Comcast Is Lobbying Against Encryption That Could Prevent it From Learning Your Browsing History (vice.com)

Internet giant Comcast is lobbying U.S. lawmakers against plans to encrypt web traffic that would make it harder for internet service providers (ISPs) to determine your browsing history, Motherboard reported Wednesday, citing a lobbying presentation. From the report: The plan, which Google intends to implement soon, would enforce the encryption of DNS data made using Chrome, meaning the sites you visit. Privacy activists have praised Google's move. But ISPs are pushing back as part of a wider lobbying effort against encrypted DNS, according to the presentation. Technologists and activists say this encryption would make it harder for ISPs to leverage data for things such as targeted advertising, as well as block some forms of censorship by authoritarian regimes.

Mozilla, which makes Firefox, is also planning a version of this encryption. "The slides overall are extremely misleading and inaccurate, and frankly I would be somewhat embarrassed if my team had provided that slide deck to policy makers," Marshall Erwin, senior director of trust and safety at Mozilla, told Motherboard in a phone call after reviewing sections of the slide deck. "We are trying to essentially shift the power to collect and monetize peoples' data away from ISPs and providing users with control and a set of default protections," he added, regarding Mozilla's changes.

  • by Indy1 ( 99447 ) on Wednesday October 23, 2019 @12:13PM (#59339310)

    I already have my firewall / gateway box performing all DNS lookups via DNS over TLS. And I don't use your shitty DNS servers in any case.

    • by Hentes ( 2461350 )

      Except your box won't do any good when browsers use their own DNS servers instead.

      • Re: (Score:3, Insightful)

        by kalpol ( 714519 )
        Yep....the onleeeee reason this exists is so Google gets that sweet sweet browsing data instead of Comcast. They were worried about encryption of DNS lookups too, and headed it off by just having the browser do it. It's all bad.
        • Re:too late assholes (Score:5, Interesting)

          by 93 Escort Wagon ( 326346 ) on Wednesday October 23, 2019 @02:48PM (#59339976)

          In the short term* - Google Chrome will not change which DNS servers are being contacted for the lookup. If the selected servers also offer DNS over HTTPS, it will use that - otherwise it falls back to "normal" DNS lookups.

          However there are people like Paul Vixie (who helped design DNS) who argue that DoH is a fundamentally bad idea on technical grounds [theregister.co.uk] - independent of who is handling it. Interestingly, Vixie thinks Firefox's implementation is worse than Google's [google.com] (again, that's Google's *current* implementation).

          *I fully expect it will change over time to favor Google's own servers. But it doesn't do that now.

        • Yep....the onleeeee reason this exists is so Google gets that sweet sweet browsing data instead of Comcast. They were worried about encryption of DNS lookups too, and headed it off by just having the browser do it. It's all bad.

          This makes no sense. If the browser maker wants the browsing data, they've got it. And a lot more of it than can be gotten from DNS.

          • Only if you allow user data to get sent back to the servers though.

            Plus, lots of people use Google DNS for performance or stability reasons anyway. This is a way of hiding that shit from your ISP.

      • by Indy1 ( 99447 )

        Not concerned since I use Firefox, and I've already implemented a network wide solution telling Firefox to not use DoH

        https://support.mozilla.org/en... [mozilla.org]

  • Browser DNS is Bad (Score:5, Insightful)

    by rjstanford ( 69735 ) on Wednesday October 23, 2019 @12:14PM (#59339314) Homepage Journal

    The real problem is not that secure DNS exists, it's that DNS is being handled by the browsers instead of by the OS in these cases. Separate services for separate concerns, guys. We shouldn't have to use tools like dnscrypt-proxy for something that's getting this much traction.

    • by PPH ( 736903 )

      DNS is being handled by the browsers instead of by the OS

      It's probably the first step in turning the web into a series of walled gardens. If your browser ignores your DHCP or manual settings and goes to its own DNS system, it can control who is inside or outside of your little world.

    • by Sarten-X ( 1102295 ) on Wednesday October 23, 2019 @12:26PM (#59339366) Homepage

      So... is Microsoft pushing for data privacy these days?

