DNS-over-https is long overdue -- but people still need Internet privacy tools
May 26, 2020
In privacy circles, the term DNS-over-https has been seeing increased attention lately. Earlier this year, Mozilla began the rollout of DNS-over-https as the default for its Firefox browser, and Google recently announced that it will follow suit with its next software update. As a result, by the end of the year more than three quarters of U.S. web traffic will be encrypted in this way.
DNS-over-https refers to sending the name lookups that connect computers to their destination websites -- which take place through the Domain Name System, or DNS -- over the encrypted Hypertext Transfer Protocol Secure (https). The difference from traditional DNS, which travels in plain text much like unencrypted http, is simply that the DNS request is sent over a secure connection. As straightforward as that sounds, it makes a major difference for people's online security. With DNS-over-https, the contents of DNS lookups are hidden while in transit, making it impossible for third parties to interfere.
DNS-over-https offers strong protection against eavesdropping and tampering, since third parties are unable to decipher the encrypted traffic as it travels to the DNS servers. Crucially, it also prevents man-in-the-middle attacks, in which a malicious third party is able to gain control of traffic and steal or tamper with information. The effects of this type of attack can be severe and include the loss of critical private information, large sums of money, or both. Any attacker with sufficient technical expertise can launch such an attack if they are in proximity to two targets connected to an unsecured Wi-Fi network.
The implementation of DNS-over-https as the default in web browsers is an important milestone for Internet privacy and the security of individual web users. But while it may seem like a universally positive step, not everyone is happy about the change. Internet service providers (ISPs) such as Verizon and AT&T generate revenues by logging and selling web traffic data to third-party advertisers. In fact, large U.S. ISPs have aggressively lobbied Congress in opposition to DNS-over-https. And lawmakers have protested that it will hamper legitimate information gathering in the interest of criminal justice or national security.
DNS-over-https is a good thing, but other safeguards are still necessary
Orchid has grown out of a steadfast belief in the importance of privacy and transparency on the Internet. This belief holds that neither corporate revenue models nor prosecutorial rationales outweigh the right of individuals not to be watched or manipulated without their consent. Lack of proper security measures has made people vulnerable online for too long, so it is welcome news that some major providers are now moving to encrypt web traffic. However, it is still important for individuals concerned about privacy to incorporate best practices to protect themselves, and these include Internet tools such as VPNs.
While DNS-over-https protects people from falling victim to surveillance or man-in-the-middle attacks, it does not make their Internet browsing fully private. The destination website still sees the information and can store it or share it with third-party aggregators for advertising purposes. This data is still vulnerable to exploitation if the databases it ends up in are compromised.
Therefore, people concerned about online privacy should continue to follow best practices to minimize the likelihood of surveillance. Orchid, designed around Internet privacy with a mission to restore the web as a free and open place, brings together the services of leading VPN providers in a single incentivized marketplace. Orchid lets users combine the services of different VPNs, "hopping" between them for even stronger anonymity. DNS-over-https is an important step, and combining it with the right privacy tools can offer people the strongest Internet privacy currently available.
Orchid is available for download.