https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/
> UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS'
>
> UK government and local ISPs are putting the pressure on browsers to drop
> plans to support DoH protocol.
>
> By Catalin Cimpanu for Zero Day | July 4, 2019 -- 22:55 GMT (08:55 AEST) |
> Topic: Security
>
> The trade association for internet service providers in the UK has nominated
> Mozilla for this year's award of "Internet Villain" because of the browser
> maker's plans to support the DNS-over-HTTPS (DoH) protocol in its Firefox
> browser.
>
> In a statement published this week, the Internet Services Providers
> Association (ISPAUK) claimed that Mozilla plans to support DNS-over-HTTPS "in
> such a way as to bypass UK filtering obligations and parental controls,
> undermining internet safety standards in the UK."
>
> The trade association's comments come after two months of constant criticism
> aimed at both Mozilla and Google, from both the UK government and various
> advocacy groups, and all are centered around the new DoH protocol.
>
> What is DoH and why do ISPs hate it?
>
> The DNS-over-HTTPS protocol (IETF RFC8484) works by sending DNS requests via
> an encrypted HTTPS connection, rather than using a classic plaintext UDP
> request, as classic DNS works.
>
> The other difference is that besides being encrypted, the DoH protocol also
> works at the app level, rather than the OS level.
>
> All DNS-over-HTTPS connections take place between an app (like a browser or
> mobile app) and a secure DoH-compatible DNS server (resolver).
>
> All DoH traffic is basically just HTTPS. DoH domain name queries are
> encrypted and then hidden in regular web traffic sent to the DoH DNS
> resolver, which then replies with a domain name's IP address, also in
> encrypted HTTPS.
>
> As a side-effect of this design, this also means that each app controls the
> privacy of its DNS queries, and can hardwire a list of DNS-over-HTTPS servers
> (resolvers) in its settings, and not depend on the operating system's default
> (and most likely DoH-not-compatible) DNS servers.
>
> This protocol design means that a user's DNS requests are invisible to
> third-party observers, such as ISPs; and all DoH DNS queries and responses
> hidden inside a cloud of encrypted connections, indistinguishable from the
> other HTTPS traffic.
>
> In theory, the protocol is a dream from privacy advocates, but a nightmare
> for ISPs and makers of network security appliances.
>
> UK fears DoH will cripple its national web blocking scheme
>
> In the UK, ISPs are legally forced to block certain types of websites, such
> as those hosting copyright-infringing or trademarked content. Some ISPs also
> block other sites at their discretion, such as those that show extremist
> content, adult images, and child pornography. These latter blocks are
> voluntary and are not the same across the UK, but most ISPs usually tend to
> block child abuse content.
>
> By planning to support DNS-over-HTTPS, Mozilla is throwing a monkey wrench in
> many ISPs' ability to sniff on customers' traffic and filter traffic for
> government-mandated "bad sites."
>
> While some UK-based ISPs, such as British Telecom, have shown public support
> for the DoH protocol, the vast majority have not.
>
> The jab from the ISPAUK trade association follows a two-month period during
> which both Google and Mozilla have been criticized in the UK for their plans
> to support DNS-over-HTTPS in their respective browsers, Chrome and Firefox.
>
> In mid-May, Baroness Thornton, MP for the Labour Party, brought up the DoH
> protocol and its impending support from browser makers in a session of the
> House of Commons, calling it a threat to the UK's online safety.
>
> Similarly, the GCHQ, Britain's intelligence service, has also criticized both
> Google and Mozilla, claiming the new protocol would impede police
> investigations and that it could undermine its existing government
> protections against malicious websites.
>
> The Internet Watch Foundation (IWF), a British watchdog group with a declared
> mission to minimize the availability of online child sexual abuse content,
> also criticized both Google and Mozilla, claiming the browser makers were
> ruining years of work in protecting the British public from abusive content
> by providing a new method for accessing illegal content.
>
> The Tor conundrum
>
> Basically, Google and Mozilla's support for DoH effectively narrows down to
> the same moral dilemma that surrounds the Tor Project and the Tor network.
>
> Browser makers must now decide if it's worth supporting a tool that brings
> privacy improvements to millions, at the expense of a few that may have to
> suffer.
>
> Currently, DoH is not supported in the stable versions of Chrome and Firefox.
> Google is still testing DoH support in Chrome, while Mozilla has completed a
> successful DoH test in Firefox, and officially said it plans to support the
> feature in the stable branch, but did not give out a timeline.
>
> Mozilla is nominated for ISPAUK's "Internet Villain" prize together with US
> President Donald Trump (for causing a huge amount of uncertainty across the
> complex, global telecommunications supply chain in the course of trying to
> protect national security) and the EU's Article 13 Copyright Directive (for
> threatening freedom of expression online by requiring 'content recognition
> technologies' across platforms).
>
> Asked for comment on its nomination, Mozilla sent back the following reply.
>
> "We're surprised and disappointed that an industry association for ISPs
> decided to misrepresent an improvement to decades old internet
> infrastructure," a Mozilla spokesperson told ZDNet.
> "Despite claims to the contrary, a more private DNS would not prevent the use
> of content filtering or parental controls in the UK.
>
> "DNS-over-HTTPS (DoH) would offer real security benefits to UK citizens. Our
> goal is to build a more secure internet, and we continue to have a serious,
> constructive conversation with credible stakeholders in the UK about how to
> do that," the organization said.
>
> "We have no current plans to enable DoH by default in the UK. However, we are
> currently exploring potential DoH partners in Europe to bring this important
> security feature to other Europeans more broadly."
>
> On the other hand, for "Internet Hero," ISPAUK has nominated Sir Tim
> Berners-Lee (for spearheading the 'Contract for the Web' campaign to rebuild
> trust and protect the open and free nature of the Internet in the 30th
> anniversary of the World Wide Web), Andrew Ferguson OBE, Editor,
> Thinkbroadband (for providing independent analysis and valuable data on the
> UK broadband market since the year 2000), and Oscar Tapp-Scotting & Paul
> Blaker, Global Internet Governance Team, DCMS (for leading the UK
> Government's efforts to ensure a balanced and proportionate agenda at the
> International Telecommunications Union Conference).
>
> Article updated on July 5 at 3pm ET with Mozilla statement.

--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:k...@holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request