26 September 2019
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Maintained by Hanno Böck.
Both Mozilla and Chrome have announced their first plans to enable DNS over HTTPS (DoH) in some situations. But they will start with a very slow rollout and will disable DoH in many situations.
Mozilla will enable DoH for its US customers in an upcoming version of Firefox, but there will be several exceptions. DoH won’t be enabled when Firefox detects DNS configurations in which the local DNS resolver gives different answers than a remote one, which Mozilla calls split horizon networks. With a canary domain, network operators also can signal the browser that DoH should be disabled. By default, DoH will be disabled in Firefox with enterprise policies. The detection of split horizon will likely mean that DoH also can be force-disabled by a network attacker.
Google will take an even softer route with DoH: Chrome will only enable it when the locally configured DNS server is in a list of servers that are upgradable to DoH.
DNS over HTTPS tunnels DNS queries over an encrypted channel. It’s been criticized for two separate reasons. First, tunneling DNS queries to a centralized DNS server creates a single point where all these queries can be observed. Mozilla right now uses a DoH server provided by Cloudflare. The second reason is that network operators are concerned that DoH takes away control. Some systems use local DNS filtering as parental control or security measures.
This subscription is just for the newsletter; we won't send you anything else.
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof SSL and TLS, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.