UK ISPs Vilify Mozilla For Trying To Secure The Internet

from the ill-communication dept

Over the years, UK ISPs have been forced by the government to censor an increasing array of "controversial" content, including copyrighted material and "terrorist content." In fits and spurts, the UK has also increasingly tried to censor pornography, despite that being a decidedly impossible affair. Like most global censorship efforts, these information blockades often rely on Domain Name System (DNS) level blacklists by UK ISPs.

Historically, like much of the internet, DNS hasn't been all that secure. That's why Mozilla recently announced it would begin testing something called "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it difficult to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in the government, ISP, or other organizational efforts to use DNS records to block and filter content or track user activity.

Apparently thinking they were helping(?), the UK Internet Services Providers’ Association (ISPA), the policy and trade group for UK ISPs, last week thought they'd try and shame Mozilla for... trying to secure the internet. The organization "nominated" Mozilla for the organization's meaningless "internet villain" awards for, at least according to ISPA, "undermining internet safety standards in the UK":

Of course Mozilla is doing nothing of the sort. DNS over HTTPS (which again Mozilla hasn't even enabled yet) not only creates a more secure internet that's harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn't coalesce with the UK's routinely idiotic and clumsy efforts to censor the internet, that doesn't somehow magically make it a bad idea.

Of course, many were quick to note that ISPA's silly little PR stunt had the opposite effect from the one intended. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn't heard of it previously:

The silly PR stunt also reminded everybody how the bigger players in the telecom sector (be it in the US, UK, or elsewhere) are usually all too happy to buckle to requests to censor the internet or spy on internet users. That said, one smaller UK ISP, Andrews and Arnold, decided to donate some money to Mozilla:

UK spy agency GCHQ and the Internet Watch Foundation (which manages the UK's internet watchlist) have also complained that the DNS security upgrade makes it harder to censor content and spy on users. But again, Mozilla says the effort is simply under discussion, won't be enabled by default, wouldn't break things like parental controls, and there's not even a hard date for deployment yet. For those interested, Cloudflare operates a DNS-over-HTTPS-compatible public DNS server at 1.1.1.1.

Update: It looks like ISPA is now in full retreat and has pulled the Mozilla nomination entirely, but not before issuing a "sorry not sorry" press release:

Filed Under: censorship, dns, dns over https, privacy, security, streisand effect, uk
Companies: andrews and arnold, cloudflare, ispa, mozilla, uk ispa


Reader Comments


  1.
    Nathan F (profile), 9 Jul 2019 @ 6:44am

    Can we nominate the ISPAUK for an internet villain award for their use of DC Comic villains, Marvel Comic Villains, AND Disney villains? I'm willing to bet they didn't get a license to use them and I doubt it falls under their so-called Fair Dealing either.

  2.
    Anonymous Coward, 9 Jul 2019 @ 6:53am

    Attempting to censor the internet via DNS blocking is a very silly idea to begin with.

  3.
    Anon, 9 Jul 2019 @ 6:58am

    Thanks

    Thank you, Ms. Streisand. I'd never heard of DNS over HTTPS before and did not know of 1.1.1.1; now I do.

    Of course, this is only as secure as how the DNS server gets its data; but by getting data from any server, not your local ISP's, we remove another layer of control from the ISP or local country.

  4.
    Anonymous Coward, 9 Jul 2019 @ 7:28am

    Re: Thanks

    Pi-hole also supports use of DNS over HTTP. It also acts as an ad and tracking blocker for tablets and phones etc. connecting over your WiFi.

  5.
    PaulT (profile), 9 Jul 2019 @ 7:47am

    Re:

    Like many such things, it sounds neat and tidy until you talk to people who know how things actually work. If only government types would talk to such people who aren't paid to sell them on something...

  6.
    TryItYouWillLikeIt, 9 Jul 2019 @ 8:02am

    And also faster response

    Considering how many sites have Cloudflare integrated into their operations, using Firefox with the DNS over HTTPS also has the benefit of being much faster for those sites.

