Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month

Posted by , 10-09-2019

Mozilla quietly announced a major change to its Firefox web browser on Friday [September 6], explaining that “after many experiments—we feel confident that enabling DoH [DNS over HTTPS] by default is the right next step.” 

The company assured in its blogpost that “most of our users will benefit from the greater protections of encrypted DNS traffic,” but there was also a recognition at some of the backlash against the new technology. “When DoH is enabled,” it added, “users will be notified and given the opportunity to opt out.”

So what’s going on, why the controversy, and why might users opt out?

The Internet's Domain Name System (DNS) is one of its greatest strengths and also one of its greatest weaknesses. Because DNS lookups travel as open, unencrypted traffic, IP addresses and browsing activity can be profiled, and requests can be intercepted and manipulated. But with more and more of what is done online being encrypted, the very act of looking up a specific website can be encrypted as well. This is what DNS over HTTPS (DoH) is all about: bypassing the locally configured DNS nameservers and sending encrypted lookups to a central resolver instead.


DoH encrypts the lookup of website addresses, bypassing local Internet Service Providers (ISPs) and connecting directly to central nameservers, likely managed by the companies behind the browsers themselves. This means the traffic cannot be hijacked. But it also means that many of the filtering and protection tools in place today, usually administered by ISPs, will no longer work. And this is why it’s controversial.

The fear is that safeguards might disappear with these changes. Internet Service Providers and child protection software hold lists of dangerous and prohibited sites. Some sites might be totally blacklisted (think child sexual exploitation, terrorism, illegal activity); others might be subject to parental controls (pornography, violence).

Mozilla says that its research found that “OpenDNS parental controls and Google’s safe-search feature were rarely configured by Firefox users in the USA”; in fact, only “4.3% of users in the study used OpenDNS parental controls or safe-search.”

This is important because it goes to the heart of one of the issues with DoH, bypassing such controls. “As a result,” the company explained, “we’re reaching out to parental controls operators to find out more about why this might be happening.”

Mozilla has told me before that “DNS-over-HTTPS offers real security benefits,” with their goal being “to build a more secure internet.”

In the meantime, Firefox will “fallback” to “operating system defaults for DNS” when there is a user-driven requirement, which would include child protection technology or enterprise controls being in place. So, essentially, if something on the system is already limiting which sites can be visited, Firefox will look to respect that and not override it.

Mozilla says that it is working with providers and ISPs to make all this work in practice. It will operate a system in which such protections “add a canary domain to their blocklists.” In other words, a provider adds a deliberately chosen domain to its blocklist; when Firefox finds that this canary domain is blocked, it takes that as a signal that a protection is in place and switches DoH off.

Such an approach is open to abuse by attackers, who might spoof the system to block DoH for the wrong reasons. “If we find that it is being abused to disable DoH,” Mozilla has said, “in situations where users have not explicitly opted in, we will revisit our approach.”
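As an added illustration of the canary mechanism and the abuse concern in the two paragraphs above (this is not Mozilla's code and not from the article), the Python below models Firefox's decision: resolve a canary domain through the system resolver and keep DoH on only if the lookup succeeds normally. The canary name, the DNS wire helpers and the rule that NXDOMAIN or an answer with no address records means "blocked" are assumptions of this model; the responses are constructed test data, and because a plain DNS answer carries no authentication, anyone who can answer that query can produce the "filtered" result.

```python
import struct

# Placeholder canary name: the article does not give Mozilla's real canary domain.
CANARY_DOMAIN = "canary.example"

def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def make_response(name: str, rcode: int, addresses=()) -> bytes:
    """Construct a DNS response packet (constructed test data, not captured traffic)."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, plus the RCODE
    header = struct.pack("!6H", 0x1234, flags, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answers

def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:               # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(pkt: bytes):
    """Return (rcode, number of A/AAAA records in the answer section)."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    addr_records = 0
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype in (1, 28):                    # A or AAAA
            addr_records += 1
    return rcode, addr_records

def doh_allowed(canary_reply: bytes) -> bool:
    """Model of the decision: DoH stays on only if the canary resolved normally.
    Assumption: NXDOMAIN or a reply with no A/AAAA records both mean 'blocked'."""
    rcode, addrs = parse_response(canary_reply)
    return rcode == 0 and addrs > 0
```

A network that wants Firefox to respect its filtering would make its resolver return NXDOMAIN for the canary; a defender auditing the setup can feed the resolver's actual reply into `doh_allowed` to confirm the signal is being sent.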

A presentation from BT on the “Potential ISP Challenges with DNS over HTTPS” earlier this year listed as potential concerns that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to fulfil government-mandated regulation or court orders. And so the change will foster serious debate.

DoH is now going to roll out “gradually” in the USA “starting in late September.” Initially, a smaller percentage of users will see the change, with Mozilla “monitoring for any issues” before the deployment is expanded. “If this goes well,” the company has said, “we will let you know when we’re ready for 100% deployment.”

The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers’ Association told me that “the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice.”