy services to maintain 'separation of knowledge', this will severely limit how much of the global DNS traffic any one party can see.'
Yup, just like location data on your cell phone or your credit card purchases - wait a minute!
No, try reading the article. What you are talking about is harvesting from a single data source where you as a data harvester have full access to what is being purchased and the identity of the purchaser. This is data being encrypted by the DNS query generator. That encrypted data is then routed through a third party that masks the identity of the DNS query generator by routing it on to the DNS service provider after stripping away any identifying data. This blocks the DNS service provider from being able t
Re:Cloudflare, the Internet's Man in the Middle (Score:5, Informative)
The Cloudflare blog post [cloudflare.com] about this is very up-front about that limitation: "However, each of these guarantees relies on one fundamental property -- that the proxy and the target servers do not collude. [....] The only real requirement, remember, is that the proxy and target never collude." (Emphasis in the original.)
Re: Cloudflare, the Internet's Man in the Middle (Score:1)
Yes, if you say it openly, everybody will believe you don't do that. "Eww, /SoMeBoDy/ farted in here!"
Lesson 101.
Lesson 102: Black-eyed people will believe *everything*, as long as it makes them feel safe and like everything is in order.
Lesson 103: How to silence whistleblowers by making up a conspiracy theory about them being conspiracy theorists.
Lesson 104: How to pose as a conspiracy theorist in order to mix some insanity in with the actual concerns so whenever somebody mentions the actual concerns, you
Re: (Score:2)
It's a Pavlovian response for some people, anyone goes near their DNS and they shit a brick.
Re: (Score:2)
And that's a requirement that I, as an end-user, cannot guarantee.
Seriously, just set up dnsmasq locally and point it at Tor's DNS resolver. That accomplishes what this claims to, without relying on two specific servers not to collude.
Re: (Score:2)
But it's even more ridiculous when you decide to make a press release about "improving privacy" as a partnership between the gay fruity company (whose latest OS circumvented privacy and VPNs to report back to the mothership every time you open an app) and the Internet's shady Man In the Middle proxying company.
Fact: OCSP is used to determine certificate revocations. Windows uses it, Linux uses it, macOS uses it. It is good. It's standardised under RFC 6960. Apple mandates that all 3rd party software is digitally signed and then 'notarised' (a fancy way of saying they countersign it as a centralised measure of trust), to which they use OCSP as an extra safety net to rapidly revoke any signed software which later turns out evil. Microsoft recommends 'authenticode' security (their fancy name for a signature tha
Re:Privacy friendly or (Score:4, Informative)
While your cynicism is well warranted, it's an undeniably good thing that customer data become more scarce. If the only companies with their hands on our data are the major Internet giants, that's an improvement from where we find ourselves today, where the companies with our data include not just those giants, but also thousands of other companies with far fewer scruples. Cutting those latter companies out of the loop is a win.
When it comes to privacy, our interests align with any company that is actually making things more private, regardless of whether they happen to be doing so for self-serving reasons.
Of course, that doesn't necessarily mean that (O)DoH is a good technology. While it may make things more private, it comes with a number of downsides, such as greater complexity, latency, increased fragility of our connections as we depend on yet another service to visit a site, and so on, not to mention the fact that (O)DoH still lives in the browser, rather than in the OS.
Re: (Score:2)
While your cynicism is well warranted, it's an undeniably good thing that customer data become more scarce.
Nothing is becoming more scarce.
If the only companies with their hands on our data are the major Internet giants, that's an improvement from where we find ourselves today
Yea, that's the ticket. Cheerlead the growth of large centralized providers best positioned to maximally leverage/monetize their centralized position and denounce all small operators. Aggregation of power is a GOOD thing. Federation = bad, centralization = good.
where the companies with our data include not just those giants, but also thousands of other companies with far fewer scruples. Cutting those latter companies out of the loop is a win.
This is a false choice. There is no reason to accept either WRT DNS.
The answer to insecure DNS is DNS over TLS.
The answer to untrustworthy DNS servers is picking one you trust or running your own.
Re: (Score:2)
The answer to insecure DNS is DNS over TLS.
No it is not. As your DNS provider knows every DNS request you make. The article is about how to make DNS calls without the DNS provider being able to track you.
Sorry, but that is obvious from the summary. You perhaps should have taken the 30 seconds to read it.
Re: (Score:2)
No it is not. As your DNS provider knows every DNS request you make.
Sorry, but that is obvious from the summary. You perhaps should have taken the 30 seconds to read it.
Hence "The answer to untrustworthy DNS servers is picking one you trust or running your own."
Before you deride someone for not reading you should probably take the time to read what they have to say BEFORE clicking "submit".
The article is about how to make DNS calls without the DNS provider being able to track you.
What I was actually responding to was Anubis IV's generic commentary on centralized providers being a better deal than centralized providers AND presumably ISPs when in reality this is a false choice.
DNS is a federated system and by simply choosing a DNS service you trust you don't
Re: (Score:2)
DNS is a federated system and by simply choosing a DNS service you trust you don't have to suffer at the hands of either centralized DNS resolvers or evil ISPs.
Yes you do. As the evil ISP sees all your DNS requests. (* facepalm *)
The proxy scheme is just punting trust to the proxy which is of limited utility vs selecting a DNS server you trust and communicating over a secure transport.
The proxy does not need to be "trusted" as he can do nothing with your requests (* facepalm *) again.
Re: (Score:2)
DNS is a federated system and by simply choosing a DNS service you trust you don't have to suffer at the hands of either centralized DNS resolvers or evil ISPs.
Yes you do. As the evil ISP sees all your DNS requests. (* facepalm *)
Garbage In = Garbage Out.
If you really want to trust an evil ISP to provide you with DNS service you should expect evil things to happen as a result.
The proxy does not need to be "trusted" as he can do nothing with your requests (* facepalm *) again.
This is like saying VPN providers don't need to be trusted because everything is encrypted anyway. Right here on Slashdot we have been treated to story after story spanning years of VPN services sell out its users.
The whole point of the proxy provider can be compromised by actions of the providers themselves as even TFA you claim I have not read explicitly men
Re: (Score:2)
That is something easily fixed, since the resolver in most OSes is just a stub resolver. Since (O)DoH is a replacement for the last mile DNS requests and implementable by every DNS server out there as part of the recursive resolver feature (not every DNS server needs to implement this - only recursive resolvers), it's a simple add on to the DNS library the OS provides.
When you make a call like getaddrinfo(), you call th st
Re: (Score:2)
I'm cool with that.
Oh good (Score:3)
Nice and complicated. The way Internet protocols ought to be...
"Proxy" (Score:2)
And guess who's lining up to proxy that data for you!
Re:"Proxy" (Score:4, Insightful)
And your ISP will still be able to see what IPs you're connecting to. So unless you're going to proxy the entire internet (isn't that what a VPN is for) this is really another way for "big tech" to datamine browsing data that they currently cannot access.
It's a major improvement (Score:3)
it's not the final issue but it's a major improvement. IP addresses don't correlate strictly with websites: you'd have to map a slowly changing set of IP addresses as sites like Amazon S3 or Akamai or cloudflare slowly remap their tumbled domain to IP maps. Second the HTTPS part of the fetch may obscure the subdomain as well. So it's an improvement. Finally for the paranoid do you need to trust the DNS server? not if you proxy the request with https.
Re: "Proxy" (Score:2)
Well, guess what Cloudflare's plan is...
Yep, being a CDN for ALL the sites out there.
I guess they've never heard of a NSL. ... Or did they?
Re: (Score:1)
Of course I heard of NSL. Just one question, which NSL are you talking about. NSL means a lot of things and context isn't helping. QSL?
Re: "Proxy" (Score:2)
Obviously in this context national security letter, a demand for action in the name of national security which is secret and may not be disclosed to third parties. A clear violation of first amendment rights which the feds use whenever they feel like it.
Re: (Score:2)
And your ISP will still be able to see what IPs you're connecting to. So unless you're going to proxy the entire internet (isn't that what a VPN is for) this is really another way for "big tech" to datamine browsing data that they currently cannot access.
This comment shows an incredible lack of understanding of privacy issues.
a) The ISP knows what IP you're connecting to and they see that 90% of the time you're connecting to Cloudflare. Beyond that they know nothing if they can't see the hostname. The internet hasn't been a series of endpoints for an incredibly long time.
b) Cloudflare already sees who comes to them. So claiming that they are part of a conspiracy to create a protocol to mine data they already have access to isn't so much a conspiracy theory as m
Re: (Score:2)
This comment shows an incredible lack of understanding of privacy issues.
I'm lazy so this is a cut and paste of another comment of mine so only approximately addresses your comment.
Sure you can see what IP a machine is connecting to. But with ESNI and HTTPS all you can tell is that you're connecting to AWS, you have no idea which particular host you might be connecting to.
With ODoH you also cannot tell what DNS it is requesting. So you
Re: (Score:2)
Did you have a point counter to mine or did you not read my post?
Re: (Score:2)
I did indeed.
You have one idea of privacy and have completely missed that there are other aspects of privacy that ODoH, DoH, ESNI make worse.
Re: (Score:2)
Maybe you should re-write your post because I just read it again and it still looks like it agreed with me without explaining any of your downsides.
Mind you, you're also of the opinion that you can trust the ISP with your data (ISPs have repeatedly and on record simply sold user data without even deanonymising it), while you don't trust Google (a company that only ever provides access to you and never sells your eyeballs). So frankly I'm taking your knowledge of privacy with a 1kg bag of salt.
Re: (Score:2)
Beyond that they know nothing if they can't see the hostname
Unless you are ONLY using TLS 1.3 to connect to stuff that IS NOT TRUE. The SNI portion of the TLS handshake is clear text!
Ok domain fronting is still a thing but that isn't widely implemented these days.
Re: (Score:3)
Let's make it even slower (Score:3)
DNS was supposed to be FAST. DoH already adds TCP handshaking and TLS encryption to slow things down. Now they're adding a proxy layer, on top of whatever proxying you might already have in your business environment. What's next? Generate random unrelated DNS queries from the browser to poison the cache? Do you WANT people to go back to hosts files?
Re: (Score:2)
Yeah, their numbers show that this doubles the median latency for a DNS lookup even compared to DoH (about 150 milliseconds to about 300 milliseconds). Maybe they do want people to go back to hosts files.
The approach seems like it could work reasonably well using a non-DoH transport. User sends encrypted request to a proxy, proxy forwards to the target, target decrypts and looks up the response, target encrypts response and sends back to proxy, proxy passes the encrypted response back to the user, and the
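The flow that the summary at the top and this comment both spell out (client encrypts to the target, proxy relays without reading, target answers, proxy relays back), worked end to end as an added example; this is not code from the thread, from Cloudflare or from Apple. Go's standard-library X25519 and AES-GCM stand in for HPKE, and the message format, key-derivation label, toy zone, addresses and log formats are all constructed for the example, not the RFC 9230 wire format. The two logs at the end show what each party actually sees, and the `Collude` join is the linkage the "proxy and target never collude" requirement quoted from the Cloudflare post is meant to rule out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Toy ODoH-style exchange: the client encrypts its question to the target's published X25519
// key; the proxy forwards the opaque blob and learns only who asked; the target decrypts it and
// learns only what was asked. Format, key schedule and zone are constructed, not RFC 9230/HPKE.
var zone = map[string]string{"example.test": "192.0.2.1", "mail.example.test": "192.0.2.25"}
// The AEAD key is fresh per query (ephemeral X25519), so fixed, distinct nonces are safe here.
var nonceQuery, nonceResp = make([]byte, 12), append(make([]byte, 11), 1)

type Target struct {
	priv *ecdh.PrivateKey
	Log  []string // what the target sees
}
type Proxy struct{ Log []string } // what the proxy sees

func NewTarget() (*Target, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Target{priv: priv}, err
}

// sessionAEAD derives the per-query AES-256-GCM key both sides agree on: the client passes
// (ephemeral private, target public), the target (target private, ephemeral public). HKDF stand-in.
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey, ephPub, targetPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	h := hmac.New(sha256.New, []byte("odoh-toy-v1"))
	h.Write(shared)
	h.Write(ephPub)
	h.Write(targetPub)
	block, err := aes.NewCipher(h.Sum(nil)) // 32-byte key
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptQuery produces ephemeral_pubkey(32) || AES-GCM(question). The client keeps the
// returned AEAD to open the response; the proxy never holds it.
func EncryptQuery(targetPub *ecdh.PublicKey, question string) ([]byte, cipher.AEAD, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	aead, err := sessionAEAD(eph, targetPub, eph.PublicKey().Bytes(), targetPub.Bytes())
	if err != nil { return nil, nil, err }
	ct := aead.Seal(nil, nonceQuery, []byte(question), []byte("query"))
	return append(eph.PublicKey().Bytes(), ct...), aead, nil
}

// Handle is the target: recover the key, answer, and encrypt the reply for the client.
func (t *Target) Handle(msg []byte) ([]byte, error) {
	if len(msg) < 32 { return nil, fmt.Errorf("short message") }
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:32])
	if err != nil { return nil, err }
	aead, err := sessionAEAD(t.priv, ephPub, msg[:32], t.priv.PublicKey().Bytes())
	if err != nil { return nil, err }
	q, err := aead.Open(nil, nonceQuery, msg[32:], []byte("query"))
	if err != nil { return nil, fmt.Errorf("query rejected: %w", err) } // a tampering proxy is caught here
	t.Log = append(t.Log, "q="+string(q)) // no client address: the packet came from the proxy
	answer, ok := zone[string(q)]
	if !ok { answer = "NXDOMAIN" }
	return aead.Seal(nil, nonceResp, []byte(answer), []byte("response")), nil
}

// Relay is the proxy: it logs the client address and forwards bytes it cannot read.
func (p *Proxy) Relay(clientIP string, msg []byte, t *Target) ([]byte, error) {
	p.Log = append(p.Log, fmt.Sprintf("src=%s len=%d", clientIP, len(msg)))
	return t.Handle(msg)
}

// Resolve runs one query from clientIP through proxy p to target t.
func Resolve(clientIP, question string, p *Proxy, t *Target) (string, error) {
	msg, aead, err := EncryptQuery(t.priv.PublicKey(), question)
	if err != nil { return "", err }
	resp, err := p.Relay(clientIP, msg, t)
	if err != nil { return "", err }
	pt, err := aead.Open(nil, nonceResp, resp, []byte("response"))
	return string(pt), err
}

// Collude joins the two logs by arrival order: the linkage the "never collude" rule forbids.
func Collude(p *Proxy, t *Target) []string {
	var out []string
	for i := 0; i < len(p.Log) && i < len(t.Log); i++ {
		out = append(out, p.Log[i]+" "+t.Log[i])
	}
	return out
}

func main() {
	t, _ := NewTarget()
	p := &Proxy{}
	fmt.Println(Resolve("198.51.100.7", "example.test", p, t))
	fmt.Println("proxy saw:", p.Log, "target saw:", t.Log, "joined:", Collude(p, t))
}
```

Run it with `go run`: the proxy log holds a source address and a byte count, the target log holds a question and no address, and only the joined view says who asked for what. The AEAD tag also means a proxy that alters the blob gets a rejection rather than a poisoned answer, which is the other half of what the encryption buys. What the example does not hide is the same thing the thread keeps returning to: the client's ISP still sees the connection to the proxy, and later the connection to the resolved address.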
Re: (Score:2)
Re: (Score:2)
Back when the Internet was running on Sun 3/60's connected via 9600 baud modems, a fast, and lightweight protocol was a necessity. Now with high volume DNS servers running on big hardware, and the modern high-bandwidth network (unless you're stuck on some old POTS line or some such in which case most modern services will be so slow the DNS lookup won't matter), the added overhead of DoH and/or a proxy is negligible.
If privacy can be enhanced with a new protocol or process layer with a time penalty 95%+ of p
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
DNS was supposed to be FAST
And in a time when the internet was slow and free that design criteria mattered. Now that the internet is fast and everywhere you turn someone is hoovering up your data for profit the design criteria changed.
Car analogy: You're complaining that Ferrari makes sports cars because cars were fundamentally supposed to be used to replace commuting in a horse drawn carriage. The existence of Ferrari does not mean people will instead go back to riding horses.
That last part of your comment is particularly silly. Jus
Doom and Gloom again . . . (Score:3, Insightful)
So far, Apple and CloudFlare have erred on the side of the end-user . . . but when you consider where the median for "not monetizing" you is, it makes them look a little more saintlike. I'm not saying don't be wary; I'm saying "Why is everything either the end of the world, or the second coming?"
Re: (Score:2)
Can't talk about apple but CloudFlare (and AWS) has made it much harder for me to control which devices are allowed to talk to what.
Have you seen how many domains firefox connects to at startup? Have you seen how many domains an IoT device connects to?
I now run a MitM proxy at home (mostly doing SNI inspection only but it can do full inspection) in order to limit some of these devices abilities to open holes in my firewall.
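What an SNI-only inspection proxy like the one described above (and, further up the thread, an ISP told that "the SNI portion of the TLS handshake is clear text") actually gets to read, as an added example that is not code from the thread or from any of the commenters. Go's own crypto/tls produces a real ClientHello over an in-memory pipe, so it runs offline; the record and extension walk is written here from the RFC 8446 and RFC 6066 layouts, and the host name is a constructed one.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// A passive observer's view of a TLS connection: the ClientHello is sent in the clear, and its
// server_name extension names the site. No key material is needed for any of this.

// CaptureClientHello returns the first TLS record a Go client sends when connecting to host.
func CaptureClientHello(host string) ([]byte, error) {
	clientEnd, wire := net.Pipe()
	defer wire.Close() // closing the "wire" makes the client's handshake fail and the goroutine exit
	go func() {
		tls.Client(clientEnd, &tls.Config{ServerName: host}).Handshake() // writes the ClientHello
		clientEnd.Close()
	}()
	hdr := make([]byte, 5) // content_type(1) legacy_record_version(2) length(2)
	if _, err := io.ReadFull(wire, hdr); err != nil { return nil, err }
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err := io.ReadFull(wire, body); err != nil { return nil, err }
	return append(hdr, body...), nil
}

// cut reads an n-byte (1 or 2) big-endian length prefix and returns that many bytes plus the rest.
func cut(b []byte, n int) (field, rest []byte, err error) {
	if len(b) < n { return nil, nil, errors.New("truncated") }
	l := int(b[0])
	if n == 2 { l = int(binary.BigEndian.Uint16(b)) }
	if len(b) < n+l { return nil, nil, errors.New("truncated") }
	return b[n : n+l], b[n+l:], nil
}

// SNIFromRecord walks record -> Handshake -> ClientHello -> extensions -> server_name (type 0)
// and returns the host name; this is the whole of what an SNI-inspecting middlebox does.
func SNIFromRecord(rec []byte) (string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { // 0x16 handshake, 0x01 ClientHello
		return "", errors.New("not a ClientHello record")
	}
	b := rec[9:] // skip record header (5) and handshake header (4)
	if len(b) < 34 { return "", errors.New("truncated") } // legacy_version(2) + random(32)
	b = b[34:]
	var err error
	if _, b, err = cut(b, 1); err != nil { return "", err } // legacy_session_id
	if _, b, err = cut(b, 2); err != nil { return "", err } // cipher_suites
	if _, b, err = cut(b, 1); err != nil { return "", err } // legacy_compression_methods
	exts, _, err := cut(b, 2)
	if err != nil { return "", err }
	for len(exts) >= 4 {
		typ := binary.BigEndian.Uint16(exts)
		var data []byte
		if data, exts, err = cut(exts[2:], 2); err != nil { return "", err }
		if typ != 0 { continue }
		list, _, err := cut(data, 2) // ServerNameList
		if err != nil { return "", err }
		for len(list) >= 3 {
			nameType := list[0]
			var name []byte
			if name, list, err = cut(list[1:], 2); err != nil { return "", err }
			if nameType == 0 { return string(name), nil } // host_name
		}
	}
	return "", errors.New("no server_name extension (ECH, or an IP-literal connection)")
}

func main() {
	rec, err := CaptureClientHello("www.example.test")
	if err != nil { panic(err) }
	sni, err := SNIFromRecord(rec)
	fmt.Printf("%d bytes on the wire; server_name=%q err=%v\n", len(rec), sni, err)
}
```

This works for every TLS version up to and including 1.3, because the ClientHello is never encrypted; only Encrypted Client Hello (the successor to the ESNI draft mentioned elsewhere in the thread) moves the name out of the observer's reach, which is why ODoH on its own does not stop an ISP from learning the site name from the connection that follows the lookup.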
Re:Doom and Gloom again . . . (Score:5, Insightful)
Because a lot of us are not convinced it is the right direction. Stuffing DNS into HTTPS which itself started out as HTTP stuffed into SSL isn't design its kluge over kluge over kluge.
HTTPS happened because some folks realized that transport encryption was a minimal requirement to make commerce possible on the web. They already had all this HTTP server and client infrastructure so rather than invent a new protocol they just encapsulated the old protocol. Then people started discovering all the problems...Oh snap client caches give up the goods, have to disable those for HTTPS (until that became somewhat mitigated by multi user OS and untenable, but wait chrome is going back there...), oops this means either vhosts don't work or we have to bolt on SNI and SAN names... oops all kinds of crypto analysis is possible because of compression... whoops a lot of these CBC mode ciphers are not really a good fit for the situation.. dope..
Now rather than designing something again we are going to go with just sticking an old protocol into another old protocol designed originally to run plain-text and for use with entirely different media/data and hope it works out. Sure its easy because all the proxies, firewalls, client libraries, etc already speak these languages but that doesn't really mean it's the best thing to make core infrastructure dependent on.
Re:Doom and Gloom again . . . (Score:5, Insightful)
> Sure its easy because all the proxies, firewalls, client libraries, etc already speak these languages but that doesn't really mean it's the best thing to make core infrastructure dependent on.
It's a problem that people aren't innovating faster and coordinating upgrades, but they aren't. Meanwhile surveillance is a problem, so fixing that in any way possible is better than not fixing it.
People are currently getting their networks pwned because their SOHO router has FTP ALGs in the NAT for non-PASV operation, which has been entirely unnecessary for 20 years. But "hey it works, we're done" is how the industry operates because tech support is expensive.
Nothing BUT the cybercriminals seems to be pushing us forward.
Where's my multicast backbone, anyway? Everything is so inefficient.
Re: (Score:2)
Stuffing DNS into HTTPS which itself started out as HTTP stuffed into SSL isnt design
It sounds like you're either confusing DoH with DoT or you fundamentally don't understand the problem DoH is trying to solve. Stuffing DNS into HTTPS *IS* the design goal. The complete end goal at that. The main design criteria. The singular point of DoH is to make it appear as though it's perfectly ordinary HTTPS traffic, even down to the ports it uses.
What you call a kludge was the upfront design intent. Don't like it, use DoT instead since it sounds like it's what you actually want.
Re: (Score:2)
it appear as though it's perfectly ordinary HTTPS traffic, even down to the ports it uses.
Except there is basically no legitimate reason to do that. DNS traffic itself is perfectly ordinary. Anyone with the capability to inspect HTTPS traffic either sees DoH for what it is or it's the instantly SUSPICIOUS HTTPS stream for which TLS negotiation on their MITM system fails and TCP proxy fallback is used.
Hiding DNS traffic among HTTPS flows where there isn't a 'allowed' MITM, your corporate firewall where the clients trust it as CA, or live in Kazakhstan isn't useful from a traffic analysis perspecti
Re: (Score:2)
Except there is basically no legitimate reason to do that. DNS traffic itself is perfectly ordinary.
Ahhh a privileged westerner. Good luck using "perfectly ordinary" DNS traffic when someone doesn't want you to. I mean you can pretend that the world is all democracy, privacy and first amendments, but other people realise that the world isn't like that and created DoH for specifically a purpose you seem to ignore.
There's a world of grey lines between a free and open internet and intercepting HTTPS traffic. And one of those shades of grey involves simply blocking DNS and forcing a single provider.
Learn a bi
Re:Doom and Gloom again . . . (Score:4, Insightful)
That's where we're at with the Internet. We've all had our privacy violated so many times in so many ways that anyone that comes along claiming they'll be nice and respect our privacy, are doing things to ensure our privacy, are viewed with the utmost of suspicion. We can't be blamed for that, we have every reason to be that way. Trust now has to be earned.
New Protocol? (Score:2)
This doesn't sound like a new protocol. It sounds like something anyone who knows how to use a proxy can do themselves.
Re: New Protocol? (Score:2)
Seconded.
But in the times where somebody thought it was a great invention to create a blog service and limit the length of the posts to n characters, and "everybody" was told to want to agree... not surprising.
I'm beginning to think, Idiocracy was way too nice of a documentary. This is more like a cocaine Idiocracy.
Re: (Score:2)
CloudFlare and privacy (Score:1, Troll)
two words that only go together with "rape", "violate", "exploit" or "monetize" in-between.
Another good reason to stay the hell away from Apple products (hint: Apple is just as rotten, they just managed to convince a lot of people they're not somehow.)
Re: (Score:2)
Only slashvertisement these days?! (Score:1)
Re: (Score:3)
Step 1. Turn your monitor on.
Re: Only slashvertisement these days?! (Score:1)
Re: (Score:2)
Step 1. Turn your smartphone on.
If that does not solve the problem, go to step 2.
Step 2. Have your smartphone repaired.
Re: (Score:2)
tech.slashdot.org##.article-nel-7170.grid_24.thumbs.usermode.article.fhitem-story.fhitem
tech.slashdot.org##.article-nel-7314.grid_24.thumbs.usermode.article.fhitem-story.fhitem
tech.slashdot.org##.article-nel-7313.grid_24.thumbs.usermode.article.fhitem-story.fhitem
Now do it without HTTP. (Score:3)
Because everybody knows that adding HTTP to it, is insanity at this point. Ok, everybody but the WhatWG, aka Google and its pawns.
Meanwhile, I run my own DNS server. Like everybody should.
Re: (Score:2)
Your own DNS server? My friend, that is not enough!
I run my own Internet!
Re: (Score:2)
Because everybody knows that adding HTTP to it, is insanity at this point.
There are three fundamental constants in physics:
1. The speed of light in a vacuum.
2. Planck's constant.
3. BAReFO0t announcing to the world yet again that he has no idea what problem DoH is designed to solve, despite being told time and time again.
I saw a Slashdot post on DNS and I got excited to come look for your post. You did not disappoint.
ODoH? (Score:2)
Since the "H" is silent, that would be pronounced ODo [cinemablend.com], right? (SFW)
Privacy for you or apple? (Score:1, Troll)
The only way to blacklist all these privacy invasive apple services is to capture the DNS and blackhole their telemetry hosts. It stands to reason that they want privacy from these prowling end-users that want to know what their devices are doing.
Don't forget, it's Apple's MacBook, you are just paying for the privilege to use Apple's MacBook. It's not yours.
Re: (Score:2)
The only way to blacklist all these privacy invasive Microsoft services is to capture the DNS and blackhole their telemetry hosts. It stands to reason that they want privacy from these prowling end-users that want to know what their devices are doing.
Don't forget, it's Microsoft's computer, you are just paying for the privilege to use Microsoft's computer. It's not yours.
If Apple was the United States and Microsoft was Al Qaeda/Taliban/ISIS/{terrorist group name} then we'd be saying "the terrorists have already won". :-(
"acts as a go-between" (Score:1)
Uh huh, sounds very trustworthy...
What we need is ad hoc. We already have too many "go-betweens". Besides, everything goes through Utah anyway.
Proxy server (Score:2)
Apparently the only way to win the privacy game is to not play. There is no such thing as a 'secure internet' or 'privacy on the internet' and not for any technological reason: no one respects peoples' privacy in the first place.
We used to have this. Now we don't. It needs to change back to the way it was before. Get your little brown noses out of our business, you asshole
Re: (Score:2)
Re: (Score:2)
What about advertisers and tracking companies. (Score:3)
Google, double-click, and all the others that drop 'analytics' onto every page you visit... Oh and stop trying to mess with DNS.
Re: (Score:2)
"Google, double-click, and all the others that drop 'analytics' onto every page you visit..."
If you don't use ad- and tracker blockers, just block doubleclick et al on the router level.
Re: (Score:2)
I'd challenge that. An advertiser / analytics company has a financial incentive to keep your data to themselves and sell "access" to you, usually via some API that doesn't even hand over your data to another party anonymously. It's like how CocaCola Co sells you a softdrink but not their recipe.
ISPs on the other hand have been time and time again caught simply bulk selling non-anonymised data to whoever shows up with some money.
THAT is the problem.
Re: (Score:2)
That bottle company sold me something, Advertisers/Analytics don't sell ME anything. In fact they take take take. I would rather pay sites directly as I visit them instead of baking the cost of this crap into everything I buy.
Re: (Score:2)
CocaCola does not stand around every place I visit and log everything I have done. Your analogy stinks and is completely wrong.
If you think the point of the analogy was the amount of the rate of engagement Cocacola has with you then you fundamentally didn't understand the analogy. In that case it's no surprise you think it's wrong, especially since you are focusing on the selling concept which wasn't even remotely the point of my post.
Try reading it again.
Nice (Score:2)
Don't use the DNS of your provider, ever.
Second, use a VPN if you want privacy.
Third, block ads and trackers.
Fourth, for sensitive stuff (grin) I use a portable version of firefox that I delete after each use.
Could this be used for voting? (Score:2)
I suppose a malicious proxy could side-channel the sender IP. Hmm. Hard.
Funny how (Score:1)
We've been making phone calls for decades and never once has anyone suggested we make the numbers dialed invisible to AT&T.
Yet amazingly, we're fine with two corporations knowing where every person in the world goes online.