Geo Focus: The United Kingdom , Geo-Specific , Network Firewalls, Network Access Control

Mozilla Nominated for 'Internet Villain' by Angry ISPs

Shaming of Mozilla Over Secure DNS Raises Security Community Eyebrows
Mozilla Nominated for 'Internet Villain' by Angry ISPs

A British internet service provider trade group has cheekily nominated Mozilla for an "internet villain of the year" award over its decision to advance domain name system technology designed to facilitate more secure and private web browsing.

See Also: Close the Case on Ransomware

The U.K.'s Internet Services Providers' Association, whose members include large companies such as BT, AT&T and Verizon, issued a statement nominating Mozilla "for [its] proposed approach to introduce DNS-over-HTTPS in such a way as to bypass U.K. filtering obligations and parental controls, undermining internet safety standards in the U.K."

In a statement, Mozilla says “we’re surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades old internet infrastructure.”

“Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK,” Mozilla says. “DNS-over-HTTPS (DoH) would offer real security benefits to U.K. citizens. Our goal is to build a more secure internet, and we continue to have a serious, constructive conversation with credible stakeholders in the UK about how to do that.”

Functioning like a phone directory for websites, DNS allows a domain name, such as, to be resolved into an IP address that can be reached by a browser. Today, most of those requests are done in clear text. Such text can reveal a plethora of web browsing data, as well as the domains of email contacts and chat services.

As the DNS Privacy Project writes: "The DNS is one of the most significant leaks of data about an individuals activity on the Internet."

DNS-over-HTTPS, which is abbreviated as DoH, is an IETF specification that allows for such requests to be encrypted. That prevents the requests from being readable by third parties or ISPs. It also works as an anti-censorship deterrent.

Security experts have widely endorsed DoH. Mozilla, as well as Google, have been working on plans to allow their browsers send DoH requests. Google notably already supports two DoH APIs as part of its Google Public DNS.

Many security experts have expressed surprise and dismay at the tone of the ISPA's "internet villain" suggestion.

In response, Scott Helme, a U.K.-based security expert, tweets:

DNS: Data-Rich Choke Point

Most DNS requests are handled by network providers for consumers, and privacy concerns persist over how that data gets handled. In the U.S., for example, Congress decline to impose rules that forbid network providers from potentially sell browsing histories, The Washington Post reported in April 2017.

But bulk collection of DNS requests is also very useful for security analysts, as it helps with investigating malware and hacking groups. Encrypting DNS traffic also means firewalls can't do traffic analysis on those requests, thus taking away a tool used by security pros to monitor and filter network traffic.

There are already worries that individuals using DoH might bring greater security risks to an organization. For example, Cisco published guidance in December 2018 for its Umbrella gateway for how to try to stop DoH connections.

DNS is also a choke point that can be used by ISPs to block access to certain websites, raising censorship concerns. In the U.K., network providers must comply with laws that require the filtering of certain types of content, ranging from copyright-infringing sites to child pornography to obscene content. But implementing DoH cuts off a channel ISPs use to gain visibility into such content.

As far as the U.K. and its internet-filtering scheme, Mozilla says “we have no current plans to enable DoH by default in the U.K. However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly.”

DoH Via Mozilla and Cloudflare

Mozilla began testing DoH last year to see how it would perform with content delivery networks such as Akamai and Cloudflare, writes Selena Deckelmann, Mozilla's senior director of engineering, in an April blog post. Mozilla has continued to test using Cloudflare as its DNS resolver.

For Mozilla product users, that means their DNS requests travel via HTTPS to Cloudflare. As part of its agreement with Mozilla, Cloudflare says it collects a small amount of technical information but discards it after 24 hours.

Cloudflare says it will not transfer that DNS data - or any other personal information, IP addresses or other identifiers that come from a Firefox browser using DoH - to third parties.

If Cloudflare were to receive a government request to block access to domains, it says it "would, in consultation with Mozilla, exhaust our legal remedies before complying with such a request."

Cloudflare adds: "We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so."

Awards Ceremony

The U.K.'s ISPA will hold its annual awards ceremony in London on July 11. One of the other two nominees for internet villain is U.S. President Donald Trump "for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security" (see Huawei Ban: White House Budget Chief Seeks Delay).

ISPA U.K.'s nominees for "villains" of the internet for its annual award ceremony on July 11.

The third nominee is the Article 13 Copyright Directive, which is an EU regulation that holds service providers to stringent requirements when handling copyright-protected content. ISPA U.K. alleges that Article 13 threatens "freedom of expression online by requiring 'content recognition technologies' across platforms."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.