Firefox Promises UK Government DNS-Over-HTTPS Won't Be Default in UK (gizmodo.co.uk)

"Despite looking to make DNS-over-HTTPS the default for its American users, Mozilla has assured culture secretary Nicky Morgan that this won't be the case in the UK," reports Gizmodo: DNS-over-HTTPS has been fairly controversial, with the Internet Services Providers Association nominating Mozilla for an 'Internet Villain' over the whole thing, saying it will "bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

In his letter to Morgan, Mozilla vice president of global policy, trust and security, Alan Davidson, stressed that the company "has no plans to turn on our DNS-over-HTTPS feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders". He did add that Mozilla does "strongly believe that DNS-over-HTTPS would offer real security benefits to UK citizens. The DNS is one of the oldest parts of the internet's architecture, and remains largely untouched by efforts to make the web more secure.

"Because current DNS requests are unencrypted, the road that connects your citizens to their online destination is still open and used by bad actors looking to violate user privacy, attack communications, and spy on browsing activity. People's most personal information, such as their health-related data, can be tracked, collected, leaked and used against people's best interest. Your citizens deserve to be protected from that threat."

  • by mendred ( 634647 ) on Sunday September 29, 2019 @03:39AM (#59248824) Homepage

    So, don't make it a default, but provide an option in about:config where it's simple and easy to turn on.

    Some of us prefer to control our own browsing experience, thank you very much.....

    • by serviscope_minor ( 664417 ) on Sunday September 29, 2019 @04:12AM (#59248858) Journal

      Hopefully, this can be toggled on via config

      Yes, of course it can!

      https://support.mozilla.org/en... [mozilla.org]

      You don't even have to use Cloudflare's DoH servers if you don't like them; you can point Firefox at your own server, should you choose.

      Some of us prefer to control our own browsing experience, thank you very much.....

      then firefox is an excellent choice for that.

      • by Tanon ( 5384387 )

        You don't even have to use Cloudflare's DoH servers if you don't like them; you can point Firefox at your own server, should you choose.

        What would be the point of this, as if the server can be identified as your own, someone can just snoop on the unencrypted upstream requests from that server and tie them to you?

        • It doesn't have to be "your" DNSoH server, it would be like much of the way the internet works today. So the server would be your ISP's or (God help you) Google's DNSoH server.

          Given that this system is brand new and there's a limited number of them out there, using Cloudflare's as a default seems a sensible way to move things forward without the catch-22 of nobody providing the server because nobody uses the system because nobody has a server to use.

        • What would be the point of this, as if the server can be identified as your own, someone can just snoop on the unencrypted upstream requests from that server and tie them to you?

          I'm glad you asked!

          There are many potential reasons and not all snooping is equal. And security through obscurity is, contrary to popular myth, actually a worthwhile form of security. So, reasons in no particular order:

          * You might run a server in a different jurisdiction so even if outgoing requests are logged it's much harder for local

          • by novakyu ( 636495 )

            It doesn't provide hard protection like, say, using ToR does.

            What do you have against "Onion" and why are you de-capitalizing it in acronym, all the while capitalizing "The"?

    • by rtb61 ( 674572 ) on Sunday September 29, 2019 @04:13AM (#59248860) Homepage

      Nah, I prefer the option that pops up on your home page, the first time you run it. You know, LOOK HERE IF YOU WANT TO PROTECT YOUR PRIVACY, click this button to turn on DNS over HTTPS and tell the autocrats to go fuck themselves, and even include the automatic email template, to send that message to your local MP, you know, "I use DNS over HTTPS go fuck yourself".

      I prefer that option, thank you very much, to each his own I suppose.

      • That's cute.

        I got news for you. Autocrats - real ones - will happily enforce root keys that allow them to decrypt your personal stuff and block traffic when they can't. Why do you think Hong Kong is all about mesh networks?

        So really, you're not sticking it up to anyone. You're just relying on a government not really caring where on the internet you go.

        I'll tell you what else you're allowing, though:
        - that hosts file you had preventing traffic to facebook? Gone.
        - that security filter you paid for, or maybe g

    • by vbdasc ( 146051 )

      Yes, it can... for now. Until the next promise Mozilla makes to the UK government. Hopefully, Firefox will remain open source, so we will still be able to hack and recompile it.

      • Yeah, why is an open source project making guarantees to a govt that they'll leave it weakened by default?

        • by roca ( 43122 )

          The exact quote is "has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders".

          That is not a "guarantee they'll leave it disabled by default". It just means they won't do it "yet".

        • Because the UK government mandates a certain level of internet filtering. Right now ISPs are able to comply with this using crude, easily-bypassed DNS filtering - but if that ceases to be effective, they'll have to resort to more intrusive and expensive means of filtering instead.

      • why hack it? Seriously, just look first, be stupid on your own time :-)

        https://support.mozilla.org/en... [mozilla.org]

  • Someone will make an easy to use plugin to make the changes for you.

    LOL!!! :-)

    Problem solved.

  • by beepsky ( 6008348 ) on Sunday September 29, 2019 @04:08AM (#59248850)
    For creating technology which can bypass mass surveillance and censorship?
    Wtf is this world coming to
    • Irrelevant (Score:3, Informative)

      by Viol8 ( 599362 )

      DNS over HTTP is a stupid idea for a whole host of reasons, not least that it completely bypasses personal black and white lists and the /etc/hosts file.

      • Yes, you should be using a Hosts File Engine... (tongue firmly in cheek)

      • by mccalli ( 323026 )
        That just sounds like client implementation though - there's no reason it couldn't be coded to still look at those lists before making its query.
        • by guruevi ( 827432 )

          In most cases, modified hosts files just indicate some sort of infection (current or past) or some low-grade 'security' filter. If you can disable it in about:config, then us geeks can still use hosts files; for most other reasons, hosts files shouldn't be trusted.

        • Not really though - the browser makes the request, the hosts file is part of the OS network stack, so when the network sees the request, it's already encrypted.

          But using a hosts file as a filter is a pretty basic and poor way to do security, especially when you can build host-specific filters into your browser using plugins such as ublock origin.

          E.g. right now "pro-market.net" is blocked and I never even knew it was there.

          • by Viol8 ( 599362 )

            "but using a hosts file as a filter is a pretty basic and poor way to do security"

            It is however an extremely good way to hard-wire certain mappings.

            "especially when you can build hosts-specific filters into your browser using plugins such as ublock origin."

            Right, because who wants to spend 10 seconds editing a host file when you can download Some Random Plugin with who knows what weaknesses or exploits or author backdoors for 1 particular browser then spend half the day configuring it. And once you've done tha

            • Why consider "other networked programs" when it's only the browser that is implementing DNSoH?

              And as for the plugins with god knows what weaknesses - that's exactly the same argument you can use for every network program.

              • by Viol8 ( 599362 )

                "Why consider "other networked programs" when it's only the browser that is implementing DNSoH?"

                Umm, because you want the browser to be consistent with the rest of your suite?

      • "Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected."

        What do they do with the personal data before it's thrown away? What if Cloudflare decides to change their privacy policy? What's in it for Cloudflare to provide this free service?

        "But this doesn

        • You can select a custom DNSoH server if you dislike Cloudflare's - there will be ones out there soon enough, then you can switch to using Google's, or whichever DNS server you currently trust, which is probably Google's... the encryption only applies to get from you to the DNS server without snooping in between. If you don't like it you can still use the old way and let everyone with access to your comms see which sites you're resolving.

          right now your IoT thing could be happening anyway, they just have to m

        • Re:Irrelevant (Score:4, Insightful)

          by Kernel Kurtz ( 182424 ) on Sunday September 29, 2019 @12:26PM (#59249702)

          It makes me nervous when someone decides to step in and go "I'm trustworthy, everyone come through me now".

          It's good to question, but also consider the status quo, which for most people in the UK is to use their ISP's DNS, is already completely insecure. Government forces them to keep logs of all your requests, and those requests are censored by government edict as well.

          You are probably not going to find anything less trustworthy than what they already have.

          • Government forces them to keep logs of all your requests,

            Just to amplify, the UK government requires UK-based ISPs to keep their entire logs, of requests, sources, destinations, times, at the ISP's cost, for a period of seven years. I'm not sure about how fast a response to a data request is required - probably 24 hours.

            Which means, of course, that after you leave one ISP for another one (say, you don't like the first having been brought by a Brazilian company) then the first will keep the details of your a

      • by Kjella ( 173770 )

        DNS over HTTP is a stupid idea for a whole host of reasons, not least that it completely bypasses personal black and white lists and the /etc/hosts file.

        Well duh, encryption can't tell the difference between your local snooping, the external firewall, your ISP or evil third parties on the Internet. Once you've encrypted it the contents stay secure until they reach the recipient, if you want to process the data you have to do that before it's encrypted. If DoH is stupid then so is HTTPS, it's exactly the same for the web - those HTTP requests everyone could read and modify can no longer be read or modified. I think that's a feature, maybe you consider it a b

        • by Viol8 ( 599362 )

          Since you apparently had no clue what simple point I was making even though it was right in front of your face, perhaps these sorts of discussions are not for you. It has nothing to do with encryption you bell end.

          • by Kjella ( 173770 )

            Since you apparently had no clue what simple point I was making even though it was right in front of your face, perhaps these sorts of discussions are not for you. It has nothing to do with encryption you bell end.

            Then what IS your point? Firefox is open source, modify it to check your whitelist/blacklist/hosts file if they don't provide support for one. I would think it would be roughly a 10 line patch.

            returnIPfromDoH();

            =>

            if ( hostname in /etc/hosts ) {
                return returnIPfromHosts();
            }
            if ( hostname in blacklist ) {
                return HostNotFound;
            }
            if ( use_whitelist && hostname not in whitelist ) {
                return HostNotFound;
            }
            return returnIPfromDoH();

            Though I

            • by Viol8 ( 599362 )

              " Firefox is open source, modify it "

              Oh go away you stupid tit. I have better things to do with my time than fuck about hacking browser code to fix a problem that should never have been created in the first place by people who don't understand networks outside their narrow browser sphere.

      • DNS over HTTP is a stupid idea for a whole host of reasons, not least that it completely bypasses personal black and white lists and the /etc/hosts file.

        That's not right, it's not even wrong.

        No, DoH doesn't prevent personal black/white lists in the hosts file. You can get a glibc plugin that does DoH instead of over UDP, and that runs after all the usual machinery. The thing that prevents /etc/hosts from doing its job is applications implementing their own resolver that doesn't read that file. That's an or

    • by ShanghaiBill ( 739463 ) on Sunday September 29, 2019 @04:56AM (#59248920)

      To be fair, ISPA has withdrawn the nomination, and apologized for labeling Mozilla a villain [packtpub.com].

      The real villain here is the British government.

      • Can't put the smoke back in the capacitor. They may have withdrawn it, but they're still evil fucks, they're just evil fucks who are now hiding the evidence of their fuckery, and they're still real villains.

        Don't be a henchman
        Stand on your laurels
        Do what no one else does and praise the good of other men for good man's sake
        And when everyone else in the world follows your lead
        Although a cold day in hell it will surely be
        That's when the world will live in harmony
        (Graffin)

    • Information wants to be free was the motto.

      Two decades later everyone around me turned into autocratic tyrants that want to send wrong-thinkers to the virtual gulags. A pox upon all of you.

  • by AmiMoJo ( 196126 ) on Sunday September 29, 2019 @04:10AM (#59248854) Homepage Journal

    If the government is so concerned about DoH being enabled then it must be a good thing. If ISPs think it will bypass their spying and blockades then it must be a great thing.

    Note that the blocks they are talking about are generally civil affairs, i.e. they block The Pirate Bay because some media companies took them to court to force it. Individuals or ISPs not named in their action are not obliged to block anything.

    • by WaffleMonster ( 969671 ) on Sunday September 29, 2019 @04:56AM (#59248922)

      If the government is so concerned about DoH being enabled then it must be a good thing. If ISPs think it will bypass their spying and blockades then it must be a great thing.

      Governments electing to locally censor shit with DNS is a good thing because it can be bypassed by anyone willing to exert a small amount of effort.

      When blocks stop working for everyone by default the political environment that led to censorship isn't just going to evaporate. Government isn't going to give up and say oh fuck it DoH exists we're screwed. They will simply deploy more heavy handed measures to achieve the same censorship goals to the detriment of all.

      Note that the blocks they are talking about are generally civil affairs, i.e. they block The Pirate Bay because some media companies took them to court to force it. Individuals or ISPs not named in their action are not obliged to block anything.

      Just what do you think is going to happen here as a result? Are the courts going to insist ISPs take a now completely meaningless action to block content? An action that nobody will even notice? Is that what you believe?

      While local control may suck because x, y, z the alternatives to it all suck more.

      Also keep in mind DoH can be bypassed by all current "evil" DNS providers via canary domains. The underlying argument all ISPs are evil and only centralized providers are trustworthy is technically nonsensical because any such evil local provider could trivially prevent the use of DoH in the first place negating all benefits real or imagined.
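The lookup order Kjella sketches up-thread (hosts file first, then blacklist, then an optional whitelist, then DoH) and the canary-domain mechanism mentioned in the comment above, worked through as one added Python example. This is not Firefox's code and not anything posted in the thread. It assumes Mozilla's published canary name use-application-dns.net, a placeholder endpoint https://doh.example/dns-query, and a constructed hosts file, blocklist and set of resolver answers; the DNS wire format and the RFC 8484 base64url GET form are real, while the simulated OS resolver and DoH server exist only so the policy can run offline.

```python
import base64
import ipaddress
import struct

CANARY = "use-application-dns.net"             # Mozilla's documented opt-out domain
DOH_ENDPOINT = "https://doh.example/dns-query"  # placeholder, not a real resolver

def build_query(name, qtype=1, txid=0):
    """Single-question DNS query (RFC 1035); RD set, ID 0 as RFC 8484 suggests for GET."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(name):
    """RFC 8484 GET form: base64url-encoded query in the `dns` parameter, padding removed."""
    return DOH_ENDPOINT + "?dns=" + base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")

def build_response(query, ips=(), rcode=0):
    """Constructed answer: echo the question, add A records whose owner name is a
    compression pointer to offset 12 (0xC00C), as real resolvers encode it."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
                       for ip in ips)
    return header + query[12:] + answers

def parse_response(data):
    """Return (rcode, [A-record addresses]); a name ends at a 0 label or a compression pointer."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])

    def skip_name(pos):
        while data[pos] != 0:
            if data[pos] & 0xC0 == 0xC0:
                return pos + 2
            pos += 1 + data[pos]
        return pos + 1

    pos, ips = 12, []
    for _ in range(qdcount):
        pos = skip_name(pos) + 4                 # QTYPE + QCLASS
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(data[pos:pos + 4])))
        pos += rdlen
    return flags & 0x000F, ips

def parse_hosts(text):
    """Parse /etc/hosts syntax: address, then one or more names; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table

def resolve(name, hosts, blacklist, system_lookup, doh_fetch, whitelist=None):
    """Lookup order from the comment above. system_lookup(name) -> (rcode, [ips]) stands in
    for the OS resolver and doh_fetch(url) -> bytes for the HTTPS transport; both are injected
    so the policy runs offline. Returns (source, address or None)."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return "hosts", hosts[name]
    if name in blacklist or (whitelist is not None and name not in whitelist):
        return "blocked", None
    # Canary: NXDOMAIN (or no address) for the canary from the network's own resolver means
    # the operator has opted the network out of DoH, so fall back to the OS resolver.
    rcode, ips = system_lookup(CANARY)
    if rcode != 0 or not ips:
        return "system", (system_lookup(name)[1] or [None])[0]
    _, ips = parse_response(doh_fetch(doh_get_url(name)))
    return "doh", (ips or [None])[0]

# Constructed environment so the example runs stand-alone (sample data, not a real hosts file).
HOSTS_TEXT = """# constructed sample hosts file
127.0.0.1   localhost
0.0.0.0     tracker.example   # pinned to a sinkhole by the user
"""
BLACKLIST = {"ads.example"}

def make_system_lookup(opted_out):
    """Simulated OS resolver; answers the canary with NXDOMAIN (RCODE 3) when opted out."""
    zone = {CANARY: ["192.0.2.10"], "www.example": ["192.0.2.20"]}
    return lambda n: (3, []) if opted_out and n == CANARY else (0, zone.get(n, []))

def fake_doh_fetch(url):
    """Simulated DoH server: decode the GET query and answer with a constructed A record."""
    b64 = url.split("dns=", 1)[1]
    return build_response(base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4)), ips=["203.0.113.5"])

def run(opted_out=False):
    hosts, lookup = parse_hosts(HOSTS_TEXT), make_system_lookup(opted_out)
    return {n: resolve(n, hosts, BLACKLIST, lookup, fake_doh_fetch)
            for n in ("tracker.example", "ads.example", "www.example")}

if __name__ == "__main__":
    for opted_out in (False, True):
        print("network opted out of DoH:", opted_out, run(opted_out))
```

Running it resolves the same three names on a network that allows DoH and on one whose resolver answers the canary with NXDOMAIN. The ordering is the security-relevant point: local pins and blocks are applied before anything leaves the host, and the canary is honoured before any DoH query is sent, which is exactly why a local resolver operator can switch the feature off for the whole network.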

      • by AmiMoJo ( 196126 )

        One of the arguments that got the blocks in the first place is that they were easy and cheap to implement. If it's now a case of needing expensive DPI equipment then the court won't be willing to force the ISPs to do it for free.

        • One of the arguments that got the blocks in the first place is that they were easy and cheap to implement.

          So are ACLs.

          If it's now a case of needing expensive DPI equipment then the court won't be willing to force the ISPs to do it for free.

          More likely they will simply force the DoH provider Cloudflare with substantial personnel, equipment and local offices in the UK to do it for them for free.

          • by AmiMoJo ( 196126 )

            I'd like to see them go after Cloudflare, who will put up more of a defence than the ISPs.

            • I'd like to see them go after Cloudflare, who will put up more of a defence than the ISPs.

              Cloudflare is a relatively small company with no political clout in the UK and blocking is now mandated by law. Any ideas what political or legal basis such a defense would look like?

              It appears what has in fact happened is rather than taking a stand Cloudflare via their proxy (Mozilla) has preemptively backed down.

              • by AmiMoJo ( 196126 )

                Cloudflare's market cap is about $5bn, not so small. And there is no law, it's a purely civil matter.

                Defence would be that the burden to block sites for just UK customers, the only jurisdiction of the court, would be too great. Also it's the job of the ISPs to block sites.

                They would also argue that the claimant should be going after the site registrar anyway.

                • Cloudflare's market cap is about $5bn not so small.

                  The largest ISPs in the UK have twice that and 30x the employees.

                  And there is no law, it's a purely civil matter.

                  Disobeying court orders in the "UK" is not against the law? Really?

                  http://www.legislation.gov.uk/... [legislation.gov.uk]

                  Defence would be that the burden to block sites for just UK customers, the only jurisdiction of the court, would be too great.

                  This would be an amusing legal strategy given the capabilities of services Cloudflare offers commercially, including address geolocation services, and the actual triviality of implementation.

                  Also it's the job of the ISPs to block sites. They would also argue that the claimant should be going after the site registrar anyway.

                  Good luck.

    • by AHuxley ( 892839 )
      HTTPS has never stopped the GCHQ and never will.
      Collect it all will never stop.
      So it's not a matter of being "concerned" over new math...
      Think of it more as what every ISP was set to log.
      HTTPS might get around all that easy ISP logging that was set up at a police level to keep decades of ISP logs.
      Now it's back to the GCHQ again for full logs :)

      When the internet stops in the UK then the GCHQ is "concerned"...
  • by gnasher719 ( 869701 ) on Sunday September 29, 2019 @04:12AM (#59248856)
    There's hope that the current bunch of misfits that call themselves "ministers" in the UK will be gone soon.

    There's fear what their replacements would be like.
  • But how would the poor power hungry fascists react if they knew there is an even better way to do encrypted DNS lookups?

    DNS over TLS is taking off, and it's not hard to set up a Linux box to use Stubby and DNSmasq such that all DNS requests are encrypted.

    My gateway box at the house is set that way and it also acts as the resolving server for the rest of the local network, so any client on my network is performing DNS over TLS.

    • "power hungry fascists"

      Do grow up.

      • Insisting that a large part of adult population may be treated like children is a hallmark of every dictatorship.
        • by Viol8 ( 599362 )

          One of the basic responsibilities of a government is national security. If that basic fact has so far passed you by then perhaps stick to drawing with your crayons.

          • by PPH ( 736903 )

            One of the basic responsibilities of a government is national security.

            Interesting that the USA considers its principal adversaries to be its own population.

  • What makes UK users different from US users that UK users deserve special respect and consideration while US users are not afforded the same? Does the Internet work differently in the UK? Are human beings in the UK more valuable or special than human beings in other countries?

    strongly believe that DNS-over-HTTPS would offer real security benefits to UK citizens

    I strongly believe Mozilla is full of shit.

    DNS is one of the oldest parts of the internet's architecture

    Appeals to novelty = waste of readers' time

    , and remains largely untouched by efforts to make the web more secure.

    If you believe DNS is sufficiently broken to warrant action you could work on solutions and industry consensus to address perceived shortcomings in

    • by AHuxley ( 892839 )
      Every level of the UK gov, police can collect it all for any reason as they are the gov.
      The GCHQ will be fine, but police and local gov who like to collect it all from every ISP may find their software logs don't look and sort the same.
    • What makes UK users different from US users that UK users deserve special respect and consideration while US users are not afforded the same? Does the Internet work differently in the UK? Are human beings in the UK more valuable or special than human beings in other countries?

      Yes. What's your point? ;)

    • by geek ( 5680 )

      With this solution any bump-in-the-wire boogeymen still get the exact same information on what sites you are visiting by passive observation of data flows.

      Clearly you don't understand how this works. Unless you have a trusted cert on their box you aren't passively observing a fucking thing. Before you go trying to punch holes in this maybe you should have some fundamental grasp on the technology.

    • ISP opposition to DoH makes sense in the wider situation.

      The UK mandates internet filtering. Not a great deal of internet filtering, compared to other countries, but some. There are three reasons the ISPs are required to block certain websites:
      - Court-ordered blocking of copyright infringement. Mostly bittorrent indexers.
      - The not-quite-mandatory blocking of child sex abuse. It's not actually a legal requirement, but parliament made it quite clear years ago that if all major ISPs do not do this 'voluntarily

  • Sounds like a great endorsement by the UK government signifying that this is indeed a feature worth turning on :)
  • I've enabled this by following online instructions. I'm in the UK. Nothing has changed when I browse the web. It's either working well, or it's not working at all! How can I tell which?
    • find a website which should be blocked by your ISP and try to access with and without the block. Obviously don't go for child porn. Maybe try to find something naughty about Tommy Robinson? But as a UK resident, you should be able to find out what legal filtering obligations your ISP has.
      • ...Obviously don't go for child porn. Maybe try to find something naughty about Tommy Robinson?

        I think I'd rather pick the child porn

      • There is no government-mandated filtering on Tommy Robinson. Why is everyone treating him like a hero? He's a career criminal, not a hero.

    • Snoop yo' self!

  • Get your shit together and get out of the EU or stay or whatever but stop fucking about. And keep your damn nose out of stuff that's none of your business!

    Signed,
    The World

  • Something I may investigate on a rainy Sunday afternoon, and we get enough of those in the UK:

    Building and running your own DNS-over-HTTPS Server [bentasker.co.uk]

  • by ZenShadow ( 101870 ) on Sunday September 29, 2019 @06:25AM (#59249004) Homepage

    Seriously, why are we letting browser engineers muck about with things like DNS? As someone else pointed out, if DNS is broken, then the people responsible for DNS should be the ones to engineer the fix.

    Not the insane web browser posse, who insist that everything is a nail that can be hammered with HTTP.

    Because nothing else uses the Internet but the web, right?

    • Current HTTPS encryption is probably going to be compromised by quantum computing but it's better than the current nothing which is the norm. It's a lot easier and cheaper for a few browser developers to provide a stopgap than thousands of DNS servers to do it. It will also throw a bit of a wrench into all the regimes trying to censor and monitor the Internet which is like the post office opening our mail to read or deciding not to deliver it because the state disapproves.
    • Seriously, why are we letting browser engineers muck about with things like DNS?

      Because they are free to do so.

      As someone else pointed out, if DNS is broken, then the people responsible for DNS should be the ones to engineer the fix.

      Passing the buck is an excellent way to get things done.

    • You know a great way to bypass internet censorship? Make everything look like HTTP.

      If you have some technical problems with the implementation then let's hear them and have a nice technical discussion. But if all you got is "browser vendors should stick to browsing" and "don't implement something in HTTP because *I* said so" then you're not going to have a good time.

      As for "everything else". How's the switch to IPv6 going? Actually fuck it, something more relevant, when do you think we'll finally implement D

  • doublespeak (Score:2, Insightful)

    by Anonymous Coward
    "safety standards" in this case is a euphemism that the now nationalist oriented UK government wants to be able to spy on and censor its citizens along with making it easier for GCHQ's wholesale spying on other states. Large corporations themselves can become intrusive (Google comes to mind, albeit it supports DNS over HTTPS) but it's great that we have a few of them like Mozilla trying to counterbalance endless privacy intrusions.
  • So Firefox bows to tyrants now?

    Whatever, as long as the option is there..

    When are we going to make the internet into an ad hoc network that nobody can censor and redirect?

  • The whole thing is akin to posting signs saying "please do not access this place" and is easily ignored. Or use the TOR Browser or Tails to not even be bothered by it at all.

  • I think Mozilla, as an American entity, shouldn't obey or respect dumb local laws of other countries. If other countries' governments want to surveil and control what their residents browse, upload and download and block any content they dislike, that's only their problem, not the people's, and nobody's obligation. As for governments themselves, it's worth for them to forget forever about surveillance and control over what the people do online and blocking the people from accessing some undesirable for
  • Since 1984 the UK claims prior art on monitoring.
