
Cloudflare and Apple's Novel "Oblivious" Protocol May Signify the Demise of Telecom Surveillance

Today the security firm and network provider Cloudflare disclosed a strategy, developed together with Apple and Fastly, to stop your internet service provider from watching your web activity.


Today Cloudflare, together with Apple and Fastly, announced a new plan to shield your web activity from your internet service provider's (ISP) prying eyes. The name of this protection mechanism? Oblivious DNS-over-HTTPS, or ODoH for short.

ODoH is a twist on the good old domain name system (DNS), the phonebook of the internet. When you type "google.com" into your browser's address bar, it's DNS that translates that name into one of Google's IP addresses (172.217.164.142, say) so you end up at the right server.

Now, by default your DNS resolver is usually run by your internet service provider (Comcast, Verizon, AT&T and so on), which means the ISP sees every name you look up. With ODoH, a proxy run by a separate party is inserted between you and the resolver: the resolver never learns your IP address, and the proxy never learns what you asked.

But why go through all this hassle, you ask? ISPs can collect a great deal about you from your traffic, from the sites you visit to inferences about your age, gender and habits. And thanks to a 2017 law, signed by Trump, that repealed the FCC's broadband privacy rules, they don't need your permission to track and sell that data. Some ISPs do offer an opt-out, but it's usually buried in a tangle of jargon.

"The DNS ecosystem isn't exactly the poster child for encryption or privacy," Cloudflare's Head of Research Nick Sullivan told Gizmodo. "It was designed more as a control system for the internet."

Cloudflare sees ODoH as part of its broader web security mission, alongside its 1.1.1.1 service, a public DNS resolver with a privacy-first policy. By supporting protocols like ODoH, the company hopes to make the internet more secure for everyone.

Although some resolvers already accept ODoH requests (Cloudflare's 1.1.1.1 among them), it may be a while before you can use it without doing some coding of your own. Think of it as an emerging protocol that still needs work before it reaches mainstream adoption.

However, if you're up for the challenge, Cloudflare has open-sourced client and server implementations in both Go and Rust.

Now, how does ODoH actually do its cloak-and-dagger act? Let's break it down:

  1. Encrypted query: The client encrypts its DNS query with the public key of the ODoH target (the resolver that will actually answer) and wraps it in an HTTPS request. Nobody in between can read the query, and nobody but the target can decrypt it.
  2. Relay through a proxy: Instead of sending the request to the resolver directly, the client sends it to an oblivious proxy run by a different party. The proxy sees the client's IP address but only an encrypted blob; it forwards the blob to the target over its own connection. The target decrypts the query, resolves it, encrypts the answer so that only the client can read it, and hands it back through the proxy.
  3. Separation of duties: The proxy knows who asked but not what; the target knows what was asked but sees only the proxy's address, not the client's. Tying a query back to a user requires the two operators to pool their logs, so the protection holds only as long as the proxy and the target are run by different parties that don't collude.
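To make the three steps above concrete, here is an added Go simulation of the exchange; it is example code written for this article, not Cloudflare's odoh-go or odoh-rs, and it assumes a client, an oblivious proxy and an oblivious target running in one process rather than over HTTPS. The client encapsulates to the target's X25519 public key and seals the query with AES-GCM, the proxy records only the client address and blob size, and the target records the query and the proxy's address. The key schedule is an HMAC-SHA256 stand-in for the HPKE that RFC 9230 uses, and the zone, addresses and domain names are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed zone data so the demo resolves offline; names not listed answer "".
var zone = map[string]string{"example.com": "93.184.216.34"}
// Target is the oblivious target (the resolver); real clients fetch its public key from a published ODoH config.
type Target struct {
	priv *ecdh.PrivateKey
	Seen []string // what the target learns about each request
}

// Proxy is the oblivious proxy: it holds no keys and only relays opaque blobs.
type Proxy struct{ Seen []string }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewTarget() *Target { return &Target{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }
// kdf: one AES-128-GCM key per direction from the X25519 shared secret via HMAC-SHA256 (HPKE stand-in, not conforming).
func kdf(shared []byte, label string) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write([]byte(label))
	return m.Sum(nil)[:16]
}
// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; it fails on a wrong key or any tampering.
func open(key, msg []byte) ([]byte, error) {
	aead := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

// EncryptQuery is the client step: it returns ephPub || sealed query and the key kept for the answer.
func EncryptQuery(targetPub *ecdh.PublicKey, qname string) (msg, respKey []byte) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(targetPub))
	ct := seal(kdf(shared, "query"), []byte(qname))
	return append(eph.PublicKey().Bytes(), ct...), kdf(shared, "response")
}

// Handle is the target step; from is the peer on its connection, which under ODoH is the proxy, not the client.
func (t *Target) Handle(from string, msg []byte) ([]byte, error) {
	if len(msg) < 32 {
		return nil, errors.New("message too short")
	}
	shared, err := t.priv.ECDH(must(ecdh.X25519().NewPublicKey(msg[:32])))
	if err != nil {
		return nil, err // rejects low-order points
	}
	qname, err := open(kdf(shared, "query"), msg[32:])
	if err != nil {
		return nil, err // wrong key or tampered ciphertext
	}
	t.Seen = append(t.Seen, fmt.Sprintf("peer=%s qname=%s", from, qname))
	return seal(kdf(shared, "response"), []byte(zone[string(qname)])), nil
}

// Relay is the proxy step: it learns the client's address and the blob's size, nothing else.
func (p *Proxy) Relay(clientAddr string, msg []byte, t *Target) ([]byte, error) {
	p.Seen = append(p.Seen, fmt.Sprintf("peer=%s bytes=%d", clientAddr, len(msg)))
	return t.Handle("proxy.example.net", msg)
}

// Resolve runs one complete exchange and returns the answer as the client decrypts it.
func Resolve(p *Proxy, t *Target, clientAddr, qname string) (string, error) {
	msg, rk := EncryptQuery(t.priv.PublicKey(), qname)
	encResp, err := p.Relay(clientAddr, msg, t)
	if err != nil {
		return "", err
	}
	answer, err := open(rk, encResp)
	return string(answer), err
}

func main() {
	t, p := NewTarget(), &Proxy{}
	fmt.Println("client got: ", must(Resolve(p, t, "203.0.113.7", "example.com")))
	fmt.Println("proxy saw:  ", p.Seen) // the client's IP, but no domain
	fmt.Println("target saw: ", t.Seen) // the domain, but only the proxy's address
}
```

Run it and compare the two `Seen` logs: the proxy's entry carries the client address and a byte count, the target's entry carries the domain and the proxy's address. Merging the two logs is exactly what the non-collusion assumption in step 3 rules out. The demo also shows the property real ODoH gets from HPKE's authenticated encryption: a flipped ciphertext byte or a truncated message is rejected by the target rather than answered.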

In the world of internet privacy, ODoH is the new kid on the block – a promising up-and-comer set to give you peace of mind while browsing the web. Fancy ending up on the right side of history? Try it out and stay one step ahead of those who might be sniffing around your browsing habits!

