Apple, Cloudflare solve huge web security flaw
One of the biggest flaws in internet privacy has always been that ISPs can track which websites you visit thanks to the way the DNS system works – now engineers from Apple, Fastly and Cloudflare have figured out a way to fix it.
Apple and Cloudflare introduce ODoH
The new tech is called Oblivious DNS-over-HTTPS (ODoH). It has been designed to make it much more difficult for ISPs to track where you go online.
The problem it addresses is that when you visit a URL, your browser must first convert the destination name into a machine-readable IP address before it can fetch the page.
To do that it has to interrogate a DNS resolver (usually your ISP's), and that process means the resolver learns every site you look up. ISPs have been known to sell this data.
How it works
ODoH changes the game by decoupling the DNS query from the user's IP address, which means the resolver that answers the query doesn't know who asked it. This is of particular importance to enterprises attempting to maintain security and privacy for remote workers.
It works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The client encrypts its query to the resolver's public key and sends it through the proxy: the proxy sees the client's IP address but only an opaque encrypted blob, while the resolver sees the decrypted query but only the proxy's IP address. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time.
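As an added illustration (not code from the article, nor from Apple, Fastly or Cloudflare), the following Python models the ODoH message flow just described and records what each party is able to observe. Real ODoH encrypts with HPKE (RFC 9230); to run on the standard library alone this stand-in uses a toy construction (Diffie-Hellman over the 1024-bit RFC 2409 group 2 prime, a SHA-256 counter keystream and an HMAC-SHA256 tag), which reproduces the message shape but is not a substitute for HPKE and is far too weak for real use. The party names, IP addresses and the resolver's record table are constructed sample data.

```python
"""Toy model of the ODoH message flow: client -> proxy -> target resolver.

Added example, not the article's or Cloudflare's code. Real ODoH uses HPKE;
this stand-in (toy DH over the RFC 2409 group 2 prime, SHA-256 keystream,
HMAC tag) only mimics the message shape and is NOT secure. All addresses
and records below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 (Oakley group 2); too small for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # P is 1024 bits, so group elements fit in 128 bytes

def keygen():
    """DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def encapsulate(recipient_pub):
    """Client side: fresh ephemeral key and a shared secret for this query only."""
    eph_priv, eph_pub = keygen()
    return eph_pub, pow(recipient_pub, eph_priv, P)

def decapsulate(priv, eph_pub):
    """Target side: recover the same shared secret from the ephemeral public value."""
    return pow(eph_pub, priv, P)

def _kdf(shared, label):
    return hashlib.sha256(label + shared.to_bytes(NBYTES, "big")).digest()

def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def sym_encrypt(shared, label, plaintext):
    """Encrypt-then-MAC under keys derived from the shared secret and a direction label."""
    ks = _keystream(_kdf(shared, b"enc:" + label), len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return ct + hmac.new(_kdf(shared, b"mac:" + label), ct, hashlib.sha256).digest()

def sym_decrypt(shared, label, blob):
    """Verify the tag before decrypting; reject anything modified in transit."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_kdf(shared, b"mac:" + label), ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    ks = _keystream(_kdf(shared, b"enc:" + label), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Target:
    """The ODoH target resolver; `seen` records what it could observe."""
    def __init__(self, records):
        self.priv, self.pub = keygen()  # the public key is published to clients
        self.records = records
        self.seen = []                  # (source IP, plaintext query name)

    def handle(self, source_ip, eph_pub, enc_query):
        shared = decapsulate(self.priv, eph_pub)
        name = sym_decrypt(shared, b"query", enc_query).decode()
        self.seen.append((source_ip, name))
        answer = self.records.get(name, "NXDOMAIN")
        return sym_encrypt(shared, b"response", answer.encode())

class Proxy:
    """The ODoH proxy; it relays opaque bytes and `seen` records what it could observe."""
    def __init__(self, ip, target):
        self.ip, self.target = ip, target
        self.seen = []                  # (client IP, opaque ciphertext)

    def forward(self, client_ip, eph_pub, enc_query):
        self.seen.append((client_ip, enc_query))
        # The target only ever sees the proxy's address as the source.
        return self.target.handle(self.ip, eph_pub, enc_query)

def odoh_resolve(client_ip, name, proxy, target_pub):
    """Client side: encrypt the query to the target, send via the proxy, decrypt the answer."""
    eph_pub, shared = encapsulate(target_pub)
    enc_query = sym_encrypt(shared, b"query", name.encode())
    enc_response = proxy.forward(client_ip, eph_pub, enc_query)
    return sym_decrypt(shared, b"response", enc_response).decode()

def demo():
    """One query over constructed data; returns the answer and each party's view."""
    target = Target({"example.com": "203.0.113.10"})   # RFC 5737 documentation addresses
    proxy = Proxy("198.51.100.1", target)
    answer = odoh_resolve("192.0.2.50", "example.com", proxy, target.pub)
    return {"answer": answer, "proxy_view": proxy.seen, "target_view": target.seen}
```

Running `demo()` shows the split the article describes: the proxy's view pairs the client address with ciphertext that does not contain the queried name, while the target's view pairs the plaintext name with the proxy's address, never the client's. Because a fresh ephemeral key is used per query, two lookups of the same name produce unrelated ciphertexts, so the proxy cannot even tell repeated queries apart.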
The people behind the technology say the process adds under 1ms to the time it takes to resolve a site. Cloudflare has published a detailed explanation of how ODoH works.
The company also says partner organizations are already using the technology, which can also be accessed through Cloudflare's existing 1.1.1.1 DNS resolver.
That's promising. While the tech will need to be built into browsers and operating systems before it sees real use, Apple's involvement in the development suggests we should see it appear in iPhones, iPads and Macs (and Safari) fairly soon.
What they are saying
Firefox is also taking a close look. Eric Rescorla, CTO of Firefox, says,
“Oblivious DoH is a great addition to the secure DNS ecosystem. We’re excited to see it starting to take off and are looking forward to experimenting with it in Firefox.”
Michael Glynn, Vice President, Digital Automated Innovation, PCCW Global said:
“ODoH is a revolutionary new concept designed to keep users’ privacy at the center of everything. Our ODoH partnership with Cloudflare positions us well in the privacy and “Infrastructure of the Internet” space. As well as the enhanced security and performance of the underlying PCCW Global network, which can be accessed on-demand via Console Connect, the performance of the proxies on our network is now improved by Cloudflare’s 1.1.1.1 resolvers.
“This model for the first time completely decouples client proxy from the resolvers. This partnership strengthens our existing focus on privacy as the world moves to a more remote model and privacy becomes an even more critical feature.”