With the exception–perhaps–of your therapist or significant other, no one has more power to learn your secrets than your internet service provider. An ISP can see every website that you choose to access. And with the scrapping of Obama-era privacy regulations last year, the U.S. federal government has no rules against ISPs collecting and selling your information to marketers. But new tech fixes are plugging the privacy holes that the government won’t.
The effort began in April, when Firefox browser maker Mozilla and content delivery network Cloudflare rolled out measures to block one of the easiest ways for ISPs to snoop. They started encrypting the browser’s “DNS lookup” of a website’s numerical IP address–converting Google.com to 18.104.22.168, for instance. (See our instructions for setting this up.)
Now Mozilla and Cloudflare, and possibly other tech companies like Apple, will start to close another loophole–one that reveals the identity of a multitude of smaller websites.
Big sites–think Facebook, Google, Netflix–have their own IP addresses on the internet, currently making their identities impossible to hide. But a lot of smaller sites live together on server farms at shared IP addresses. To reach the right site among many at a particular address, your browser has to specify the site’s server name identification (SNI). Anyone sitting between you and the server–be it an ISP, a nosy government, or a hacker on a public Wi-Fi network–can easily read these SNIs to track your browsing. An emerging technology called Encrypted SNI, or ESNI, hides that information.
On the browser side, Mozilla confirms that it will begin adding ESNI to Firefox this week. Given that Mozilla’s CTO Eric Rescorla is one of the creators of the draft ESNI technical specification, adoption by Firefox isn’t a shocker. Like many of the browser’s other security and privacy features, ESNI will debut in the beta version, called Firefox Nightly. ESNI is just another step in an ongoing process, says Selena Deckelmann, a senior director of engineering for Firefox.
“The idea is to find all of these places where this type of information about where users are browsing is leaking and to shut those leaks down,” she says.
On the server side, content delivery network Cloudflare just announced support for ESNI. (Its head of Cryptography Nick Sullivan is another ESNI co-creator.) Services like Cloudflare sit at a critical point between websites and users–storing copies of sites in datacenters around the world to provide faster access. When you “visit” a German site from the U.S., for instance, chances are you’re actually seeing a copy of it in a server farm dozens or hundreds, rather than thousands, of miles away.
“The vast majority of our customers will share IP [addresses] with other Cloudflare customers,” says the company’s CEO, Matthew Prince. He reckons that’s the case for over 90% of the more than 10 million sites the company serves–often with 20 to 30 sites on a single address.
ESNI also serves another purpose: It makes it harder for ISPs to block or throttle access to those smaller sites. That’s handy, since the U.S. government has also scrapped its net neutrality protections (although states like California are writing their own laws).
“While [ESNI] might not solve the net neutrality problem for Netflix, it might make [conditions] more even for those that are insurgents,” says Dane Jasper, CEO of Sonic, an ISP that markets its support of net neutrality and a policy against collecting user browsing data.
The stakes are even higher under repressive regimes, he says. Dissidents might use tools like a virtual private network to hide their communications, but that in itself shows they have something to hide. Automatically encrypting the names of websites, for everyone, “eliminates the indicators of a desire for privacy that might bring scrutiny,” says Jasper.
The long road to privacy
Unlike encrypted IP address lookups, which Mozilla and Cloudflare simply switched on in April, ESNI will take a while to roll out. The technology is essentially in a beta version. It may not become a technical standard for another year, reckons Mark Nottingham, a principal engineer at Cloudflare rival Fastly. His colleague Kazuho Oku is yet another author of the ESNI specification. Fastly, however, is proceeding more cautiously.
“We’re figuring out how it can fit into our product offering,” says Nottingham. But Mozilla’s and Cloudflare’s “very aggressive” rollout of the tech helps the development process, he says.
Apple software engineer Christopher Wood is the fourth and final main author of the specification. I contacted a few people at Apple to ask about plans to roll ESNI into the Safari browser or other products, but no one replied. Google declined to comment about plans for either the Chrome browser or its cloud hosting. Nor did hosting giant Amazon Web Services comment. Microsoft sent an email pointing to its work on the larger internet tech that ESNI is a part of. “We continue to look at all opportunities like (and including) ESNI, to help keep our customers safer.”
Content delivery network giant Akamai is on board, although it didn’t give a timeframe.
“We will support [ESNI] as it is an important incremental improvement, yet remain aware of its limitations,” wrote Chief Security Architect Brian Sniffen in an email to Fast Company. Wary of “a false sense of security,” Sniffen listed other bits of information that ESNI and HTTPS do not hide. A clever snoop—including an ISP or a government—could still use that data to deduce when someone visits certain “pages of interest.”
“Is this as simple and conclusive as with plaintext SNI? No,” writes Sniffen. “However, is it enough that this technology is dangerously misleading? Yes.”
A remaining hole—and a possible plug
One of the biggest remaining privacy holes is the IP address itself–especially for larger sites that don’t share IP addresses in a way that allows them to hide behind encrypted SNIs.
Prince may have a fix for that, too. “There’s no reason that a particular Cloudflare customer has to be on an [unchanging] IP address,” he says, suggesting that Cloudflare could randomly assign them. Two people going to the same website at the same time might enter it from different IP addresses. That could work for either a content delivery network or the cloud provider itself.
“[An ISP] would be able to . . . know that traffic was going to Cloudflare, but they wouldn’t be able to know what particular site it was going to,” says Prince. He adds that he “would not be surprised” if Cloudflare introduces such a service next year.