UK ISPs Vilify Mozilla For Trying To Secure The Internet

from the ill-communication dept

Over the years, UK ISPs have been forced by the government to censor an increasing array of “controversial” content, including copyrighted material and “terrorist content.” In fits and spurts, the UK has also increasingly tried to censor pornography, despite that being a decidedly impossible affair. Like most global censorship efforts, these information blockades often rely on Domain Name Server (DNS) level blacklists by UK ISPs.

Historically, like much of the internet, DNS hasn’t been all that secure. That’s why Mozilla recently announced it would begin testing something called “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it difficult to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in the government, ISP, or other organizational efforts to use DNS records to block and filter content or track user activity.

Apparently thinking they were helping(?), the UK Internet Services Providers’ Association (ISPA), the policy and trade group for UK ISPs, last week thought they’d try and shame Mozilla for… trying to secure the internet. The organization “nominated” Mozilla for the organization’s meaningless “internet villain” awards for, at least according to ISPA, “undermining internet safety standards in the UK”:

Of course Mozilla is doing nothing of the sort. DNS over HTTPS (which again Mozilla hasn’t even enabled yet) not only creates a more secure internet that’s harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn’t coalesce with the UK’s routinely idiotic and clumsy efforts to censor the internet, that doesn’t somehow magically make it a bad idea.

Of course, many were quick to note that ISPA’s silly little PR stunt had the opposite effect than intended. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn’t heard of it previously:

The silly PR stunt also reminded everybody how the bigger players in the telecom sector (be it in the US, UK, or elsewhere) are usually all too happy to buckle to requests to censor the internet or spy on internet users. That said, one smaller UK ISP, Andrews and Arnold, decided to donate some money to Mozilla:

UK spy agency GCHQ and the Internet Watch Foundation (which manages the UK’s internet watchlist) have also complained that the DNS security upgrade makes it harder to censor content and spy on users. But again, Mozilla says the effort is simply under discussion, won’t be enabled by default, wouldn’t break things like parental controls, and there’s not even a hard date for deployment yet. For those interested, Cloudflare operates a DNS-over-HTTPS-compatible public DNS server at 1.1.1.1.

Update: It looks like ISPA is now in full retreat and has pulled the Mozilla nomination entirely, but not before issuing a “sorry not sorry” press release:

Companies: andrews and arnold, cloudflare, ispa, mozilla, uk ispa


Comments on “UK ISPs Vilify Mozilla For Trying To Secure The Internet”

26 Comments
Anonymous Coward says:

Re: Re:

Attempting to censor the internet via DNS blocking is a very silly idea to begin with.

It depends on what you’re trying to accomplish. If the goal is to completely block certain content from everyone (e.g. China) then you will do it (because it’s easy and can get some people), but you won’t rely on it.

If your goal is to score political points by convincing Luddite voters that you’ve "stopped the evil internets from corrupting their precious, innocent children," it’s fairly effective.

If your goal is to reduce (but not necessarily eliminate) broad public recognition of some topic, both by reducing the number of people who know about it to begin with (as more people than you might expect are incapable, in a practical sense, of getting around DNS blocking) and by reducing the perceived severity or importance as the knock-on effects of DNS blocking incentivize more popular services to remove that content to avoid DNS issues potentially affecting their more important products, then it’s also somewhat effective and has the benefit of much weaker public opposition than most alternatives due to opinions like yours.

I suspect the UK is a lot of option 2, with some smatterings of option 3.

Anon says:

Thanks

Thank you, Ms. Streisand. I’d never heard of DNS over HTTPS before and did not know of 1.1.1.1; now I do.

Of course, this is only as secure as how the DNS server gets its data; but by getting data from any server, not your local ISP’s, we remove another layer of control from the ISP or local country.

Anonymous Coward says:

Re: Re: Thanks

Note also that DNSSEC can be transported by DNS-over-HTTPS, and that in principle one only needs to know the trust anchor i.e. E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D. For example, one could publish the http://www.mozilla.org DNS records verifiably in a newspaper as long as the signatures from . to org., and .org. to mozilla.org., were included.

Anonymous Coward says:

Re: Thanks

1.1.1.1 is CloudFlare’s DNS server, and it peers directly with the second level DNS servers IIRC. Since CloudFlare’s business depends on dependable and uncensored DNS service, this is a pretty good DNS to use. The downside is that it’s also a single target for any government agencies wanting to harvest or modify data.

The alternatives, which I don’t think support DNS over HTTPS yet (but likely will eventually) are 8.8.8.8 (Google) and 9.9.9.9 (Quad9)

ECA (profile) says:

ISPA's desire for constructive Dialogue..

Then Why in HELL did you place it into the public???

We learned this in School…HOW TO WHISPER, so the teacher doesn't hear you..

And really..a little tech Can probably do better to figure out WHO is on the other side..
Consider the idea that 1000 people on a site or in a game, ALL have to have the DATA sent in the proper direction…

Can you see the internet with 1 billion Chats/connection all WIDE broadcasting in every direction across the net?? Every server in the world would be able to see what you typed..

Anonymous Coward says:

If you missed this,…

https://1.1.1.1/

Download the free app for both iOS and Android. Speed up the Internet and use 1.1.1.1.

You can also go into your Home Router, and find the DNS settings, and change it from Automatic, which it’ll then get the DNS from your ISP, and change to manual and enter 1.1.1.1 instead. Since you generally have a second choice, use 1.0.0.1 for that space!!!

Google has had its own of 8.8.8.8 and 8.8.4.4, I wouldn’t use them, I don’t want Google spying on me even more so than my ISP.

Anonymous Coward says:

There be trade offs to make

DNS-over-HTTPS provides the ability for a browser to take over the DNS service, and to tunnel that out of a network. This is great for user control.

However, it creates problems for people who manage networks, who wish to control DNS for security. RPZ is a security technology based on DNS, and it is totally defeated by DNS-over-HTTPS, assuming that the network allows outbound HTTPS.

The bigger issue is that instead of your DNS search history being spread over various resolvers in the various networks that you use, your ENTIRE history will be at Cloudflare (or whichever DNS-over-HTTPS provider you choose).

That is the risk. Your DNS search (query) history tells an awful lot about you.

For this reason, various people in the IETF DPRIVE community (I am a member) have been developing recommendations for DNS-as-a-service providers to publish a privacy policy.

DPRIVE’s work can be found at: https://datatracker.ietf.org/wg/dprive/about/
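
An added example, not part of the comment above or of any project's code: in the RFC 8484 GET form, a DNS-over-HTTPS request carries the DNS question base64url-encoded in a `dns` parameter, so an RPZ-style name policy can only be applied where the HTTPS request is visible in clear (assumed here: a TLS-inspecting proxy the network operator controls). The resolver URL `doh.example`, the blocked zone and all function names are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for an RPZ zone; not taken from the page.
BLOCKED_ZONES = {"malware.example"}

def doh_get_url(name, resolver="https://doh.example/dns-query"):
    """Client side: RFC 8484 GET URL for an A query (ID 0, RD flag set)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    msg = header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN
    return resolver + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def qname_from_doh_get(url):
    """Proxy side: recover the queried name from a DoH GET URL, else None."""
    params = parse_qs(urlsplit(url).query)
    if "dns" not in params:
        return None
    b64 = params["dns"][0]
    try:
        msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None
    if len(msg) < 12 or int.from_bytes(msg[4:6], "big") < 1:
        return None  # shorter than a DNS header, or no question section
    labels, pos = [], 12
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels).lower() or "."
        if length > 63 or pos + 1 + length > len(msg):
            return None  # compression pointer or truncated label
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None

def policy_verdict(url):
    """Apply the zone list to a request URL seen in clear by the proxy."""
    name = qname_from_doh_get(url)
    if name is None:
        return ("no-doh-question", None)
    hit = any(name == z or name.endswith("." + z) for z in BLOCKED_ZONES)
    return ("block" if hit else "allow", name)

if __name__ == "__main__":
    for host in ("www.example.com", "cdn.malware.example"):
        print(policy_verdict(doh_get_url(host)))
```

Without TLS interception the proxy sees only an HTTPS connection to the resolver, which is the situation the comment describes.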

Anonymous Coward says:

It’s funny how the non-profit who are trying to improve internet security are being vilified, while those for-profit organizations who are providing material assistance to pedophiles (ICANN, Nominet, et al.) in the form of domain names are completely omitted from this… And let’s not forget all those ISPs who have derived profit from DNS tracking. I wonder who the real villain of the internet here is.
