Mozilla’s DoH Encryption Initiative Praised by the EFF Drew Wilson | September 21, 2019 Mozilla’s DoH (DNS over HTTPS) initiative got praise from the EFF (Electronic Frontier Foundation). The EFF calls it a fix to a big privacy gap. Mozilla is has been spearheading DoH encryption for the better part of two years at this point. The initiative essentially is another layer of security for those who browse the web. At the moment, HTTPS adds a level of encryption for web browsing sessions. The encryption helps add a level of privacy for users. A problem arises when people try and access a website through the domain name itself. Domain names are essentially something that helps point a user to the correct address. After all, the Internet utilizes long strings of numbers and dots to communicate with each other. Unfortunately, ##.###.###.### is much harder to remember than freezenet.ca. So, various services, such as your Internet Service Provider, allow users to access DNS lookup lists. So, if one were to type in freezenet.ca, the request will look up the IP address of freezenet.ca, then download the necessary content so the website can load it. The problem, Mozilla sees, is that there is nothing really securing those requests. If someone types in an address, someone could theoretically eavesdrop and find out what website you are accessing. Another possibility is that the DNS record could be tampered for a particular user. So, when they access freezenet.ca, a malicious third party could re-direct that user to a malicious website. The user might not know any better and have their information (or computer) compromised. So, Mozilla decided to create a layer of encryption that would secure this communication. As Mozilla moved forward with this initiative, spy agencies attacked the initiative, saying that creating a more secure web could have unintended consequences. That was back in June of this year. The EFF, however, doesn’t see DoH encryption as a threat, however. In a recent post about DoH encryption, the organization questioned why various groups would ever be opposed to better security. From their comments: Alongside technologies like TLS 1.3 and encrypted SNI, DoH has the potential to provide tremendous privacy protections. But many Internet service providers and participants in the standardization process have expressed strong concerns about the development of the protocol. The UK Internet Service Providers Association even went so far as to call Mozilla an “Internet Villain” for its role in developing DoH. ISPs are concerned that DoH will complicate the use of captive portals, which are used to intercept connections briefly to force users to log on to a network, and will make it more difficult to block content at the resolver level. DNS over HTTPS may undermine plans in the UK to block access to online pornography (the block, introduced as part of the Digital Economy Act of 2017, was planned to be implemented through DNS). EFF is very excited about the privacy protections that DoH will bring, especially since many Internet standards and infrastructure developers have pointed to unencrypted DNS queries as an excuse to delay turning on encryption elsewhere in the Internet. But as with any fundamental shift in the infrastructure of the Internet, DoH must be deployed in a way that respects the rights of the users. Browsers must be transparent about who will gain access to DNS request data and give users an opportunity to choose their own resolver. ISPs and other operators of public resolvers should implement support for encrypted DNS to help preserve a decentralized ecosystem in which users have more choices of whom they rely on for various services. They should also commit to data protections like the ones Mozilla has outlined in their Trusted Recursive Resolver policy. With these steps, DNS over HTTPS has the potential to close one of the largest privacy gaps on the web. At this point, we are only at the beginning of a practical rollout of the encrypted protocol. In a post earlier this month, Mozilla said that they are experimenting with DoH encryption as a fallback mechanism – that is, if a primary DNS server is unavailable, Mozilla will utilize DoH encryption as a backup. From their post: Now that we have these results, we want to tell you about the approach we have settled on to address managed networks and parental controls. At a high level, our plan is to: Respect user choice for opt-in parental controls and disable DoH if we detect them; Respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration; and Fall back to operating system defaults for DNS when split horizon configuration or other DNS issues cause lookup failures. We’re planning to deploy DoH in “fallback” mode; that is, if domain name lookups using DoH fail or if our heuristics are triggered, Firefox will fall back and use the default operating system DNS. This means that for the minority of users whose DNS lookups might fail because of split horizon configuration, Firefox will attempt to find the correct address through the operating system DNS. In addition, Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH. Similarly, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that. We plan to gradually roll out DoH in the USA starting in late September. Our plan is to start slowly enabling DoH for a small percentage of users while monitoring for any issues before enabling for a larger audience. If this goes well, we will let you know when we’re ready for 100% deployment. For the moment, we encourage enterprise administrators and parental control providers to check out our config documentation and get in touch with any questions. As more devices become loaded with DoH encrypted technology, it will be interesting to see if this will eventually become a default setting once more test results come in. Who knows? If things go well, we could see DoH on by default much like how HTTPS has become a norm in everyday web browsing. Drew Wilson on Twitter: @icecube85 and Facebook.