Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

To protect query privacy, browser maker will run everything through Cloudflare


On Friday, Mozilla said it plans to implement the DNS-over-HTTPS (DoH) protocol by default in its Firefox browser, with a slow rollout starting in late September.

Under development since 2017, DoH transfers domain-name queries – which try to match domain names with server IP addresses – over a secure, encrypted HTTPS connection to a DNS server, rather than via an unprotected, unencrypted bog-standard DNS connection.

This extra layer of security ideally prevents third parties, such as network service providers, from easily seeing the websites internet users visit, and prevents miscreants from tampering with domain-name look-ups. Though DoH provides more privacy than the status quo, it is controversial, among other reasons, in settings where a lack of privacy is assumed or required, such as monitored environments that insist on content filtering.

Back in July, the UK Internet Services Providers’ Association nominated Mozilla for its "internet villain of the year" award because DoH breaks DNS-based content filters put in place to deny access to explicit, obscene or otherwise objectionable websites. A few days later, the trade group reversed itself after online blowback.

The UK ISPA didn't immediately respond to a request for comment. The UK's Digital Economy Act 2017 has an explicit content filtering requirement for websites but that's been delayed until later this year. It's been claimed that DoH will make it easier for people to avoid network-based content filtering; Mozilla maintains that DoH improves overall internet security.

Selena Deckelmann, senior director of engineering for Mozilla, said in a blog post that more than 70,000 Firefox users have already enabled DoH in Firefox and that the browser maker is getting ready to release DoH for general usage.

Firefox's DoH service will be provided through Cloudflare's 1.1.1.1 DNS service, although the list of supported service providers may grow over time. The system will deny third parties access to DNS queries, but in so doing it will give that data to Cloudflare, a decision some people dislike because it amplifies the power of large service providers.


Cloudflare, for its part, has made a privacy commitment (separate from its regular privacy policy) to only use Firefox DNS resolution data "solely to improve the performance of Cloudflare Resolver for Firefox and to assist us in debugging efforts if an issue arises."

DoH won't be everywhere immediately, however. The secure query system will be made the default for "a small percentage of users" in the US later this month and will become more widespread over time if all goes well. And when it's activated, Firefox users (if they haven't already set the preference manually) will be notified of the change and asked if they want to opt out.

For users who accept DoH as the default, network service providers and network admins will be allowed to signal that certain capabilities like content filtering would be adversely affected by DoH.

When Firefox receives such signals, it will disable DoH for the rest of the network session, unless the user has manually set the "DoH always" preference.

According to Deckelmann, Mozilla's plan is to respect the choices of users who have opted in to parental controls and of enterprise administrators, and to fall back to operating system DNS defaults when unusual network configurations cause lookup failures.

Mozilla, she said, intends to work with organizations that offer network-based parental controls to add a "canary domain" to their blocklists. "If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically," said Deckelmann. ®
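The fallback rules described above can be modelled as a small decision function, which is handy for network admins who want to check that their filtering resolver sends the signal they intend. This is an added sketch, not Mozilla's code: the canary name is a placeholder (the article does not give it), the preference names are hypothetical, and it assumes "blocked" means the network resolver returns no address for the canary.

```python
import socket

# Placeholder: the article does not name Mozilla's canary domain.
CANARY_DOMAIN = "canary.example"


def system_lookup(name):
    """Resolve a name through the operating system's resolver.

    Returns a sorted list of addresses, or [] when resolution fails.
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def canary_blocked(lookup=system_lookup, canary=CANARY_DOMAIN):
    """Assumption: a filtering network answers the canary with no address."""
    return not lookup(canary)


def choose_resolver(user_pref, lookup=system_lookup, doh_lookup_failed=False):
    """Return (resolver, reason) for one network session.

    user_pref is one of the hypothetical values "default", "doh_always"
    or "opted_out". resolver is "doh" or "system".
    """
    if user_pref == "opted_out":
        return ("system", "user opted out of DoH")
    if user_pref == "doh_always":
        # Per the article, a manual "DoH always" setting overrides
        # network signals. Assumption: it also skips the failure fallback.
        return ("doh", "user forced DoH")
    if user_pref != "default":
        raise ValueError("unknown preference: %r" % (user_pref,))
    if canary_blocked(lookup):
        return ("system", "canary domain blocked: network filtering in effect")
    if doh_lookup_failed:
        return ("system", "DoH lookup failed: falling back to OS DNS")
    return ("doh", "no opt-out signal from the network")


if __name__ == "__main__":
    # Runs against the live resolver; the placeholder canary will not resolve.
    print(choose_resolver("default"))
```

Passing a stub `lookup` makes the policy testable offline; on a real network, replace the placeholder with the canary domain Mozilla publishes and confirm the filtering resolver returns no address for it.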



Biting the hand that feeds IT © 1998–2022