The nation’s most vocal privacy advocate in the U.S. Senate is pressing the Department of Homeland Security (DHS) this week to implement new technologies that would stop foreign hackers from identifying which U.S. government websites Americans, including U.S. government employees, are visiting.
In a letter Wednesday to Under Secretary Christopher Krebs, head of DHS’s risk-reduction efforts in cyberspace, Senator Ron Wyden called for new measures to conceal unencrypted metadata that exposes the domain names of websites visited by users. Further, Wyden is asking DHS and the General Services Administration, which handles the procurement and supply of government communication technology, to require companies given federal contracts to encrypt this metadata using an emerging technology called Encrypted Server Name Identification (ESNI), among other encryption technologies.
While technologies such as HTTPS are effective at preventing third parties, whether they be hackers or internet service providers (ISPs), from monitoring content exchanged between a browser and a web page (a username and password, or a bank account balance, for example), the names of the websites visited are not encrypted by default. There are, however, several other technologies capable of offering this type of protection.
“Data sent over the web is now increasingly encrypted by default,” Wyden writes, citing Google’s latest transparency report, which notes that Chrome users now access 85 percent of websites via an encrypted connection. “However, some metadata is still transmitted in the open, revealing the domain name of the website the user is visiting. Hackers can intercept or hijack the unprotected metadata, tricking users into visiting a malicious site or spying on their activities.”
Wyden has suggested two technologies to address the problem. The first is a security protocol that wraps Domain Name System (DNS) queries and answers in either Transport Layer Security (TLS) or the HTTPS protocol: “DNS over TLS” (DoT) or “DNS over HTTPS” (DoH), respectively. Either would protect users from eavesdropping and, more importantly, from man-in-the-middle attacks against visitors of unsecured sites. (Roughly 34 percent of civilian government sites are not protected by advanced encryption protocols, according to NextGov.)
“In order to protect DNS information revealing which websites federal workers are accessing from interception, DHS should require, where possible, that federal agencies encrypt employees’ DNS queries,” writes Wyden, adding: “Federal agencies could protect DNS data by operating their own encrypted DNS servers, or using private encrypted DNS services, provided that they meet rigorous cybersecurity and privacy standards.”
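To make concrete what “encrypting DNS queries” changes for an on-path observer, here is an added example that is not part of the article or of any product Wyden names. It builds a standard DNS query in wire format, shows that a passive observer of plain port-53 traffic can read the queried name straight out of the datagram, and then wraps the identical bytes in the HTTP request shape that DoH uses (RFC 8484, `POST /dns-query` with `application/dns-message`), which a TLS session then hides. The resolver hostname `doh.example.net` is a constructed placeholder; the queried name is the DoD hotline domain from the article.

```python
import struct
from typing import Optional

# Constructed inputs for the demonstration (the resolver name is a placeholder).
QUERY_NAME = "www.safehelpline.org"
RESOLVER_HOST = "doh.example.net"


def build_dns_query(qname: str, txid: int) -> bytes:
    """Build a minimal DNS A query in RFC 1035 wire format."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(msg: bytes) -> Optional[str]:
    """What a passive observer of unencrypted port-53 traffic can read: the name."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] == 0:
        return None  # no question section
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in a question section")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    raise ValueError("truncated question")


def build_doh_request(dns_msg: bytes, resolver_host: str) -> bytes:
    """Wrap the same query as an RFC 8484 POST body; TLS then encrypts all of it."""
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {resolver_host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(dns_msg)}\r\n\r\n"
    )
    return head.encode("ascii") + dns_msg


def observer_can_read_name(transport: str, payload: bytes) -> bool:
    """Model the observer: plain UDP/53 exposes the name, a DoH session does not.

    For 'udp53' the payload is the raw datagram. For 'doh' the observer sees only
    ciphertext, so the model returns False without looking at the payload.
    """
    if transport == "udp53":
        return extract_qname(payload) is not None
    if transport == "doh":
        return False
    raise ValueError(f"unknown transport {transport!r}")


if __name__ == "__main__":
    query = build_dns_query(QUERY_NAME, 0x1234)
    print("plain UDP/53 observer reads:", extract_qname(query))
    doh = build_doh_request(query, RESOLVER_HOST)
    print("DoH request (encrypted by TLS on the wire):", doh[:40], "...")
    print("name visible over UDP/53:", observer_can_read_name("udp53", query))
    print("name visible over DoH:   ", observer_can_read_name("doh", doh))
```

Note that DoH only moves the exposure: the resolver’s own hostname is still visible in the TLS handshake’s Server Name Indication unless that, too, is encrypted, which is the second technology the letter asks for.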
Wyden also suggested the use of ESNI, a new technology addressing a fundamental privacy flaw in the Server Name Identification (SNI) system, which exposes the names of websites being visited to internet providers, hackers, and anyone else capable of intercepting web traffic, wirelessly or otherwise. For average users, concealing this information has never been more crucial, as Congress chose to overturn privacy protections last year that had required ISPs to obtain consumer consent before using or sharing their browsing history for commercial purposes.
“This technology is particularly useful when it is used by major content distribution networks (CDN), which provide internet connectivity to tens or hundreds of thousands of different websites,” Wyden continues. “When ESNI is used by a CDN, any hacker intercepting a user’s internet browsing data will only learn that the user is visiting a website delivered by a particular CDN and not which particular site the user is visiting.”
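The SNI leak the two preceding paragraphs describe can be shown directly in the bytes of a TLS ClientHello. The following is an added example, not code from the article or from any browser or CDN it mentions. It builds a ClientHello carrying the hotline domain in the cleartext `server_name` extension and a tiny parser that reads that name back, which is exactly the view an on-path observer (or an intrusion-detection sensor on the defender’s side) has today. It then builds the ESNI-style variant: the cleartext SNI names only the CDN’s shared front-end, and the real hostname travels in a separate extension whose content is opaque. The CDN name `cdn-front.example` is a constructed placeholder, and the opaque extension here is a SHA-256 stand-in for the real encrypted payload, not an actual ESNI encoding.

```python
import hashlib
import os
import struct
from typing import Optional

# Constructed placeholder for a CDN's shared front-end hostname.
CDN_PUBLIC_NAME = "cdn-front.example"
# Stand-in extension type for the encrypted server-name extension (assumption:
# any unassigned codepoint serves the demonstration; the content is opaque).
ENCRYPTED_NAME_EXT_TYPE = 0xFFCE


def _vec(data: bytes, len_bytes: int) -> bytes:
    """TLS length-prefixed vector."""
    return len(data).to_bytes(len_bytes, "big") + data


def encrypted_name_placeholder(real_hostname: str) -> bytes:
    """Opaque stand-in for the ciphertext that ESNI would carry (not a real encoding)."""
    digest = hashlib.sha256(real_hostname.encode("ascii")).digest()
    return struct.pack("!H", ENCRYPTED_NAME_EXT_TYPE) + _vec(digest, 2)


def build_client_hello(cleartext_sni: str, extra_extensions: bytes = b"") -> bytes:
    """Minimal TLS 1.3-style ClientHello record with a cleartext server_name extension."""
    name_entry = b"\x00" + _vec(cleartext_sni.encode("ascii"), 2)  # host_name type
    sni_ext = struct.pack("!H", 0) + _vec(_vec(name_entry, 2), 2)  # ext type 0
    body = (
        b"\x03\x03"                        # legacy_version
        + os.urandom(32)                   # random
        + _vec(b"", 1)                     # legacy_session_id
        + _vec(b"\x13\x01\x13\x02", 2)     # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
        + _vec(b"\x00", 1)                 # legacy_compression_methods: null
        + _vec(sni_ext + extra_extensions, 2)
    )
    handshake = b"\x01" + _vec(body, 3)    # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)  # ContentType handshake record


def extract_sni(record: bytes) -> Optional[str]:
    """Read the cleartext server_name from a ClientHello: the observer's view."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    pos = 4 + 2 + 32                                   # header, version, random
    pos += 1 + hs[pos]                                 # session id
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher suites
    pos += 1 + hs[pos]                                 # compression methods
    ext_end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        if etype == 0:
            name_len = int.from_bytes(data[3:5], "big")  # skip list len + name type
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + elen
    return None


if __name__ == "__main__":
    today = build_client_hello("www.safehelpline.org")
    print("without ESNI, observer sees:", extract_sni(today))
    with_esni = build_client_hello(
        CDN_PUBLIC_NAME, encrypted_name_placeholder("www.safehelpline.org"))
    print("with ESNI, observer sees:   ", extract_sni(with_esni))
```

The parser is deliberately the same in both cases: nothing about the observer changes, only what the client puts in the clear. That is why the letter’s leverage point is the CDN, which decides whether the cleartext field names its shared front-end or the individual site.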
Why is this so important for government websites? Wyden’s office offers two examples:
- The Department of Defense (DoD) operates an online sexual assault hotline at www.safehelpline.org. Amazon Web Services hosts the website, and while the website already uses encryption to protect the content delivered to visitors, metadata about the visit itself is not currently protected because Amazon does not currently support ESNI. This means that third parties could potentially identify specific Americans accessing the DoD Safe Helpline even if those third parties can’t see the encrypted content.
- The Federal Bureau of Investigation operates an online tip line at tips.fbi.gov. The FBI’s website is hosted by a company that supports ESNI. As such, when this FBI website is visited by Americans using a web browser that supports ESNI, the name of the particular website being visited will not be revealed to a hacker or foreign government that is intercepting the website data.
Wyden’s letter to DHS was also sent to senior officials at the National Institute of Standards and Technology (NIST), the U.S. General Services Administration, and the Defense Department. It requests a response from DHS within the next 60 days.
A month ago, Cloudflare became the first content delivery network to deploy ESNI across its entire network. Mozilla is also currently testing ESNI in a pre-release build of its browser, Firefox Nightly. Wyden is also hoping that DHS will take an active role in promoting the use of the technology by creating a financial incentive for companies that seek to do business with the government:
“In order to promote broad industry adoption of this important cybersecurity technology and therefore protect sensitive metadata about Americans’ visits to all U.S. government websites,” Wyden writes, “I urge DHS to work with the General Services Administration to require companies to enable ESNI as a condition of selling CDN service to the U.S. government.”