Cloudfare and Apple working on a new DNS to protect data from ISPs

[JoseGuya]

This is from a few weeks ago, but I didn't find anything with the search function so here it goes: 

 

Summary

 Apple and Cloudfare are proposing a new DNS standard:  Oblivious DNS over HTTPS (ODoH) to anonymize  user's data from ISPs

 

Quotes

Quote

Cloudflare is proposing a new DNS standard it developed with Apple that’s designed to help close a blindspot in my (and I’m sure many others’) internet privacy measures (via TechCrunch). The protocol is called Oblivious DNS over HTTPS (ODoH), and it’s meant to help anonymize the information that’s sent before you even make it onto a website. 

 

Basically, DNS lets us use the web without having to remember the IP address of every site we want to visit. While we humans can easily understand names like “theverge.com”, or “archive.org,” computers use IP addresses (like 207.241.224.2) to route their requests across the internet instead. This is where DNS comes in: when you type in a website’s name, your computer asks a DNS server (usually run by your ISP) to translate a name like “theverge.com” to the site’s actual IP. The DNS server will send it back, and your computer can load the site.

 

Usually, it’s your ISP running that server, and there’s nothing stopping them from selling that data to advertisers. This is the problem Cloudflare and co are looking to solve with ODoH.

 

The protocol works by introducing a proxy server between you and the DNS server. The proxy acts as a go-between, sending your requests to the DNS server, and delivering its responses back without ever letting it know who requested the data.

 

My thoughts

This is another step Apple is taking on privacy, now targeting ISPs. This combined with the recent feud against Facebook with the AppStore new guidelines on privacy, I'll say Apple is going very strong on privacy.

 

Sources

https://www.theverge.com/2020/12/8/22163871/cloudflare-apple-dns-protocol-online-privacy

[Prodigy_Smit]

Apple is singlehandedly doing near what the EU has done to protect online privacy.

[Lord Vile]

Nice to see some companies don't treat the customer like cattle. 

[Johnnyboyhogg]

Dosnt that just mean apple or whoever run the proxy thats forwarding you dns request can do the same as the isp was ?

[Guest willies leg]

There goes pi-hole and other blocking tools.

[williamcll]

Quote

The protocol works by introducing a proxy server between you and the DNS server. The proxy acts as a go-between, sending your requests to the DNS server, and delivering its responses back without ever letting it know who requested the data.

But what if the proxy is selling your data?

[piratemonkey]

I used to think Apple saying all these things about how they like privacy was a joke. It still does get some nose air from me, but I am starting to take them more seriously

[BuckGup]

2 hours ago, Smit Devrukhkar said:

Apple is singlehandedly doing near what the EU has done to protect online privacy.

 

1 hour ago, piratemonkey said:

I used to think Apple saying all these things about how they like privacy was a joke. It still does get some nose air from me, but I am starting to take them more seriously

Apple realized selling privacy is more profitable in the long run than selling data as their competitors solely exist on selling data. So market and sell the one thing your competitors can't do. It's a great strategy 

[piratemonkey]

4 minutes ago, BuckGup said:

 

Apple realized selling privacy is more profitable in the long run than selling data as their competitors solely exist on selling data. So market and sell the one thing your competitors can't do. It's a great strategy 

when I look at it that way (apple selling the product, rather than the consumer) it does make sense. never really looked at it that way

[StDragon]

DoH only exists to collect usage analytics and to prevent blocking of ads by hostname. All under the auspices of "security". Well, it's secure, for the providers.

[Doobeedoo]

Actually quite interesting. Having ISPs sniff your bits is not cool. 

[Blade of Grass]

3 hours ago, Johnnyboyhogg said:

Dosnt that just mean apple or whoever run the proxy thats forwarding you dns request can do the same as the isp was ?

 

51 minutes ago, StDragon said:

DoH only exists to collect usage analytics and to prevent blocking of ads by hostname. All under the auspices of "security". Well, it's secure, for the providers.

This is ODoH. The request is encrypted and unreadable by the proxy, the proxy removed the client address. In the end, the proxy knows who but not what was requested, the DNS server knows what but not who. 
 

edit: the only way the security can be broken is by collusion between proxy and DNS provider. 

Not sure why you think DoH is some malicious analytics collecting tool, do you somehow think it’s more fruitful to analyze then the plaintext DNS over port 53 that we’ve been using since forever? 

Edited December 19, 2020 by Blade of Grass

[TetraSky]

Interesting. But I wonder if there will be any limitations to it. Such as torrent protocols not going through. And whether or not it will be able to handle all the traffic.

[Beskamir]

7 hours ago, piratemonkey said:

I used to think Apple saying all these things about how they like privacy was a joke. It still does get some nose air from me, but I am starting to take them more seriously

Nah, I'm convinced it's just for PR while also letting them be the ones that collect all the data.

[Kisai]

5 hours ago, Beskamir said:

Nah, I'm convinced it's just for PR while also letting them be the ones that collect all the data.