  7.
    Anonymous Coward, 9 Jul 2019 @ 8:08am

    Re:

    Attempting to censor the internet via DNS blocking is a very silly idea to begin with.

    It depends on what you're trying to accomplish. If the goal is to completely block certain content from everyone (e.g. China) then you will do it (because it's easy and can get some people), but you won't rely on it.

    If your goal is to score political points by convincing Luddite voters that you've "stopped the evil internets from corrupting their precious, innocent children," it's fairly effective.

    If your goal is to reduce (but not necessarily eliminate) broad public recognition of some topic, both by reducing the number of people who know about it to begin with (as more people than you might expect are incapable, in a practical sense, of getting around DNS blocking) and by reducing the perceived severity or importance as the knock-on effects of DNS blocking incentivize more popular services to remove that content to avoid DNS issues potentially affecting their more important products, then it's also somewhat effective and has the benefit of much weaker public opposition than most alternatives due to opinions like yours.

    I suspect the UK is a lot of option 2, with some smatterings of option 3.

  8.
    Anonymous Coward, 9 Jul 2019 @ 8:25am

    Re: Thanks

    Of course, this is only as secure as how the DNS server gets its data

    DNSSEC helps with that. The server could get the records via carrier pigeon and they'd still be usable if the signature checked out.

  9.
    Anonymous Coward, 9 Jul 2019 @ 8:46am

    Re: Re: Thanks

    Note also that DNSSEC can be transported by DNS-over-HTTPS, and that in principle one only needs to know the trust anchor i.e. E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D. For example, one could publish the www.mozilla.org DNS records verifiably in a newspaper as long as the signatures from . to org., and .org. to mozilla.org., were included.

  10.
    Anonymous Coward, 9 Jul 2019 @ 9:58am

    this 'organization's meaningless "internet villain" awards"' is as useless as the Special 301 Report put out by the USTR! it doesn't stop freakin' idiots taking notice of it or constantly quoting it when trying to get Congressional Brownie Points!!

  11.
    JoeCool (profile), 9 Jul 2019 @ 11:03am

    Re: And also faster response

    Yep. DNS is faster than ever since switching to DNS over HTTPS. I never get those frequent pauses when going to a different site that used to plague my connection. Connections are damn near instant now.

  12.
    ECA (profile), 9 Jul 2019 @ 11:14am

    ISPA's desire for constructive Dialogue..

    Then Why in HELL did you place it into the public???

    We learned this in School...HOW TO WHISPER, so the teacher don't hear you..

    And really..a little tech Can probably do better to figure out WHO is on the other side..
    Consider the idea that 1000 people on a site or in a game, ALL have to have the DATA sent in the proper direction...

    Can you see the internet with 1 billion Chats/connection all WIDE broadcasting in every direction across the net?? Every server in the world would be able to see what you typed..

  13.
    David, 9 Jul 2019 @ 11:44am

    Internet villains

    War is peace; freedom is slavery; ignorance is strength.

  14.
    Anonymous Coward, 9 Jul 2019 @ 12:08pm

    Re:

    exactly. but they probably won't get pinged like most anyone else would for the use of those trademarked and copyrighted characters, since "block all the things" aligns well with the agendas of the owners of those rights.

  15.
    TruthBeTold, 9 Jul 2019 @ 12:26pm

    Poor ISPAUK - wait til you see the lawsuits headed your way...

    I'm waiting for the Marvel/Disney and DC/WarnerBrothers lawsuits, against ISPAUK, due to their unlicensed use of their works.

    I'm sure the fines/law-suits will probably bankrupt the ISPAUK.

  16.
    That One Guy (profile), 9 Jul 2019 @ 1:28pm

    Did not think that one through...

    'Mozilla is making it harder for people to spy on what you do online, that makes them the bad guys!'

