DNSCrypt Ephemeral Keys

Normally DNSCrypt uses the same public key for each request when contacting the DNS resolver. Technically the resolver could use this to link the public key to multiple IP addresses (particularly a problem with a mobile device like a laptop or smartphone).

To help fix this, dnscrypt-proxy recently added support for ephemeral keys, which means it creates a new key pair for each request. This does add some extra CPU time to each request, but for devices that may change IP addresses a lot, it might be worth enabling. If you have a static IP, or a dynamic IP that changes infrequently, it’s probably not as useful. That being said, if there are multiple users of dnscrypt-proxy behind the same IP address, then I would think it could help mask which requests are being sent by separate users (e.g. without ephemeral keys, the DNS provider could determine that key A visits Gmail and ArsTechnica while key B visits Yahoo and the BBC).

To enable ephemeral keys, add the -E tag when installing, like so:

dnscrypt-proxy.exe -E -R cloudns-can -L "dnscrypt-resolvers.csv" --install

Stewardship of Security & Privacy

The use of security, privacy, and anonymity tools are most often compromised by users who don’t understand operational security (“opsec”), the methods and discipline of using the tools. You can give the best hardware and software in the world to someone without teaching them about the risks, and you may as well not given them anything at all. The fact is, security and privacy are caretaking activities — not scary things, but stewardship.

In our post-Snowden world with increased awareness among the general public — though one might argue there has not been enough awareness even still — it’s more important than ever to spread the basic philosophy and practices behind keeping oneself safe when using our increasingly connected devices, particularly our mobile phones. You are only as secure as others in your circle, so what we should be cultivating is a community of awareness. Like driving or swimming, security is something we need to practice, responsibly, within the shared community space of the Internet. However, we shouldn’t think of it as the sole purpose or focus when using our mobiles any more than avoiding an accident is the purpose of driving, or avoiding drowning is the purpose of swimming.

Our mobile devices are progressively becoming integral extensions of our personal, financial, educational, and work lives. Even the US Supreme Court said so in a recent ruling , stating that, “Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.” So we need to learn a little mobile safety just as much as water or driver safety.

Another important point is that while people might freak out about the [GCHQ/NSA/BND], but you should be more worried about some 13-year old kid from eastern Europe hacking your phone and making off with your account data, financial info, address book, and anything else that will enable them to wreak havoc on your life from afar. That’s your typical daily threat, and if your phone is hacked, everyone you know becomes a potential target too. So it’s hygiene; take care of your own leaks and help the people around you take care of theirs.

But don’t go preaching the small, techie details. Keep it simple and easy to grasp. It won’t be perfect to start with, because it will involve putting people well outside their comfort zone for something they may not even care that much about. It will be a start though, and sometimes that’s the best we can ask for — getting our friends and family to take control of their own privacy and security. That’s our job, painting the metaphors. Less boring, more fun and bravery. More taking care of yourself and others. Retrofitting internet communications for anonymity and privacy-by-design is a brave and vain task, after all. It wasn’t designed for it at the protocol level, but it’s demanded by the times.