UK ISPs Vilify Mozilla For Trying To Secure The Internet
from the ill-communication dept
Over the years, UK ISPs have been forced by the government to censor an increasing array of "controversial" content, including copyrighted material and "terrorist content." In fits and spurts, the UK has also increasingly tried to censor pornography, despite that being a decidedly impossible affair. Like most global censorship efforts, these information blockades often rely on Domain Name Server (DNS) level blacklists by UK ISPs.
Historically, like much of the internet, DNS hasn't been all that secure. That's why Mozilla recently announced it would begin testing something called "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it difficult to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in the government, ISP, or other organizational efforts to use DNS records to block and filter content or track user activity.
Apparently thinking they were helping(?), the UK Internet Services Providers’ Association (ISPA), the policy and trade group for UK ISPs, last week thought they'd try and shame Mozilla for... trying to secure the internet. The organization "nominated" Mozilla for the organization's meaningless "internet villain" awards for, at least according to ISPA, "undermining internet safety standards in the UK":
@mozilla is nominated for the #ISPAs #InternetVillain for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining #internet safety standards in the UK. https://t.co/d9NaiaJYnk pic.twitter.com/WeZhLq2uvi
— Internet Services Providers Association (ISPAUK) (@ISPAUK) July 4, 2019
Of course Mozilla is doing nothing of the sort. DNS over HTTPS (which again Mozilla hasn't even enabled yet) not only creates a more secure internet that's harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn't coalesce with the UK's routinely idiotic and clumsy efforts to censor the internet, that doesn't somehow magically make it a bad idea.
Of course, many were quick to note that ISPA's silly little PR stunt had the opposite of the intended effect. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn't heard of it previously:
Given the number of people who’ve enabled DNS-over-HTTPS in the last 48 hours, it’s clear @ISPAUK doesn’t understand or appreciate @mmasnick’s so-called “Streisand Effect.”
— Matthew Prince 🌥 (@eastdakota) July 7, 2019
The silly PR stunt also reminded everybody how the bigger players in the telecom sector (be it in the US, UK, or elsewhere) are usually all too happy to buckle to requests to censor the internet or spy on internet users. That said, one smaller UK ISP, Andrews and Arnold, decided to donate some money to Mozilla:
A&A has today donated £2,940 to the Mozilla Foundation.
The amount was chosen because that is what our fee for ISPA membership would have been, were we a member. https://t.co/pr3rNfProm pic.twitter.com/YQQ3JKDJ3r
— Andrews & Arnold Ltd (@aaisp) July 4, 2019
UK spy agency GCHQ and the Internet Watch Foundation (which manages the UK's internet watchlist) have also complained that the DNS security upgrade makes it harder to censor content and spy on users. But again, Mozilla says the effort is simply under discussion, won't be enabled by default, wouldn't break things like parental controls, and there's not even a hard date for deployment yet. For those interested, Cloudflare operates a DNS-over-HTTPS-compatible public DNS server at 1.1.1.1.
Update: It looks like ISPA is now in full retreat and has pulled the Mozilla nomination entirely, but not before issuing a "sorry not sorry" press release:
Read @ISPAUK 's full statement about this year's Internet Villain nomination here: https://t.co/JjVhLsmCJn pic.twitter.com/R9Eu55Sovy
— Internet Services Providers Association (ISPAUK) (@ISPAUK) July 9, 2019
Filed Under: censorship, dns, dns over https, privacy, security, streisand effect, uk
Companies: andrews and arnold, cloudflare, ispa, mozilla, uk ispa
Reader Comments
Can we nominate the ISPAUK for an internet villain award for their use of DC Comic villains, Marvel Comic Villains, AND Disney villains? I'm willing to bet they didn't get a license to use them and I doubt it falls under their so called Fair Dealing either.
[ link to this | view in thread ]
Attempting to censor the internet via DNS blocking is a very silly idea to begin with.
[ link to this | view in thread ]
Thanks
Thank you, Ms. Streisand. I'd never heard of DNS over HTTPS before and did not know of 1.1.1.1; now I do.
Of course, this is only as secure as how the DNS server gets its data; but by getting data from any server, not your local ISP's, we remove another layer of control from the ISP or local country.
[ link to this | view in thread ]
Re: Thanks
Pi-hole also supports use of DNS over HTTP. It also acts as an ad and tracking blocker for tablets and phones etc connecting over your WiFi.
[ link to this | view in thread ]
Re:
Like many such things, it sounds neat and tidy until you talk to people who know how things actually work. If only government types would talk to such people who aren't paid to sell them on something...
[ link to this | view in thread ]
And also faster response
Considering how many sites have Cloudflare integrated into their operations, using Firefox with the DNS over HTTPS also has the benefit of being much faster for those sites.
[ link to this | view in thread ]
Re:
It depends on what you're trying to accomplish. If the goal is to completely block certain content from everyone (e.g. China) then you will do it (because it's easy and can get some people), but you won't rely on it.
If your goal is to score political points by convincing Luddite voters that you've "stopped the evil internets from corrupting their precious, innocent children," it's fairly effective.
If your goal is to reduce (but not necessarily eliminate) broad public recognition of some topic, both by reducing the number of people who know about it to begin with (as more people than you might expect are incapable, in a practical sense, of getting around DNS blocking) and by reducing the perceived severity or importance as the knock-on effects of DNS blocking incentivize more popular services to remove that content to avoid DNS issues potentially affecting their more important products, then it's also somewhat effective and has the benefit of much weaker public opposition than most alternatives due to opinions like yours.
