Div0 Blog Editor
From Russia With Love
In the world of cybersecurity and the imposed concept of security, 2 mundane vulnerabilities have been looming for years. Nobody seemed to care much about them, partly because many parties actually benefited from them. In the sense of social cohesion, it was good for the economy that some part of the users remained vulnerable. E.g. advertising requires that a large mass of users be vulnerable, since we all need that cash. Yet there are barely any humane, ethical or social grounds to justify holding onto a vulnerability. Why then do we still have DNS hijacking and coffee shop attacks in the wild?
One of the most recent browser newcomers, Yandex browser, made a bold move. They targeted both of these inherent and essential vulnerabilities and moved to practically eliminate them in their recent browser release. What!? How can someone eliminate our Wi-Fi router advertisement, paywall and spoofing pages, and controlled namespace?
Yandex browser includes 2 crucial and essential security features: a custom DNS resolver with an encrypted DNS protocol, as well as an innovative, yet spooky, transparent encryption of plaintext HTTP requests. Both of these are bold moves, yet both weigh heavily as an intrusion into users’ actions, hopefully for the good and not in order to break in.
Having a proprietary DNS resolver implemented in the client application, using a specific DNS resolver cluster, will inevitably bring about a good load of security, as all the resolvers are known and under the control of the same entity. Surely yes, but when things go bad, this can also have the reverse effect on users' privacy. However, the same applies to malware scanners, OS-imposed critical silent updates, etc. The core question is to whom one grants such omnipotent power. Surely in the world of cybersecurity, that question is more relevant today than ever.
Furthermore, the most classic and perhaps the oldest of the vulnerabilities, plaintext HTTP traffic, remains an open issue for most implementations. Because nobody cares about anything important and you have a certificate installed anyway, many lamely think. However, in real life things are not so. A great deal of unencrypted, yet highly important, content is transferred daily over coffee shop Wi-Fi or campus networks, let alone hotels, hostels and who knows what kind of establishments. Until now, nobody really took the step to even try to protect vulnerable users from these, instead of just proclaiming and shouting aloud, “set up your certificates!” Well, not all people do, for one reason or another. This new Yandex browser makes a strange move here: a custom encrypted proxy for unencrypted traffic on unprotected wireless networks. Whoa! What?
Yes, you heard right. The browser will re-route your plaintext HTTP traffic through its own proprietary encrypted tunnel to a distant exit node, from where it’s sent to the destination. This effectively blocks any and all local coffee shop attacks, as plaintext HTTP is suddenly no longer plaintext on the local network. All this is done transparently for the user and for the application. Well, mostly. Users will see a slight indication that their unprotected Wi-Fi connection has been “enhanced” in order for it to be more secure than before. Oh my goodness!
The end result of the custom Wi-Fi protection is an awesome, yet terrifying and horrible breach of users' privacy. It depends on which side of the coin one looks at, and again, to whom one grants the master key. Personally, I would at the moment trust the Yandex proxy more than Google or Apple, for example. Even a crowded Tor exit node can be dirtier than this. But that’s a matter of personal choice, of course.
Whatever one thinks about these bold moves, they are sure to change the functionalities in the coming generation of browsers and in the way users' security is taken care of. As noted earlier, the question in cybersecurity is becoming more and more relevant in the sense of “who governs”, and as people are eager to change their leaders rather swiftly, more and more innovative solutions can be expected to be introduced in the future, for the benefit of people rather than to secure the status quo of an eroding state.
Kristo Helasvuo, Guest Author.