Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Mozilla Businesses The Internet United Kingdom Technology

Internet Group Brands Mozilla 'Internet Villain' For Supporting DNS Privacy Feature (techcrunch.com) 273

An industry group of internet service providers has branded Firefox browser maker Mozilla an "internet villain" for supporting a DNS security standard. From a report: Internet Services Providers' Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to "bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K." Mozilla said late last year it was planning to test DNS-over-HTTPS to a small number of users.

Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead. DNS-over-HTTPS also improves performance, making DNS queries -- and the overall browsing experience -- faster. But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.

This discussion has been archived. No new comments can be posted.

Internet Group Brands Mozilla 'Internet Villain' For Supporting DNS Privacy Feature

Comments Filter:
  • by WCMI92 ( 592436 ) on Friday July 05, 2019 @09:43AM (#58877312) Homepage

    Worse than Google!

    Worse than Microsoft!!!

    Worse than Oracle!!!!!

    Worse than Oracle's Salesmen!!!!!!!!!

    Oh Noes!!!!

    • by Mr. Dollar Ton ( 5495648 ) on Friday July 05, 2019 @10:14AM (#58877486)

      Worse than the Internet Services Providers' Association (ISPA), too.

  • by Vermonter ( 2683811 ) on Friday July 05, 2019 @09:44AM (#58877318)

    Anyone standing in the way of their control will be slandered and painted as a villain.

    • by Tx ( 96709 ) on Friday July 05, 2019 @10:24AM (#58877544) Journal

      The ISPA isn't the government. And most of its members were very reluctant to have the burden of implementing the government's blocking scheme thrust on them in the first place. That's probably what's actually bothering them here too; if the blocking scheme gets broken, the government will expect the ISPs to fix it or find an alternative solution, at their own expense.

      • by Z00L00K ( 682162 ) on Friday July 05, 2019 @11:41AM (#58878002) Homepage Journal

        Only way to solve that "problem" for the government would be to block all traffic that's not clear text and suffer the consequences.

        So we will then see "The Great Wall of Great Britain". It seems like the government there really uses 1984 and "Brave New World" and maybe also "Equilibrium" as a manuals. But I suspect that their vision is the official world of "Demolition Man".

    • Time to bring back AlterNIC.
  • Good for Mozilla (Score:5, Insightful)

    by Kernel Kurtz ( 182424 ) on Friday July 05, 2019 @09:44AM (#58877320)

    Censorship is not a "safety standard".

    • Not necessarily good for Mozilla. There are many times that "security" features are used against the owners also. WIth everything encrypted and devices that use certificates that not even the owner of the device has access to and the rise of internet of things and/or phone home routines built into literally EVERYTHING now. Owners cannot even verify or block what their devices are sending about them. Depending on how this is implemented, it could be the same way. If Mozilla is hard coding the DNS resolution

      • I don't disagree. In this case we are assuming that Google or Cloudflare's DNS is more trustworthy than your ISP, which may not always be the case.

        Still, it is a useful step. Hopefully DoH will become ubiquitous and then you can choose your DNS provider accordingly.

      • This was the point of "Trusted Computing", formerly known as "Palladium". It was architected by Brian LaMacchia at Microsoft, who failed to acknowledge the risk of leaving the private keys, and the signature authority keys, in Microsoft's hands with no judicial process or oversight in handing them over to private or governmental parties. The private keys are held in escrow by Microsoft, with nearly no recourse for hosting the private keys outside of Microsoft access.

        One of its key points is that Microsoft c

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday July 05, 2019 @09:47AM (#58877334)
    Comment removed based on user account deletion
    • by Mashiki ( 184564 )

      EDNS and SNI are better options then DNS over HTTPS, but the question at the end of the day will be how will these authoritarian governments respond. Besides the UK, you've also got AUS and NZ blocking websites based on their own morality policing, or because someone in a government position told or suggested it to them. Canada might be next on the list if Trudeau Jr wins again, since he wants to be able to block websites and restrict social media. The draft itself is as flawed and a charter violation, a

      • Justin hasn’t a hope in hell of being re-elected. His attempts to shift blame to former Justice Minister Jody Wilson-Raybould when he got caught trying to interfere with the federal prosecutors decision to pursue criminal bribery charges against SNC-Lavalin totally destroyed any claim he was a feminist. ~p> If the liberals wanted to win, they would have kicked out Justin and run Jody for PM. Justin has done the impossible - made Andrew Scheer look credible.
        • by Mashiki ( 184564 )

          He has a hope, but it looks slimmer by the day. SNC-Lavalin did some serious damage, but his government has already been caught using elections canada to pay left-wing influencers [globalnews.ca] to influence the left-wing youth vote. For non-canadians, it would be like your independent federal election body that exists only to ensure that elections are conducted fair and legally, paying only one group of politically aligned people to show up and vote. And he just got nailed again engaging in patronage, giving high pow [globalnews.ca]

          • by epine ( 68316 )

            Justin's interference in SNC-Lavalin is serious, but not nearly as serious as Trump flat out lying on the campaign trail about whether he was still manipulating the pool table behind the scenes with sugar-plum visions of Trump Tower Moscow.

