Is privacy making you less secure?
"If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored." Crap!
While performing my regular upgrading of my systems I went to some of my often visited new pages to pass the time while waiting for the upgrading to complete. I was surprised to see advertisements pop up on those pages. It's been quite a long time since I've seen ads get past my DNS filtering. I began investigating my browser settings, Firefox in this case, and figured out that the DNS over HTTPS setting was clicked. No problem I thought, I have enabled the use-application-dns.net canary domain so the browser, while on my network, should use my DNS. Right? Not so.
Hmm. Digging deeper and reading more on Mozilla's site they state that "If a user has chosen to manually enable DoH, the signal from the network will be ignored and the user’s preference will be honored." Crap!
So now I have the situation where I must allow ads, 3rd party cookies, javascript (malicious?) etc stream into my home or I must disable DoH on the browser completely and remember to turn it on when I'm traveling. What can I do now? Deploy an Enterprise Policy? <sarcasm>That looks like a lot of fun to maintain!</sarcasm>
Believe me, I understand the pros and cons and what the browser manufactures are trying to do. Provide privacy to their customers? By the way, who are their customers? When was the last time you paid for a browser? Hmm. Maybe I'm not their customer. What am I then? And where are all the queries going? They are no longer going to my ISP. So where? Who is collecting all those queries? What are they doing with them?
Let me put this another way and see if we can find some answers. HTTP Cookies have been abused to track people across sites creating evasive profiles of individuals and their habits with the goal of selling this information for advertising and other less innocent activities. DNS scrapping has been used by ISPs to create profiles of individuals subscribers with the goal of selling information for advertising activities. Ok, so DoH has eliminated that! Right? Wrong! DNS over HTTP has created the best of both worlds. HTTP Cookies can now be directly downloaded to your browser for tracking by a single DNS service no matter where you are in the world. You have now given a single service the ability to track your every query.
I hear the argument now, "the protocol doesn't support cookies" or "company X promises to not abuse the information". Really? Can protocols not be extended? Companies never change their mind/corporate direction. If you listen hard enough you can hear the words "don't be evil" fading away in the background.
In the end, neither privacy nor security has been achieved with DoH. The only thing that has occurred is one surveillance regime has been swapped out for another. But, I guess you got to choose... so that's progress. Right?