DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers

Retort follows nomination for internet villain for helping people bypass UK web filters


Mozilla says it is baffled by the UK Internet Services Providers’ Association's decision to nominate the browser maker as the internet's 2019 villain of the year.

The UK ISPA earlier this week proposed Mozilla, self-styled defender of internet freedom, as a black hat for its "proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

The filtering obligation comes from the UK's Digital Economy Act 2017, which includes a requirement that websites serving adult content in the UK verify the ages of website visitors. The previously delayed policy was to have taken effect on July 15 but was delayed again last month in a bureaucratic snafu. The rules are currently expected to take effect in maybe six months, maybe.

DNS-over-HTTPS (DoH) is a specification designed to close one of several remaining privacy holes that expose web users to scrutiny. It protects online queries submitted through the domain name system so an intermediary on the network cannot intercept them and determine which sites requesters intend to visit.

With DoH, ISPs that do not themselves operate the resolver cannot see the DNS queries passing through their networks, but DNS providers such as Cloudflare or Google, among others, still receive the queries unencrypted once the HTTPS layer is removed – and thus could still filter certain sites.
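To make the two viewpoints above concrete, here is an added example (not from the article, Mozilla or any resolver operator) that builds a plain DNS query for the constructed name example.com, shows what an on-path observer can read from it when it travels as unencrypted UDP/TCP DNS, and then encodes the same message as the RFC 8484 DoH GET parameter that would be carried inside TLS. The TLS exchange itself is not performed; the point is that the resolver operator decodes the parameter and sees exactly the same query.

```python
import base64
import struct


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal RFC 1035 query: one question, recursion desired.
    RFC 8484 recommends ID 0 so identical queries yield identical URLs
    (better HTTP cache behaviour); qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                       # empty root label ends the name
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN


def qname_from_wire(msg: bytes) -> str:
    """What an on-path observer reads from a plaintext (Do53) query:
    walk the length-prefixed labels after the 12-byte header."""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_param(msg: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire message, '=' padding removed."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_decode(param: str) -> bytes:
    """Resolver side: restore padding and recover the original DNS message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_dns_query("example.com")     # constructed sample query
    print("on-path view of plain DNS :", qname_from_wire(q))
    param = doh_get_param(q)
    print("inside TLS, the DoH request is GET /dns-query?dns=" + param)
    print("resolver operator's view  :", qname_from_wire(doh_decode(param)))
```

Only the resolver operator (the second print) can apply a filter list to the name; anyone between the client and that resolver sees TLS traffic to a single HTTPS endpoint.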

Cloudflare, Google and Mozilla, among others, have all been testing the technology, which is supported in Firefox 60 and later. But some organizations worry improved privacy will protect lawbreakers. Last month, the Internet Watch Foundation (IWF), a UK-based advocacy group fighting child sexual abuse images online, expressed concern the technology would hobble its filtering list.

The UK ISPA's objection is similar: The privacy afforded by DoH will make it easier for people to flout the law by avoiding filtering.

That's by design: As Google notes on its DoH developer page, "Traditional DNS queries and replies are sent over UDP or TCP without encryption, making them subject to surveillance, spoofing, and DNS-based Internet filtering."

Mozilla finds the ISPA's dig perplexing.

"We're surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure," a Mozilla spokesperson said in a statement provided to The Register via email. "Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK. DNS-over-HTTPS would offer real security benefits to UK citizens."

Mozilla insists that its goal is to build a more secure internet and that it continues to have a constructive conversation about security with "credible stakeholders in the UK." The company didn't say whether it considers the ISPA to be a credible stakeholder.

The browser maker isn't planning to enable DoH by default in the UK. "However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly," the company's spokesperson said.

The ISP group's other contenders for the title of "internet villain" include the Article 13 Copyright Directive, for threatening free speech online, and US President Donald Trump, for causing confusion on the global telecom supply chain through his blacklisting of Huawei and others.

The service provider association intends to pick a winner – a designation of no real consequence – at the ISPA Awards Ceremony on 11th July in London. ®
