12-21-2019, 08:08 AM
This topic stems from the 'Heads-Up: Firefox rolling DNS-over-HTTPS (DoH)' thread and will try to present in a non-technical overview, the big picture of the current state of our privacy on the Web and the emerging technologies that promise, when adopted, a new wave of the famous 'Going Dark' meme.
Till fairly recently (june 2013 -the Snowden revelation moment) the Web was still largely transmitted in plain text. You would connect to a forum like this one and login without any encryption at all, not even for the login forum to secure your password!... But that was then. By 2015, the Web (or a large section of it) adopted the HTTPS as its new medium of transmission in a move to reassure its users that its actors are doing something against the industrial scale of spying that Snowden revealed... That was the first 'Going Dark' moment.
Thus, the push towards TLS (and the fact that Windows XP was becoming EOL by 2014) made even the ubiquitous shared hosting services to start offering it to their users by making use of the TLS SNI extension (Windows XP didn't support SNI.) At first people were starting to use self-signed keys for their personal websites, but by December 2015, Let's Encrypt, the non-profit certificate authority, entered the Web scene and made TLS certificate affordable for everyone... No more excuses!..
With an HTTPS-powered Web, a bit of intimacy and privacy started to exist on the Web, especially when TLS v1.2 was adopted; this version was the first to support Perfect Forward Secrecy (PFS), which is a TLS feature that make use of 'volatile' session keys assuring the safety of the encryption even if the private key of the server is compromised somehow. [As an aside -and will probably comeback later on this in another post -PFS is now mandatory in TLS v1.3.]
Alas, with all the progress outlined above, we're still too short to claim any privacy on the Web, and here is why: we are leaking the site's own identity even if that communication is done via HTTPS (be it TLS v1.2 or even v1.3.) On that simple information, anyone sitting between you and that server will be able to get a pretty good idea about YOU!.. and that's a gold mine for a lot of reasons, starting from the trivial (business related stuff-i.e. selling that info to the highest bider) to the sensitive (legal related matters.)
So, to protect the identity of the sites we visit we have to deal with 4 different leaks:
Now, I'll be posting about the specifics of all the 4 technologies in a bit more details later on.
Stay tuned.
Till fairly recently (june 2013 -the Snowden revelation moment) the Web was still largely transmitted in plain text. You would connect to a forum like this one and login without any encryption at all, not even for the login forum to secure your password!... But that was then. By 2015, the Web (or a large section of it) adopted the HTTPS as its new medium of transmission in a move to reassure its users that its actors are doing something against the industrial scale of spying that Snowden revealed... That was the first 'Going Dark' moment.
Thus, the push towards TLS (and the fact that Windows XP was becoming EOL by 2014) made even the ubiquitous shared hosting services to start offering it to their users by making use of the TLS SNI extension (Windows XP didn't support SNI.) At first people were starting to use self-signed keys for their personal websites, but by December 2015, Let's Encrypt, the non-profit certificate authority, entered the Web scene and made TLS certificate affordable for everyone... No more excuses!..
With an HTTPS-powered Web, a bit of intimacy and privacy started to exist on the Web, especially when TLS v1.2 was adopted; this version was the first to support Perfect Forward Secrecy (PFS), which is a TLS feature that make use of 'volatile' session keys assuring the safety of the encryption even if the private key of the server is compromised somehow. [As an aside -and will probably comeback later on this in another post -PFS is now mandatory in TLS v1.3.]
Alas, with all the progress outlined above, we're still too short to claim any privacy on the Web, and here is why: we are leaking the site's own identity even if that communication is done via HTTPS (be it TLS v1.2 or even v1.3.) On that simple information, anyone sitting between you and that server will be able to get a pretty good idea about YOU!.. and that's a gold mine for a lot of reasons, starting from the trivial (business related stuff-i.e. selling that info to the highest bider) to the sensitive (legal related matters.)
So, to protect the identity of the sites we visit we have to deal with 4 different leaks:
- DNS name resolution: this leak is dealt with when using DoH (DNS over HTTPS on port 443) or DoT (DNS over TLS on port 853.)
- the TLS certificate message: this leak is suppressed when we use TLS v1.3, which encrypts the server certificate by default.
- the TLS Server Name Indication extension (SNI): the fix for this leak (i.e. the encryption of the the SNI field, hence “encrypted SNI” or ESNI) was dropped from the TLS v1.3 standard but still Mozilla & Cloudflare engineers are currently testing a use-case for it.
- the IP address of the server: this is a hard one to crack; no wonder, it's at the heart of the Internet mechanics. But on shared hosting and/or behind a CDN (like Cloudflare) and/or behind a VPN ..etc.. things get indeed a lot fuzzier.
Now, I'll be posting about the specifics of all the 4 technologies in a bit more details later on.
Stay tuned.