Chapter 5: Staying Safe Online

“All human beings have three lives: public, private, and secret.”


Gabriel García Márquez

5.1 DNS

5.2 Staying Anonymous

5.3 Browser Technologies


This is the original version of this book. This work is made available under the terms of a Creative Commons Attribution-NonCommercial-ShareAlike license.

A comic from XKCD, a popular techy-nerdy comic strip. CC-BY-NC
https://xkcd.com/1998/


5.1 Domain Name Service

Learning Objectives

After studying this section you should be able to do the following:

  1. Explain how DNS works
  2. Describe how DNS cache poisoning works
  3. Explain the privacy benefits of DoH
  4. Explain the controversies of DoH

What is DNS?

When you type www.daveghidiu.com into your browser, your computer will translate that to an IP address. Unless you know that the IP address of www.daveghidiu.com is 192.232.223.120, you’ll need to rely on some form of DNS resolution. There are multiple ways your computer can translate a website request into an IP address; however, there is no canonical way. Different computers, different operating systems, and different configurations will each provide different pathways. Lawrence Abrams has a great explanation of this (and resources for follow-up) at BleepingComputer[1].

The generic method (again, this varies depending on your computer) is that a request will look at your hosts file first, then your DNS cache, then your ISP’s cache, and finally make a formal request:

  1. The hosts file on your computer
  2. The DNS cache on your computer
  3. The DNS cache of your ISP
  4. A search begins using DNS servers

While the actual route that DNS resolution takes is out of the scope of this book, it is necessary to understand that some technical magic happens that translates what you type in the address bar of your browser to the numeric IP addresses that computers understand. For the purpose of this conversation, it is sufficient to know that when you try to go to a website, there are a few different places your browser goes to look up the IP address. First, the browser will go with local answers such as the hosts file and the DNS cache, but if it can’t translate the address, the browser will then embark on a journey that very well could go around the world.

The bad news is that this mostly happens in plaintext through UDP (though there are endeavors to change this, see DoH later in this section). The even worse news is that there have been attacks like “Pakistani Girls Mobile Data” or “Shopperz” that have been known to alter (or obscure) the hosts file[2].

By the way, you can (and should!) change the DNS server that your home router uses, and if possible, your devices too. In 2016, a service called Quad9 (a partnership with 18 threat intelligence providers) emerged that helped with speed and privacy but, more importantly, with threats. Any query that comes to the 9.9.9.9 server will be checked against known malicious sites (including ads) before serving you content. This mitigates exposure to threat actors[3]. Cloudflare runs a similar service, 1.1.1.1, and offers DNS over HTTPS (DoH) as well as other goodies (like speed and apps for your mobile device)[4].

DNS Cache Poisoning

To understand how DNS cache poisoning (or DNS spoofing) works, you have to understand how a DNS lookup happens. The search starts in your hosts file. If the answer is not there (and usually it isn’t), then it may go to your DNS cache (on Windows, an ipconfig /displaydns call will show you the cached DNS results).


If your computer still does not know how to convert your request into an IP address, it will ask a small-potatoes DNS server. If that server doesn’t know, it will refer your computer to a bigger-deal DNS server. Sooner or later, some authoritative DNS server will know where to send your computer, and you’ll get an answer. Of course, all this happens within milliseconds, and one of the reasons it is so speedy is the replication of DNS lookups. If one server knows what the IP address is for a particular website, it can (and will!) share it with other DNS servers. However, that also means that if some bad actor were to taint the lookup on one DNS server, that change could propagate across multiple servers. This is all possible because there is no way to verify that DNS information is accurate. DNSSEC should help by using public-key encryption to verify and authenticate data[5], but it is not widely used yet, so DNS still has vulnerabilities. Sadly, DNSSEC is only used by a single-digit percentage of websites[6].

DNS cache poisoning attacks are fairly hard to perpetrate as there are a few pieces of the puzzle that have to be known and assembled over the course of a few milliseconds.

Attackers also have to know, or be able to guess, a number of factors in order to carry out DNS spoofing attacks:

Given enough resources, an attacker can succeed with a DNS cache poisoning attack. Many companies have their own DNS servers, and IT teams can mitigate DNS spoofing attacks on their DNS servers by limiting the number of recursive DNS queries (a DNS lookup that, if failed, will ask another server to return an answer) and limiting entries that are specific to the domain[8].

China’s Great Firewall

China limits exposure to websites through a number of methods such as packet forging, Man-in-the-Middle attacks, Quality of Service filtering, and others[9]. Intentional DNS cache poisoning is also a method employed. For example, if someone in China tried going to daveghidiu.com and authorities in China didn’t want people visiting that particular website, the DNS servers in China would resolve it to a state-run website or a permitted, random website.

In 2010, the intentional DNS cache poisoning spread out of China. It is thought that an ISP outside of China directed DNS lookup requests to a root DNS server in China. From there, the intentionally misconfigured results were then spread across multiple other DNS servers[10].

In 2015, the Great Firewall caused other global issues, and it appeared as though the DNS servers in China were directing prohibited requests to random websites. The sheer volume of these requests led to DDoS attacks on the unsuspecting servers (especially since some of the requests came from mobile games which have a large base)[11].

It is distressing to realize that there is not much a typical user can do when these large-scale attacks take place, and it is equally distressing to realize the ease with which they can occur.

DNS over HTTPS

In 2018, the legislature allowed ISPs to collect and sell your browsing data without your permission![12] This caused some organizations to begin to rethink how to protect users. Lately, there has been a big push to make DNS requests over HTTPS (that is, DNS over HTTPS or DoH), which would be a big boon for privacy-minded users and a huge blow to ISPs.

One of the first players on the stage was Cloudflare, which released the 1.1.1.1 app in late 2018. Initially the app acted only as a DNS resolver and delivered DNS securely by using TCP instead of UDP. Officially, it looks as if 1.1.1.1 uses DNS over TLS[13], which is not the same as DNS over HTTPS (though the results are the same--DNS queries that are encrypted).

While no privacy-minded people dispute the benefits of encrypted DNS queries, there is a small battle raging regarding DNS over TLS (DoT) versus DoH. The distinction is small and it boils down to port numbers. While all HTTPS traffic lives on port 443, DoT uses port 853. For some folks, this is a deal-breaker. Using port 853--while encrypted--indicates that the user is attempting to shield their traffic, which in and of itself could be problematic in some countries as it shows users may have something to hide.[14]

DNS over HTTPS, however, is a bit more hidden. There won’t be DNS traffic on port 53 as all the DNS queries will appear as encrypted data over port 443. This means that network administrators will have issues filtering DNS requests for things such as phishing and malware sites.

So the debate is between people in charge of internal networks (system administrators) who want better security (DoT) and people advocating for human rights (DoH).

Either way, encrypted DNS queries look to be in our future.
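To make the port 53 versus 853 versus 443 distinction concrete, the following added example (not part of the original book) builds the DNS query bytes for a name, shows that anyone watching plaintext port 53 can read the name straight out of them, and packs the same bytes into the DoH GET form defined in RFC 8484. It sends no traffic; the function names are this example's own, and the Cloudflare endpoint URL is not taken from the book.

```python
import base64
import struct


def encode_name(name):
    """Encode a hostname as DNS labels: a length byte before each label, 0x00 at the end."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("invalid label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, query_id=0):
    """Build a DNS query message in RFC 1035 wire format (qtype 1 = A record).

    RFC 8484 suggests ID 0 for DoH so identical queries are cache-friendly.
    """
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def read_question_name(message):
    """Recover the queried name from raw query bytes, as a passive observer could."""
    pos, labels = 12, []  # the question section starts after the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(message, endpoint="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: the same bytes, base64url-encoded with padding removed."""
    b64 = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + b64


def observer_view(transport, message):
    """What an on-path observer (ISP, Wi-Fi operator) learns for each transport."""
    if transport == "udp53":  # classic DNS: the payload is readable
        return {"port": 53, "encrypted": False,
                "queried_name": read_question_name(message)}
    if transport == "dot":    # encrypted, but the port marks it as DNS
        return {"port": 853, "encrypted": True, "queried_name": None}
    if transport == "doh":    # encrypted and mixed in with other HTTPS traffic
        return {"port": 443, "encrypted": True, "queried_name": None}
    raise ValueError("unknown transport: %r" % transport)


if __name__ == "__main__":
    query = build_query("www.daveghidiu.com")
    print(doh_get_url(query))
    for transport in ("udp53", "dot", "doh"):
        print(transport, observer_view(transport, query))
```
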

Browsers with Encrypted DNS

In the fall of 2019, Mozilla announced that DoH would be part of Firefox.[15] The conversations around this announcement upset ISPs in the UK, and the United Kingdom’s Internet Service Providers Association dubbed Mozilla “2019’s Internet Villain,” claiming that encrypted DoH would undermine parental controls and cause problems for legal requirements of storing browser visits for a calendar year for subscribers. And while this is true, proponents of privacy have made it abundantly clear that private browsing should be an immutable right.[16] The tentative agreement seems to be that Mozilla will not (at least in the UK) make DoH the default configuration.[17]

Google’s Chrome browser also announced that it would be using DoH in certain circumstances. This went live in Chrome v78 (pushed out in the fall of 2019)[18]. Their implementation factors in provisions for parental controls and DNS filtering.

The pushback from ISPs was palpable, and in September of 2019, ISPs in the United States wrote a letter to Congress warning of the disastrous things that could happen if Chrome followed through with the DoH plans.[19] However, the letter was plagued with factual inaccuracies, most notably the claim that Google planned to enable DoH by default. Enabling DoH by default was never a plan,[20] and Mozilla fired back by saying:

DoH is poised to make it a lot tougher for ISPs to conduct web surveillance; to hoover up web browsing activity and, say, sell it to third parties without people’s consent; or to modify DNS queries so they can do things like inject self-promoting ads into browsers when people connect to public Wi-Fi hotspots.[21]

Independently, the EFF, Consumer Reports, and the National Consumers League drafted a rebuttal letter to Congress where they said [22]:

Unfortunately, the ISP Letter misstated some aspects of DoH, especially the deployment plans of major browsers and the relative risks and benefits of those plans.

While it is unclear what the legislative future holds for DoH, some form of DNS encryption is likely to prevail. Despite their public outcry, ISPs will still have ways to track users' traffic, such as SNI and OCSP, which are not sent over HTTPS.[23] A study from the University of Illinois suggested that approximately 96% of websites have a unique page load fingerprint (PLF), so adversaries would be able to confidently identify the page a user visits based solely on IP addresses.[24]

In February 2020, Mozilla turned on DNS over HTTPS. The service was rolled out to all users over the course of a few weeks. By default, Cloudflare is the DNS provider but users can switch to NextDNS.[25]


5.2 Staying Anonymous

Learning Objectives

After studying this section you should be able to do the following:

  1. Explain the purpose of a VPN
  2. Describe different mechanisms that websites use to track users
  3. Detail different mechanisms users can employ to mitigate online privacy issues

What is a VPN?

Virtual Private Networks (VPNs) were originally created in the nineties in order to allow an off-site user to establish a somewhat secure connection to a network. This connection would give the user access to on-site resources such as printers, servers, and the intranet. But in the early 21st century, the benefits that VPNs offered became attractive to the general public.

A VPN works by connecting the user's computer to a remote server; that remote server will replace the user's ISP. This is a double-edged sword, however, because although the user's ISP doesn’t get to see anything they are doing, aside from connecting to the VPN, the user must trust the server on the other side of the VPN.

VPNs use tunneling protocols to accomplish this. Here’s the process:

  1. Your computer connects to your router (wifi or ethernet) so you have a connection with the internet.
  2. Your ISP can see the IP address of every site you visit.
  3. You then enable your VPN, which will then handle all your traffic.
  4. As long as you are connected to your VPN, all the ISP can see is that one connection; all your activity is handled by the VPN.

By design, VPNs protect your internet connections (really any communication from your computer: browser, email, and any other traffic). Now that the web is trending towards HTTPS as a default,[26] there is a lessened fervor about using public wifi, although this is misguided.[27] As a rule, anyone using public wifi should use a VPN, even if all websites use HTTPS. There are two reasons: VPNs help prevent Man-in-the-Middle attacks and shield DNS requests that are sent over unencrypted channels, namely UDP (though DNS over HTTPS, or DoH, is gaining traction). Most VPNs will allow you to pick the server through which you want to route your traffic, so you could be in one part of the world but any site you visit would think you were in the country where your selected server is. Additionally, VPNs claim to boost connection speeds.

In April of 2018, President Trump signed into law a measure permitting ISPs to sell user data--without user consent.[28] If this is not convincing enough regarding the importance and necessity of a VPN, stop reading because you won’t be interested in the rest of this book. However, if you are interested in using a VPN, there are many options out there that can effectively meet your needs. Although many VPNs cost money, they all offer excellent services, and some, such as Cloudflare, provide free VPN services to anyone. In September of 2019, Cloudflare updated their 1.1.1.1 app, which originally only provided DNS over HTTPS, to provide these free VPN services.[29] As embarrassing as it might be, PornHub launched their own free VPN as well.[30] This move was perhaps even more surprising than their 2017 promise to deliver all content over HTTPS to protect users from the prying eyes of their ISP.[31]

As with everything in the security domain, even VPNs are not completely secure. In October of 2019, NordVPN announced it had been hacked in 2018.[32] Also in October, the National Cyber Awareness System published an alert on advanced persistent threat (APT) actors who had compromised multiple VPN applications.[33] Oh yeah, don’t forget how Facebook pulled its free Onavo VPN because it was, you know, hoovering all your data and people got mad.[34]

What is an in-browser VPN?

An in-browser VPN provides similar services compared with a VPN, but only at the browser level, which means functions such as email and other network traffic remain unencrypted. For some users, that might be perfect. Opera has had this service baked in[35] for years. It has the convenience of never having to be intentionally enabled (it’s always on). They are typically free, too (though Firefox’s Private Network, FPN, may charge in the future)[36].

One drawback to this paradigm is the inability to protect traffic from applications outside of the browser. But again, for some people, that might not be a deal-breaker. The balance between security, convenience and cost is part of the calculus that users need to consider when making decisions about information security.

What is incognito mode?

Most browsers have incognito mode, also referred to as “in-private browsing”, “private browsing”, or something similar.

Incognito mode will open a new browser window which has no knowledge of the activities in the regular browser windows. The incognito pages won’t be cached, the IP addresses won’t be included in the browsing history, cookies won’t be stored, and information that was entered into online forms won’t be saved.

Incognito mode is wonderful for many reasons. As a developer, I use it to test my webapps since incognito mode will show me what the site looks like to visitors! As a teacher, I use incognito mode to log into the Learning Management System (LMS) as a student, while my regular browser is logged into the LMS as a teacher; I get to see both sides of the experience. I test links in incognito mode before sending them in email, that way I can see if the link is shared correctly. I use incognito mode to log into an account on a public computer, or a friend’s computer. The only requirement is that I close the incognito browsing session to ensure no one can access my logged in sites.

It is important to mention that incognito browsing does not shield your IP address from sites you visit. It’s also worth noting that incognito mode does not shield anything that was bookmarked, or any files that were downloaded to the main system. It really is just a convenient and lightweight way to browse the web.

Looking through a security lens, there is little security in incognito mode. Even basic functions of incognito browsing sessions have been shown to have vulnerabilities. In 2014, at the International Conference on Information Security and Cyber Forensics, Rodrigo Ruiz published a paper entitled “Opening the ‘Private Browsing’ Data – Acquiring Evidence of Browsing Activities” that showed how incognito data was still accessible after the session ended. Since this paper was published, there have been advances in the security of incognito browsing, but it is a cautionary tale for information security minded people.

Trackers

Fingerprinting aside, sites can track you with the use of trackers, often called third-party cookies. Third-party cookies are code that gets injected into many websites and can track users as they browse from site to site. Most of the time, these trackers are not visible to users, but they are extremely potent when creating profiles about users. In 2017, during a study of website tracking which included 850,000 participants and tracked 440 million page loads, it was discovered that 64% of all websites were tracked by Google, and approximately 29% were tracked by Facebook. And of the top ten services, you probably haven’t heard of the majority of them (comScore, Yandex, Criteo, New Relic, Quantserve, and LiveInternet). It also revealed that 15% of websites send information to 10 or more companies.[37]

So what, exactly, are these trackers tracking? Well, everything. Trackers can trace a user's mouse movements, their computer settings, screen resolution, device type, and more. All this can be done without the user's knowledge or consent, and aids with fingerprinting, but tracking is more invasive. Cookies are pieces of data that help sites recognize a user. If, for example, a user enters information on a particular website, like their zip code for local weather reports, or puts items in their “shopping cart” for future purchase, cookies are what allow them to return days later and the information is still there.[38]

Third party cookies are more of a globally accessible cookie. For instance, when we see a Facebook “Like” button on a news site, Facebook knows we were at that site, regardless of whether we click the “like” button.[39] These third party cookies are the reason why you might see Wayfair ads for a week after searching for an item from there, and trying to understand the span of these trackers is no easy feat. In November of 2019, the New York Times published an OpEd by Farhad Manjoo, in which the seriousness of the problem was explained.[40] Manjoo said:

The big story is as you’d expect: that everything you do online is logged in obscene detail, that you have no privacy. And yet, even expecting this, I was bowled over by the scale and detail of the tracking; even for short stints on the web, when I logged into Invasive Firefox just to check facts and catch up on the news, the amount of information collected about my endeavors was staggering.

If you would like to understand how insidious these trackers are, install OpenWPM, Mozilla software created for privacy researchers.[41] A lighter weight solution is the TrackingObserver extension for Chrome (by the University of Washington Computer Science and Engineering).[42] It will even create a nice visual graph to show which trackers exist across sites.
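The measurement behind figures like "64% of all websites were tracked by Google" can be reproduced on a small scale. The following added example (not from the book, and not code from OpenWPM or TrackingObserver) takes a constructed log of page loads, works out which third parties each site contacted, how much of the browsing each third party could observe, and the profile one tracker could assemble. All host names are made up, and the two-label "site" rule is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample: (page the user opened, hosts that page requested resources from).
PAGE_LOADS = [
    ("www.news.example", ["static.news.example", "pixel.adnet.example", "cdn.metrics.example"]),
    ("shop.example", ["shop.example", "pixel.adnet.example", "like.social.example"]),
    ("weather.example", ["cdn.metrics.example", "pixel.adnet.example"]),
    ("blog.example", ["img.blog.example"]),
    ("www.news.example", ["like.social.example"]),
]


def registrable(host):
    """Naive 'site' of a host: its last two labels.

    Assumption for this example only; real tools consult the Public Suffix
    List, because suffixes such as co.uk break the two-label rule.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def third_parties_by_site(loads):
    """Map each first-party site to the set of third-party sites it contacted."""
    seen = {}
    for page_host, requests in loads:
        first = registrable(page_host)
        parties = seen.setdefault(first, set())  # keep sites with no third parties
        for host in requests:
            if registrable(host) != first:
                parties.add(registrable(host))
    return seen


def tracker_reach(loads):
    """Fraction of distinct visited sites on which each third party was present."""
    by_site = third_parties_by_site(loads)
    counts = defaultdict(int)
    for parties in by_site.values():
        for party in parties:
            counts[party] += 1
    return {party: n / len(by_site) for party, n in counts.items()}


def profile_seen_by(loads, tracker):
    """Distinct sites, in visit order, on which one third party observed the user."""
    visited = []
    for page_host, requests in loads:
        first = registrable(page_host)
        present = any(registrable(h) == tracker for h in requests)
        if present and first != tracker and first not in visited:
            visited.append(first)
    return visited


def sites_sharing_with(loads, minimum):
    """Sites that sent requests to at least `minimum` different third parties."""
    by_site = third_parties_by_site(loads)
    return sorted(site for site, parties in by_site.items() if len(parties) >= minimum)


if __name__ == "__main__":
    for party, share in sorted(tracker_reach(PAGE_LOADS).items()):
        print("%-16s present on %.0f%% of sites" % (party, share * 100))
    print(profile_seen_by(PAGE_LOADS, "adnet.example"))
```
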

There are a few simple ways tracking can be mitigated. One way is to select “Do not Track” in your browser settings. This will send a request to the site asking it not to track you. There are, however, no legal requirements that force sites to honor the “Do not Track” request (and their interpretation may not be aligned with your interpretation of “Do not Track”).[43]

There are services offered through sites like Google, which allow users to opt out of some tracking and ad services in their Data & Personalization settings.[44] Google even allows users to go to the Ad Personalization page in their settings and dig deep into how Google sees their information, such as preferences, interests, and demographics. With this information that is viewable to the user, Google allows the user to correct Google’s interpretation. Users can also opt out of ad personalization in the settings.[45] The Digital Advertising Alliance will also help users control the use of web viewing data for advertising.[46]

But wait! There’s more! Until 2018, the Acxiom Corporation was probably the largest data broker. The company was divided in 2018 to become LiveRamp (“Identity Resolution”) and Acxiom (database marketing). Before the split, Acxiom collected roughly 10,000 attributes (per person!) over 2.5 billion people[47]. Pursuant to pressures from GDPR and the California Consumer Privacy Act, Acxiom offers people a way to look at the data that they have on individuals and a way to opt out of the marketing data that Acxiom has[48].

If none of this scares you, then maybe this will--in 2017, Princeton published a study that exposed “exfiltration of personal data by session-replay scripts”. Sites would track and “record” user interaction (like typing and cursor movements) that “far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user”[49].

But even with countermeasures to deter trackers, websites can still get a lot of information about you. Even if you are very careful to hide your personal data with extensions (see §5.4), sites can track you based exclusively on details they can glean about the device you are on (almost to the point of uniqueness).

A comic from XKCD, a popular techy-nerdy comic strip. CC-BY-NC
https://www.xkcd.com/1303/

Fingerprinting

A browser fingerprint is a unique identifier for your device. There is a lot of data that can be derived (or inferred) about your device merely by visiting a website without your knowledge or consent. There are enough attributes that can be collected to provide a unique identifier with high confidence. The Electronic Frontier Foundation (EFF) has created a tool, Panopticlick[50], to help educate people about fingerprinting. Not only will the tool help you understand what data is accessible to sites you visit, but you’ll also get a report about your fingerprint.

In addition to Panopticlick, you can easily see what type of information is collected through your browser by using Webkay[51] or AmIUnique[52]. And if you are up for a more interactive experience that alarmingly shows you how much can be collected, check out clickclickclick.com (there are achievements that can be unlocked--can you get to 100%?)[53].

Fingerprinting is not new. In fact, the EFF released a paper in 2010[54] warning of the dangers of fingerprints. And it seems as if the General Data Protection Regulation implemented by the EU in 2018 may force companies to show fingerprint data to users[55].

The EFF also offers a Chrome extension called Privacy Badger[56], which helps limit the data that fingerprints need. There are other browser extensions that are targeted towards privacy, too. Ghostery will be explored in a lab. And CNET published a list in November of 2019 that lists some highly rated extensions to help protect privacy[57].

For more information about fingerprinting, check out the Mozilla Blog: This is Your Digital Fingerprint[58].


5.3 Browser Technologies

Learning Objectives

After studying this section you should be able to do the following:

  1. Describe technologies that web browsers use to help people stay safe
  2. Explain the pros and cons of an extension

Built In Features

As privacy concerns become part of the cultural zeitgeist, companies like Mozilla and Google will respond by increasing privacy and security options. As discussed earlier, incognito mode is baked into browsers and DoH is most likely going to become a standard feature. VPNs are getting more popular (and free!).

Password Security

Firefox and Chrome both have password managers that can offer cross-device storage and recollection. In October 2019, Mozilla announced Lockwise, a sophisticated password manager. In addition to managing passwords, it can suggest secure passwords. Mozilla also has Firefox Monitor which will alert you if your information surfaces in a data breach[59].

Chrome has feature parity with Firefox (real-time protection for password compromises is part of the late 2019 Chrome updates[60]). Chrome also has a Password Checkup[61] that will shed light onto your password hygiene:

Extensions

Chrome and Firefox both allow developers to add extensions to their browsers. These extensions can enhance productivity, increase convenience, add to entertainment, and extend browser capabilities a number of different ways. Some of the most popular extensions block advertisements. I use a number of productivity extensions that empower me to work better.

But with great power comes great responsibility.

Just as with phone apps, this is a buyer beware marketplace. Users must know enough to look for suspicious behavior--and there are many clues. Permissions, reputation, and reviews are metrics that help inform decisions.

Below, look at the permissions that are required for an extension that changes my cursor while in Chrome:

I’m not so sure that this functionality is required to change the cursor. Does the ability to change a cursor really need to see the browsing history? And if it does, I’m not so sure it is worth the risk. I’ve never heard of the developer. And I’m dubious of the efficacy of the extension, especially since there are fewer than a dozen reviews (and most of the reviews are not stellar). In my opinion, this extension is likely to do exactly what it says--change the cursor. But I suspect it is also sending browsing history back to the mothership for monetization.

Malicious Extensions

Some extensions are just plain bad.

In January of 2018, Google removed four extensions that were found to be malicious. They posed as innocuous extensions. For instance, two of the extensions performed a relatively simple task as well as secret, nefarious jobs. Stickies was sticky note software, and LiteBookmarks was a bookmark manager. Both were believed to be part of a click-fraud scam[62]. Fortunately it seems as if no personal data was collected. Since extensions can access other components of the browser, this could have been tragic. The problem is permissions--upon installation of an extension, users are prompted with permissions that the extension needs. Without making informed decisions, users put themselves at risk. Again, we see that the most prevalent vulnerabilities are human.

In September of 2019, some ad blockers (AdBlock and uBlock) that purported to be legitimate ad blockers were caught cookie stuffing (they would add extra information to a user’s cookie that would inflate affiliate sales)[63].

Compromised Extensions

Some extensions are born good, but then turn bad.

In late 2017, a Chrome extension called Steam Inventory Helper injected code into webpages that essentially allowed the owners of the extension to see your browsing history[64]! But the extension wasn’t always bad. Eyebrows were raised when an update to the extension asked for more permissions. Upon investigation, it became clear that the codebase changed, which triggered users to accept more permissions (which were not necessary) for the purported core functionality.

In mid-2017, an abandoned extension (originally called YouTube+ and, later, Particle) was sold by the original developer. The new company pushed an update that turned it into adware[65]. The problem was that a lot of people had the extension installed and trusted it. So when adware was pushed through, users may not have associated the adware with the extension.

September of 2018 saw another compromised extension. MEGA, a cloud storage company based in New Zealand, released a statement:

On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA’s Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA’s real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated[66].

All this activity is a sobering reminder that any marketplace can have bad actors (Apple’s App Store[67] and Google’s Play Store[68] included). Again, the best defense is a solid education.

The Good News

Not all extensions are bad! In fact, I list a few helpful ones (that have a proven track record--though you should still vet them to see if they meet your security criteria) below. But you can rest assured that the extension marketplace is becoming more privacy and security minded. In early 2018, Google banned any extension that was mining cryptocurrency[69]. Then, in May of 2019, Google made substantial progress in increasing the security and privacy of extensions[70].

But again, use caution when installing extensions. Just because Google has stronger controls for extensions does not mean you should install the extension. Mashable ran a piece in 2018 cautioning users of this very thing; extensions can read your email if you let them. It all comes down to being smart about understanding the permissions.

Tips for Safe Extensions

There are many extensions that are wonderful. How are we supposed to be able to tell the difference between good extensions and bad ones? Again, it comes down to your security matrix. Do you need the extension? Does it ask for unnecessary permissions? What do you sacrifice if you don’t have the extension? How does the extension affect your threat surface?

I use an extension called SimpleExtManager[71]. With the click of a button, I can turn individual extensions on or off. Very handy for limiting when extensions are active.

And yes, I know that there are some extensions visible in the screenshot above that shouldn’t pass muster for a security check. But don’t worry--I’ve authored some of them and I know the developers of the others, so I’m confident that they are not nefarious.

AdBlock is the original ad blocker. It has millions of downloads, great reviews, and a solid reputation[72].

Ghostery is a privacy protector. It will expose all the trackers that websites have (as well as block ads)[73].

And MalwareBytes[74] has entered the arena, too. In September of 2019, they released their first stable version (after one year of beta)[75].

The best way to stay protected is to be informed. Think about the permissions that extensions need. Ask yourself if they jibe with the functionality. Is the developer trustworthy?

And conduct an “Extension Audit” regularly. Keep your extensions in check. Don’t use too many (that increases your threat surface and probably slows down your computer), and don’t be afraid to remove extensions you don’t use. ZDNet wrote a nice piece entitled “Must-have security extensions for Google Chrome[76]”; it was updated in October 2019.
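One way to put the "Extension Audit" into practice, shown as an added example that is not from the book or from any browser vendor: compare the manifest.json of an installed extension before and after an update and report newly requested access, which is the warning sign described above for Steam Inventory Helper and the trojaned MEGA update. The extension and both manifests are constructed; the permission strings are real Chrome manifest values, and the descriptions are this example's paraphrases.

```python
import json

# Chrome manifest permission strings that expose browsing data, with a paraphrase
# of what each one allows (wording is this example's, not Chrome's prompt text).
SENSITIVE = {
    "history": "read your browsing history",
    "tabs": "read the URLs and titles of open tabs",
    "webNavigation": "observe every page navigation",
    "cookies": "read and change cookies",
    "webRequest": "observe network requests",
    "clipboardRead": "read the clipboard",
    "management": "manage other extensions",
}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed manifests for a hypothetical cursor-changing extension.
OLD_MANIFEST = json.loads("""{
  "name": "Example Cursor Changer", "version": "1.0", "manifest_version": 2,
  "permissions": ["storage", "activeTab"]
}""")
NEW_MANIFEST = json.loads("""{
  "name": "Example Cursor Changer", "version": "1.1", "manifest_version": 2,
  "permissions": ["storage", "activeTab", "history", "<all_urls>"]
}""")


def requested_access(manifest):
    """Return (API permissions, host patterns) requested by a parsed manifest.

    Manifest V2 mixes host patterns into "permissions"; Manifest V3 moves them
    to "host_permissions". Content-script match patterns grant page access too.
    """
    api, hosts = set(), set()
    for key in ("permissions", "host_permissions"):
        for item in manifest.get(key, []):
            if item == "<all_urls>" or "://" in item:
                hosts.add(item)
            else:
                api.add(item)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return api, hosts


def findings(manifest):
    """Map each sensitive permission or broad host pattern to the reason it matters."""
    api, hosts = requested_access(manifest)
    result = {perm: SENSITIVE[perm] for perm in api if perm in SENSITIVE}
    for pattern in hosts & BROAD_HOSTS:
        result[pattern] = "read and change data on every website you visit"
    return result


def escalation(old_manifest, new_manifest):
    """Sensitive access requested by the new version that the old one did not have."""
    before = findings(old_manifest)
    return {k: v for k, v in findings(new_manifest).items() if k not in before}


if __name__ == "__main__":
    for item, reason in sorted(escalation(OLD_MANIFEST, NEW_MANIFEST).items()):
        print("NEW in %s: %s -> %s" % (NEW_MANIFEST["version"], item, reason))
```
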

A comic from XKCD, a popular techy-nerdy comic strip. CC-BY-NC
https://www.xkcd.com/1698/

5.4 Further Investigation

For further investigation, you should check out Episode 52: Magecart of the Darknet Diaries podcast. Host Jack Rhysider talks to some people behind the curtain in the shadowy ransomware world.

https://darknetdiaries.com/episode/52/

26 November 2019 | 48:05



[1] What is Domain Name Resolution

[2] Hosts file hijacks

[3] Quad9

[4] Setting up 1.1.1.1

[5] DNSSEC – What Is It and Why Is It Important?

[6] CloudFlare - DNS over HTTPS

[7] What is DNS cache poisoning? | DNS spoofing

[8] Cache Poisoning Attack

[9] Great Firewall

[10] China's Great Firewall spreads overseas

[11] Accidental DDoS? How China's Censorship Machine Can Cause Unintended Web Blackouts

[12] House Votes To Allow Internet Service Providers To Sell, Share Your Personal Information

[13] DNS Privacy Project

[14] What is the difference between DNS over TLS & DNS over HTTPS?

[15] What’s next in making Encrypted DNS-over-HTTPS the Default

[16] ISPs call Mozilla ‘Internet Villain’ for promoting DNS privacy

[17] DoH! Mozilla assures UK minister that DNS-over-HTTPS won't be default in Firefox for Britons

[18] Google to run DNS-over-HTTPS (DoH) experiment in Chrome

[19] Final DoH Letter

[20] Why big ISPs aren’t happy about Google’s plans for encrypted DNS

[21] Mozilla says ISPs are lying to Congress about encrypted DNS

[22] EFF CR NCL Letter on DoH to Congress

[23] DNS-over-HTTPS causes more problems than it solves, experts say

[24] What can you learn from an IP address?

[25] Firefox turns controversial new encryption on by default in the US

[26] Google Is Making HTTPS the Chrome Default

[27] Do you need a VPN? Quite possibly. Here's why.

[28] Trump Signs Measure to Let ISPs Sell Your Data Without Consent

[29] WARP is here (sorry it took so long)

[30] Pornhub launches its own VPN

[31] Pornhub turns on HTTPS to hide the weird porn you watch from ISPs

[32] NordVPN confirms it was hacked

[33] Vulnerabilities Exploited in Multiple VPN Applications

[34] Facebook pulls the plug on its data snooping Onavo VPN service

[35] Free VPN in Opera browser. Surf the web with enhanced privacy.

[36] What’s the real deal with in-browser VPNs?

[37] Tracking the Trackers: Analysing the global tracking landscape with GhostRank

[38] Here's All the Data Collected From You as You Browse the Web

[39] Disable third-party cookies in Firefox to stop some types of tracking by advertisers

[40] I Visited 47 Sites. Hundreds of Trackers Followed Me.

[41] OpenWPM

[42] Tracking Observer

[43] Turn "Do Not Track" on or off

[44] Google: Data & Personalization

[45] Google: Ad Personalization

[46] AdChoices - Opt Out

[47] Here are the data brokers quietly buying and selling your personal information

[48] Acxiom: Privacy - About the Data

[49] No boundaries: Exfiltration of personal data by session-replay scripts

[50] EFF’s Panopticlick

[51] webkay.robinlinus.com/

[52] amiunique.org/

[53] clickclickclick.click/

[54] How Unique Is Your Web Browser?

[55] The GDPR and Browser Fingerprinting: How It Changes the Game for the Sneakiest Web Trackers

[56] Privacy Badger in the Chrome Web Store

[57] Chrome is not minding your privacy. Install these browser extensions to help

[58] This is Your Digital Fingerprint

[59] New password security features come to Firefox with Lockwise

[60] To stay secure online, Password Checkup has your back

[61] Google - Password Checkup

[62] Google Chrome extensions with 500,000 downloads found to be malicious

[63] Malicious Ad Blockers for Chrome Caught in Ad Fraud Scheme

[64] Steam Inventory Helper monitors your browsing activity

[65] "Particle" Chrome Extension Sold to New Dev Who Immediately Turns It Into Adware

[66] Mega.nz Blog Post

[67] Delete these 17 malware-infested iPhone apps immediately

[68] New Google Android Malware Warning Issued To 8 Million Play Store Users

[69] Google Bans All Cryptomining Extensions From the Chrome Store

[70] Google Is Finally Making Chrome Extensions More Secure

[71] SimpleExtManager in the Chrome Web Store

[72] AdBlock in the Chrome Web Store

[73] Ghostery in the Chrome Web Store

[74] MalwareBytes Browser Guard in the Chrome Web Store

[75] Malwarebytes Browser Guard for Firefox and Chrome leaves Beta

[76] Must-have security extensions for Google Chrome
