Firebox builder Mozilla has confirmed to UK Culture Secretary Nicky Morgan that Britons won't be getting DNS-over-HTTPS (DoH) by default once the feature is included in the next run of browser updates.
In a letter to the Secretary of State for Digital, Culture, Media and Sport, Mozilla's global policy veep Alan Davidson said his Silicon Valley org "has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders."
The letter, which was conveniently shown to The Guardian today, also confirmed that DoH would be the default for folks in the US.
This repeats and cements Mozilla's position expressed earlier this year, when a spokesman said "we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly."
As we previously reported, DoH is all about shifting domain-name queries – which try to match domain names with server IP addresses – over a secure, encrypted HTTPS connection to a DNS server, rather than via an unprotected, unencrypted bog-standard DNS connection. That should protect DNS lookups from tampering or snooping by your ISP, though whoever is providing the DNS server can obviously see your queries.
Mozilla's DoH-by-default plans stirred up the ire of the British establishment because it was thought that widespread adoption would largely break ISPs' government-mandated content blocking systems.
Nonetheless, DoH is billed as helping stop third parties (ISPs, government agencies, police forces, any of the random handful of British state organs allowed by law to help themselves to your browsing history, etc) from viewing what you’re viewing – or, in the case of criminals looking to defraud you, hijacking your DNS requests.
Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the monthREAD MORE
An unholy alliance between a UK ISPs' lobbying association, social conservatives across Parliament and the civil service, the Internet Watch Foundation and selected small-c conservative national newspapers combined to screech blue murder earlier this year at Mozilla.
The browser-maker played the game and merely pronounced itself "surprised and disappointed" at ISPA's antics. Nonetheless, the company has since backed down from what it says is a privacy and security-enhancing tech rollout.
Google, of course, is also about to roll an imminent deployment of DoH into its Chrome browser, although for its part, Google has promised it won't override your choice of DNS provider.
We have asked Mozilla if it wishes to comment and will update this article if it responds.
Not enabling DoH by default seems like a compromise option intended to soothe state-backed data sniffers and social conservatives alike. Exploiting the well-known tendency of end users not to do or enable anything to help themselves, Mozilla presumably hopes that'll be enough to put Britain's creeps back in their boxes.
Instructions on enabling or disabling DoH in Firefox can be found here.
While the public messaging on DoH is mostly focused on security, child abuse content or terrorists, it's wise to take a wider view. As we reported a few days ago, Paul Vixie of Farsight Security opined (at the end of this article) that the ultimate victor if the Google and Mozilla position prevails may be the tech companies resolving encrypted DNS queries, who will then have a much broader sight of what people are browsing than anyone else. Or so they hope. ®