      No?

      The change has to start somewhere. Linux distros don't have the market share and Microsoft almost never leads new technologies. The only other players in the game are Mozilla and Google, who are leading this, and Apple. Apple has the capability to deploy privacy technology across their walled garden, but they also want to avoid political trouble with the telecom giants.

      It looks like it'll be up to the browser leaders to build the technology demand. The rest will follow.

      • So... is Microsoft pushing for data privacy these days?

        Actually they are [microsoft.com].

        And so is Apple [intego.com]

        The change has to start somewhere

        It has started all over the place, data privacy concerns are huge, both major OS makers are actually doing quite a lot to address this. Let's not rush to some terrible technical solution because it is "a step". So is your first step off a cliff, or a first taste of meth...

    • by mysidia ( 191772 ) on Wednesday October 23, 2019 @01:04PM (#59339518)

      its that DNS is being handled by the browsers instead of by the OS in these cases

      Modern browsers have had their own built-in DNS resolver instead of using the system one for a long time: it's just that until now they were using DNS servers configured in the operating system. A trouble is that the desire is to bring about a privacy or security improvement and get end users actually benefiting.
      Currently operating systems have no way to configure, enable, and support DoH or DNS over TLS. Furthermore, even if they did, as a non-default it would likely be ignored by most users and too hard to find and set up. Next, manual configuration would be fragile and prone to errors.
      Many providers would simply not support DoH or DNS over TLS on their own servers, as is the case right now.
      Also, if configuration comes from DHCP, then how do you establish whether the server and its offered resolver host IP addresses are safe to trust? Slashdot "lameness filter" sucks.

      • by MobyDisk ( 75490 )

        Currently operating systems have no way to configure, enable, and support DoH or DNS over TLS.

        We need to fix that ASAP, before every application starts building in its own DNS service. It should be able to use the existing API calls transparently, so applications should not need to change.

        • by mysidia ( 191772 )

          They could start by implementing the configuration methods and support for DHCP options noted in RFC 8310 -- although it would also be necessary for recursive DNS server operators to also add support to their servers.

          I am all for client operating systems fixing this; but it's at the 11th hour at this point -- as in this rollout of DoH by Chrome etc has been announced for a long time, so I would expect the browsers to continue with their plans at this point: even if the beginnings of a solution in system r

      • On the flip side, what do you do when you want to use a specific DNS server on your network, whether for intranet resolves, shortcuts, or family/kid blocking, or malware blocking (like OpenDNS or Pi-hole or other such types of DNS services), and every application that you have that uses the internet has its own hardcoded DNS server implemented to ignore the one you dish out on your network over DHCP to the OS?

        It's already getting to be a pain, as I have a canary for Firefox blocked, but I'm not sure wh
    • The real problem not that secure DNS existis, its that DNS is being handled by the browsers instead of by the OS

      Do I understand correctly that browsers would use their own DNS servers instead of the ones I have configured in the OS (or through my DHCP server)?

      That sounds really bad indeed. And what does it mean for office LANs, which often have their own DNS for excellent reasons. Mainly because the internal DNS is also the only one to know about the intranet domain(s).

      • That is exactly the problem. So far, Firefox is really bad and doing it now, and Chrome is also doing it, but I'm not sure if it's as bad. The way Firefox does it, it will use its own DNS provider (CloudFlare?) by default, no matter what, unless you do 1 of the 2 following options:

        1) Change the setting in the browser itself to tell it not to do this, however, this is a browser specific setting, so this to me is pointless, as you can't go around and change 100+ people's browser settings, or guarantee tha
    • They only started putting DNS in browsers because ISP-provided DNS is unreliable and can lead to security problems for the average user who does not check their TLS state.

      DNS without TLS is user hostile.

  • by Revek ( 133289 ) on Wednesday October 23, 2019 @12:18PM (#59339334)

    Won't you think of the shareholders. They do nothing but buy their stock and wait to get paid. They don't deserve this.

