Sep 19, 2019

Axios Codebook

Axios

Welcome to Codebook, the cybersecurity newsletter with the largest collection of Archie comic books.

Today's Smart Brevity: 1,074 words, 4 minute read

1 big thing: New browser security debate heats up

Illustration: Aïda Amer/Axios

A new feature in Mozilla and, soon, Chrome web browsers will stop snoops — from your boss to criminals — from tracking which sites you visit. But the same technology also has opponents, as many groups fighting child exploitation say it will hamper their work, and a few internet experts argue it will undermine security.

The big picture: The feature, known as DNS over HTTPS (DoH), has a lot of support in the internet engineering and privacy communities, including the Internet Engineering Task Force, a key internet standards body. But as in the larger debate over encryption, privacy benefits can have downsides for some parties.

How it works: Until very recently, when you typed “axios.com” into a web browser, the first stage of that request was sent out over the internet unencrypted. That data could be:

  • Compiled and sold by Internet service providers and used for ads.
  • Subpoenaed by the government.
  • Available for your boss to see, if you worked on a corporate network.

DoH changes that by encrypting the name you visit, so no one but you and a DoH provider like Google, Cloudflare or Quad9 see them. And those groups pledge to quickly delete all logs.

Driving the news: Last week, Google announced it would switch Chrome and Android users to DoH whenever the provider they used for unencrypted browsing also offered DoH. Mozilla announced plans this weekend to begin testing out DoH by default for all users in the U.S.

  • That created an uproar at child endangerment organizations, who worry that enabling DoH by default will circumvent parental filtering software in the U.S.
  • Groups have had similar concerns in the U.K., where internet service providers filter illicit websites as users try to access them — something that's impossible to do with DoH.

Google thinks it is being misunderstood. The company's proposal would only change a user's settings from the old, unencrypted system if doing so wouldn't affect existing filters and security, meaning the child endangerment argument really wouldn't apply.

  • "All existing filters and controls remain intact," the company said in a statement.

But there are security reasons why some people oppose DoH, too.

  • Paul Vixie, who laid a lot of the groundwork for the old DNS system, warns that DoH prevents corporations from filtering connections to malicious domains.
  • Vixie believes that a nearly identical service that provides better visibility, DNS-over-TLS (DoT), is a superior choice. Both options use the same encryption algorithm.

DoH advocates argue that their preferred protocol has a key advantage over DoT. DoH uses the same pathways as web browsing, making it impossible to block without blocking all web browsing. DoT doesn't disguise itself that way.

  • But Vixie believes that puts the security of the few over that of the many. "With DoH, they are solving a problem that most of the world doesn't have by creating a problem that everyone in the world will have," he said.

Mozilla says that many concerns are already being addressed on its end.

  • "Our deployment plan will disable DoH if parental controls are in place," said Selena Deckelmann, senior director of engineering, adding the same will be true when Firefox detects certain security products.
  • And Cloudflare notes that parental filters that operate before starting to connect to a website will still work. "Someone looking to use DoH to keep their web browsing data private can apply parental filters or security products on their DoH endpoint," said Alissa Starzak, Cloudflare head of policy.

The bottom line: The risks to parental controls might not be as grim as the child endangerment argument suggests.

2. Conservative activists lobby for election security

Photo: Bill Clark/CQ Roll Call

A team of old-guard conservatives called on Senate Majority Leader Mitch McConnell to pass election security measures Wednesday.

Why it matters: The Kentucky Republican hasn't allowed several election security measures come up to vote, both bipartisan and democrat led.

Details: Low tax advocate Grover Norquist and FreedomWorks president Adam Brandon argued at a press conference that states need federal funding to upgrade unsecure equipment and for a federal mandate that states use auditable paper ballots.

There are two stumbling blocks perennially in the way of federal action:

  • States are consistently concerned about federal oversight of elections. Constitutionally, it's up to states to run elections, and they have been reluctant to allow any federal election law seen as impeding their absolute control — even resisting optional, unrequired services.
  • Election security is viewed as a Democratic issue, in the wake of Russia's intervention on behalf of Republicans in the 2016 election. Yet there's a bevy of domestic and global actors capable of tampering with unsecure equipment, and they have a wide variety of motivations.
3. In case you missed last week

Russia watched the FBI watch them in 2012 (Yahoo): Russia was able to breach FBI communications networks in 2012, including cracking the U.S.' second-tier quality encryption, causing the CIA and FBI to cut off contact with Russian assets, according to a Yahoo report.

  • When the U.S. seized two Russian-owned estates in 2016, it was in part because the two locations, ostensibly used as recreational compounds for Russian diplomats, were also being used in this operation.

Israel arrests unlicensed spyware vendor (ZDNet): Ability, which makes spyware used by law enforcement agencies worldwide, allegedly had been operating without an export license since March.

Government-funded app to screen emails for fraud: As we reported Tuesday, the Los Angeles Cyber Lab, a nonprofit primarily funded by the city of Los Angeles and the Department of Homeland Security, will now offer a free app to screen questionable emails for hackers and fraud.

  • Announced Tuesday and designed in conjunction with IBM, the app allows users to forward questionable-looking emails to the lab, which will send a threat analysis of the email to the app.

Tortoiseshell! (Symantec): In a move that may delight my mom, Symantec gave a newly discovered group infecting 11 IT companies in Saudi Arabia the name "Tortoiseshell."

  • My mom likes Symantec's convention of naming hacker groups after bugs, particularly gardening bugs.
  • Tortoiseshell, which appears to be targeting IT firms as a gateway to those firm's clients, is named for the brush-footed butterflies of genus aglais.
  • They aren't gardening bugs, so my mom may be less excited by the hacking group that Symantec has not yet been able to attribute to any national or criminal actor.
  • My mom says aphids are the worst.
4. Odds and ends
Axios

We will return next week.

Just one week after banning the wrong fan for life, Codebook reader pick the Cleveland Browns won a football game against an abysmal New York Jets team forced to use their third-string quarterback.