DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers
Retort follows nomination for internet villain for helping people bypass UK web filters
Mozilla says it is baffled by the UK Internet Services Providers’ Association's decision to nominate the browser maker as the internet's 2019 villain of the year.
The UK ISPA earlier this week proposed Mozilla, self-styled defender of internet freedom, as a black hat for its "proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."
The filtering obligation comes from the UK's Digital Economy Act 2017, which includes a requirement that websites serving adult content in the UK verify the ages of website visitors. The previously delayed policy was to have taken effect on July 15 but was delayed again last month in a bureaucratic snafu. The rules are currently expected to take effect in maybe six months, maybe.
DNS-over-HTTPS (DoH) is a specification (RFC 8484) designed to close one of several remaining privacy holes that expose web users to scrutiny. It carries DNS queries and answers inside an ordinary encrypted HTTPS connection to a DoH resolver, so an intermediary on the network cannot read them and determine which sites the requester intends to visit.
That changes who can see, and therefore filter, a user's lookups. With DoH, an ISP that is not the user's chosen DoH resolver can no longer read the queries crossing its network, so it cannot apply a filter to them. The DoH provider, Cloudflare or Google among others, still sees every query in the clear once it has been decrypted at the resolver, and so could filter certain sites at that point.
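To make the mechanics concrete, here is an added, self-contained example (written for this page, not code from Mozilla, Cloudflare or Google) that builds a DNS query, wraps it in the RFC 8484 GET form that travels inside TLS, and then plays the resolver's side in-process: a toy filtering resolver that reads the plaintext question and returns NXDOMAIN for names on a blocklist. The resolver URL `doh.example`, the two-entry address table, the blocklist and the 192.0.2.x addresses are all constructed for illustration.

```python
"""Added example: a minimal RFC 8484 DoH exchange, client and resolver, run offline.
Hypothetical toy code, not Mozilla's, Cloudflare's or Google's implementation.
The resolver URL, address table, blocklist and IPs below are constructed sample data."""
import base64
import struct

# RFC 8484 section 4.1: the DNS message travels in the body (POST) or, for GET,
# base64url-encoded without padding in the "dns" query parameter.
DOH_URL = "https://doh.example/dns-query"  # assumption, not a real resolver
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query for `name`. RFC 8484 recommends ID 0 so identical queries
    produce identical HTTP requests, which lets HTTP caches work."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """GET form of the request. On the wire this whole URL is inside TLS, so an
    on-path ISP sees only a connection to the resolver, not the name asked for."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def decode_doh_param(param: str) -> bytes:
    """Resolver side: restore the stripped padding and recover the DNS message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_name(msg: bytes, off: int):
    """Read a (possibly compressed) name; returns (dotted name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def resolver_answer(query: bytes, table: dict, blocklist: set) -> bytes:
    """Toy filtering resolver. It holds the decrypted message, so it sees the
    plaintext question and can answer it or, for blocked names, return NXDOMAIN."""
    name, off = parse_name(query, 12)
    qtype, _ = struct.unpack(">HH", query[off:off + 4])
    if qtype != 1:
        raise ValueError("toy resolver handles A queries only")
    question = query[12:off + 4]
    blocked = name in blocklist or name not in table
    rcode = RCODE_NXDOMAIN if blocked else RCODE_NOERROR
    # flags 0x8180 = QR (response), RD, RA; low nibble carries the RCODE
    header = struct.pack(">HHHHHH", 0, 0x8180 | rcode, 1, 0 if blocked else 1, 0, 0)
    if blocked:
        return header + question
    ip = bytes(int(o) for o in table[name].split("."))
    # 0xC00C is a pointer to the name at offset 12, i.e. the question's QNAME
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ip
    return header + question + answer


def parse_answer(msg: bytes):
    """Client side: returns (rcode, [(name, ttl, ipv4), ...])."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0x000F, records


# Constructed sample data: a two-entry zone and a one-entry filter list.
TABLE = {"example.com": "192.0.2.10", "blocked.example": "192.0.2.20"}
BLOCKLIST = {"blocked.example"}


def lookup(name: str):
    """Full round trip in-process: encode, 'send', resolve (with filtering), decode."""
    url = doh_get_url(build_query(name))
    param = url.split("dns=", 1)[1]
    response = resolver_answer(decode_doh_param(param), TABLE, BLOCKLIST)
    return parse_answer(response)


if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(lookup("example.com"))      # (0, [('example.com', 300, '192.0.2.10')])
    print(lookup("blocked.example"))  # (3, [])
```

The two `lookup` calls show the point of the paragraph above: the on-path network sees only an HTTPS request to `doh.example`, while the resolver sees `blocked.example` in the clear and can decide to answer NXDOMAIN. A real filtering resolver might instead return a sinkhole address or REFUSED (RCODE 5); the choice of RCODE 3 here is a toy simplification.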
Cloudflare, Google and Mozilla, among others, have all been testing the technology, which is supported in Firefox 60 and later. But some organizations worry improved privacy will protect lawbreakers. Last month, the Internet Watch Foundation (IWF), a UK-based advocacy group fighting child sexual abuse images online, expressed concern the technology would hobble its filtering list.
The UK ISPA's objection is similar: The privacy afforded by DoH will make it easier for people to flout the law by avoiding filtering.
That's by design: As Google notes on its DoH developer page, "Traditional DNS queries and replies are sent over UDP or TCP without encryption, making them subject to surveillance, spoofing, and DNS-based Internet filtering."
Mozilla finds the ISPA's dig perplexing.
"We’re surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades old internet infrastructure," a Mozilla spokesperson said in a statement provided to The Register via email. "Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK. DNS-over-HTTPS would offer real security benefits to UK citizens."
Mozilla insists that its goal is to build a more secure internet and that it continues to have a constructive conversation about security with "credible stakeholders in the UK." The company didn't say whether it considers the ISPA to be a credible stakeholder.
The browser maker isn't planning to enable DoH by default in the UK. "However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly," the company's spokesperson said.
The ISP group's other contenders for the title of "internet villain" include the Article 13 Copyright Directive, for threatening free speech online, and US President Donald Trump, for causing confusion on the global telecom supply chain through his blacklisting of Huawei and others.
The service provider association intends to pick a winner – a designation of no real consequence – at the ISPA Awards Ceremony on 11th July in London. ®