    • If their stock goes down, the outrageous pay for the C suite - usually stock options - also goes down. Since it's Comcast, seems like a great idea to me.
    • I dunno, people pay a ton of money per month for their ISPs. Any added value from selling customer data or offering advertising is a tiny pittance in comparison. It's like the guy selling you the new car trying to hustle a cardboard air freshener in the deal.

  • by nwaack ( 3482871 ) on Wednesday October 23, 2019 @12:18PM (#59339336)
    ...terrorists start going after disgusting corporations like this instead of targeting the general public. I'd like to see the media's spin on that one.
    • by Nidi62 ( 1525137 )

      ...terrorists start going after disgusting corporations like this instead of targeting the general public. I'd like to see the media's spin on that one.

      One man's terrorist is another man's freedom fighter.

      • ...terrorists start going after disgusting corporations like this instead of targeting the general public. I'd like to see the media's spin on that one.

        One man's terrorist is another man's freedom fighter.

        I think you're wrong, a terrorist is a terrorist by definition, as only a really twisted ideology would consider purposeful killing of bystanders in a remote country as a form of fighting for freedom.

        terrorism
        /terrizm/
        noun: terrorism

        the unlawful use of violence and intimidation, especially against civilians, in the pursuit of political aims.
        "the fight against terrorism"

        • by suutar ( 1860506 )

          The definition of terrorism has frequently depended heavily on who was writing the story, the dictionary notwithstanding. For example, the entire American revolution was "the unlawful use of violence in the pursuit of political aims" but they don't usually get called terrorists.

        • The term depends on whose point of view you are seeing things from.

          As mentioned, the American Revolution fighters were described and called Terrorists by the King of England, who was trying to subjugate them and keep them under British rule.

          While we Americans call them Freedom Fighters because they were fighting to break free from England and its oppressive rule of a colony thousands of miles away by using soldiers and force of the military to do it.

          There are other examples, but that is one big easy e
    • Thing is, they get more media coverage when they go after the general public.

  • by jellomizer ( 103300 ) on Wednesday October 23, 2019 @12:21PM (#59339348)

    If I allow the good guys to see my browsing history, I also allow the bad guys to see my history.
    The ISP should be giving me connection to the internet, at speeds they advertise that I am paying for. No judging on how much I use or where I go. If I am doing wrongdoing on the internet, I am sure investigators can track me down without the ISP.

    Recent history shows that telecom companies sometimes will be too easy to comply with an illegal request for information, to where the government is fishing for bad guys. Where I may become a target, even though I didn't do anything wrong.

    Based on the ads I get, for some reason the internet thinks I am Republican (I am not, I am moderate) and I get flooded with pro-Trump ads, many distasteful and just evil, some of which I report as hate speech. This is bad enough. Having my ISP try to gather this information will further place me in a bucket I do not belong to. Just because I may have tendencies

  • not to abuse my privacy by looking at the bytes so that it can make money by spamming me with advertising.

  • by XanC ( 644172 ) on Wednesday October 23, 2019 @12:35PM (#59339416)

    I'm all for privacy and Comcast is largely evil, but DNS-over-HTTPS, particularly as implemented with a non-system resolver inside an application, is a terrible idea.

    • by mea2214 ( 935585 )
      Is there a Linux DNS over HTTPS resolver? Couldn't Mozilla put an option in to use your own if you have your own resolver, otherwise use Mozilla's? Why would that be bad?
    • Comment removed based on user account deletion
  • If Comcast opposes it it is a net good for The People.

    I use cloudflare 1.1.1.1 anyway. Dunno if Comcast can capture my dns history that way.

    • by Anonymous Coward

      Of course it can, because DNS requests are not encrypted. It doesn't matter what DNS resolver you use, if your requests are not encrypted. Your ISP can sniff those packets and see the names you're requesting IP addresses for.

      On top of that, Comcast will know what websites you browse by simply logging all of the IP addresses you connect to and reversing them.

      Only a fully-wrapped TAP VPN tunnel via a secondary router will prevent your ISP seeing what's going on inside your network. (remember your comcast mode

    • I use cloudflare 1.1.1.1 anyway. Dunno if Comcast can capture my dns history that way.

