UK ISPs Vilify Mozilla For Trying To Secure The Internet

from the ill-communication dept

Over the years, UK ISPs have been forced by the government to censor an increasing array of "controversial" content, including copyrighted material and "terrorist content." In fits and spurts, the UK has also increasingly tried to censor pornography, despite that being a decidedly impossible affair. Like most global censorship efforts, these information blockades often rely on Domain Name Server (DNS) level blacklists by UK ISPs.

Historically, like much of the internet, DNS hasn't been all that secure. That's why Mozilla recently announced it would begin testing something called "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it difficult to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in the government, ISP, or other organizational efforts to use DNS records to block and filter content or track user activity.

Apparently thinking they were helping(?), the UK Internet Services Providers’ Association (ISPA), the policy and trade group for UK ISPs, last week thought they'd try and shame Mozilla for... trying to secure the internet. The organization "nominated" Mozilla for the organization's meaningless "internet villain" awards for, at least according to ISPA, "undermining internet safety standards in the UK":

Of course Mozilla is doing nothing of the sort. DNS over HTTPS (which again Mozilla hasn't even enabled yet) not only creates a more secure internet that's harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn't coalesce with the UK's routinely idiotic and clumsy efforts to censor the internet, that doesn't somehow magically make it a bad idea.

Of course, many were quick to note that ISPA's silly little PR stunt had the opposite effect than intended. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn't heard of it previously:

The silly PR stunt also reminded everybody how the bigger players in telecom sector (be it in the US, UK, or elsewhere) are usually all too happy to buckle to requests to censor the internet or spy on internet users. That said, one smaller UK ISP, Andrews and Arnold, decided to donate some money to Mozilla:

UK spy agency GCHQ and the Internet Watch Foundation (which manages the UK's internet watchlist) have also complained that the DNS security upgrade makes it harder to censor content and spy on users. But again, Mozilla says the effort is simply under discussion, won't be enabled by default, wouldn't break things like parental controls, and there's not even a hard date for deployment yet. For those interested, Cloudflare operates a DNS-over-HTTPS-compatible public DNS server at 1.1.1.1.

Update: It looks like ISPA is now in full retreat and have pulled the Mozilla nomination entirely, but not before issuing a "sorry not sorry" press release:

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: censorship, dns, dns over https, privacy, security, streisand effect, uk
Companies: andrews and arnold, cloudflare, ispa, mozilla, uk ispa


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Nathan F (profile), 9 Jul 2019 @ 6:44am

    Can we nominate the ISPAUK for an internet villain award for their use of DC Comic villains, Marvel Comic Villans, AND Disney villains? I'm willing to bet they didn't get a license to use them and I doubt it falls under their so called Fair Dealing either.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jul 2019 @ 12:08pm

      Re:

      exactly. but they probably won't get pinged like most anyone else would for the use of those trademarked and copyrighted characters, since "block all the things" aligns well with the agendas of the owners of those rights.

      link to this | view in chronology ]

      • identicon
        anonymouse, 10 Jul 2019 @ 9:25am

        Re: Re:

        So Disney and Warner Brothers.

        How much longer before WB is consumed by the House of Mouse?

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jul 2019 @ 6:53am

    Attempting to censor the internet via DNS blocking is a very silly idea to begin with.

    link to this | view in chronology ]

    • icon
      PaulT (profile), 9 Jul 2019 @ 7:47am

      Re:

      Like many such things, it sounds neat and tidy until you talk to people who knows how things actually work. If only government types would talk to such people who aren't paid to sell them on something...

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jul 2019 @ 8:08am

      Re:

      Attempting to censor the internet via DNS blocking is a very silly idea to begin with.

      It depends on what you're trying to accomplish. If the goal is to completely block certain content from everyone (e.g. China) then you will do it (because it's easy and can get some people), but you won't rely on it.

      If your goal is to score political points by convincing Luddite voters that you've "stopped the evil internets from corrupting their precious, innocent children," it's fairly effective.

      If your goal is reduce (but not necessarily eliminate) broad public recognition of some topic, both by reducing the number of people who know about it to begin with (as more people than you might expect are incapable,in a practical sense, of getting around DNS blocking) and by reducing the perceived severity or importance as the knock-on effects of DNS blocking incentivize more popular services to remove that content to avoid DNS issues potentially effecting their more important products, then it's also somewhat effective and has the benefit of much weaker public opposition than most alternatives due to opinions like yours.

      I suspect the UK is a lot of option 2, with some smatterings of option 3.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jul 2019 @ 4:04pm

      Re:

      I personally really appreciated their attempts to control the Internet via ISP DNS. I haven't used an ISP DNS since the 90's, and it means they haven't been messing with my DNS results.

      link to this | view in chronology ]

  • identicon
    Anon, 9 Jul 2019 @ 6:58am

    Thanks

    Thank you, Ms. Streisand. I'd never heard of DNS over HTTPS before and did not know of 1.1.1.1; now I do.

