"Comcast has moved quickly to adopt DNS encryption technology and we’re excited to have them join the TRR program," Firefox CTO Eric Rescorla said on Thursday.
“Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs.”
Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers' web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here's Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.
ISPs "have access to a stream of a user’s browsing history," Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS."
Alongside technologies like TLS 1.3 and encrypted SNI, DoH has the potential to provide tremendous privacy protections.
But to avoid having this technology deployment produce such a powerful centralizing effect, EFF is calling for widespread deployment of DNS over HTTPS support by Internet service providers themselves.
Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program's rules.
That means, according to Moz, Comcast "must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser." Nor can it "combine the data that it collects from queries with any other data in any way that can be used to identify individual end users" nor "sell, license, sublicense, or grant any rights to user data to any other person or entity."
Well, at least a broadband provider is now signed up for DNS-over-HTTPS with Firefox rather than fighting to outlaw the tech. And subscribers aren't forced to use Comcast's secure DNS service, though it will be the default. And it's better than using plain old DNS that isn't encrypted. If you trust Comcast to handle your normal plain-text DNS, logically you should trust it for DNS-over-HTTPS.
"We’re proud to be the first ISP to join with Mozilla to support this important evolution of DNS privacy,” said Jason Livingood, Comcast Cable veep of technology policy and standards. "Engaging with the global technology community gives us better tools to protect our customers, and partnerships like this advance our mission to make our customers’ internet experience more private and secure."
Mozilla launched the TRR program in March, and so far Cloudflare and NextDNS have jumped in to provide DNS-over-HTTPS resolvers. Google rolled out its own flavor of the tech for Chrome users in May. "Adding ISPs in the TRR Program paves the way for providing customers with the security of trusted DNS resolution, while also offering the benefits of a resolver provided by their ISP such as parental control services and better optimized, localized results," Team Mozilla concluded this week. "Mozilla and Comcast will be jointly running tests to inform how Firefox can assign the best available TRR to each user." ®