Gov't, ISP Website Blacklisting to be Less Effective

John Lister's picture

Mozilla is to make an important change to Firefox browser security. It could reduce risks for users, but has raised concerns among governments and Internet Service Providers (ISPs), as it could limit their tools for filtering and monitoring online activity.

The change has to do with a feature called DNS-over-HTTPS (DoH), and will first affect users in the US. It's already possible to enable DoH in Chrome, but it takes some technical know-how because the feature currently isn't widely used.

DoH is all to do with the DNS (Domain Name System), which is effectively the phone book of the Internet. It's what turns a website name (Infopackets.com) into an IP address. The IP address is then used to identify the location of where the web server is located, so that it can serve files (such as webpages) to the user and browser connecting to the site.

DNS Used To Blacklist Sites

DNS is a silent service that works behind the scenes.

For example, whenever a user visits a website by typing in its domain name into a web browser, a DNS server is contacted first, which then responds with the IP address for the site being looked up. With most browsers, the DNS lookup is unencrypted. That means its possible for somebody to intercept or spy on the DNS lookup requests and get some clues as to who is looking at which pages. (Source: zdnet.com)

The DNS-over-HTTPS (DoH) method works by encrypting the DNS request while in transit, in the same way data is sent to and from a secure website to a web browser, such when a user connects to their online bank. The end result of having a secure connection is either a positive or negative, depending on your viewpoint.

For example, governments won't be able to spot users visiting websites which they consider problematic. That could mean political dissidents visiting censored news sites, but could equally mean people bad people visiting sites with exploitative images of children.

Court Orders May Be Harder to Enforce

Another effect is that court orders for Internet Service Providers (ISPs) to block traffic to 'illegal' websites, such as file sharing sites that breach copyright, could be harder to enforce. Many providers currently use DNS requests as the easiest way to block access to such sites.

Mozilla says it will use a "canary domain" system which will automatically disable DNS-over-HTTPS (DoH) if it detects that the system, network, or domain is being controlled with parental locks or organization - such as a work environment which uses Windows Server to control DNS.

According to Mozilla, "This [type of fallback system] helps us in situations where the parental controls [or enterprise systems] operate on the network rather than an individual computer. If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls [or enterprise systems] are in effect on the network, and Firefox will disable DoH automatically."

That may not satisfy everyone, as it effectively gives Mozilla control over which sites governments and Internet Service Providers can block through an otherwise blocked-DNS-at-the-ISP-level method. (Source: ispreview.co.uk)

What's Your Opinion?

Would you like DoH enabled on your browser? What types of site is it valid to block through DNS request monitoring? How should Mozilla respond to requests to switch off DoH for particular sites, thus letting Internet providers block them as normal?

Rate this article: 
Average: 5 (8 votes)

Comments

Unrecognised's picture

We like security, but we like freedom from oppression more.

It's a little bit funny actually. Maybe we'll have 'Container Wars' in which the Internet continues to be put in increasingly exterior boxes as governments try to control it and other entities thwart them.

eric's picture

I'm surprised you didn't mention UK ISP association labeled Mozilla as an "villain" for providing a service that "could disrupt their ability to censor, track and control various internet / account services".

Is it lost on everyone that the governments and big corps are labeling a personal privacy and freedom move as villainous?

Of course it would be fantastic to have free, secure DNS that is safe from censorship and privacy invasions - but instead, Mozilla is routing thru Cloudflare public DNS, which does it's own measure of traffic blocking.
So, while we might be a little safer on the privacy front from ISPs and other trackers, it's still not an all clear on the censorship front.

In any case, this new service from Mozilla is better than what was before and better than any other browser is offering.