      So you do not want Comcast having access to your DNS activity, but you have no problems sharing it with Cloudflare: another for-profit company that will do whatever it takes - usually within the law, but probably without it if they can get away with it - in order to maximize profit for their shareholders. Interesting.

      • That's black and white thinking: not all for-profit corporations are equally bad.

        ISPs have a much stronger history of being raving shitheads than Cloudflare, so yes, if I have to place my trust in Cloudflare or the big American ISPs, then Cloudflare wins every time by a country mile. You see, in my world, while nothing is perfect there is still the concept of "better" and "worse".

        • That's black and white thinking: not all for-profit corporations are equally bad.

          Examples of good ones? Because I can't think of one corporation that is not evil in some way or another.

          • Examples of good ones? Because I can't think of one corporation that is not evil in some way or another.

            Like I said, not all for profit corporations are equally bad. Cloudflare is objectively less obnoxious than the big US telcos.

    • by Agripa ( 139780 )

      I use cloudflare 1.1.1.1 anyway. Dunno if Comcast can capture my dns history that way.

      I do not know about Comcast specifically but all of the major ISPs that I have tested used a transparent proxy on DNS and HTTP.

  • Privacy? My Computer Networking class taught me that after DNS sends you the IP address, you still have to send your packets to the actual destination. What does the ISP gain by looking at packets sent to the DNS? The ISP could easily look at the IP address and know which websites I visited.
    • Unless the website uses Cloudflare. Then the ISP only knows that you're connecting to a Cloudflare site.

      • Re: (Score:3, Interesting)

        And Cloudflare has the rest. What makes them any better than your ISP? In fact it's worse. They'll have everybody's DNS logs. One stop shopping for your TLAs

        • by Teun ( 17872 )
          You'll have to trust Mozilla when they say their Cloudflare contract disallows them from logging and monetising the client's history.
          I tend to believe them more than a Comcast.
          But have even more trust in my own ISP (xs4all.nl)
          • "trust"? Don't think so. The correct word is "gamble"

            I'm not sure why you would trust Cloudflare. Sounds more like a honeypot.

        • Assuming for the sake of argument that cloudflare is run by flaming asshats (a different set than comcasts), I'd rather split my data between the two than let one of them snoop on all of it. That way each will have that much less to draw inferences from.
    • by mysidia ( 191772 )

      The IP address of the destination might be on a hosting provider or CDN that uses IP-based virtual hosting, so many different websites are on each IP address, and the IP address you contact does not necessarily identify which resource you are accessing.

    • by mysidia ( 191772 )

      People often use a Proxy service or VPN for privacy purposes as well. Despite using a VPN; one of the ways that users can accidentally leak information about what sites they are visiting -- is through DNS query leakage.

      If the DNS over HTTPS/TLS browser solution prevents DNS Query leakage, then it will be helping close a hole by which some people already utilizing other privacy techniques are accidentally exposing information about their potential activities to an ISP.

  • They will have to do a reverse lookup of all the IPs we visit, this is hard! Maybe we need to encrypt IP numbers too. Or better yet IP number randomization.
    • A reverse lookup that ends at a local CDN server doesn't give them any information on what site you're visiting.

    • Reverse DNS lookups may not tell you much about what sites you visit. The IP address returned might be some kind of load balancer, or the address of a server hosting many different websites.
    • by Chromal ( 56550 )
      Maybe ISPs need to stop eavesdropping on users of their Internet telecommunication network service, not just because it's unethical, but because it's invasive, degrading, and offensive, and this is made worse by the monopolies they've wrongfully been permitted to form over the course of these last twenty years.
  • by Solandri ( 704621 ) on Wednesday October 23, 2019 @01:03PM (#59339512)
    DNS just translates the domain name into an IP address. Your ISP can already see the IP addresses of the web servers you're accessing - it needs to in order to send traffic between the server and you. If you have the IP address, it's trivial to run a reverse DNS lookup to figure out what site you're visiting. Except for servers hosting multiple websites (i.e. multiple sites have the same IP address), or sites using a web proxy like Cloudflare (which caches copies of multiple sites onto its local servers), your ISP doesn't need DNS to see what sites you're visiting.

