Engineers from Cloudflare and Apple say they’ve developed a new way to prevent your internet service provider (ISP) from knowing which websites you visit.
As reported by TechCrunch, the engineers developed a protocol called ‘Oblivious DNS-over-HTTPS’ (ODoH) that uses a combination of encryption and proxies to prevent snooping on web history. To fully understand ODoH, however, you need to understand a few things about how the internet works.
In short, when you visit a website in your browser, it uses the Domain Name System (DNS) to turn the human-readable web address into the IP address your computer actually connects to. Traditionally that lookup is sent in plaintext (over UDP or TCP port 53), so anyone on the path, from the operator of a coffee-shop Wi-Fi network to your ISP, can read or tamper with the query. Worse, the DNS resolver your computer asks sees every name you look up. Since most people never change their DNS settings, they use the resolver their ISP hands out automatically, and so share their browsing history with that ISP.
A while back, U.S. ISPs kicked up a bit of a stink over Google’s plan to add a technology called DNS-over-HTTPS (DoH) to Chrome. DoH carries DNS queries inside an ordinary HTTPS connection to the resolver, so an attacker on the path can neither read them nor tamper with the answers to redirect unaware users to malicious websites. While DoH is a real benefit for privacy, it moves trust rather than removing it: the DoH resolver still sees both the query and the IP address that sent it, so it still knows which sites you visit.
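To make concrete what DoH actually puts inside that HTTPS connection, here is an added example, not code from the article, from Google or from Cloudflare. It builds the binary DNS query that RFC 8484 expects, packages it as the base64url `dns=` parameter of a GET request, and decodes the IPv4 answers from a wire-format response. The resolver hostname cloudflare-dns.com is Cloudflare's public DoH endpoint; the response bytes are constructed inline so the example runs offline, and the network fetch itself is left out. For `www.example.com` the generated parameter reproduces the example value given in RFC 8484 section 4.1.1.

```python
"""DoH request/response packaging per RFC 8484 (added example, not Chrome's code)."""
import base64
import struct


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query: 12-byte header followed by one question.

    RFC 8484 recommends transaction ID 0 so identical questions produce
    identical URLs (cache friendly); qtype 1 asks for an A record.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        encoded = label.encode("idna")
        if not 1 <= len(encoded) <= 63:
            raise ValueError(f"bad label {label!r}")
        question += bytes([len(encoded)]) + encoded
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def doh_get_url(resolver: str, qname: str, qtype: int = 1) -> str:
    """GET form of a DoH request: base64url without padding in the dns= parameter.

    The client also sends 'Accept: application/dns-message'. A POST carrying
    the raw bytes with Content-Type: application/dns-message is equivalent.
    """
    wire = build_dns_query(qname, qtype)
    dns_param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={dns_param}"


def parse_a_records(response: bytes) -> list:
    """Extract IPv4 answers from a wire-format response (handles name compression)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:  # non-zero RCODE: NXDOMAIN, SERVFAIL, ...
        return []

    def skip_name(p: int) -> int:
        while True:
            length = response[p]
            if length == 0:                 # root label ends the name
                return p + 1
            if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4            # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return ips


# Constructed sample response: ID 0, flags 0x8180 (QR, RD, RA), one question,
# one A record answer whose owner name is a pointer back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("cloudflare-dns.com", "www.example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Note that everything in the URL after `?dns=` is still the same query a plaintext resolver would receive; DoH only changes the transport. That is exactly why the resolver itself learns as much as before.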
ODoH uses proxy servers to separate the user from the query
ODoH aims to solve that last issue by splitting the job between two parties. The client encrypts its DNS query to the public key of the resolver (which ODoH calls the target) and sends the ciphertext to a proxy, which forwards it to the target. The proxy sees which client sent the message but cannot read the query; the target can decrypt the query but sees only the proxy’s address, not the client’s. The answer travels back the same way, encrypted so the proxy cannot read it either.
Cloudflare’s head of research, Nick Sullivan, told TechCrunch that ODoH page loading times are “practically indistinguishable” from DoH and shouldn’t significantly impact browsing speed.
While ODoH is a step in the right direction for improving online privacy, it isn’t perfect. Its privacy guarantee depends on the proxy and the target resolver being run by separate entities that do not share logs. If one company controls both, it can simply match the proxy’s record of who sent each message against the target’s record of what each message asked for, reconstructing exactly the browsing history ODoH is meant to hide.
Sullivan told TechCrunch that a few partner organizations already run proxies and that early adopters can try out ODoH through Cloudflare’s 1.1.1.1 DNS resolver. However, it could take some time before ODoH is baked into browsers and operating systems, which largely depends on when the Internet Engineering Task Force (IETF) adopts and publishes ODoH as a standard.
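The split described above, and the collusion caveat, as an added simulation that is not part of the article or of Cloudflare’s or Apple’s implementation. It models the client, proxy and target as Python objects with in-memory logs; the party names, the client address 203.0.113.7 and the one-entry zone are constructed for the example. Real ODoH (later published as RFC 9230) encrypts with HPKE; the textbook Diffie-Hellman and HMAC keystream here stand in for that and are not secure. The returned dictionary records what each party could see on its own and what a single operator holding both logs can join back together.

```python
"""Toy three-party ODoH exchange (added example, not Cloudflare's or Apple's code).

The client encrypts its question to the target's public key, so the proxy
relays bytes it cannot read and the target decrypts a question whose sender,
from its point of view, is the proxy. Real ODoH (RFC 9230) uses HPKE
(X25519, HKDF, AES-GCM); this stand-in uses finite-field Diffie-Hellman over
p = 2^255 - 19 with an HMAC-SHA256 keystream. NOT secure; it only makes the
information flow visible.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19                     # prime modulus; toy parameter, not a standard DH group
G = 2
ANSWERS = {"example.com": "192.0.2.1"}   # constructed sample zone served by the target


def keygen():
    """Return (private, public) for the toy Diffie-Hellman."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def derive_key(peer_public: int, own_private: int) -> bytes:
    shared = pow(peer_public, own_private, P).to_bytes(32, "big")
    return hashlib.sha256(b"odoh-toy-kdf" + shared).digest()


def xor_keystream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stream-cipher stand-in for AEAD: XOR data with HMAC(key, label || counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Target:
    """The resolver. Publishes a key; logs (peer address, decrypted qname)."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.log = []

    def handle(self, peer_addr: str, blob: bytes) -> bytes:
        eph_pk = int.from_bytes(blob[:32], "big")        # client's per-query public key
        key = derive_key(eph_pk, self.sk)
        qname = xor_keystream(key, b"query", blob[32:]).decode()
        self.log.append((peer_addr, qname))              # sees the name, not the client
        answer = ANSWERS.get(qname, "NXDOMAIN")
        return xor_keystream(key, b"response", answer.encode())


class Proxy:
    """Relays opaque blobs; logs (client address, ciphertext)."""

    def __init__(self, target: Target, addr: str = "proxy.example"):
        self.target, self.addr, self.log = target, addr, []

    def forward(self, client_addr: str, blob: bytes) -> bytes:
        self.log.append((client_addr, blob))             # sees the client, not the name
        return self.target.handle(self.addr, blob)       # target sees the proxy's address


def client_query(proxy: Proxy, target_pk: int, client_addr: str, qname: str) -> str:
    eph_sk, eph_pk = keygen()                            # fresh key pair per query
    key = derive_key(target_pk, eph_sk)
    blob = eph_pk.to_bytes(32, "big") + xor_keystream(key, b"query", qname.encode())
    return xor_keystream(key, b"response", proxy.forward(client_addr, blob)).decode()


def collude(proxy: Proxy, target: Target) -> list:
    """What one operator holding both logs can do: join them by arrival order."""
    return [(c_addr, qname) for (c_addr, _), (_, qname) in zip(proxy.log, target.log)]


def run_demo(qname: str = "example.com", client_addr: str = "203.0.113.7") -> dict:
    target = Target()
    proxy = Proxy(target)
    answer = client_query(proxy, target.pk, client_addr, qname)
    return {
        "answer": answer,
        "proxy_sees_client": proxy.log[0][0] == client_addr,
        "proxy_sees_qname": qname.encode() in proxy.log[0][1],
        "target_sees_client": target.log[0][0] == client_addr,
        "target_sees_qname": target.log[0][1] == qname,
        "joined_by_colluder": collude(proxy, target),
    }


if __name__ == "__main__":
    print(run_demo())
```

Compare the two logs after a run: the proxy’s entry holds the client address next to bytes it cannot interpret, the target’s entry holds the name next to the proxy’s address, and `collude()` shows that arrival order alone is enough to rejoin them once one party holds both. That is the whole reason the proxy and target must be operated independently, and why the real protocol encapsulates a fresh key with every query rather than reusing one.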