Mozilla an Internet Villain for supporting DNS over HTTPS


An odd story popped up on my social media feed over the weekend.
The Internet Services Providers’ Association has nominated Mozilla to be an ‘internet villain.’ This seemed rather odd given that the Firefox web browser is the only mainstream browser currently being developed independently of any company*. Looking closer at their reasoning, ISPA writes:

Mozilla – for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK

There’s a whole other post planned around the new web filtering that is being introduced in the UK (which is already filtered more than many might expect). It’s been sitting in planned posts for a while; the summary, however, is that a much-delayed web filter for adult content is being introduced, blocking non-compliant sites to catch those that are outside the UK. The UK ISPs also have to filter out websites that have been officially blocked, either by court order (mostly sites enabling copyright infringement) or because they have been reported to them for illegal content, from places such as The Internet Watch Foundation.

Leaving aside the various rights and wrongs of this, the basics of it are that if you can block ‘bad stuff’ you can also block anything else, as happens in places like China with the Great Firewall. When writing software to help people in oppressed countries bypass filters, this is where DNS over HTTPS comes in. This is a new protocol that was tested earlier this year in Firefox, and which Mozilla and Google are bringing to their browsers.

A DNS query is how a web browser and other internet applications translate web addresses into the location of the server (remote computer) where the website is located. At present, these use a very antiquated system from the 1980s. Of great concern is that all data for these lookups is sent unencrypted, which means anyone able to observe the traffic could listen in to these queries and note which websites you were visiting. A new protocol, DNS over HTTPS, solves this by encrypting these queries and securing them from interference. This stops hackers from changing the results and redirecting you to a bad site, and it also defeats web filters that work by blocking DNS queries, including the proposed (and currently operational) filters UK ISPs use.

ZDNet reported the story:

In the UK, ISPs are legally forced to block certain types of websites, such as those hosting copyright-infringing or trademarked content. Some ISPs also block other sites at their discretion, such as those that show extremist content, adult images, and child pornography. These latter blocks are voluntary and are not the same across the UK, but most ISPs usually tend to block child abuse content.

By planning to support DNS-over-HTTPS, Mozilla is throwing a monkey wrench in many ISPs’ ability to sniff on customers’ traffic and filter traffic for government-mandated “bad sites.”

Concerning the dilemma browser makers face in supporting the new technology, they also referred to the issue with Tor, which, through a different method, also gets around these filters, supporting people in countries where they have to deal with government-sanctioned filters to reach western sites such as Twitter, Facebook and, in some cases, Wikipedia. Tor also hides who they are by re-routing their internet traffic.

Basically, Google and Mozilla’s support for DoH effectively narrows down to the same moral dilemma that surrounds the Tor Project and the Tor network.

Browser makers must now decide if it’s worth supporting a tool that brings privacy improvements to millions, at the expense of a few that may have to suffer.

A lot of this also crosses paths with what I wrote about building an independent internet. Written at the time the Egyptian government was shutting down internet access, Thoughts of a Pirate Internet asks what it would take to build an independent infrastructure, how it might be done and why it might be important.

Mozilla’s response, as reported by ZDNet:

“DNS-over-HTTPS (DoH) would offer real security benefits to UK citizens. Our goal is to build a more secure internet, and we continue to have a serious, constructive conversation with credible stakeholders in the UK about how to do that,” the organization said.

“We have no current plans to enable DoH by default in the UK. However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly.”

Whilst I do have some feelings about where the ISPs are coming from, I do wonder why they themselves are not backing increasing internet security for everyone first. As the internet matures, it’s no longer the happy-go-lucky place it was, and how we flag undesirable content (and how that is decided needs to be more transparent) and apply parental controls are important. Doing this at the expense of improving internet security for everyone, when we are more dependent on it than ever, could be very dangerous. I hope Mozilla continue this implementation.

Update: ISPA withdraws the nomination.

* Mozilla does receive substantial income from Google for being the default search provider, which is a source of controversy over its independence.

Featured image by janjf93
