Engineers at Cloudflare and Apple have created a new internet protocol, ODoH, to fill one of the biggest internet security gaps many people don’t even know existed.
The protocol named Oblivious DNS-over-HTTPS (ODoH), will make it much more difficult for ISPs to track user activity on the Web.
Each time a user visits a site on the Internet, the browser uses a DNS resolver to convert the web address into an IP address, which it uses to find the requested page on the Internet.
However, this process is not encrypted, which means that every time the site is loaded, the DNS request is sent in clear text, and the DNS resolver (the Internet service provider, if the user has not selected another DNS resolver) can see which resource is being visited.
New protocols like DNS-over-HTTPS (DoH) encrypt DNS requests, making it more difficult for attackers to intercept them and redirect users to malicious sites instead of legitimate ones. However, DNS queries are still visible to ISPs who may sell browser history to advertisers and other interested parties.
The ODoH protocol presented by Cloudflare and Apple engineers is based on previous developments by specialists from Princeton University. In short, ODoH decouples the DNS request from the user, and the DNS resolver does not see which site is visited.
How does it work? ODoH wraps the DNS request in an encryption layer and sends it through a proxy server that acts as an intermediary between the user and the site that is requested. Since the DNS request is encrypted, its contents are not visible to the proxy server.
At the same time, the proxy server acts as a kind of shield that prevents the DNS resolver from seeing who originally sent the DNS request. In other words, only the proxy server knows the user who sent the request, and only the requested site is known to the DNS resolver.
Several partner organizations are already using proxy servers, allowing some users to already use the new technology through the existing Cloudflare 1.1.1.1 DNS resolver. But most will have to wait until ODoH is built into browsers and operating systems. This can take months or years, depending on how long it takes for ODoH to be certified as a standard by the Internet Engineering Board.
Let me remind you about the fact that Vulnerability in OAuth Protocol Allows Hacking Any Facebook Account.