    Granted, a lot of big sites use Cloudflare. But I thought the purpose of encrypted DNS was to protect you from random people on the network being able to figure out what sites you're visiting. Since regular DNS isn't encrypted, anyone between you and the DNS server you're using could potentially capture your DNS request, and see what site you're trying to visit. It works against random people on the network. But trying to prevent your ISP from seeing what sites you're visiting is like trying to hide the delivery address from the Post Office. Without that address, they don't know where to send your mail/packets to. It can only be done if you relay your mail through someone else like a third party PO box (equivalent to a VPN or proxy).

    The ISPs don't like it not because it hides your browsing history from them. But because using any third party DNS results in them losing ad revenue on the landing pages they've set up for their own DNS. When you type a bad URL, the ISP's DNS guesses what site you were trying to visit, and sends you to a page with ads related to that site. While not substantial revenue, it's basically free money for them. Chrome using its own DNS cuts off this free money entirely.
    • DNS just translates the domain name into an IP address. Your ISP can already see the IP addresses of the web servers you're accessing - it needs to in order to send traffic between the server and you. If you have the IP address, it's trivial to run a reverse DNS lookup to figure out what site you're visiting. Except for servers hosting multiple websites (i.e. multiple sites have the same IP address), or sites using a web proxy like Cloudflare (which caches copies of multiple sites onto its local servers), y

    • by dissy ( 172727 )

      What does this actually protect?
      DNS just translates the domain name into an IP address. Your ISP can already see the IP addresses of the web servers you're accessing - it needs to in order to send traffic between the server and you

      I'm not at all defending them, but one part of the explanation is that it is far far cheaper to set up a huge number of low-ish power servers to run balanced DNS resolvers, compared to the cost of routing equipment that can both route packets at a high speed while also logging packet details that go through them.

      15-20 or so years ago this cost was insane, and the logistics of structuring your network to do it without causing bottlenecks wasn't trivial.

      I don't know about today, but for a ballpark figure, thin

  • by twocows ( 1216842 ) on Wednesday October 23, 2019 @01:28PM (#59339664)
    I've seen a lot of complaints about DoH that strike me as completely reasonable. One of these is that we're just shifting who our data goes through from our ISP to Google (for Chrome) or CloudFlare (for Firefox).

    That's completely true, but it's still an improvement over the existing situation. At least with a third party DNS provider that the ISP can't snoop on, it's a lot harder for them to tie that data to me. It's trivial for my ISP to tie my DNS records to me because they have tons of personally identifiable information on me since I have an account with them. CloudFlare doesn't know whose DNS records those are. Google might, depending on how much personally identifiable information you give Chrome and Google to begin with, but at least there's a degree of control there even if it's imperfect. Plus, there are privacy-focused forks of Chrome (Iridium, for example) that would simply not send that information to Google to begin with.

    So I think DoH is imperfect, but it's a better solution than the current one in that respect. The fact that Comcast is fighting it so hard makes me believe they are currently able to derive some form of monetary gain from having access to that data, which probably means they're selling it to someone. If that's the case: good, fuck 'em. I doubt anyone signed up to Comcast to have them sell their DNS records, they signed up because (like me) the two choices in the area are shit and shittier and Comcast just happens to be shit. I hope Congress tells them to go to hell.
    • It changes one master for another. No, the ISP may not know where you are going... but Google and CloudFlare do. Is it a step in a better direction? I'd probably say yes, especially after things like Phorm, ISPs adding headers to in-flight HTTP transactions, and other hanky panky.

      The ideal would be anonymous DNS providers, like provided by a VPN service, and browsers use DoH to access those.

    • That's completely true, but it's still an improvement over the existing situation.

      This assertion rests on the assumption that all ISPs everywhere are evil and spying on users' DNS traffic. All of them most certainly do no such thing. What Mozilla is doing is making a prejudicial choice on behalf of the end user without asking them first and without any consideration or judgment based on real world evidence of any ISP wrongdoing.

