English, Nederlands

DoH, DoT, QUIC and our stance on privacy and security

Posted on february 22, 2021 by ASK-Solutions in discussion

Image of a lockBoth privacy and security are complex topics and often underrated and misunderstood. Some ideas sound great, but if you look closely ‘under the hood’, things quickly turn sour. Other ideas sound trivial, but after reaching a deeper understanding turn into critical details.

Malicious attacks and invaded privacy

Let’s start with DNS over HTTPS (“DoH”). A lot, but certainly not all of the cyberattacks, identity theft, phishing, malware, and ransomware we can become a victim of, are accomplished through DNS (Domain Name Services – the service that translates humanly recognizable website and online services names to computer usable addresses) spoofing. Spoofing works by altering the addresses returned to your computer when you try to visit a website or access a service. Instead of visiting the website you intended, you visit a similar looking website that delivers a bad payload to your computer or steals your banking credentials. This is obviously very bad and something should be done about this form of attack being possible.

At the same time DNS traffic is sent plainly over the internet, most probably to the DNS servers of your ISP. Therefore they know all websites you visit and all services you use. They can use this information to sell valuable data on what you do and what you like. Again this is very bad and something should be done against it.

This is were DoH comes to the rescue. An existing transport protocol which utilizes good and reliable point to point encryption can be used for DNS requests. This solves both problems at the same time. Nobody is able to alter or manipulate the addresses returned, and your ISP or the fast food restaurant you happen to connect to on your laptop to check your mail and social media, can no longer see which sites you visit and which services you use. They can no longer use and sell information about you.

The deadly viper

Wrong. The people running the DoH and everybody who can gain control over them, either legally or illegally, can still alter and manipulate the addresses returned. In fact, this has become easier. Instead of having to manipulate thousands of DNS servers all over the world, only a few servers have to be manipulated to target millions of people. That this is reality, has already been proven. The companies promoting the use of DoH are not only the companies running the DoH services, but they are also the same companies that have already proven themselves to be okay with manipulating what you can and cannot find online. They have already shown to actively influence political outcomes, to censor individual people and certain groups, and to target people of certain faith, race, demographic and beliefs, in order to change their behavior. This goes well beyond the scope of the YouTube, Facebook, and Instagram algorithm. By using DoH we’re directly giving them control over what we can and can’t find, visit and use.

Also, your ISP and that fast food restaurant, can still see what websites you visit and what services you use. You connect though their network to those websites and services. They see your traffic and thus nothing much has changed. It only became slightly more complicated. They have to translate the addresses back into names. True: some data is lost, especially with shared hosting, but those are only the minority. And some, if not most of data lost can still be obtained through other means.

In fact, your privacy got worse. Instead of many places and parties seeing some of your data, your data is now centralized directly to the big data mining companies. Yes, the companies promoting the use of DoH, are the big data collection parties. The companies who are already profiling you, are receiving tons more about everybody who uses DoH.

Third side of the coin

But there’s even yet another side to this story. Altering and manipulating the addresses returned by DNS is not by definition a bad thing. It can be used for malicious purposes, but it can also be used for good. It can be used to block malware, it can be used to protect your privacy, it can be used to block ads, and block improper content. Products such as PiHole, PFSense, Untangle and Cisco Miraki use DNS alteration to protect individuals, enterprises, and systems from malware and privacy invasion. Using DoH renders these protections ineffective. You’re once again vulnerable to malware, you’re once again tracked and your data is once again leaked without anybody able to stop or prevent this from happening.

But what about using a HTTPS proxy to filter out DoH requests? Yes, this can be done. However, this requires quite a bit more processing power to do and thus energy. Also in an individual’s home or enterprise, all machines and devices need to have the certificate of the encryption key pair of the HTTP proxy installed. This is a laborious task and can not be done with all devices and applications. In fact, some applications, like Chrome browser, have mechanisms build in to prevent you from being able to do this - to prevent you from doing just this. Also this is impossible to do for visitor’s devices and public places.

Most important: DoH is solving a problem that has already been solved. We have both DNS over TLS (“DoT”) and DNS Security Extensions (“DNSSEC”). With DoT, the DNS traffic is encrypted, does not go to centralized places, and we can still protect our privacy and filter out unwanted content. With DNSSEC, we can verify the authenticity of the addresses returned by the DNS server; we can detect if the addresses returned have been manipulated or are authentic. DNSSEC can both be used by network security and privacy products as well as by your web browser and other applications you use.

QUIC Improves the speed of the internet

The QUIC protocol is another good example of solving a problem that has already been solved. QUIC basically is HTTPS but uses UDP packets instead of TCP streams as it’s transport layer. A TCP stream has overhead for managing the stream and making your connection reliable. It provides detection and retransmission of lost packets and offers reordering of data which it received out of order because of packets that took a different route due to traffic shaping and loadbalancing on the internet. This introduces some overhead and thus lag. UDP removes this overhead, improving your internet experience. Al least this is what is claimed in order to promote the usage of this protocol. The internet gets slower and slower and the QUIC protocol solves this problem by reducing overhead, thus latency and lag. Although this is true, it’s also not true. Only a minute fraction of the time it takes to load up a webpage is caused by this overhead. The UDP transport mechanism provides nothing to solve reordering out of order data or retransmission of missing data. Both are still nessesary for a website to load successfully. With QUIC, the network layer does not solve these issues, these issues are now moved from the network layer into the webbrowser and webserver. Reordering data and retransmission of missing data is now done not in the operating system and network equipment, but in the less secure and less robust application layer. Which reintroduces a similar overhead in just a different place. The real delay comes from connecting to all those tracking services, looking up the data stored about you, loading the ads, loading script after script invoking framework after framework. The real HTTP and HTTPS overhead, has already been dealt with by the keep alive capability aka persistent connection introduced decades ago and improved upon multiple times.

The real effect of the QUIC protocol is that it becomes very hard to track connections from a security perspective. It becomes hard, if not almost impossible to block content such as ads and prevent tracking and collecting private data without breaking the functionality. It partly prevents prying eyes from tracking you, but introduces extra, shown and proven, privacy issues. It is centralizing privacy invasion to a single entity, which now knows even more about you. Whilst simultaneously obscuring information about you to other entities.

Yes, but it is really quicker, look! No, that’s not because of the QUIC protocol, that because the services have been programmed more efficiently, using less scripts, and frameworks. Something that can be as easily done with HTTP as well as HTTPS.

Destination: software freedomOur stance

We as a company believe in a free and open world where individuals, groups, and entities such as businesses’ privacy is respected. In 2002, when we officially formed, our main focus and primary goal was to support freedom and promote open exchange of ideas and knowledge. Over the years, we’ve supported multiple organizations such as the Free Software Foundation, Bits of Freedom and EDRI. We use and promote the use of freedom respecting hardware and software.

We don’t spy on our website’s visitors and our customers, therefore you will not be nagged about cookies on our website. We don’t use services like Google Analytics or Facebook embedded apps on our website. We don’t use tracking images in our emails. We only want to know, what you want us to know.

With longstanding expertise in IT and having actively participated in the development of the modern day internet, we can give solid advise on security, privacy and freedom. On the other hand we’ve also got the knowledge to utilize modern techniques and services without compromising too much on ones privacy and freedom.

LinkedIn, Facebook, Follow us on Twitter, Follow us on Instagram, Watch out videos, Support us at Patreon
ASK-Solutions complies with ISO 9001:2008 quality assurance