It’s not just governments (and criminals) who want to monitor your internet usage. Your company has good reasons to check what you’re connecting to, but it’s going to get a lot harder…:
[…] Today, more than half of Internet traffic to an endpoint is unwanted, Vixie notes. Later this month at the RSA Conference in San Francisco, Vixie will outline the security implications of the Internet’s privacy evolution in a presentation entitled “Consent, Alignment and Cooperation in the Internet Era.”
Running Domain Name System (DNS) over encrypted Web sessions with DoH, for instance, complicates enterprise security. The DoH protocol handles DNS resolution over HTTPS, the encrypted Web protocol, to prevent man-in-the-middle attacks that listen in on or manipulate DNS, but it also blocks the ability for security tools to spot malware or other nefarious activity.
“Privacy and encryption are two entirely different things,” notes encryption expert Andrew Campling, director of UK-based 419 Consulting Ltd. Campling says DoH was largely an effort led by browser makers and didn’t take into consideration the network implications of that level of application-layer encryption.
For a financial services firm, for example, DoH could allow a rogue trader to bypass the firm's internal systems. “If I’m a financial services firm I may have an absolute requirement to archive all incoming and outgoing communication between my traders and their customers for compliance purposes,” Campling explains. And the rogue trader’s communications couldn’t be detected and archived, thus putting the firm into dangerous compliance exposure, he says.
Service providers that offer Parental Controls also face issues with DoH since those controls couldn’t necessarily be enforced.
“It will raise the complexity for enterprise users and IT teams, but it’s not all unsurmountable,” he says. In Chrome, for example, IT can disable or “grey out” the DoH feature option, but of course that means IT has to actually be aware that this feature is out there, he says.
An industry initiative led by Comcast called the Encrypted DNS Deployment Initiative (EDDI) aims to identify the challenges with these emerging encryption technologies and how to overcome them, he notes. Other major players in EDDI include Akamai, AT&T, Cox, Microsoft, Sprint, Verizon, and Vixie’s company.
Meantime, Vixie worries that once corporate users start running DoH in their browsers, it will be difficult to flag botnet activity, for instance. “The inability to know what the agents, or employees, or intruders are doing is a big problem for your average CISO,” he says. “So DNS over HTTPS [DoH] is another prime example of that. Using DNS lookups as an early indicator of trouble has become pretty common.”
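To illustrate the visibility gap Vixie and Campling describe, here is an added Python example (not code from the article or from anyone quoted in it) that correlates two constructed logs: outbound TLS flows and the enterprise resolver's query log. A host that talks to a well-known public DoH resolver over 443 yet never appears at the internal resolver has taken its DNS out of the CISO's view; the resolver hostname list is assumed and illustrative, not exhaustive.

```python
"""Spot endpoints whose DNS resolution has moved into DoH and so vanished
from the enterprise resolver. All log data below is constructed."""
from collections import defaultdict

# Well-known public DoH resolver hostnames (illustrative subset, assumed).
KNOWN_DOH_RESOLVERS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net",
}

# Constructed outbound TLS flow log (key=value fields) and constructed
# internal resolver query log (client qname).
FLOW_LOG = """\
src=10.0.0.5 dport=443 sni=dns.google
src=10.0.0.5 dport=443 sni=dns.google
src=10.0.0.5 dport=443 sni=www.example.com
src=10.0.0.7 dport=443 sni=cloudflare-dns.com
src=10.0.0.7 dport=443 sni=mail.example.com
src=10.0.0.9 dport=443 sni=www.example.com"""
RESOLVER_LOG = """\
10.0.0.7 intranet.example.com
10.0.0.9 www.example.com
10.0.0.9 mail.example.com"""

def parse_kv(line):
    """Turn 'k=v k=v' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify_hosts(flow_log, resolver_log):
    """Return {host: verdict}. 'doh_only': reaches a known DoH resolver over 443
    and never queries the internal resolver; 'doh_mixed': does both; 'ok': no
    DoH traffic seen."""
    doh_flows, resolver_hits, hosts = defaultdict(int), defaultdict(int), set()
    for line in flow_log.splitlines():
        rec = parse_kv(line)
        hosts.add(rec["src"])
        if rec.get("dport") == "443" and rec.get("sni") in KNOWN_DOH_RESOLVERS:
            doh_flows[rec["src"]] += 1
    for line in resolver_log.splitlines():
        client, _qname = line.split()
        hosts.add(client)
        resolver_hits[client] += 1
    verdicts = {}
    for host in sorted(hosts):
        if doh_flows[host] and not resolver_hits[host]:
            verdicts[host] = "doh_only"
        else:
            verdicts[host] = "doh_mixed" if doh_flows[host] else "ok"
    return verdicts

if __name__ == "__main__":
    for host, verdict in classify_hosts(FLOW_LOG, RESOLVER_LOG).items():
        print(f"{host}: {verdict}")
```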