First came Google, Microsoft, Mozilla, Cloudflare, and others IT giants. Now Apple has announced at this year’s annual WWDC developer event that they are joining the encrypted DNS trend. Here we take a look at how this change impacts consumer security and privacy, especially in the context of telecoms and internet service providers.
What is encrypted DNS about?
Encrypted DNS, whether via DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), is in theory aimed to improve consumer privacy. The ideas arise especially out of the context of scandals around US telecoms providers selling user data to governments, police, bounty hunters, and more unsavory predators.
Domain Name Service (DNS) requests are how your browser/apps ask the internet on your behalf where to find the online services you are using. Most of the internet is now encrypted via HTTPS, so normally nobody except the online services themselves are able to see the exact contents of what you are browsing and doing online.
That said, if I can watch your DNS requests, I know exactly which websites and services you are using. Basic metadata is more than enough for very intrusive surveillance, as you can see in this humorous (fake) report to the British government by a 1770s data scientist.
For example, if I can watch your DNS requests, while I may not know exactly which pornographic video you watched, I know which pornographic services you used (it doesn’t matter whether you access it via a browser or via a specific app).
While I may not know your exact health problems, I do know that you are looking at mental or reproductive health services.
While I may not know exactly what you are saying to journalists or to regulatory agencies, I do know you are talking to or researching them and could be a whistleblower.
The idea behind both DoH and DoT is to encrypt these DNS requests, specifically in a way that hides them from the network you are connecting to.
This has obvious advantages if you are living under a repressive regime who are spying on their whole population’s internet traffic in order to target harassment of certain vulnerable groups, or if your internet service provider is selling your data to nasty people, or even if you working for an abusive employer. Unfortunately, widespread injustices mean that a lot more people than many might think are at heightened cybersecurity risk from this kind of threat.
Like many privacy technologies, DoH and DoT are not inherently better (or worse) for an ordinary person’s privacy than the alternative.
Instead, these technologies move the privacy problem from one (presumably untrusted) provider, in this case an ethically challenged network provider, to another (hopefully more trusted) provider. The DoH or DoT provider still sees all your DNS requests – the hope is that they behave ethically, and do not try to monetize or otherwise snoop on, store, and sell your requests.
Privacy technology is an area that is rife for scams and dubious providers who often do more harm than good, as we see in the VPN business or in the blockchain business.
DoH and DoT are no exception. Companies are not providing these expensive services out of the goodness of their hearts. There are reasonable arguments to be made for whether an unethical ISP or a surveillance economy giant is worse for your browsing privacy. For those interested in the gory history of DNS, attempts to secure DNS, and attempts by unscrupulous businesses to twist DNS standards to their advantage, I highly recommend watching one of DNS pioneer Paul Vixie’s highly sarcastic DNS history talks.
How consumer security works today
Most current thinking about cybersecurity involves a 3-layer model.
Layer 1 is centralized security in the network.
This gives more or less 100% coverage of users and devices while on that network, which can thus potentially be protected. Almost all large-scale network security works via scanning DNS requests and blocking browsing to sites that are classified as harmful. This is a necessarily very basic level of protection because all more advanced malware – especially new ransomware and banking trojans variants – will not raise warning flags until the user runs the program on their device, which is technically impossible to see from the network.
Layer 2 is security in the home or office router.
This gives coverage to all the devices in that home or office – including IoT gadgets like TVs and gaming consoles. A higher level of protection is possible here, due to more granular visibility into the individual devices and network behaviors, as well as more advanced complementary technologies that do not rely on DNS alone. Like for network security, there are still some necessary limits to coverage of certain security threats, and protection is limited to devices connected to that router’s network.
Layer 3 is end-point protection (EPP) – i.e. traditional anti-virus / anti-malware software.
The main disadvantage is that EPP requires users to install something on each device. This makes complete device and user coverage very challenging. In addition, cybersecurity companies are never going to make EPP for your coffee maker, your fridge, or your fire alarm, so these devices can never have EPP installed.
There are two advantages to EPP. First, it is the only way to provide the most comprehensive level of security. For example, this is the only layer which gives full protection against new ransomware and banking trojans variants, because it is the only place where behavioral analysis and behavioral-based blocking is possible. Second, it is the only way to protect users and devices no matter where they are, including while roaming or using different public Wi-Fi hotspots.