    No really, how did you think that would work out for you?

  17.
    Anonymous Coward, 9 Jul 2019 @ 1:52pm

    Re: Did not think that one through...

    This.

    It takes some special levels of obliviousness/ignorance to think what they did was somehow going to be met with roses and applause.

  18.
    Anonymous Coward, 9 Jul 2019 @ 2:29pm

    If you missed this,...

    https://1.1.1.1/

    Download the free app for both iOS and Android. Speed up the Internet and use 1.1.1.1.

    You can also go into your Home Router, and find the DNS settings, and change it from Automatic, which it'll then get the DNS from your ISP, and change to manual and enter 1.1.1.1 instead. Since you generally have a second choice, use 1.0.0.1 for that space!!!

    Google has had its own of 8.8.8.8 and 8.8.4.4, I wouldn't use them, I don't want Google spying on me even more so than my ISP.

  19.
    Anonymous Coward, 9 Jul 2019 @ 4:04pm

    Re:

    I personally really appreciated their attempts to control the Internet via ISP DNS. I haven't used an ISP DNS since the 90's, and it means they haven't been messing with my DNS results.

  20.
    Anonymous Coward, 9 Jul 2019 @ 4:06pm

    Re: Re:

    ...or actually filtering my content via other means.

  21.
    Anonymous Coward, 9 Jul 2019 @ 4:10pm

    Re: Thanks

    1.1.1.1 is CloudFlare's DNS server, and it peers directly with the second level DNS servers IIRC. Since CloudFlare's business depends on dependable and uncensored DNS service, this is a pretty good DNS to use. The downside is that it's also a single target for any government agencies wanting to harvest or modify data.

    The alternatives, which I don't think support DNS over HTTPS yet (but likely will eventually) are 8.8.8.8 (Google) and 9.9.9.9 (Quad9)

  22.
    Anonymous Coward, 9 Jul 2019 @ 5:22pm

    Re: Re: Thanks

    from wikipedia

    Quad9 offers DNS over TLS over port 853,[5] DNS over HTTPS over port 443,[6] and DNSCrypt service over port 443.[7]

  23.
    Anonymous Coward, 10 Jul 2019 @ 2:18am

    There be trade offs to make

    DNS-over-HTTPS provides the ability for a browser to take over the DNS service, and to tunnel that out of a network. This is great for user control.

    However, it creates problems for people who manage networks, who wish to control DNS for security. RPZ is a security technology based on DNS, and it is totally defeated by DNS-over-HTTPS, assuming that the network allows outbound HTTPS.

    The bigger issue is that instead of your DNS search history being spread over various resolvers in the various networks that you use, your ENTIRE history will be at Cloudflare (or whichever DNS-over-HTTPS provider you choose).

    That is the risk. Your DNS search (query) history tells an awful lot about you.

    For this reason, various people in the IETF DPRIVE community (I am a member) have been developing recommendations for DNS-as-a-service providers to publish a privacy policy.

    DPRIVE's work can be found at: https://datatracker.ietf.org/wg/dprive/about/

  24.
    Anonymous Coward, 10 Jul 2019 @ 6:54am

    Just can't help themselves

    If you go to www.ispa.org.uk to read their statement you may find that they complain if you have cookies disabled. They just can't help themselves, it seems.

  25.
    Anonymous Coward, 10 Jul 2019 @ 8:08am

    It's funny how the non-profit who are trying to improve internet security are being vilified, while those for-profit organizations who are providing material assistance to pedophiles (ICANN, Nominet, et al.) in the form of domain names are completely omitted from this... And let's not forget all those ISPs who have derived profit from DNS tracking. I wonder who the real villain of the internet here is.

  26.
    anonymouse, 10 Jul 2019 @ 9:25am

    Re: Re:

    So Disney and Warner Brothers.

    How much longer before WB is consumed by the House of Mouse?