      It would be one thing to implement a system like SmartScreen people could OPT IN to that would bypass DNS if known hostile servers were being used. This is not that.

      • by suutar ( 1860506 )

        How does encrypting the DNS traffic not prevent Comcast from knowing the domain name entered into the browser? They can certainly identify the IP address that you subsequently contact, but the domain name should be opaque to them.

  • I love the way this is being sold: ISPs are bad and untrustworthy, while large centralized systems run by publicly traded corporations with a fiduciary responsibility to maximize shareholder value are trustworthy and deserving of a pass on scrutiny, despite the massive systematic violations of privacy conducted daily against much of the world's population.

    The notion of doing something about ISP DNS privacy by handing it over to big centralized content is an amusing feat of logic.

    As much as I dislike Google

  • Browser-based DNS opens up potential security holes and targeting by state-backed hackers. Applying this principle from local machine to browser would simplify the process. While it's good for privacy from ISPs, this promotes new security issues with DNS holistically.

    VPN services are still the better choice for masking traffic without compromising DNS security.

    Here is something to keep in mind as DNS is becoming a bigger target:

    https://www.zdnet.com/article/... [zdnet.com]

  • In the UK, ISPs lobbied for the government to ban DoH on the grounds it would be used to view child pornography.
    https://www.zdnet.com/article/... [zdnet.com]

  • Isn't it just a simple matter of changing your local system DNS address to use 1.1.1.1 with secondary 1.0.0.1?
  • Let's have 100% encryption of all web traffic in both directions. Then nosy companies like Comcast/Xfinity can go pound sand instead of sticking their noses into what we're all doing.
    • Let's have 100% encryption of all web traffic in both directions.

      That's what HTTPS already does.

      This is about DNS, not "web traffic".

      • When I say 'web traffic' I really mean 'the Internet as a whole', and DNS lookups are part of all web traffic unless all your bookmarks are dotted-decimal IP addresses. Don't be so literal.
        • When I say 'web traffic' I really mean 'the Internet as a whole',

          If you're not going to speak English, and don't understand what you are saying in whatever language you are speaking, please refrain from suggesting technical ideas.

          and DNS lookups are part of all web traffic

          No, they actually aren't, unless you have something doing DNS via HTTPS, and then you've got HTTPS encrypting it all already. 'DNS' is not "the web". "The internet" and "the web" are not synonyms.

          Don't be so literal.

          Don't be so ignorant.

  • No

    ISP's can just tack on another fee and buy the data back. Where's the problem?

    Maybe Starlink will herald in the era of the Internet Courier vs ISP model. The always-on model of connectivity seems to be getting long in the tooth.
  • Sorry, huh? The ISPs are upset because you're not using their default DHCP/DNS suggestion? Or is it because they're sniffing packets going elsewhere to obtain that same info, and soon they can't.

    So the ISPs know who you are (your account linked to an IP, even if it is DHCP changing) and via DNS know what you're looking for? And that's it?

    So are they worried about ENCRYPTION -- it's going somewhere we can't see -- or about using someone else's DNS per above, where it's in the clear and they can sti
  • Ultimately this is about trust. Do I trust my ISP or do I trust Google and Mozilla more? I can usually move to another ISP if I'm unhappy with them. My ISP probably has less commercial incentive to use my browsing habits to track me or send me ads.

    DoH does not tangibly affect the ability of my ISP to do tracking. They route my traffic, so they know the IPs I visit, and with pretty high confidence can map them to where I've been going anyway.
    Just because you can send traffic encrypted through https
    • This. While competition is barely there, if I don't trust my ISP, there are 1 or 2 real alternatives that I can go to at least. With Google/Cloudflare, not so much, avoiding them is a whole lot harder.

      Add on the fact that at least my ISP is a legitimate ISP, that I pay, and they make revenue/profit from my monthly service plan. But Google, not so much. They are actually an advertising company masquerading as a service provider. They don't make any money from me or most of its "customers" by selli
