Risks from the killer disease known as COVID-19 are keeping most of us at home, away from friends, family, work or school, increasingly tied to our computers and mobile devices as the main or only source of connectivity.
But that only makes our connected gadgets more vulnerable to their own infectious viruses. The more time we spend online as a result of stay-at-home protocols, the more we can be a target for malware, spyware, ransomware, and other malicious tools and attacks.
We can and should take steps to defend ourselves, but most of us do not have access to the broader protections that large companies and organizations can deploy for their networks, data, and devices.
Until now.
The Canadian Internet Registration Authority (CIRA) is offering what’s called enterprise-grade privacy and cybersecurity protection to Canadians with its official launch of CIRA Canadian Shield—a free DNS firewall and online privacy and security service, available to individuals and families across Canada.
“The Internet is proving to be a critical lifeline for Canada during this unprecedented situation,” said Dave Chiswell, CIRA’s vice president, product. “With CIRA Canadian Shield, we are helping to protect Canadians from bad actors who are using this crisis to exploit unprotected personal devices and home networks.”
DNS stands for Domain Name System. It is a way to match the name of a website (the descriptor we humans use) with the numeric IP address (the computer analog for that name) to make sure you get to the real website you’re looking for and that you are not being tracked or attacked on your way. CIRA’s domain name is CIRA.ca, for example, but its IP address is 192.228.29.1. The DNS resolves that linguistic difference by “looking up” and cross-referencing the addresses.
Most of us never have to deal directly with DNS. Most routers (the device that connects us to the outside Internet) come with a preset DNS option. That’s seen as a convenience, but many such set-ups are not all that secure: there is no encryption, for example, so other devices along the way could block, change or collect your data. DNS “lookups” are sent to servers that could spy on your browsing history without publishing a privacy policy about what they do with that information.
Canadian Shield, as CIRA describes it, acts as an extra filter between you and those servers.
When you want to visit a certain website (a request also known as a DNS query), the Shield does its own lookup of domain names and addresses, checking them against its own list of potentially malicious websites, the latest threat reports and malware assessments.
CIRA partnered with the Canadian Centre for Cyber Security (Cyber Centre) to integrate that organization’s threat feed into Canadian Shield, so users can have that added protection through Cyber Centre-derived threat intelligence activities.
Canadian Shield, like many entities on the Internet, uses HTTPS, the encrypted version of the web’s HTTP protocol, and TLS (Transport Layer Security), the encryption layer that secures data transfers on a network.
Operating on the IPv4 and IPv6 Internet protocols, and using the newest DNS encryption standards—DNS over HTTPS (DoH) and DNS over TLS (DoT)—CIRA’s deployment is seen as the first national, public DNS over HTTPS (DoH) service in the world.
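The lookup-and-filter step described above can be sketched in a few lines. This is an added example, not CIRA’s code: the function names are hypothetical and the blocklist entries are constructed placeholders standing in for a real threat feed.

```python
import struct

# Constructed blocklist; a real DNS firewall loads this from threat feeds.
BLOCKLIST = {"malware.example", "phish.test"}

def build_query(name, qtype=1):
    """Encode a DNS query in wire format, the payload that DoH and DoT carry."""
    # ID 0 (recommended for DoH), flags 0x0100 = recursion desired, 1 question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(msg):
    """Extract the queried name from the single question of a DNS message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("need a full header and exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question")
        length = msg[pos]
        if length == 0:
            break
        if length > 63:  # compression pointers do not belong in a question
            raise ValueError("invalid label length")
        end = pos + 1 + length
        if end > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos + 1:end].decode("ascii").lower())
        pos = end
    return ".".join(labels)

def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))

def decide(msg):
    """Return (queried name, action) for one incoming query."""
    name = parse_qname(msg)
    return name, ("BLOCK" if is_blocked(name) else "RESOLVE")

if __name__ == "__main__":
    for host in ("cira.ca", "cdn.Malware.Example", "notmalware.example"):
        print(decide(build_query(host)))
```

Matching on parent domains means a listed domain also covers its subdomains, while a name that merely ends with the same characters (`notmalware.example`) is left alone.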
CIRA Shield is built on its own national infrastructure, with localized servers in Canada. A global partnership with Akamai Technologies, along with mobile capabilities delivered through a partnership with California-based mobile technology company Mobolize (there’s an app for smartphones and tablets in both the Apple App Store and Google Play store), helps expand its capabilities.
As mentioned, the new Shield service does offer options for DNS encryption, but it does not encrypt all traffic and it is not a replacement for a fully-featured VPN (virtual private network). In fact, if you are already using a VPN, the Shield will not provide its protected DNS service while you are on the VPN. The mobile app does have a paid upgrade path to an encrypted feature for use on public Wi-Fi networks.
With all its talk about bringing added online privacy and security to Canadians, and as part of its own Privacy Policy, CIRA has committed to an annual privacy audit for itself, to be conducted by a third-party auditor (not named at launch). CIRA says it has no interest in monetizing the browsing data of Canadians, will never sell, rent or licence access to personal data (it is a non-profit organization), nor use that data to target advertising.
Many browsers have joined in announcing their plans to support DoH, and even major for-profit endeavours like Facebook are making some moves to support a more secure DNS.
Google launched DNS over HTTPS (DoH) in 2016 and it subsequently announced general availability for a standard DoH service through its own network infrastructure. For its part, Mozilla’s Firefox browser integrates DoH by default for its U.S. users (enabling DNS over HTTPS is a Settings option for the rest of us).
Even so, there is pushback against DNS-over-HTTPS and some critics say it doesn’t really perform as advertised: without proper configuration and some kind of hybridization that adds full encryption, DoH doesn’t completely protect users from having their web traffic spied upon. Users who truly want or need to hide their web traffic should still look at VPNs, with DoH as an added extra layer of protection.
The virus is today’s top-of-mind threat to human society and to computer networks; as such, taking all available precautions makes a lot of sense.