Mozilla Nominated for 'Internet Villain' by Angry ISPsShaming of Mozilla Over Secure DNS Raises Security Community Eyebrows
A British internet service provider trade group has cheekily nominated Mozilla for an "internet villain of the year" award over its decision to advance domain name system technology designed to facilitate more secure and private web browsing.
The U.K.'s Internet Services Providers' Association, whose members include large companies such as BT, AT&T and Verizon, issued a statement nominating Mozilla "for [its] proposed approach to introduce DNS-over-HTTPS in such a way as to bypass U.K. filtering obligations and parental controls, undermining internet safety standards in the U.K."
In a statement, Mozilla says “we’re surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades old internet infrastructure.”
“Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK,” Mozilla says. “DNS-over-HTTPS (DoH) would offer real security benefits to U.K. citizens. Our goal is to build a more secure internet, and we continue to have a serious, constructive conversation with credible stakeholders in the UK about how to do that.”
Functioning like a phone directory for websites, DNS allows a domain name, such as example.com, to be resolved into an IP address that can be reached by a browser. Today, most of those requests are done in clear text. Such text can reveal a plethora of web browsing data, as well as the domains of email contacts and chat services.
As the DNS Privacy Project writes: "The DNS is one of the most significant leaks of data about an individuals activity on the Internet."
DNS-over-HTTPS, which is abbreviated as DoH, is an IETF specification that allows for such requests to be encrypted. That prevents the requests from being readable by third parties or ISPs. It also works as an anti-censorship deterrent.
Security experts have widely endorsed DoH. Mozilla, as well as Google, have been working on plans to allow their browsers send DoH requests. Google notably already supports two DoH APIs as part of its Google Public DNS.
Many security experts have expressed surprise and dismay at the tone of the ISPA's "internet villain" suggestion.
@mozilla is nominated for the #ISPAs #InternetVillain for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining #internet safety standards in the UK. https://t.co/d9NaiaJYnk pic.twitter.com/WeZhLq2uvi— Internet Services Providers Association (ISPAUK) (@ISPAUK) July 4, 2019
In response, Scott Helme, a U.K.-based security expert, tweets:
Even the wording of the nomination is shocking. How do you introduce DoH "in such a way" as to do anything?! You deploy DoH in such a way as to be spec compliant. The insinuation in that statement is a disgrace. pic.twitter.com/yf5Qjkzn5u— Scott Helme (@Scott_Helme) July 5, 2019
DNS: Data-Rich Choke Point
Most DNS requests are handled by network providers for consumers, and privacy concerns persist over how that data gets handled. In the U.S., for example, Congress decline to impose rules that forbid network providers from potentially sell browsing histories, The Washington Post reported in April 2017.
But bulk collection of DNS requests is also very useful for security analysts, as it helps with investigating malware and hacking groups. Encrypting DNS traffic also means firewalls can't do traffic analysis on those requests, thus taking away a tool used by security pros to monitor and filter network traffic.
There are already worries that individuals using DoH might bring greater security risks to an organization. For example, Cisco published guidance in December 2018 for its Umbrella gateway for how to try to stop DoH connections.
DNS is also a choke point that can be used by ISPs to block access to certain websites, raising censorship concerns. In the U.K., network providers must comply with laws that require the filtering of certain types of content, ranging from copyright-infringing sites to child pornography to obscene content. But implementing DoH cuts off a channel ISPs use to gain visibility into such content.
As far as the U.K. and its internet-filtering scheme, Mozilla says “we have no current plans to enable DoH by default in the U.K. However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly.”
DoH Via Mozilla and Cloudflare
Mozilla began testing DoH last year to see how it would perform with content delivery networks such as Akamai and Cloudflare, writes Selena Deckelmann, Mozilla's senior director of engineering, in an April blog post. Mozilla has continued to test using Cloudflare as its DNS resolver.
For Mozilla product users, that means their DNS requests travel via HTTPS to Cloudflare. As part of its agreement with Mozilla, Cloudflare says it collects a small amount of technical information but discards it after 24 hours.
Cloudflare says it will not transfer that DNS data - or any other personal information, IP addresses or other identifiers that come from a Firefox browser using DoH - to third parties.
If Cloudflare were to receive a government request to block access to domains, it says it "would, in consultation with Mozilla, exhaust our legal remedies before complying with such a request."
Cloudflare adds: "We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so."
The U.K.'s ISPA will hold its annual awards ceremony in London on July 11. One of the other two nominees for internet villain is U.S. President Donald Trump "for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security" (see Huawei Ban: White House Budget Chief Seeks Delay).
The third nominee is the Article 13 Copyright Directive, which is an EU regulation that holds service providers to stringent requirements when handling copyright-protected content. ISPA U.K. alleges that Article 13 threatens "freedom of expression online by requiring 'content recognition technologies' across platforms."