You’ve probably never heard of it, but a new protocol called DOH could be a game-changer for online privacy. DOH stands for DNS-over-HTTPS. It would encrypt DNS traffic within your browser and hide requests and responses.
When you enter a website’s URL into a web browser, it’s sent to the internet as a DNS request. It’s a record of the website you’re visiting. Your Internet Service Provider (ISP) can see it — even in stealth mode — and can use this data to target advertising to you. It’s why who you choose as an ISP is so important. For example, Frontier vs Spectrum or Xfinity vs AT&T. Each ISP handles security and privacy slightly differently.
This would make the DNS traffic invisible to third-party networks. When you visit a website, your ISP wouldn’t be able to tell what sites you visit. This would make it harder for carriers to leverage data for targeted advertising. It would also make it much more difficult for hackers trying to initiate man-in-the-middle attacks, such as intercepting your traffic on a public Wi-Fi system. Since all of the traffic coming and going is encrypted, even if someone was to intercept it, they would have a difficult time decrypting it.
As you can imagine, network operators hate it. So did VPN (Virtual Private Network) providers that have built a business on software that encrypts internet traffic.
Major Browsers Rolling Out DOH
According to ZDNet, all major browsers are rolling out DOH. It’s already available in some browsers. Users have to enable it. You can read how to do it here for:
Safari has yet to make a public announcement on DOH, but experts expect it to be included.
NCTA, CTIA, US Telecom Respond
The Cellular Telecommunication Industry Association (CTIA), The Internet & Television Association (NCTA), and The Broadband Association (US Telecom) have a differing view.
They believe that this practice would centralize DNS information into the hands of the browsers. They specifically called out Google and Chrome.
“Google is unilaterally moving forward with centralizing encrypted domain name requests within Chrome and Android, rather than having DNS queries dispersed amongst hundreds of providers. When a consumer or enterprise uses Google’s Android phones or Chrome web browser, Android or Chrome would make Google the encrypted DNS lookup provider by default and most consumers would have limited practical knowledge or ability to detect or reject that choice. Because the majority of worldwide internet traffic (both wired and wireless) runs through the Chrome browser or the Android operating system, Google could become the overwhelmingly predominant DNS lookup provider.’ — NCTA, CTIA, US TELECOM letter to Congress
The group says it recognizing the “potential positive effects of encryption,” but they also say they are concerned about the “collection of the majority of worldwide DNS data by a single, global internet company.” They say this gives Google an unfair competitive advantage and inhibit competitors in advertising (and other industries) when you consider Google dominance in the browser and mobile operating system market.
Google says these allegations are baseless. ArsTechnica reports that Google says it will not switch Chrome users to its own DNS servers.
“Google has no plans to centralize or change people’s DNS providers to Google by default,” the company said in an email to Ars Technica. “Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate.”
Mozilla Weighs In
Mozilla laid out its case for DOH to members of Congress this way. Here’s an excerpt:
We believe that such proactive measures have become necessary to protect users in light of the extensive record of ISP abuse of personal data, including the following incidents:
Providers sold the real-time location data of their mobile broadband customers to third parties without user knowledge or meaningful consent. In one particular case, an intermediary was found to be selling particularly sensitive GPS data, which can pinpoint the location of users within a building, for over five years.
ISPs have repeatedly manipulated DNS to serve advertisements to consumers.
Comcast has previously injected ads to users connected to its public wi-fi hotspots, potentially creating new security vulnerabilities in websites. And last year,
CenturyLink injected ads for its paid filtering software and disabled the internet access of its users until they acknowledged the offer.
Verizon tracked the internet activity of over 100 million users without their consent through “supercookies” that could not be deleted or circumvented. This allowed Verizon to closely monitor the sites that users visited and catalogue their interests without their knowledge.
AT&T operated a program that required users to pay an extra $29 per month to opt out of the collection and monetization of their browsing history for targeted ads. While the company ended the program after public criticism, it has considered reviving it in the current deregulated environment.