In an ideal world, consumers have protection working at all three layers which are connected together in a seamless way so that all these tricky technical details are hidden, and at the same time people are properly protected in a user-friendly way. Just because one case requires router security, another case requires EPP, a third case requires network security, and yet another case could work from multiple layers – this does not mean consumers need to know and understand these details. For consumers, it should just work, like magic.
This obviously means that telecoms and internet service providers are in prime position to provide high-value converged consumer security and privacy solutions, because they already own the network and router layers and they already have experience providing value-added apps to consumers.
F-Secure are a leading cybersecurity company working with service provider partners worldwide for both layer 2 (F-Secure SENSE integrated as an SDK or a container within the partner’s routers) and layer 3 (F-Secure TOTAL and F-Secure ID PROTECTION), as well as allowing network security providers to enhance their layer 1 coverage via integration with the F-Secure Security Cloud.
The Apple DoH/DoT approach
The Apple approach announced at WWDC is to allow developers to create apps that either provide DoH/DoT global services or specifically use DoH/DoT only for their own applications. As can generally be expected from Apple around privacy subjects, there is a lot of attention paid to making sure this can only be enabled under explicit opt-in user consent.
Specifically, unless you have a corporate Apple device under remote device management from your employer, you will need to be a very informed and determined user to turn this on. You will need to find and download an app or profile, and then find the correct toggle buried deep in the settings to turn it on. In other words, it is probably going to be a very small minority of users who have DoH/DoT turned on.
This limited opt-in approach by Apple matches well with approaches taken by other major O/S and browser vendors. This is in part down to the huge joint international push-back efforts from ISPs and DNS security vendors against DoH/DoT. These efforts are very understandable given DoH and DoT’s potential to catastrophically disrupt both business models and regulatory compliance approaches that are based entirely on DNS. These efforts have, for example, resulted in concessions from Google that ISPs’ own DoH servers will be used in preference to Google’s own public servers.
F-Secure do not see a short-term impact from DoH/DoT rollout, including with Apple joining the game.
F-Secure’s approach, today & future
Obviously DoH/DoT usage does impact DNS based solutions, whether it is network security or router security. F-Secure SENSE does use DNS for protection on the home network, it is just not the only arrow in the quiver. Protection is also provided via HTTP(S) and even with additional advanced IoT security functionalities (anomaly detection and Packet Flow Inspection features) which are all independent of DNS and DNS encryption.
Even for DNS-based protection, by the time DoH/DoT usage becomes widespread amongst users (assuming that does ever happen), we expect to have additional solutions in place.
There are two likely parts to these future solutions, both parts already exist elsewhere in F-Secure solutions.
Part 1 is why F-Secure’s EPP solutions (which are already usually provided along with router security as part of an overall seamless service to end-users) are completely unaffected by DoH/DoT. Desktop browser plugins and mobile VPN mean that our solution has access to the qualified domains (and with browser plugins the full URLs), independent of both HTTPS encryption and DoH/DoT hiding of DNS lookups. This is how we continue to provide award-winning protection to our users.
On Mac, the browser plugins means that even for the very few users with DoH/DoT enabled, we are still able to fully protect the user and fully able to provide Family Rules filtering. On iOS, the VPN that is part of F-Secure TOTAL means that even for the very few users with DoH/DoT enabled, we are still able to fully protect the user and provide Family Rules filtering because, as explained in their developer video, Apple specifically bypasses DoH/DoT at the O/S level for VPNs.
Part 2 is an AI innovation F-Secure started in 2018 and announced in 2019 – Swarm AI (Project BlackFin). Swarm AI is already deployed with some of our enterprise solutions, and is a technology that we expect to trickle down to consumer security cases such as router security. Swarm AI allows for much more local decision-making intelligence based on incomplete information, which is exactly what is needed to take decisions on the security of HTTPS and DoH/DoT protected traffic.
In conclusion, whether you are a consumer or a service provider, there is no reason to worry about this move by Apple, or about DoH and DoT in general. At worst, it is harmless; at best, and with due caution as to who you put your trust in, these changes can potentially help patch an important privacy hole for many vulnerable user communities.