You wouldn’t think it, but when it comes to IT, security and safety aren’t always synonymous. Sometimes, the measures that increase technical security also remove the ability to provide safeguards for users.
Firefox started rolling out DNS-over-HTTPS to users in the US recently. This is largely seen as an improvement in security, preventing alteration or observation of a user’s DNS queries by their ISP, which in the US no longer have limitations on selling this data. Governments can also use it to spy on their citizens, and ISPs (including in Australia and the UK) are often forced by law to alter DNS responses to block websites.
However, observing and altering DNS queries and responses is used by many security monitoring and internet safety products, like Cisco Umbrella (aka OpenDNS) and Quad 9, for blocking access to porn sites and botnet command and control.
Observing the SNI header in a TLS connection can also be used for access control to HTTPS websites without decrypting and re-encrypting the entire connection, which does provide more control but when done poorly can reduce security. But browsers that use DoH will also use encrypted SNI and TLS 1.3 (which remove any identifying details from the connection) to prevent this as well.
At my workplace, a school, we do perform TLS interception, and part of the content we look at is Google searches and Facebook comments. These are matched against various patterns such as drug use, self-harm and bullying, and alerts sent to the school psychologists. While we haven’t had any serious incidents, at other schools these alerts have had clear positive impacts.
Some other workplaces, particularly financial ones, have a requirement to store decryptable copies of data to prevent insider trading. Others use data loss-prevention software that decrypts traffic and scans it for private information leaving the organisation, either by accident or hackers.
But TLS interception is also a favourite of repressive governments, and as a result many apps, particularly on phones, now perform certificate pinning and refuse any certificate, even if the interception certificate authority is legitimately installed on the device.
And so despite their usefulness, these safety tools are being taken away in the name of security against repressive governments and unethical ISPs. Paul Vixie, one of the architects of DNS, is against DoH, but really there is no one-size-fits-all solution, with the desires of the owner of a device and the administrator of a network coming into conflict.
Is this a school-owned device where there is a legitimate purpose for the interception, or a company protecting against a botnet infection? Or is it a phone in Kazakhstan where the government wants to decrypt all web traffic, or at a coffee shop which might have had a DNS redirector installed on the router? There’s no way for computer code to determine the context, and so to protect against the latter cases, the former will be prevented as well.
So what can we do? Fortunately Firefox has provided ways for network and device administrators to disable DoH (which also might be needed to support split-DNS environments). But they warn that if this ability is abused (eg, to enforce parental controls without opt-in), then they will revisit their approach. Ultimately, devices will stop letting the network set their policy, which will lead to the death of BYOD for secure organisations, since the only way to configure devices for safety requires them to be fully managed by the organisation.