Welcome to Codebook, the cybersecurity newsletter with the largest collection of Archie comic books.
A new feature in Mozilla and, soon, Chrome web browsers will stop snoops — from your boss to criminals — from tracking which sites you visit. But the same technology also has opponents, as many groups fighting child exploitation say it will hamper their work, and a few internet experts argue it will undermine security.
The big picture: The feature, known as DNS over HTTPS (DoH), has a lot of support in the internet engineering and privacy communities, including the Internet Engineering Task Force, a key internet standards body. But as in the larger debate over encryption, privacy benefits can have downsides for some parties.
How it works: Until very recently, when you typed “axios.com” into a web browser, the first stage of that request was sent out over the internet unencrypted. That data could be:
DoH changes that by encrypting the names of the sites you visit, so no one but you and a DoH provider like Google, Cloudflare or Quad9 sees them. And those groups pledge to quickly delete all logs.
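To make the difference concrete, here is an added example (not part of the original newsletter) that builds the lookup for "axios.com" in standard DNS wire format, shows what an on-path observer can read from it when it is sent unencrypted, and then encodes the same bytes the way a DoH GET request carries them inside HTTPS. The `/dns-query` path is an assumption taken from the example in RFC 8484; providers may use a different path.

```python
import base64
import struct


def build_query(name, qtype=1, txid=0):
    """Build a DNS query in RFC 1035 wire format (qtype 1 = A record)."""
    # Header: ID, flags (recursion desired), 1 question, 0 other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is prefixed with its length, ended by a zero byte.
    qname = b"".join(
        bytes([len(label)]) + label
        for label in name.rstrip(".").encode("ascii").split(b".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def visible_labels(payload):
    """Return the site name an observer can read from an unencrypted query."""
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return labels


def doh_get_path(query, path="/dns-query"):
    """RFC 8484 GET form: the same bytes, base64url-encoded without padding.

    The path is an assumption (RFC 8484's example); the whole request is
    sent over HTTPS, so the name is inside the encrypted connection.
    """
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return path + "?dns=" + encoded


if __name__ == "__main__":
    query = build_query("axios.com")  # constructed sample lookup
    print("Unencrypted DNS payload:", query)
    print("Readable by anyone on the path:", ".".join(visible_labels(query)))
    print("DoH request line (sent inside TLS): GET", doh_get_path(query))
```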
Driving the news: Last week, Google announced it would switch Chrome and Android users to DoH whenever the provider they used for unencrypted browsing also offered DoH. Mozilla announced plans this weekend to begin testing out DoH by default for all users in the U.S.
Google thinks it is being misunderstood. The company's proposal would only change a user's settings from the old, unencrypted system if doing so wouldn't affect existing filters and security, meaning the child endangerment argument really wouldn't apply.
But there are security reasons why some people oppose DoH, too.
DoH advocates argue that their preferred protocol has a key advantage over DoT. DoH uses the same pathways as web browsing, making it impossible to block without blocking all web browsing. DoT doesn't disguise itself that way.
Mozilla says that many concerns are already being addressed on its end.
The bottom line: The risks to parental controls might not be as grim as the child endangerment argument suggests.
A team of old-guard conservatives called on Senate Majority Leader Mitch McConnell to pass election security measures Wednesday.
Why it matters: The Kentucky Republican hasn't allowed several election security measures, both bipartisan and Democrat-led, to come up for a vote.
Details: Low-tax advocate Grover Norquist and FreedomWorks president Adam Brandon argued at a press conference for federal funding so states can upgrade insecure equipment and for a federal mandate that states use auditable paper ballots.
There are two stumbling blocks perennially in the way of federal action:
Russia watched the FBI watch them in 2012 (Yahoo): Russia was able to breach FBI communications networks in 2012, including cracking the U.S.' second-tier quality encryption, causing the CIA and FBI to cut off contact with Russian assets, according to a Yahoo report.
Israel arrests unlicensed spyware vendor (ZDNet): Ability, which makes spyware used by law enforcement agencies worldwide, allegedly had been operating without an export license since March.
Government-funded app to screen emails for fraud: As we reported Tuesday, the Los Angeles Cyber Lab, a nonprofit primarily funded by the city of Los Angeles and the Department of Homeland Security, will now offer a free app to screen questionable emails for hackers and fraud.
Tortoiseshell! (Symantec): In a move that may delight my mom, Symantec gave a newly discovered group infecting 11 IT companies in Saudi Arabia the name "Tortoiseshell."