    Of course, this is only as secure as how the DNS server gets its data; but by getting data from any server, not your local ISP's, we remove another layer of control from the ISP or local country.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jul 2019 @ 7:28am

      Re: Thanks

      Pi_hole also supports use of DNS over HTTP. It also acts as an add and tracking blockers for tablets and phones etc connecting over your WiFi.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jul 2019 @ 8:25am

      Re: Thanks

      Of course, this is only as secure as how the DNS server gets its data

      DNSSEC helps with that. The server could get the records via carrier pigeon and they'd still be usable if the signature checked out.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jul 2019 @ 4:10pm

      Re: Thanks

      1.1.1.1 is CloudFlare's DNS server, and it peers directly with the second level DNS servers IIRC. Since CloudFlare's business depends on dependable and uncensored DNS service, this is a pretty good DNS to use. The downside is that it's also a single target for any government agencies wanting to harvest or modify data.

      The alternatives, which I don' t think support DNS over HTTPS yet (but likely will eventually) are 8.8.8.8 (Google) and 9.9.9.9 (Quad9)

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 9 Jul 2019 @ 5:22pm

        Re: Re: Thanks

        from wikipedia

        Quad9 offers DNS over TLS over port 853,[5] DNS over HTTPS over port 443,[6] and DNSCrypt service over port 443.[7]

        link to this | view in chronology ]

  • identicon
    TryItYouWillLikeIt, 9 Jul 2019 @ 8:02am

    And also faster response

    Considering how many sites have Cloudflare integrated into their operations, using Firefox with the DNS over HTTPS also has the benefit of being much faster for those sites.

    link to this | view in chronology ]

    • icon
      JoeCool (profile), 9 Jul 2019 @ 11:03am

      Re: And also faster response

      Yep. DNS is faster than ever since switching to DNS over HTTPS. I never get those frequent pauses when going to a different site that used to plague my connection. Connections are damn near instant now.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jul 2019 @ 9:58am

    this 'organization's meaningless "internet villain" awards"' is as useless as the Special 301 Report put out by the USTR! it doesn't stop freakin' idiots taking notice of it or constantly quoting it when trying to get Congressional Brownie Points!!

    link to this | view in chronology ]

  • icon
    ECA (profile), 9 Jul 2019 @ 11:14am

    ISPA's desire for constructive Dialogue..

    Then Why in HELL did you place it into the public???

    We learned this in School...HOW TO WHISPER, so the teacher dont hear you..

    And really..alittle tech Can probably do better to figure out WHO is on the other side..
    Consider the idea that 1000 people on a site or in a game, ALL have to have the DATA sent in the proper direction...

    Can you see the internet with 1 billion Chats/connection all WIDE broadcasting in every direction across the net?? Every server int he world would be able to see what you typed..

    link to this | view in chronology ]

  • identicon
    David, 9 Jul 2019 @ 11:44am

    Internet villains

    War is peace; freedom is slavery; ignorance is strength.

    link to this | view in chronology ]

  • identicon
    TruthBeTold, 9 Jul 2019 @ 12:26pm

    Poor ISPAUK - wait til you see the lawsuits headed your way...

    I'm waiting for the Marvel/Disney and DC/WarnerBrothers lawsuits, against ISPAUK, due to their unlicensed use of their works.

    I'm sure the fines/law-suits will probably bankrupt the ISPAUK.

    link to this | view in chronology ]

  • icon
    That One Guy (profile), 9 Jul 2019 @ 1:28pm

    Did not think that one through...

    'Mozilla is making it harder for people to spy on what you do online, that makes them the bad guys!'

    No really, how did you think that would work out for you?

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 9 Jul 2019 @ 1:52pm

      Re: Did not think that one through...

      This.

      It takes some special levels obliviousness/ignorance to think what they did was somehow going to be met with roses and applause.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jul 2019 @ 2:29pm

    If you missed this,...

    https://1.1.1.1/

    Download the free app for both iOS and Android. Speed up the Internet and use 1.1.1.1.

    You can also go into your Home Router, and find the DNS settings, and change it from Automatic, which it'll then get the DNS from your ISP, and change to manual and enter 1.1.1.1 instead. Since you generally have a second choice, use 1.0.0.1 for that space!!!

    Google has had its own of 8.8.8.8 and 8.8.4.4, I wouldn't use them, I don't want Google spying on my even more so than my ISP.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jul 2019 @ 2:18am

    There be trade offs to make

    DNS-over-HTTPS provides the ability for a browser to take over the DNS service, and to tunnel that out of a network. This is great for user control.

    However, it creates problems for people who manage networks, who wish to control DNS for security. RPZ is a security technology based on DNS, and it is totally defeated by DNS-over-HTTPS, assuming that the network allows outbound HTTPS.

    The bigger issue, is that instead of your DNS search history being spead over various resolvers in the various networks that you use, your ENTIRE history will be at Cloudflare (or whichever DNS-over-HTTPS provider you choose).

    That is the risk. Your DNS search (query) history tells an aweful lot about you.

    For this reason, various people in the IETF DPRIVE community (I am a member) have been developing recommendations for DNS-as-as-service providers to publish a privacy policy.

    DPRIVE's work can be found at: https://datatracker.ietf.org/wg/dprive/about/

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jul 2019 @ 6:54am

    Just can't help themselves

    If you go to www.ispa.org.uk to read their statement you may find that they complain if you have cookies disabled. They just can't help themselves, it seems.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jul 2019 @ 8:08am

    It's funny how the non-profit who are trying to improve internet security are being vilified, while those who for-profit organizations who are providing material assistance to pedophiles (ICANN, Nominet, et al.) in the form of domain names are completely omitted from this... And lets not forget all those ISP's who have derived profit from DNS tracking. I wonder who the real villian of the internet here is

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.