DoH! Secure DNS doesn't make us a villain, Mozilla tells UK broadband providers

Retort follows nomination for internet villain for helping people bypass UK web filters

Mozilla says it is baffled by the UK Internet Services Providers’ Association's decision to nominate the browser maker as the internet's 2019 villain of the year.

The UK ISPA earlier this week proposed Mozilla, self-styled defender of internet freedom, as a black hat for its "proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

The filtering obligation comes from the UK's Digital Economy Act 2017, which includes a requirement that websites serving adult content in the UK verify the ages of website visitors. The previously delayed policy was to have taken effect on July 15 but was delayed again last month in a bureaucratic snafu. The rules are currently expected to take effect in maybe six months, maybe.

DNS-over-HTTPS (DoH) is a specification designed to close one of several remaining privacy holes that expose web users to scrutiny. It protects online queries submitted through the domain name system so an intermediary on the network cannot intercept them and determine which sites requesters intend to visit.

With DoH, ISPs that do not provide the DNS service cannot see the DNS queries passing through their networks, but DNS providers such as Cloudflare or Google still have access to the unencrypted queries – and thus could filter certain sites.

Cloudflare, Google and Mozilla, among others, have all been testing the technology, which is supported in Firefox 60 and later. But some organizations worry improved privacy will protect lawbreakers. Last month, the Internet Watch Foundation (IWF), a UK-based advocacy group fighting child sexual abuse images online, expressed concern the technology would hobble its filtering list.

The UK ISPA's objection is similar: The privacy afforded by DoH will make it easier for people to flout the law by avoiding filtering.

That's by design: As Google notes on its DoH developer page, "Traditional DNS queries and replies are sent over UDP or TCP without encryption, making them subject to surveillance, spoofing, and DNS-based Internet filtering."

Mozilla finds the ISPA's dig perplexing.

"We’re surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades old internet infrastructure," a Mozilla spokesperson said in a statement provided to The Register via email. "Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK. DNS-over-HTTPS would offer real security benefits to UK citizens."

Mozilla insists that its goal is to build a more secure internet and that it continues to have a constructive conversation about security with "credible stakeholders in the UK." The company didn't say whether it considers the ISPA to be a credible stakeholder.

The browser maker isn't planning to enable DoH by default in the UK. "However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly," the company's spokesperson said.

The ISP group's other contenders for the title of "internet villain" include the Article 13 Copyright Directive, for threatening free speech online, and US President Donald Trump, for causing confusion on the global telecom supply chain through his blacklisting of Huawei and others.

The service provider association intends to pick a winner – a designation of no real consequence – at the ISPA Awards Ceremony on 11th July in London. ®