            A sense of proportion is useful, here.

            Lavalin employs a lot of people. Responsible politicians from any side of the aisle are going to sweat over those jobs.

    • This has been a sticking point for a while. Part of the reason the DNS filter got through was because it was easy and already used for things like blocking CP.

      Though it's already been commonly used to also block IP addresses, that is they block the resolution of the name and/or the IP addresses that resolve from the name.

      However, you've always been able to get around it very easily using all manner of proxies. It's been inevitable the eventually the government would have to block encryption, proxies,
      • by DarkOx ( 621550 )

        The cynic in me thinks this is what these law makers want. Some might be dumb enough to think its possible to construct a filter that isn't easily thwarted by instructions you pass to your buddy on pub napkin but many are not that dumb.

        They know ultimately that blocking content a hopeless mission; you can't enumerate all the bad out there.

        What they *want* is force providers to flip the script and only allow people to access a whitelist of curated content that does not start anyone thinking about anything t

    • What privacy? DNS-over-HTTPs does no hide what you are doing from your DNS-very-HTTPs server. You are just trading a spy for another.
  • by DarkOx ( 621550 ) on Friday July 05, 2019 @09:52AM (#58877366) Journal

    Are the IETF also internet villains, for DNSSEC? I suppose that isn't encrypted so you can still 'block' it but you can't redirect to your nanny/nag server if its enabled (well unless the client does not know the zone should be signed).

  • by xack ( 5304745 ) on Friday July 05, 2019 @09:53AM (#58877374)
    The porn ban has been delayed more times than brexit and now Firefox will have a boost in market share from people using it if the ban actually happens. This is one of the times Mozilla has done something right.
    • Pretty much everyone fails at censorship.

    • >"This is one of the times Mozilla has done something right."

      No, it is actually one of the MANY times Mozilla has done something right. Of course, no organization is perfect, Mozilla included.

  • by DarkOx ( 621550 ) on Friday July 05, 2019 @09:54AM (#58877380) Journal

    I mean the status of discourse these days is basically name calling.

    The FSF calls Chrome, "malware". I happen to think that is a fair characterization but I don't know its really 'helpful' to apply such a label. Isn't it enough just to have a page detail their philosophical issues with Chrome?

    Same here; lots of reasons to dislike Mozilla's proposal some even legitimate; but calling a browser make a villain?

    • Huh? You want arguments? Details? Nuances? Ain't no body got time for that. If you can't make it a buzzword then you've lost pretty much most of the world as an audience.

    • lots of reasons to dislike Mozilla's proposal some even legitimate

      Such as?

      I'm trying hard to think of a single legitimate reason to dislike it, and so far I've got nothing. Given the nature of the internet today, all communication needs to be encrypted. Anything that isn't encrypted is a huge security hole. And DNS is one of the most important. If DNS isn't secure, nothing on the web is secure. When you type "google.com" into your browser, you could easily get sent to a malicious page because someone has pulled a MITM attack and edited the response.

      • by DarkOx ( 621550 )

        1) Instead of trusting your ISP, Personal, or Organizational DNS, you are now trusting Mozilla. That isn't really their decision to make its not clear this will be obvious that its on or easily turned off, by typical users

        2) Rather than respecting your personal or organization DNS choices which might already implement behavior YOU want like certain types of filtering you are giving control to Mozilla.

        3) HTTPS for DNS request will be a lot more network overhead.

        4) Split horizon DNS and geographicall

  • Better perfomance? (Score:5, Interesting)

    by Viol8 ( 599362 ) on Friday July 05, 2019 @09:55AM (#58877382) Homepage

    " DNS-over-HTTPS also improves performance"

    So wrapping a DNS request up in an HTTP request then encrypting it and doing the reverse at the other end is actually faster than sending a few unencrypted UDP packets? Pull the other one.

    If they're going to justify this fairly pointless re-invention of the wheel they should at least make the technical reasons plausible.

    • by DarkOx ( 621550 ) on Friday July 05, 2019 @10:01AM (#58877430) Journal

      I suspect it improves performance in some instances. Consider how most places are configured. Odds are good there is some local nat box. It probably also runs a local NS server. Its like some slow-ass arm box from five years ago. So you send a few UDP packets to it the local name server decides if its got cached content it ought to serve and if not goes after its forwarders waits for the response and they relays it.

      It IS probably faster to push a little more IP thru the highly optimized NAT path way.