I suspect the UK is a lot of option 2, with some smatterings of option 3.
[ link to this | view in thread ]
Re: Thanks
DNSSEC helps with that. The server could get the records via carrier pigeon and they'd still be usable if the signature checked out.
[ link to this | view in thread ]
Re: Re: Thanks
Note also that DNSSEC can be transported by DNS-over-HTTPS, and that in principle one only needs to know the trust anchor i.e. E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D. For example, one could publish the www.mozilla.org DNS records verifiably in a newspaper as long as the signatures from . to org., and .org. to mozilla.org., were included.
[ link to this | view in thread ]
this organization's meaningless "internet villain" awards is as useless as the Special 301 Report put out by the USTR! it doesn't stop freakin' idiots taking notice of it or constantly quoting it when trying to get Congressional Brownie Points!!
[ link to this | view in thread ]
Re: And also faster response
Yep. DNS is faster than ever since switching to DNS over HTTPS. I never get those frequent pauses when going to a different site that used to plague my connection. Connections are damn near instant now.
[ link to this | view in thread ]
ISPA's desire for constructive Dialogue..
Then Why in HELL did you place it into the public???
We learned this in School...HOW TO WHISPER, so the teacher don't hear you..
And really..a little tech Can probably do better to figure out WHO is on the other side..
Consider the idea that 1000 people on a site or in a game, ALL have to have the DATA sent in the proper direction...
Can you see the internet with 1 billion Chats/connection all WIDE broadcasting in every direction across the net?? Every server in the world would be able to see what you typed..
[ link to this | view in thread ]
Internet villains
War is peace; freedom is slavery; ignorance is strength.
[ link to this | view in thread ]
Re:
exactly. but they probably won't get pinged like most anyone else would for the use of those trademarked and copyrighted characters, since "block all the things" aligns well with the agendas of the owners of those rights.
[ link to this | view in thread ]
Poor ISPAUK - wait til you see the lawsuits headed your way...
I'm waiting for the Marvel/Disney and DC/WarnerBrothers lawsuits, against ISPAUK, due to their unlicensed use of their works.
I'm sure the fines/law-suits will probably bankrupt the ISPAUK.
[ link to this | view in thread ]
Did not think that one through...
'Mozilla is making it harder for people to spy on what you do online, that makes them the bad guys!'
No really, how did you think that would work out for you?
[ link to this | view in thread ]
Re: Did not think that one through...
This.
It takes some special levels of obliviousness/ignorance to think what they did was somehow going to be met with roses and applause.
[ link to this | view in thread ]
If you missed this,...
https://1.1.1.1/
Download the free app for both iOS and Android. Speed up the Internet and use 1.1.1.1.
You can also go into your Home Router, and find the DNS settings, and change it from Automatic, which it'll then get the DNS from your ISP, and change to manual and enter 1.1.1.1 instead. Since you generally have a second choice, use 1.0.0.1 for that space!!!
Google has had its own of 8.8.8.8 and 8.8.4.4, I wouldn't use them, I don't want Google spying on me even more so than my ISP.
[ link to this | view in thread ]
Re:
I personally really appreciated their attempts to control the Internet via ISP DNS. I haven't used an ISP DNS since the 90's, and it means they haven't been messing with my DNS results.
[ link to this | view in thread ]
Re: Re:
...or actually filtering my content via other means.
[ link to this | view in thread ]
Re: Thanks
1.1.1.1 is CloudFlare's DNS server, and it peers directly with the second level DNS servers IIRC. Since CloudFlare's business depends on dependable and uncensored DNS service, this is a pretty good DNS to use. The downside is that it's also a single target for any government agencies wanting to harvest or modify data.
The alternatives, which I don't think support DNS over HTTPS yet (but likely will eventually) are 8.8.8.8 (Google) and 9.9.9.9 (Quad9)
[ link to this | view in thread ]
Re: Re: Thanks
from wikipedia
[ link to this | view in thread ]
There be trade offs to make
DNS-over-HTTPS provides the ability for a browser to take over the DNS service, and to tunnel that out of a network. This is great for user control.
However, it creates problems for people who manage networks, who wish to control DNS for security. RPZ is a security technology based on DNS, and it is totally defeated by DNS-over-HTTPS, assuming that the network allows outbound HTTPS.
The bigger issue is that instead of your DNS search history being spread over various resolvers in the various networks that you use, your ENTIRE history will be at Cloudflare (or whichever DNS-over-HTTPS provider you choose).
That is the risk. Your DNS search (query) history tells an awful lot about you.
For this reason, various people in the IETF DPRIVE community (I am a member) have been developing recommendations for DNS-as-a-service providers to publish a privacy policy.
DPRIVE's work can be found at: https://datatracker.ietf.org/wg/dprive/about/
[ link to this | view in thread ]
Just can't help themselves
If you go to www.ispa.org.uk to read their statement you may find that they complain if you have cookies disabled. They just can't help themselves, it seems.
[ link to this | view in thread ]
Re: Re:
So Disney and Warner Brothers.
How much longer before WB is consumed by the House of Mouse?
[ link to this | view in thread ]