Comcast And Mozilla Partner Up To Help Encrypt DNS

from the strange-bedfellows dept

Over at our Tech Policy Greenhouse, Article19’s Joey Salazar and Consumer Reports’ Benjamin Moskowitz just discussed how it’s long past time to encrypt the Domain Name System (DNS) at the heart of the internet. Thanks to the GOP’s demolition of FCC broadband privacy rules in 2017, ISPs have carte blanche to monetize this data as they see fit, storing and selling access to your DNS browsing data to data brokers, who continue to build detailed user profiles with little to no meaningful oversight.

At the forefront of encrypting DNS have been Google and Mozilla, both of which have been pushing for a standard known as “DNS over HTTPS” (DoH), a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. The proposal doesn’t come without downsides, and has seen opposition from ISPs that are either eager to continue profiting from this data, or worried that somebody else (usually Google) will if they can’t.
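To make concrete what “encrypts and obscures your domain requests” means, here is an added example (written for this edit, not code from the article, Mozilla, Google or Comcast). It encodes a DNS query in the standard RFC 1035 wire format, shows how that same message is carried as the body of an RFC 8484 DoH POST, and parses a response. The resolver URL is a placeholder assumption and the response bytes are constructed inline, so nothing is sent over the network.

```python
"""Plain DNS versus DNS over HTTPS: the same message, different transport.

Added illustration, not the article's or any vendor's code. The resolver
URL below is a placeholder (assumption); the sample response is constructed.
"""
import struct
from urllib.request import Request

DOH_URL = "https://doh.example.net/dns-query"  # placeholder resolver (assumption)

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal RFC 1035 query (RD=1). RFC 8484 recommends txid 0
    for DoH so that identical queries produce identical, cacheable bodies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 s4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = read_name(data, pointer)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(data: bytes) -> dict:
    """Parse header, skip the question section, and collect answer RRs."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"rcode": flags & 0xF, "answers": answers}

def doh_request(name: str, url: str = DOH_URL) -> Request:
    """Wrap the wire-format query as an RFC 8484 POST. Over TLS, the whole
    body (and so the queried name) is hidden from an on-path observer."""
    return Request(url, data=build_query(name), method="POST",
                   headers={"Content-Type": "application/dns-message",
                            "Accept": "application/dns-message"})

def plaintext_exposure(name: str) -> str:
    """What classic UDP/53 DNS leaks: the queried name is readable straight
    out of the packet bytes by anyone on the path (e.g. the ISP)."""
    qname, _ = read_name(build_query(name), 12)
    return qname

# Constructed sample response: example.com. A 93.184.216.34, TTL 3600,
# with the answer name compressed as a pointer to offset 12 (the question).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print("visible on UDP/53:", plaintext_exposure("example.com"))
    req = doh_request("example.com")
    print("DoH:", req.get_method(), req.full_url, len(req.data), "body bytes inside TLS")
    print(parse_response(SAMPLE_RESPONSE))
```

The point the transport change makes, and the one the article's caveat “(though not impossible)” rests on: with DoH an on-path observer no longer sees the bytes that `plaintext_exposure` recovers, but still sees that the client is talking HTTPS to the resolver's address, and the resolver operator itself still sees every query in the clear. That operator-side visibility is exactly what the Trusted Recursive Resolver requirements described later on this page try to constrain.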

Comcast, AT&T, and others had previously been trying to demonize the Google and Mozilla efforts any way they could, from insisting the move constitutes an antitrust violation on Google’s part (it doesn’t), to saying it’s a threat to national security (it’s not), to suggesting it even poses a risk to 5G deployments (nah).

After Mozilla claimed to Congress that ISPs were being disingenuous with their opposition to the plan, at least one major ISP appears to have come around to the proposal. This week Mozilla announced that Comcast had joined the Firefox Trusted Recursive Resolver (TRR) program, which requires encrypted-DNS providers to not only meet privacy and transparency standards, but to promise not to block or filter domains by default “unless specifically required by law in the jurisdiction in which the resolver operates.” From the blog post:

“This program aims to standardize requirements in three areas: limiting data collection and retention from the resolver, ensuring transparency for any data retention that does occur, and limiting any potential use of the resolver to block access or modify content. By combining the technology, DoH, with strict operational requirements for those implementing it, participants take an important step toward improving user privacy.”

While Comcast has a well-deserved, terrible reputation for anti-competitive behavior, lobbying shenanigans and comically awful customer service, the company’s engineering folks remain top notch, and obviously appreciate the benefits of encrypting DNS in the wholesale snoopvertising age. In conversations, the company continues to insist that it has never monetized this data (not that anybody in government would ever have the ability or courage to confirm this), and it had been running a beta version of its own encrypted DNS offering since last year.

Mozilla helping to standardize this and forming a coalition with Comcast is foundational, and under the partnership, Comcast is promising to not “retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser.” Now it’s just a matter of Comcast transparently proving that they’re actually adhering to those standards.

Companies: comcast, mozilla


Comments on “Comcast And Mozilla Partner Up To Help Encrypt DNS”

26 Comments
Anonymous Coward says:

Re: Re: Re:

Full quote:

Comcast is promising to not "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser."

Rather than:
Not to retain…….made to our DNS servers from any program..

PaulT (profile) says:

Re: Re: Re: Re:

The statement is directly about this browser so it makes sense to specify it in the statement. That doesn’t necessarily mean they’re doing all those things elsewhere, just that they’re stating they won’t be doing it here.

Of course, if you’re concerned about this, your main complaint should be that the market is so bad over there that you can’t just move to another ISP if you don’t trust Comcast.

Anonymous Coward says:

"the company continues to insist to be they’ve never monetized this data "

Lot of pants on fire at that company….

The fact that they are now in sudden agreement to encrypt DNS, just tells me their "top notch" engineers have found a way around the obstacle of deciphering the data so they can still "not monetize" it.

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:

Doesn’t that depend upon whether one selects their own set of DNS servers or not? If a Comcast customer allows Comcast to select the DNS servers, then you’re right, but if there was say a tool that reset DNS servers to ones that weren’t Comcast but were enabled to handle the encrypted requests then something different would be needed for Comcast to monetize those requests.

Anonymous Coward says:

Re: Re: Re: Re:

Doesn’t that depend upon whether one selects their own set of DNS servers or not? If a Comcast customer allows Comcast to select the DNS servers

That’s what I’d interpret from "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." Comcast can ensure their servers are always the fastest for their customers, in which case Firefox would choose them.

I’m sure Firefox won’t force users to stick with those servers. But only a tiny fraction of people choose their own servers. Probably the same troublemakers that contact their ISPs to opt out of stuff like data-sharing and forced arbitration. Those numbers are too small to matter.

Anonymous Coward says:

Re: Re: Re:2 Re:

That’s what I’d interpret from "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." Comcast can ensure their servers are always the fastest for their customers, in which case Firefox would choose them.

Which then breaks the entire point of Encrypted DNS: To ensure those you don’t want peeking at the lookup requests can’t see them. After all if you can just run a "web browser corporate-backer approved" encrypted DNS server that the web browser trusts, what prevents the browser from using it if the user doesn’t want to?

I say this because the whole point of normal DNS is decentralization of the lookup queries, and network traffic shaping. If the web browsers only trust certain servers, it’s trivial for an ISP or any other service provider to block all requests not destined for their "trusted" servers and claim that using other servers violates their ToS, breaks security, "you must be up to no good", etc. I.e. It’s a very obvious trap that any enterprise network engineer has deployed to secure their networks against rogue users exfiltrating data. Further, given the current pushes for censorship and "neutrality" what’s to prevent these "trusted" servers from denying lookups to sites the operators disapprove of? Or worse logging and reporting it without the user having alternatives? That’s the whole problem with centralized services like DNS, but even more so when you start mandating who can be trusted and who cannot.

Anonymous Coward says:

Re: Re: Re:3 Re:

After all if you can just run a "web browser corporate-backer approved" encrypted DNS server that the web browser trusts, what prevents the browser from using it if the user doesn’t want to?

The lack of any code to do that prevents the browser from doing it. Firefox’s idea, that Comcast’s server is the one that Comcast users will want to use, is certainly questionable. But at least there’s been no suggestion that browsers will make that the only option.

Sure, Comcast could block other servers. They could also block Tor, HTTPS, whatever. Even they haven’t yet shown signs of stooping to this level.

McKay (profile) says:

This scares me

IMO, the purpose of encrypted DNS is that the ISPs like Comcast can’t get your DNS data. Well, if Comcast is in on it, then they’ll be building their own server, and we’re back where we started. Sadly, Comcast getting in on it will make all the other dumb ISPs realize they can do the same thing. We can still choose another DNS server, but there’ll be a lot of people who just leave it at default through DHCP.

Anonymous Coward says:

Re: This scares me

Centralizing it all at Cloudflare has its own problems. An independent service in each country could be an improvement, if clients used more than one. Domain-blocking orders would then need to target over 100 countries to be effective, at which point it’s easier to target the registry or registrar. Running the DNS servers as onion services would additionally prevent court orders of the form "country X says to block all clients from country X", as geo-location would be impossible.

A lot of uses of DNS, however, are kind of pointless when we have DNSSEC. Once you can authenticate data, it doesn’t matter where you get it from. EG: when one website links to another, the target’s DNS records could be provided by the source site.

Annonymouse says:

Re: Waitaminnit

It all depends on what Mozilla does or doesn’t do with the "help" from Comcast.

My hope is that they treat it as what it is and look for, circumvent but not tell them about any features added by Comcast until after the fact. In other words let Comcast do Comcast and be proactive when it comes to the shenanigans.