      Now if the client has been configured to go after 8.8.8.8 or 1.1.1.1 or the like; I'll be the response time of that vs DNS/HTTPS is blowout and traditional DNS will be a full order of magnitude faster.

      How the performance is in larger organizations with real DNS infrastructure probably varies widely.

    • " DNS-over-HTTPS also improves performance"

      So wrapping a DNS request up in an HTTP request then encrypting it and doing the reverse at the other end is actually faster than sending a few unencrypted UDP packets? Pull the other one.

      If they're going to justify this fairly pointless re-invention of the wheel they should at least make the technical reasons plausible.

      I guess it basically comes down to that vs how much of a performance hit blocklists add.

    • Once the secure connection is established and it can send and receive more then one request per packet.

    • In one case that could be : UDP => ISP 1 filtering tool => Root server

      And the other be DNS request=>HTTP=>https=> Filtering tool knows nothing so forward it ad hoc => Root Server => decryption on root server.

      Without knowing how quick the filtering tool are in UK ISP you can't tell that this is "reinventing the wheel" or slower. For all we know the ISP use 100 ms on a shitty programmed lookup to check if the url is porn.
    • If they're going to justify this fairly pointless re-invention of the wheel they should at least make the technical reasons plausible.

      It's worth thinking beyond "it's encrypted so must be slower". The reality is there are many reasons why it could be faster for example:
      - Recursive lookups from your router to your ISP to the root server. vs simply going directly to Google who have a complete copy of the database.
      - Handing the tasks to an OS to perform the lookup where it will likely try several other options including things like multicasting before going out to do a DNS lookup (ever wonder why digging a server directly is faster than lett

    • So wrapping a DNS request up in an HTTP request then encrypting it and doing the reverse at the other end is actually faster than sending a few unencrypted UDP packets? Pull the other one.

      It depends on usage patterns. If you only need exactly one DNS request, and you do the full handshake, transfer of info, then disconnect, that would be slower due to the overhead. But Firefox is a web browser, and web pages have a different usage pattern.

      HTTPS connections can persist and they allow for out-of-order pipeling so you can get the data as soon as available rather than waiting for prior requests. If you use the Internet in more typical web browsing patterns (make a burst of DNS requests every

  • by Luthair ( 847766 ) on Friday July 05, 2019 @10:02AM (#58877436)
    Its almost like ISPs want to be able gather data about every site their customers visit, build a profile and sell it.
    • Plenty of us who run ISPs have quite the opposite desire. If we're able to gather the data, we're easily served a "technical capability notice" to send that data off somewhere else. If we don't gather the data already then the cost of that is passed back to the body asking us to build that capability.

  • I like turtles. I'm trying to mix things up. Keep it fresh and edgy. What were you expecting?!
  • by Anonymous Coward on Friday July 05, 2019 @10:05AM (#58877458)

    War is Peace; Freedom is Slavery; Ignorance is Strength.

  • by Anonymous Coward on Friday July 05, 2019 @10:26AM (#58877568)

    DNS-over-HTTPS does suck, but not because it annoys the UK nanny state.

    First, DoH is a stupid layering violation: the sensible way to encrypt DNS traffic is to use [D]TLS directly. But when you're a web developer, HTTP is your hammer and everything looks like a nail.

    Second, the current implementation of DoH protects your privacy by routing all your DNS queries through giant semi-monopolies like Cloudflare. I can only assume that Mozilla is being paid for selling out their users like that, or maybe Mozilla developers are so corrupted by the Silicon Valley culture that it seems completely normal to them. Either way, their definition of privacy is completely disconnected from reality.

    • Mozilla lets you choose which DoH resolver you use. For that reason I set one up at the ISP I run: http://faelix.link/pdns [faelix.link]

      Mozilla is soliciting other trusted recursive resolver partners than Cloudflare, and I'm fully intending to speak to them about that.

  • But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.

    Routing around damage...

  • by paulpach ( 798828 ) on Friday July 05, 2019 @10:47AM (#58877684)

    The internet group is seriously confused here. Who is the villain here?

    1) Mozilla who is adding a feature to protect privacy, which just like any other encryption can be used for good and bad.
    2) The UK government doing censorship?

    And by that logic, isn't plain old HTTPS also evil? Plenty of porn can slip through HTTPS under the nose of the UK nanny state. Or is it ok because it is already established?

  • "But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime".

    "Website blocking regime"... does that simply mean "censorship"?

    • Comment removed based on user account deletion
    • The UK has two current reasons for blocking websites nationally, and one proposed:

      1. The secret list of child abuse. Produced by the IWF, and distributed to ISPs. A few people grumble about the severe lack of accountability involved - because of the nature of the material, the block list is obviously secret, to the point that some ISPs will produce fake 404 errors to make it difficult to spot that censorship is taking place at all - and there is no means of appeal. Few people of any importance dare to say t

  • "But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime."

