TY - GEN
T1 - Assessing the Privacy Benefits of Domain Name Encryption
AU - Hoang, Nguyen Phong
AU - Akhavan Niaki, Arian
AU - Borisov, Nikita
AU - Gill, Phillipa
AU - Polychronakis, Michalis
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020/10/5
Y1 - 2020/10/5
N2 - As Internet users have become more savvy about the potential for their Internet communication to be observed, the use of network traffic encryption technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is enabled, users leak information about the domains they visit via DNS queries and via the Server Name Indication (SNI) extension of TLS. Two recent proposals to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI (ESNI). In this paper we aim to assess the privacy benefits of these proposals by considering the relationship between hostnames and IP addresses, the latter of which are still exposed. We perform DNS queries from nine vantage points around the globe to characterize this relationship. We quantify the privacy gain offered by ESNI for different hosting and CDN providers using two different metrics, the k -anonymity degree due to co-hosting and the dynamics of IP address changes. We find that 20% of the domains studied will not gain any privacy benefit since they have a one-to-one mapping between their hostname and IP address. On the other hand, 30% will gain a significant privacy benefit with a k value greater than 100, since these domains are co-hosted with more than 100 other domains. Domains whose visitors' privacy will meaningfully improve are far less popular, while for popular domains the benefit is not significant. Analyzing the dynamics of IP addresses of long-lived domains, we find that only 7.7% of them change their hosting IP addresses on a daily basis. We conclude by discussing potential approaches for website owners and hosting/CDN providers for maximizing the privacy benefits of ESNI.
AB - As Internet users have become more savvy about the potential for their Internet communication to be observed, the use of network traffic encryption technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is enabled, users leak information about the domains they visit via DNS queries and via the Server Name Indication (SNI) extension of TLS. Two recent proposals to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI (ESNI). In this paper we aim to assess the privacy benefits of these proposals by considering the relationship between hostnames and IP addresses, the latter of which are still exposed. We perform DNS queries from nine vantage points around the globe to characterize this relationship. We quantify the privacy gain offered by ESNI for different hosting and CDN providers using two different metrics, the k -anonymity degree due to co-hosting and the dynamics of IP address changes. We find that 20% of the domains studied will not gain any privacy benefit since they have a one-to-one mapping between their hostname and IP address. On the other hand, 30% will gain a significant privacy benefit with a k value greater than 100, since these domains are co-hosted with more than 100 other domains. Domains whose visitors' privacy will meaningfully improve are far less popular, while for popular domains the benefit is not significant. Analyzing the dynamics of IP addresses of long-lived domains, we find that only 7.7% of them change their hosting IP addresses on a daily basis. We conclude by discussing potential approaches for website owners and hosting/CDN providers for maximizing the privacy benefits of ESNI.
KW - DNS over HTTPS (DoH)
KW - DNS over TLS (DoT)
KW - active DNS measurement
KW - domain name privacy
KW - encrypted SNI (ESNI)
UR - http://www.scopus.com/inward/record.url?scp=85086378949&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85086378949&partnerID=8YFLogxK
U2 - 10.1145/3320269.3384728
DO - 10.1145/3320269.3384728
M3 - Conference contribution
AN - SCOPUS:85086378949
T3 - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
SP - 290
EP - 304
BT - Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
PB - Association for Computing Machinery
T2 - 15th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2020
Y2 - 5 October 2020 through 9 October 2020
ER -