Mozilla and Google's support for DoH protocol upsets UK regulators and ISPs

The trade association for internet service providers in the UK has nominated Mozilla for this year's award of "Internet Villain" because of the browser maker's plans to support the DNS-over-HTTPS (DoH) protocol in its Firefox browser.

In a statement published this week, the Internet Services Providers Association (ISPAUK) claimed that Mozilla plans to support DNS-over-HTTPS "in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

The trade association's comments follow two months of sustained criticism aimed at both Mozilla and Google from the UK government and various advocacy groups, all of it centered on the new DoH protocol.

What is DoH and why do ISPs hate it?

The DNS-over-HTTPS protocol (IETF RFC 8484) sends DNS queries inside an encrypted HTTPS connection, rather than as plaintext over UDP (or TCP) port 53, which is how traditional DNS works.

The other difference is not in the protocol itself but in how Mozilla and Google are deploying it: DoH is implemented inside the application, rather than in the operating system's resolver, which is what every other program on the machine uses.

All DNS-over-HTTPS connections take place between an app (like a browser or mobile app) and a DoH-capable DNS server (resolver).

All DoH traffic is just HTTPS. The client takes an ordinary DNS query in its usual binary wire format and sends it to the resolver's DoH endpoint either as the body of an HTTP POST (content type application/dns-message) or base64url-encoded in the "dns" query parameter of an HTTP GET. The resolver answers with an ordinary DNS response in the same wire format, carried in the HTTPS reply. TLS encrypts both directions exactly as it does for any other web request.

A side-effect of this design is that each app controls the privacy of its own DNS queries: it can hardwire a list of DoH resolvers in its settings and bypass the resolvers the operating system was handed (typically the ISP's, via DHCP), which in most cases do not speak DoH.

This means the contents of a user's DNS queries are invisible to third-party observers, such as ISPs. DoH queries and responses are carried inside encrypted connections that are indistinguishable from other HTTPS traffic. What an observer can still see is that the client opened a TLS session to the resolver's IP address (and, unless the TLS Client Hello is encrypted, the resolver's hostname in the SNI field), and which IP addresses the client subsequently connects to.

In theory, the protocol is a dream for privacy advocates, but a nightmare for ISPs and makers of network security appliances.
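The exchange described above, as an added example that is not code from the article, Mozilla or Google: it builds an RFC 1035 DNS query, shows both HTTP encodings RFC 8484 allows (POST body and GET "dns" parameter), and parses the resolver's reply. The resolver hostname doh.example.net and path /dns-query are hypothetical, and the response bytes are constructed locally so the script runs offline instead of performing a real lookup.

```python
"""DNS-over-HTTPS (RFC 8484) exchange, end to end, without touching the network.

Added example; not code from the article, Mozilla or Google. The resolver name
and the response are constructed for the demo (192.0.2.1 is a documentation
address from RFC 5737).
"""
from __future__ import annotations

import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Classic DNS wire-format query. RFC 8484 recommends ID 0 so HTTP caches can reuse replies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        qname += struct.pack("B", len(label)) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def doh_post(resolver_host: str, path: str, query: bytes):
    """The HTTP request a DoH client sends when it uses POST: the DNS message is the body."""
    headers = {
        "Host": resolver_host,
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(query)),
    }
    return "POST", f"https://{resolver_host}{path}", headers, query


def doh_get_url(resolver_host: str, path: str, query: bytes) -> str:
    """The GET form: base64url with padding stripped, per RFC 8484 section 6."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{path}?dns={encoded}"


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) DNS name; returns (name, offset after the field)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Pull the answer section out of a DNS response (the body of the DoH reply)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def constructed_response(query: bytes, address: str = "192.0.2.1", ttl: int = 300) -> bytes:
    """What the resolver side returns. Constructed for the demo, not a real lookup."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    question = query[12:]
    answer = b"\xC0\x0C"  # pointer to the QNAME at offset 12
    answer += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    answer += bytes(int(octet) for octet in address.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")
    method, url, headers, body = doh_post("doh.example.net", "/dns-query", q)  # hypothetical resolver
    print(method, url, headers, body.hex())
    print(doh_get_url("doh.example.net", "/dns-query", q))
    print(parse_response(constructed_response(q)))
```

Everything in the POST body and the GET parameter is inside TLS once the request is sent, which is why an ISP's port 53 filter never sees the name being looked up. The TLS handshake to doh.example.net itself is still visible, so filtering by resolver address or SNI remains possible, which is the lever parental-control and compliance products are expected to use.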

UK fears DoH will cripple its national web blocking scheme

In the UK, ISPs are legally required to block certain types of websites, such as those hosting copyright- or trademark-infringing content. Some ISPs also block other sites at their discretion, such as those carrying extremist content, adult images, and child sexual abuse material. These latter blocks are voluntary and not uniform across the UK, but most ISPs do block child abuse content. In practice, much of this blocking is done at the ISP's DNS resolver, which simply refuses to answer for blocked domains.

By planning to support DNS-over-HTTPS, Mozilla is throwing a monkey wrench into many ISPs' ability to inspect customers' DNS traffic and filter it for government-mandated "bad sites."

While some UK-based ISPs, such as British Telecom, have shown public support for the DoH protocol, the vast majority have not.

The jab from the ISPAUK trade association follows a two-month period during which both Google and Mozilla have been criticized in the UK for their plans to support DNS-over-HTTPS in their respective browsers, Chrome and Firefox.

In mid-May, Baroness Thornton, a Labour peer, raised the DoH protocol and its impending support from browser makers in the House of Lords, calling it a threat to the UK's online safety.

Similarly, GCHQ, Britain's signals intelligence agency, has criticized both Google and Mozilla, claiming the new protocol would impede police investigations and could undermine the government's existing protections against malicious websites.

The Internet Watch Foundation (IWF), a British watchdog group with a declared mission to minimize the availability of online child sexual abuse content, also criticized both Google and Mozilla, claiming the browser makers were ruining years of work in protecting the British public from abusive content by providing a new method for accessing illegal content.

The Tor conundrum

Google and Mozilla's support for DoH comes down to the same moral dilemma that surrounds the Tor Project and the Tor network.

Browser makers must now decide if it's worth supporting a tool that brings privacy improvements to millions, at the expense of a few that may have to suffer.

Currently, DoH is not supported in the stable versions of Chrome and Firefox. Google is still testing DoH support in Chrome, while Mozilla has completed a successful DoH test in Firefox and officially said it plans to ship the feature in the stable branch, but it has not given a timeline.

Mozilla is nominated for ISPAUK's "Internet Villain" prize together with US President Donald Trump (for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security) and the EU's Article 13 Copyright Directive (for threatening freedom of expression online by requiring 'content recognition technologies' across platforms).

Asked for comment on its nomination, Mozilla sent back the following reply.

"We're surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades old internet infrastructure," a Mozilla spokesperson told ZDNet. "Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK.

"DNS-over-HTTPS (DoH) would offer real security benefits to UK citizens. Our goal is to build a more secure internet, and we continue to have a serious, constructive conversation with credible stakeholders in the UK about how to do that," the organization said.

"We have no current plans to enable DoH by default in the UK. However, we are currently exploring potential DoH partners in Europe to bring this important security feature to other Europeans more broadly."

On the other hand, for "Internet Hero," ISPAUK has nominated Sir Tim Berners-Lee (for spearheading the 'Contract for the Web' campaign to rebuild trust and protect the open and free nature of the Internet in the 30th anniversary of the World Wide Web), Andrew Ferguson OBE, Editor, Thinkbroadband (for providing independent analysis and valuable data on the UK broadband market since the year 2000), and Oscar Tapp-Scotting & Paul Blaker, Global Internet Governance Team, DCMS (for leading the UK Government's efforts to ensure a balanced and proportionate agenda at the International Telecommunications Union Conference).

Article updated on July 5 at 3pm ET with Mozilla statement.