    Like a VPN?

    Well, you people had one of the stupidest Internet blocking mechanism on this planet and now it doesn't work anymore.
    You're fucked.

  • The situation, presented in form of a conversation:

    Government: "ISPs! I think most of the country can agree we need to block child abuse imagery, and the most blatant copyright infringement, and a couple more things. We'll force you if we have to, but we're in a deregulatory mood right now, so how about you just do it 'voluntarily' and we won't have to break out the regulatory stick?"

    ISPs: "An offer we can't refuse kind of deal? Yeah, we can do that. Simple DNS block. Can you give us a list of sites to bloc

  • > doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.
    How is this firefox's problem?
    It's not their job to help the UK ban porn or whatever.
    If they want to control their citizens they should go full china and put the entire country behind a giant firewall that blocks all non sanctioned traffic.
  • The villains of the villains are the good guys.

  • But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.

    That's because it isn't compatible. I'm not a fan of DNS-over-HTTPS, but even I have to admit that the UK's attack on its citizens' DNS is a great example of what DNS-over-HTTPS might be able to fix, for users who won't run their own DNS.

    I'd think that if you want to criticize DNS-over-HTTPS, the UK's approach to censorship is something you should never bring up, and if someone else does, you should chang

  • When I read this, first thing I thought was maybe ISPs in the UK do a lot of content caching to save bandwidth costs - in which case Firefox would be doing an end-around, to use an idiom from American football. But that’s not an argument which is going to resonate with anybody, except other ISPs... so they came up with the one we’re discussing.

  • How big are the DNS tables anyway? Is there some reason, esp. for just web browsing, that Mozilla couldn't just keep a local DNS lookup table it pulls updates from? I mean, are we talking about a hundred meg or a 5 gigs or what?

    • by noahm ( 4459 )

      You're basically describing a local DNS cache. But it can't be pre-distributed because DNS is decentralized. There's no one location for all DNS data from which you could pull these tables. A name resolution process may need to involve several DNS servers, all managed by different entities, in order to determine the final result. This is a good thing, and has allowed DNS to scale.

      • I assume when someone uses Verizon's or Google's or Cloudflare's DNS, that those are centralized repositories of DNS cached lookups that are kept up-to-date. Why couldn't those just have up-to-date mirrors kept locally? Is it size?

        It seems like all the DNS information for everything in the world could be under maybe a few hundred MB, and therefore every computer could trivially have a local cache.

        • by noahm ( 4459 )

          No, there literally is no centralized location that has, or can have, all of the DNS information. By design, anybody can add a DNS server to the internet at any time, and they own 100% of the data served by that server. That means that they can change the content at any time, one whatever schedule or frequency they choose. Content served by that server is completely unknown to any other DNS server or client resolver until it is explicitly requested. Once the resolver (e.g. Cloudflare or Google) knows about

          • Yeah, I get that someone who owns randomdomain.com can add more subdomain records. But once Cloudflare or Google finds out about it, they'll query them regularly. And Cloudflare/Google have a cache that is 99.999% accurate at any given time. My question is, how large is that cache? Because you're talking about "I want to make sure that I have 100% information" and I'm talking about "This seems like it would prevent people from sniffing on DNS 99.999% of the time, and speed things up, just with a local c

            • by noahm ( 4459 )

              Keep in mind that DNS was invented specifically to solve the problems with the solution you're proposing. Prior to the invention of DNS, name->IP mapping info was distributed exactly as you describe. That stopped being feasible in the mid 1980's, and it's certainly no more feasible now than it was then.

              Further, data isn't "immediately out of date." TTL on DNS changes is canonically 24 hours.

              The TTL on "google.com" is 300 seconds. Slashdot.org is 900 seconds. Amazon.com is 60 seconds.

              Beyond that, you're ignoring the fact the DNS can, and regularly does, return different results to users in dif

        • by noahm ( 4459 )

          It seems like all the DNS information for everything in the world could be under maybe a few hundred MB, and therefore every computer could trivially have a local cache.

          (Splitting my reply across posts because slashdot's lameness filter is being rather lame)

          As to how big the complete DNS dataset would be, I suspect you're underestimating by an order or two of magnitude, but again, because there is no centralized location for DNS information, it's literally impossible to know. But consider:

          Per https://www.verisign.com/en_US... [verisign.com], there are 142,573,540 ".com" domains as of today (July 5 2019). We don't have statistics on the sizes of the individual names, but for the sake of a

  • If I was Mozilla, I'd make a big poster celebrating the receipt of this award and display it proudly.

  • Rather than demonize the security minded browser, why don’t they work with them. Seems a blind attack by them without real secure alternatives offered, they should perhaps work together.
  • Comment removed based on user account deletion

Bus error -- please leave by the rear door.

Working...