DoHn't believe the hype! You are being lied to by data-hungry ISPs, Mozilla warns lawmakers

Mozilla has asked American politicians to probe the data-collecting policies of US broadband giants, claiming the ISPs made false statements to derail DNS-over-HTTPS so that they can continue to snoop on subscribers' internet activities. DNS-over-HTTPS (DoH) is a recently-ish developed technique to transmit domain-name queries …

  1. Dinsdale247

    Ya cause you know, the whole push to use TLS on all communications had nothing to do with large service providers protecting the value of the data they are collecting on you. Just like the new push for DNS Sec has nothing to do with protecting the value of the data on your web requests.


    1. Danny Boyd

      Marshall Erwin seems to have said the same thing but not in capital letters.

      1. Michael Wojcik


  2. simmondp

    Can't get my phone to work in the US

    I have DoH enabled on my phone - works fine in the UK and Europe, but in the US nothing works until I disable it!

  3. Anonymous Coward

    Personally I'm not going to use DoH because I like my spatula adverts and suggestions everywhere I go on the internet. Icing, turner, slotted, fish, offset, flatula and my favourite one, rubber. I would flip if I didn't get them.

    1. JohnFen

      Don't worry -- the only effect that DoH will have on advertisers tracking you is that it will make the tracking a bit harder to stop.

      1. Anonymous Coward

        Especially since most queries will go to the slurping Goliath called Google. So advertising tracking won't stop at all - just Google will have even more power over that market. If there is something worse that having many ISPs collecting data, it's exactly having a single huge collector with an enormous power over the internet.

        I still remember when Mozilla was against the "do not track" flag. The whole thing without a law enforcing its use was useless, but that was not the reason Mozilla was against it. It was because most of its money came from advertisers.

        Now I think Mozilla believes it can sell the default DoH provider in its browser and collect the money.

        1. Bendacious

          Mozilla has chosen Cloudflare as its default DoH provider but makes it really easy to set your own. According to Wikipedia: "The Do Not Track header was originally proposed in 2009, Mozilla Firefox became the first browser to implement the feature". I do remember Google stating that they would not honour the "do not track" flag (even after they added it to Chrome) because "users don't really know what they are asking for". I also seem to recall that the Tor project chose Firefox as its go-to browser. Also, lest we forget, Mozilla is a not-for-profit organisation. I'm not saying that they have never taken a misstep. I know they take money to make Google their default search provider, but that is what most people want and they make it as easy as they can to change that. Personally I think the world is a better place for Mozilla existing.

          1. Anonymous Coward

            And Cloudflare didn't pay for it? Would Mozilla never change it? Will Cloudflare never use such data? Do you have a binding contract with them?

            Why should a browser not abide by the OS settings, but use its own resolver instead? Do you know it will bypass any anti-slurping systems like pihole and the like?

            Remember that, being HTTP, DoH allows for much greater fingerprinting than plain DNS. Far more data to be collected and used.

            One day you all will start to complain about how much tracking data DoH gave to a very few Internet goliaths, and how much more power it brought them. And it will be too late.

            You keep on being blindsided by the magic word 'encryption', but it doesn't help at all when you're communicating with a bad endpoint which will do whatever it likes with your data. They're throwing dust in your eyes, and you ask for more.

            Mozilla implemented the do not track feature but kept it disabled and complained when MS enabled it by default (ironic, since MS turned into a slurping entity soon after), saying it should have been a user affirmative choice.

            'Non profit' doesn't mean they don't need money, and their executives are still handsomely paid....

            1. A.P. Veening

              Why should a browser not abide by the OS settings, but use its own resolver instead? Do you know it will bypass any anti-slurping systems like pihole and the like?

              Time to convince the people behind Pi-Hole to change Pi-Hole to accept DoH queries as well and send those on through an Unbound server on the same Raspberry Pi. After that, it shouldn't be too much of a problem to point the browser to your Pi-Hole for DoH as well.

              1. Anonymous Coward

                Just, the pihole will need to generate (or have installed) a proper cert, people will need to trust the cert or the CA on each machine (and application, if like Mozilla they use their own store), and then change the DoH server on each application using its own... something that requires some skills.

                But I think people will start to complain only when Microsoft will run its own DoH system and will make it the default one in Windows....
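A local DoH front end of the kind proposed for Pi-Hole above would have to speak the RFC 8484 wire encoding before it can hand queries to Unbound. The following Python example is added here and is not code from the thread or from the Pi-hole project: it builds a DNS query in wire format, wraps it in the GET form a DoH client sends, and decodes it back the way a front end would; the resolver host name pihole.lan is an assumed placeholder.

```python
import base64
import struct


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.

    RFC 8484 recommends transaction id 0 for DoH so that identical queries
    cache well at the HTTP layer; qtype 1 is an A record, class 1 is IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver: str, wire: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire query with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


def parse_doh_get_param(param: str) -> str:
    """Recover the queried name from a ?dns= value, as a local front end must.

    Rejects compression pointers: a query name is always sent uncompressed,
    so a pointer here is malformed input rather than something to follow.
    """
    padded = param + "=" * (-len(param) % 4)  # restore stripped padding
    wire = base64.urlsafe_b64decode(padded)
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)
```

The same encoding travels on port 443 whether the resolver is pihole.lan or a public one, which is why a front end has to be told about explicitly rather than discovered by port.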

                1. Rich 2


                  You can generate a self-signed certificate yourself, and install it on the pihole and your laptop, either just in the browser or globally for the user or system.

                  It's a faff but it's not difficult.

                  1. Anonymous Coward

                    Re: Self-sign

                    It's not difficult, but it requires knowing what you're doing - generating a correct certificate is not exactly very simple, especially since some browsers started to warn about alternative names not being set, etc.

                    A self-signed certificate is probably the worst choice, security wise - no way to know if it has been replaced.

                    Using Let's Encrypt for internal certificates is more complex, and you'll still need to own a domain to validate them.

                    Sure, it can be done if you're an IT guy; far more difficult for the average user who just wants to stop tracking and slurping by pointing their DNS at a PiHole.

      2. Anonymous Coward

        How hard? Rubber, silicone or wood?

  4. InsaneGeek

    Google complains about data hungry ISPs??? Those are some swinging balls

    Where the ISP probably will sell your data, Google WILL sell your data. Seriously, that's Google's whole point in existence: to take user information and sell it. Not saying ISPs are better, but come on, Google's real complaint is that the ISPs have the DNS information they want and they don't want to pay ISPs for it.

    1. doublelayer

      Re: Google complains about data hungry ISPs??? Those are some swinging balls

      It's Mozilla making the argument here. And I completely agree with you about Google's willingness to collect and sell data. The solution to this, however, isn't to choose anyone and everyone who isn't Google and keep data flowing to them. Instead, technology promoting privacy should be supported, investigated, and adopted when feasible, no matter whose data collection is disrupted. If a certain endeavor doesn't do much to cut off the data pipe to Google but does to Facebook, it's still a good thing.

      DoH, unfortunately, is somewhere in the middle. It really does promote privacy; it's not difficult to change the provider in a browser and it's quite easy for a DNS provider to set it up. However, it can be used by programs and devices to evade DNS blockers and user controls, including the use of hard-coded servers. Even admitting this, I believe the balance is tilted toward the positive. Programs ranging from actively malicious to locked down by vendor will probably use DoH to hide their tracks, but that can't be helped. If DoH didn't exist, they could and would use something similar. Meanwhile, DoH does really help ensure the privacy of DNS lookups until the DNS server, which can be very useful at keeping data away from ISPs, malicious network devices, etc.

    2. big_D

      Re: Google complains about data hungry ISPs??? Those are some swinging balls

      I use a private DNS server, which uses DNSSEC and DNS over TLS to a major, non-commercial DNS server, and my server blocks around 2.5 million tracking and malware sites, including 1,500 Facebook domains.

      I had a couple of devices that were bypassing this. I changed my firewall to block DoH and turn on Anycast DNS locally. So far, so good. I get the protection of my local DNS server at home and the lesser protection of DoH on the move.

    3. ratfox

      Re: Google complains about data hungry ISPs??? Those are some swinging balls

      Astonishingly, Google claims they don't track users with the data from their DNS service

      I know, I know, I didn't believe it either...

      1. Anonymous Coward

        Re: Google complains about data hungry ISPs??? Those are some swinging balls

        Because DNS still carries little information, especially when most people are behind some form of NAT - it's very difficult to correlate DNS requests to a single individual - some could be just traffic created by local hardware and software.

        DoH will give them much more data to fingerprint users, while it allows bypassing a lot of local caches (router, OS, etc.), so they can see fresh data requests.

        Anyway Google tells you very little about how it processes "temporary logs" to spot "abnormal activities". Or why it stores "random samples".

        Yet that data tells Google about how much, for example, sites competing with its services are used, when, where, etc. etc. - data it couldn't gather if kept out of the loop.

        And even if it's not competing services, that's a lot of data it can resell the analysis/usage of. Why do you believe ISPs don't want to be excluded from such a market? Are we sure we want to create very few, if not The Only One, gatekeepers of the Internet?

        1. ratfox

          Re: Google complains about data hungry ISPs??? Those are some swinging balls

          I guess just the traffic data of websites would be invaluable by itself. They probably can also get traffic data because so many people use Chrome. And again because so many people use Google search.

          But yeah, the fact that ISPs would not be able to get that data is certainly not going to make Google sad. Or anybody else.

  5. EnviableOne

    DoH! unable to resolve name server

    Resolution has been blocked by webfilter as restricted category Hosting sites.

    This message will appear everywhere in the corporate domain, as moving DNS over HTTPS causes the network to treat it the same, so it's got to get scanned and then will get denied.

    DoT over 853 has exactly the same level of security, but allows it to be treated differently.

  6. Rich 2

    Trust noone

    The problem with this is that they're all lying scum - Google just want to get hold of your data and so are rubbishing the ISPs. And the ISPs want to get hold of your data and so are fighting back.

    They're all blood-sucking leeches, and the only way to resolve this and many other similar spats is to legislate to make use of such data illegal. Then neither side will give a stuff, they will shut up arguing and we can all get on.

  7. Wade Burchette

    Mozilla has asked American politicians to probe US broadband giants

    US politicians remind me of Mayor Quimby in the Simpsons. When Mozilla asks the politicians to probe the rich US broadband companies, this clip from the Simpsons perfectly mirrors their response. There will be no investigation because these politicians depend on the lobbying money. As has been said, it is impossible to get someone to believe something when he is paid not to believe.

  8. Denarius

    will upset Voldemort and Co

    Oz governments' lust for metadata will also be affected. Will Mozilla get banned here, or will that be just too obvious?

  9. Anonymous Coward

    Don't Conflate Encryption with Privacy

    The tech companies keep trying to convince us that encryption gives us privacy; in the case of DoH this is simply not true. Yes, my DNS requests may be obscured from my European ISP (which cannot exploit that data anyway due to GDPR); however, Cloudflare, or whichever DoH resolver I use, has full visibility of my requests. And of course any data of mine held by US tech companies has no protection whatsoever, and can be accessed without a warrant by any US law enforcement agency.

    Yes, I can change the DoH resolver in some applications; however, I'll have no idea which ones might be using DoH, and many may decide not to give me a choice in the matter. DoH is a badly implemented standard designed to make it easier for tech companies to monetise data, and is being foisted upon us under the false pretext of enhancing our privacy when the opposite is true.