You do realize that Cloudflare is the one who ignores DMCA's, while Apple is the one who ignores requests for backdoors into their products right?

 

This is really a match made in hell for law enforcement, but really, when (mostly music) copyright holders go insane and want to make trivial copyright infringement into jailtime, perhaps this is the necessary evil needed to keep people out of jail for the stupidest of reasons. If you thought drug possession charges were extremely racist, just wait until the jails are full of dorky internet trolls who were making memes.

 

[Beskamir]

19 minutes ago, Kisai said:

You do realize that Cloudflare is the one who ignores DMCA's, while Apple is the one who ignores requests for backdoors into their products right?

 

This is really a match made in hell for law enforcement, but really, when (mostly music) copyright holders go insane and want to make trivial copyright infringement into jailtime, perhaps this is the necessary evil needed to keep people out of jail for the stupidest of reasons. If you thought drug possession charges were extremely racist, just wait until the jails are full of dorky internet trolls who were making memes.

 

For law enforcement maybe but Apple has made it pretty clear they still want your data for their own uses (ie advertising, improving the experience, etc). Example of Apple being awful:

 

[Tenelia]

1 hour ago, Beskamir said:

For law enforcement maybe but Apple has made it pretty clear they still want your data for their own uses (ie advertising, improving the experience, etc). Example of Apple being awful:

-snip-

After more investigation, the reason:

Quote

So what was going on? As I understand it, at app launch, Apple’s GateKeeper technology checks the certificates that Apple assigns to developers to sign their code. The name of the Apple server in question—ocsp.apple.com—points to Apple using OCSP (Online Certificate Status Protocol) to determine if an app’s certificate has been revoked. If that’s the case, macOS prevents the app from launching—it’s Apple’s way of ensuring that it can prevent an app discovered to be malicious from causing more damage.

Basically, a blogger being very disingenuous about what's actually happening or at stake. What GateKeeper does is not different from a TCP three-way handshake making calls to SSL/TLS root servers. What you're claiming and referencing is completely misaligned.

Even if you are still insisting Apple is awful because they ask for user data, you'd still have to explain why that's an issue, especially when users can simply reject and turn those options off. Are users not allowed to make their own choices when asked upfront?

[StDragon]

20 hours ago, Blade of Grass said:

Not sure why you think DoH is some malicious analytics collecting tool, do you somehow think it’s more fruitful to analyze then the plaintext DNS over port 53 that we’ve been using since forever? 

Firefox and Google won't be adopting ODoH. Firefox for example has embedded DoH into the latest build. So it doesn't matter if you're running your own internal DNS server or block port 53, because DoH runs over 443 anyways. The only way to intercept that traffic without blocking the entire internet behind the firewall is to implement MITM with your own installed cert on devices.

 

Anyways, because it's Firefox doing the name resolution through DoH, they can collect analytics on the backend as well. Bonus, you can't block ads within the browser so as to ensure a revenue stream.

 

And that's really the fundamental problem I have with DoH, is that it's embedded in the application and it gives a damn about what's defined in your own IP stack as far as preferred DNS servers are concerned. For now, DoH is optional. But we all know we're one update away from it being toggled as the default.

 

The solution to this problem? Don't use a browser that mandates (or will mandate) DoH to be used.

[Blade of Grass]

27 minutes ago, StDragon said:

Firefox and Google won't be adopting ODoH. Firefox for example has embedded DoH into the latest build. So it doesn't matter if you're running your own internal DNS server or block port 53, because DoH runs over 443 anyways. The only way to intercept that traffic without blocking the entire internet behind the firewall is to implement MITM with your own installed cert on devices.

 

Anyways, because it's Firefox doing the name resolution through DoH, they can collect analytics on the backend as well. Bonus, you can't block ads within the browser so as to ensure a revenue stream.

 

And that's really the fundamental problem I have with DoH, is that it's embedded in the application and it gives a damn about what's defined in your own IP stack as far as preferred DNS servers are concerned. For now, DoH is optional. But we all know we're one update away from it being toggled as the default.

 

The solution to this problem? Don't use a browser that mandates (or will mandate) DoH to be used.

Firefox doesn't even do the DoH name resolution, they use Cloudflare to do it (i.e. Firefox does not run a DoH backend, CF does, so there's no way for Mozilla to collect analytics). Users can even configure it to use different providers if they'd like.

 

Again, not sure how any of this is different from the cleartext DNS probes we currently used, that can be viewed by anyone on the network (i.e. network admins + all the ISPs) and mined for analytics data. I am not sure I agree with the fear that you can no longer control app DNS resolution, but if that is indeed one you have then surely you can setup an HTTP proxy to continue to do so. For the vast majority of people though, making DNS requests private to the network does far more to improve user privacy. 

[piratemonkey]

7 hours ago, huilun02 said:

Yes very innovative... not like we already have a bajillion affordable VPNs and ads for VPN on every other youtube video...

And? I don't always want to be running a VPN. Whether it's free or not doesn't change the fact that there's really no reason for ISPs to passively collect data