2/13/2019
08:00 AM
Larry Loeb

Google Moves to Control More of the Internet

The company has said that its goal is only to create a faster Internet, which allows for more use and hence more searches and thus more revenue for them.

The Domain Name System (DNS) is one of the Internet's core technologies, but it is invisible to most users. It is the system that takes a name like "www.foo.com" and turns it into the numerical IP address that is needed before any data can actually be transferred.

Most DNS resolution is currently done by whichever Internet service provider (ISP) the user has engaged. The ISP maintains the servers and the lookup tables that translate between names and numbers.

However, Google and Cloudflare have recently moved to bypass these ISP lookups by offering their own public DNS resolver services.

To support this, a transport protocol called DNS over HTTPS (DoH) has been developed so that DNS queries can be sent securely over HTTPS.

The DoH protocol uses the HTTP and Transport Layer Security (TLS) infrastructure to deliver encrypted and authenticated DNS answers that are very hard for network operators lower down the hierarchical transmission ladder to block.

DoH is not perfect.

DoH shares the benefits as well as the downsides of HTTPS. It can send out more trackable and identifiable data than a regular DNS session, because HTTP supports things like headers and cookies. TLS session resumption can be a tracking mechanism too.

On the plus side, DoH makes it possible to push DNS answers out even before they have been asked, which could help the loading performance of a page. And the returned answers are encrypted and authenticated, as previously mentioned. That would stop anyone from hijacking a DNS name server.

DoH is what allows DNS resolution to migrate to cloud providers, bypassing local ISPs. If you are stuck in a location that censors what you may connect to, that may be seen as a positive. If you do not trust your current DNS resolver, the protocol gives you a choice of whom you trust to do your DNS resolution.

But -- and this is a big point -- even though the TLS connection that is set up by DoH is encrypted and private, the Server Name Indication (SNI) used in this connection is sent in plain text. That is still the case in the latest TLS version, 1.3.
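The following added example (not code from the article) shows why the SNI point holds: the server_name extension travels in the ClientHello, the very first handshake message, before any key exchange, so anyone on the path, including a network operator's own monitoring, can read the target host name from the unencrypted bytes. The block builds a minimal TLS 1.3-style ClientHello for a constructed host name and then extracts the name the way a passive parser would; the cipher suite and host name are assumptions for the example.

```python
import os
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(server_name, include_sni=True, random_bytes=None):
    """Return a TLS handshake record carrying a ClientHello that offers
    TLS_AES_128_GCM_SHA256 and, optionally, one server_name extension."""
    random_bytes = random_bytes or os.urandom(32)
    host = server_name.encode("ascii")
    # ServerNameList: entry = name_type 0 (host_name) + 2-byte length + name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = (struct.pack("!HH", SNI_EXT_TYPE, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (
        b"\x03\x03"                               # legacy_version (TLS 1.2)
        + random_bytes                            # 32-byte client random
        + b"\x00"                                 # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites
        + b"\x01\x00"                             # compression: null only
    )
    if include_sni:
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Walk the plaintext ClientHello and return the host_name from the
    server_name extension, or None if the hello carries no SNI."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    off = 2 + 32                                        # version + random
    off += 1 + body[off]                                # session id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # cipher suites
    off += 1 + body[off]                                # compression methods
    if off >= len(body):
        return None                                     # no extensions block
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + elen]
        off += elen
        if etype != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        pos = 2
        while pos + 3 <= 2 + list_len:
            name_type = data[pos]
            name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            name = data[pos + 3:pos + 3 + name_len]
            pos += 3 + name_len
            if name_type == 0:                          # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.foo.com")          # constructed host name
    print("SNI visible on the wire:", extract_sni(hello))
    print("bytes of the name in the clear:", b"www.foo.com" in hello)
```

Note what the parser needs: no keys, no session state, just the first record of the connection. That is exactly the visibility the article is worried about, and it is also why network defenders can log SNI for their own traffic inventory without decrypting anything.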

And this gives some users pause when thinking about how DoH may be used.

A plain text SNI can enable someone like Google to build up, over time, a profile of the websites a user visits. Google, when asked about this, has said that its goal is only to create a faster Internet, which allows for more use and hence more searches and thus more revenue for them. One must then trust that Google's viewpoint will not change over time, and that it will not monetize this record of user behavior or perhaps block local ISP features such as ad blocking, which would interfere with its core business.

In the end, changing the way DNS is resolved will end up giving companies like Google even more control over a user's Internet experience. Whether a user is willing to trade avoidance of political censorship for commercial censorship is a tricky call.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
