23/04/2019
Your data may be encrypted when you use https, but what about your metadata? I wrote about metadata and eavesdropping earlier this year - it is, among other things, the URLs of the websites you visit. If attackers can access this information, they can learn some potentially confidential information about you, and you are unlikely to be aware that the information had been exposed. This is another example of information leakage.
DoT, DoH, and ESNI are coming to the (at least partial) rescue. The first two are ways to hide the contents of DNS queries so attackers cannot discover the sites for which you need addresses (and that is every one you visit), and the third is a way to hide some portions of the site name you actually request.
Let's look at DoT (DNS over TLS) and DoH (DNS over HTTPS). These two may seem a lot similar since HTTPS uses TLS to encrypt the transfer of information. But they are a bit different.
DoT uses a conventional TCP connection to the DNS server, but the server initiates a TLS handshake before the actual request is sent and the responses returned. That means that an attacker would only see the request to the DNS server, but have no idea what name was requested to be resolved. Not all resolvers support this, yet, and not all operating systems support it, either.
DoH is similar, but uses the HTTPS protocol and sends the DNS data to and from the server using a special MIME-type. The idea is that an end-user application or an application that makes the DNS queries (called a resolver) uses DoH to make queries to servers. DoH is not supported by any operating systems at this writing, but a few browsers - including the newest versions of Firefox - support it. The public servers that support it are called recursive name servers. That is, the servers ask other servers on the network to resolve queries for them. They may, in turn, use DoT to contact the other servers.
ESNI (Encrypted Server Name Indication) is a draft extension of, or upgrade to, TLS 1.3 that is used when servers support multiple hosts on a single IP address. The unencrypted version is used to tell the server what site you want to access at that IP address. It is sort of similar to dialing a single telephone number for a company and asking to speak to an individual. An eavesdropper could discover not only the company being called but could potentially listen in and discover what person was actually being requested. ESNI encrypts that part of the request that identifies the actual site out of many being served at a particular address.
Deployment of ESNI is still quite limited. At the time of this writing, it appears that the only real support is from Cloudflare, but it is likely that once the standard is approved, deployment will greatly expand.
These nascent protocols promise to significantly improve privacy on the web. Until all of these are widely deployed, users interesting in hiding their metadata - at least for part of the journey over the internet - can rely on a VPN solution.
We discuss VPNs, information leakage, and internet privacy in multiple Learning Tree Cybersecurity Courses.
To your safe computing,
John McDermott