Mozilla is an ‘Internet Villain’?
ZDNet yesterday reported (https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/) that an industry group of UK-based ISPs (Internet Service Providers – the companies that make money selling you your broadband or other Internet connection) voted The Mozilla Foundation, developers of Firefox – one of the most private and secure web browsers available – this year’s “Internet Villain”.
To the increasing number of people concerned about the large scale abuses by governments and corporations of surveillance, tracking and data harvesting tools, Firefox is seen as “one of the good guys” – a product with built-in ad-blockers and features that automatically block spying techniques like single-pixel tracking images and automatic collection of browser fingerprints (a method of identifying you and your machine by collecting details of its hardware and software configuration).
So, why is Mozilla suddenly a villain?
Because, like Google’s Chrome browser, Mozilla Firefox plans to introduce the DoH protocol – DNS-over-HTTPS.
A little background
DNS (Domain Name Service) is the mechanism that turns a URL (like www.biznik.co.uk) into the IP address (the ‘dotted’ address – in this case 126.96.36.199) that is actually used to route traffic over the Internet. The ‘thing’ that performs this translation is called a DNS server, of which there are thousands of public and private examples spread all across the Internet. In order to resolve (translate) the URL of an unknown external domain into an IP address, a public DNS server that knows that domain must be found and consulted to obtain the IP address. There’s a bit more involved than that (actually, quite a bit) but that explanation tells you all you need for this discussion.
The highly significant factor is that since the dawn of the Internet, DNS has operated in plain text – out in the open allowing anybody who can see the requests flying back and forth (like your ISP) to monitor every request made – and therefore track everywhere you go on the Internet. A clear abuse of privacy which becomes clearer once you understand that most ISPs sell this information to data brokers who use it to help build the profiles these shady operators try to build on every one of us.
The public DNS server that you use is set by your ISP – unless you have taken steps to set your router (and possibly your workstations or laptops) to specifically use a DNS server of your choice.
Even this is not enough to stop your ISP listening in or simply diverting your DNS requests to its own servers regardless of which server you intend them to go to. This is because all DNS requests travel through the same port (port 53 – think of an Internet port being like a radio channel that you can “tune in” to or choose to listen to). Simply by programming the router at the ISP’s end of your Internet connection, the ISP can either listen in to all traffic flowing through port 53, recording the request and response regardless – or go further and ignore where you want the traffic to go (say, Cloudflare’s public DNS servers) and force the DNS request to its own servers anyway.
Either way, the ISP still gets to record all your DNS requests and may interfere with them.
An example may help.
A number of years ago I moved to rural France. The village in which I live has no fibre Internet – in fact it is so disconnected that I cannot even obtain a telephone landline (the local telephone exchange has no spare lines left) and even if I could, the poor quality of the cables used to carry telephone signals in these parts would prevent even a very slow speed ADSL connection – around 512Kbps, the speed of an old fashioned dial-up modem. In effect, the village is cut off from the outside world of the Internet.
So, I installed an expensive satellite connection that, for around 4 times the price of the gigabit fibre connections available in towns as close as 5Km away, claims to provide 26Mbps download rate (2.6% of a fibre connection) and 6Mbps upload (outgoing). In practice the actual performance ranges between 0% and 60% of these headline figures. On top of this, the amount of data is capped at just 50GB per month – in both directions. If this figure is exceeded the ISP (Eutelsat) clamps the transfer rate (speed) of the connection to sub-dial-up rates – think 100Kbps in practice. In effect, the Internet gets turned off. As the radio signal has to travel several miles into space to reach the satellite then make an equivalent journey back to earth, the “round trip” time is over 3.4 seconds – where a more typical ADSL or fibre timing would be a few milliseconds. On top of which the connection exhibits so much jitter (a technical term which measures the variance in the time it takes one packet of data or the next to arrive at its destination) – being so bad that it is impossible to stream simple audio – like a telephone conversation.
But, needs must.
The satellite hardware was installed before we moved in (work was ongoing to adapt the house to my needs). But I installed the satellite modem/router and connected a laptop to perform a quick test that all was working. That done, everything was switched off. So imagine my surprise when I received an email the following morning telling me the whole month’s 50GB of data had apparently been used in a few hours. As the connection is uncapped between midnight and 06:00 even had the equipment been turned on and the line operating flat out at its claimed rate it would have been impossible to consume so much data in the time that had passed.
The company stuck to its guns and over several months similar sudden alleged spikes in traffic occurred – each causing effective cutoff of service.
After about 6 months of wrangling during which I patiently repeatedly insisted the company provide proof of the consumption they claimed I eventually received a spreadsheet containing a list of all the IP addresses and data consumed during that first, disputed night.
Take a moment to understand what just happened – my ISP produced a list of all the websites and other Internet based services (e.g. streaming services, VOIP telephone services, email, cloud storage …) I had allegedly contacted and a measure of the amount of data allegedly passed between here and each of them.
It being the work of a moment to do a reverse DNS lookup (the opposite of normal – translate an IP address into the URL it relates to) I could see that the vast bulk of the traffic was downloads from one of the big CDNs (Content Delivery Networks – in short companies that exist to deliver popular files like Netflix or YouTube videos from servers they operate around the globe – so that the content is delivered in a timely and responsive manner – and the load doesn’t all fall on one server behind a single Internet connection).
To add to the fun, in an effort to “prove” that I was responsible for the traffic, the spreadsheet had been falsified (if we assume that any of it was true) as some idiot had clearly been watching my actual traffic over the six months it took them to produce the spreadsheet and had inserted a few rows showing alleged connections to the cluster of web and email servers (including the one that hosts the biznik website) which are located in a data centre in Strasbourg.
The problem is – several of the IP addresses quoted in the spreadsheet were not in use until 4 months after that first night as I had purchased an extra block of addresses as part of a reorganisation of server use months after contracting for the satellite service.
Great bunch of crooks. And technical idiots.
When I followed up the spreadsheet provided with the innocent question of exactly HOW the company could even produce a detailed list of all the alleged connections as all my machines are configured to use specific public DNS servers far away from the ones the ISP owns I eventually learned that the company diverts all traffic on port 53 (the DNS port, remember) to its own DNS servers regardless of the address that traffic was intended to go to.
Hence, not only was the ISP recording every single connection made from my premises and the amount of data flowing over those connections, it was taking control of where that traffic actually went.
So, we get to the point
DoH (DNS-over-HTTPS) uses the same encryption that is used to safeguard your connection and flow of data when you do your online banking or pay for some shopping with your credit card. It is the same encryption used by this (biznik) web site and every other that runs inside the anadigi.net umbrella, and it is being heavily promoted by groups ranging from the Electronic Frontier Foundation (https://www.eff.org/) to Google and browser addons like HTTPS Everywhere (https://www.eff.org/https-everywhere).
Just as no ISP can see inside the traffic flowing between you and a secure, encrypted HTTPS website (the traffic appears as a meaningless pile of gobbledygook while en route), the forthcoming adoption of DoH denies them the ability to see which URLs are being looked up – and therefore deprives them of the ability to tap this rich stream of data and turn it into revenue by selling it to data brokers we never gave permission to have it in the first place.
So there we have it. As the ZDNet article explains, everybody from the British Government through the self-appointed censors of the Internet the “Internet Watch Foundation” (https://www.iwf.org.uk/ to read what they say about themselves and https://en.wikipedia.org/wiki/Internet_Watch_Foundation to read a little background on the howlers committed and criticism of the organisation’s operations and methods) to the ISPs who are looking at the loss of a very lucrative, if questionably legal, revenue stream want to put a stop to DoH – just so they can continue spying on and monitoring us.
The arguments against DoH
As the ZDNet article reports, DoH is being attacked by governments and private organisations alike using the same worn out arguments: that taking back the privacy of our communications will allegedly prevent censorship of “banned” Internet resources, prevent the blocking of child pornography, make it more difficult to catch criminals and stop GCHQ and the NSA spying on everyone on the planet unhindered.
A couple of points:
- Anyone who wants to engage in criminal or terrorist activities or access perverted materials already has plenty of options to carry out their activities using commonly available technologies, from a simple VPN to use of the Tor network (https://www.torproject.org/ – in short, a way to go completely “dark” on the Internet – whether motivated by a wish for privacy or to access the so-called “dark-web”). Please listen, idiot politicians and law enforcement people – you can howl at the moon as much as you like – you are not going to stop bad people from doing unspeakable things by abusing the privacy and rights of the 99%+ of the world’s population who simply want to go about their business without being spied on or told what they can and can’t do.
- I am in no way condoning or defending anyone’s ability to commit crime or engage in child pornography nor any other form of abuse. But DoH does not prevent the kind of censorship embraced by the IWF and British Government. The fundamental DNS mechanism itself allows for domain registrations (the “biznik.co.uk” part of the “www.biznik.co.uk” website URL you are possibly reading this on) to be struck off where it is shown that the domain is hosting illegal material – such as child pornography. Removing a domain entry from the public DNS record doesn’t just block access to a web site (by diverting attempts to visit it to the “naughty bin”), it removes the site completely from any access. Also, a site shown to be illegal can have its IP address removed or blocked at the Internet level – and as truly illegal and repugnant websites don’t even use the DNS system – they are accessed directly by IP address requiring no name lookup at all this is a far more effective way of putting paid to illegal behaviour. As a simple example, if you type the IP address 188.8.131.52 into the address bar of your web browser you will find yourself presented with the test site for our “The Primary Channel” children’s learning platform – normally accessed via the URL https://ttpc.anadigi.net – don’t worry there is no actual child information or child produced content there – the site is full of test guff we use to try out functionality before release – though do feel free to play the video on the home page!
The arguments for DoH
The current plain-text DNS system that dates back to the pre-dawn of the Internet has long been recognised as open to abuse and attack.
Abuses can include the fact that anybody with access to DNS traffic can record and use the information openly revealed – and that means more than just your ISP. The Internet’s resilience comes from its ability to direct traffic via any available route – cut the big cable that connects Asia to the United States and all the traffic it normally carries simply gets routed via Europe. An individual Internet user has no control of the route any message takes over the Internet – any reply may come back via a completely different route and, to make matters worse, two messages sent even simultaneously might take completely different routes.
For example, here’s the result I got when I looked into the route traffic might take from my workstation to Cloudflare’s public DNS server at IP address 184.108.40.206:
mtr -r -c 5 220.127.116.11
HOST: gpws.anadigi.loc Loss% Snt Last Avg Best Wrst StDev
1.|-- 10.0.0.254 0.0% 5 0.9 0.8 0.8 0.9 0.0
2.|-- 192.168.254.251 0.0% 5 1.1 1.3 1.1 1.9 0.3
3.|-- ??? 100.0 5 0.0 0.0 0.0 0.0 0.0
4.|-- 18.104.22.168 0.0% 5 96.6 89.2 66.3 111.3 17.2
5.|-- te1-8-1064.par-p1.as39886 0.0% 5 92.3 91.8 70.7 111.0 14.3
6.|-- ae0-4102.par-th2-crluxpe0 0.0% 5 81.3 93.1 81.3 109.4 12.3
7.|-- ae1-10.par-th2-crluxpe01. 0.0% 5 100.1 80.7 69.2 100.1 13.8
8.|-- equinix-paris.cloudflare. 0.0% 5 78.7 95.4 78.7 109.4 12.0
9.|-- one.one.one.one 0.0% 5 60.3 72.6 60.3 96.9 15.3
Looking at the results we can see that our message passed through EIGHT different servers before arriving at Cloudflare.
- Of these, the first is my ISP’s router sitting at the other end of my connection to the Internet.
- The second has a private IP address so is probably inside the data centre used by the ISP (yes, I’m guessing, as I have no way of knowing who operates it).
- The third is a server running in full stealth mode – it returns no IP address so cannot be looked up in the DNS system to give any clue as to where it is or who operates it. The 100% packet loss shown doesn’t mean that it just gobbles up my message without passing it on – it just doesn’t respond to queries asking who it is, where it is or even how far away it might be – a bit of a concern, maybe?
- The fourth has no domain name associated with it but just returns its IP address. Fortunately another quick query tells me that it is run by Odpop.net in Paris.
- The next four all return a named identity that I can look up to see who operates them.
The key thing to note, however, is that a DNS query sent to Cloudflare’s servers in plain text (as is the current practice) allows ALL or ANY of these intervening services to record the content of the request – including where it came from (my IP address) and the URL I am looking for. Valuable information that any of these servers could harvest and sell on.
DoH arose from a need to plug a technical hole in the way the Internet works
Plain text DNS is very insecure. For example, having seen that our DNS request passes through many servers (some of highly dubious provenance) on its way to the server we want to answer us, any one of those intervening servers could choose to answer our DNS query itself – or pass it on to a spoof server that takes our request for the IP address of (say) our bank then instead of returning the correct IP address of the real bank’s server sends back the IP address of a web server that delivers an exact replica of the bank’s welcome page, invites you to login as normal, perhaps rejecting your attempts to type in just a few of your password letters as is common … so that within a couple of attempts your entire login ID and password have been collected. This kind of “DNS hijack” (or “man-in-the-middle” attack) is increasingly common and results in $billions of bank fraud each year.
DoH eliminates this security problem (as well as many others I could explain) by simply preventing any of the servers that sit on the route a DNS query takes from the requesting machine to its intended DNS server from seeing that the content of the message being transmitted is a DNS message at all. And, even if some clever clogs says “Ah ha! If this message is going to Cloudflare’s DNS server then it MUST contain a DNS query” – so what? That knowledge helps them not one bit as the encryption would need to be broken before they might see the DNS query itself.
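To make the two halves of this argument concrete – the plain-text query every hop in the mtr output above can read, and the same message once it is carried by DoH – here is an added example of my own (not code from Mozilla, Cloudflare or this site). It builds the DNS query for www.biznik.co.uk in RFC 1035 wire format, extracts what a port 53 observer sees from those bytes, and wraps the identical message in the two RFC 8484 forms; the /dns-query path and the fixed transaction id are assumptions for illustration.

```python
import base64
import struct

# Constructed example input: the hostname used throughout the article.
EXAMPLE_NAME = "www.biznik.co.uk"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard query (RFC 1035): 12-byte header + one question.

    qtype 1 = A record. A real stub resolver randomises txid; the fixed value
    here is an assumption so the output is reproducible.
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def observe_port53(packet: bytes) -> dict:
    """What any hop on the path can read from a plain-text UDP/TCP port 53 query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    pos, labels = 12, []
    while packet[pos] != 0:            # walk the length-prefixed labels
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return {"id": txid, "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


def doh_get_path(packet: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the same bytes, base64url-encoded with padding removed.

    Over the wire only the TLS session to the resolver is visible; this path,
    like everything else in the HTTP request, travels inside the encryption.
    """
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def doh_post_headers(packet: bytes) -> dict:
    """RFC 8484 POST form: the raw message is the body, typed as application/dns-message."""
    return {"Content-Type": "application/dns-message", "Content-Length": str(len(packet))}


def decode_doh_param(param: str) -> bytes:
    """Reverse doh_get_path's encoding (restore padding) to recover the DNS message."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


if __name__ == "__main__":
    pkt = build_query(EXAMPLE_NAME)
    print("port 53 observer sees:", observe_port53(pkt))
    print("DoH GET request line:", doh_get_path(pkt))
    print("DoH POST headers:", doh_post_headers(pkt))
```

The observer function is the whole point: on port 53 it recovers the name, the query type and the source address from every packet, whereas a DoH resolver receives exactly the same 34 bytes but the intermediate hops see only a TLS connection to port 443.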
Here we go round the same broken record again
So, is DoH “bad” and an obstacle to preventing criminal activity on the Internet?
Of course it isn’t. As I have explained, anyone with serious criminal or perverted aims in mind doesn’t use the DNS system to begin with.
As for the secretive, shadowy, self-appointed and technically incompetent Internet Watch Foundation, while its stated objective (removing all child pornography from the Internet) is laudable, DoH does precisely nothing to stop their work (though I would argue that work should be conducted in a more open and transparent manner and certainly not in the control of a single government).
The global DNS system is jealously guarded by a multi-national group of sensible trustworthy elected people who will remove the DNS entry of any domain shown to be hosting illegal content of any sort and help to block the IP address from being accessed as well.
The question that begs an answer is whether a shady group of self-appointed guardians (who have made some horrendous mistakes in their time) and a single government should be allowed to control what an entire population is allowed to see or watch. Or, as there is broad agreement between at least democratic societies on what constitutes “illegal” material, IF such a mechanism is to exist it should exist at a supra-national level.
To explain the dangers very simply: there is no technical difference whatever between the actions and laws being put in place by western democratic governments and “the Great Firewall of China”. Both simply apply a blocklist to routers carrying Internet traffic in and out of the country.
The ONLY difference is the contents of the blocklist used. In the UK example cited by ZDNet the contents of the blocklist are not public (purportedly – nobody knows, as the websites on it are neither explained nor told that they are being blocked), and users of the list must either use it in full or be forbidden to use it at all.
In China the population is prevented from obtaining Google search results or streaming their news from CNN, Fox News, the BBC or Al Jazeera, and is forbidden from reading the London Times, the New York Times or the Straits Times – so being forced to hear only the news, information and religious views approved by the Chinese government – because if the Chinese Government wants to block CNN (as an example) all it needs to do is add “cnn.com” and the associated IP address(es) to its blocklist and, hey presto!, CNN does not exist in China.
In the same way, there is nothing to stop someone telling the IWF in the UK to add an allegedly Muslim jihadist site to the blocklist (in fact there is an additional, mandatory blocklist in force for just that purpose).
So, here’s the problem
If I want to visit a web site promoting “extreme” views – whether far-right, far-left or religious based – in order to educate myself, decide whether the people behind the site have reasonable grounds for whatever grievance or action they are espousing or gain a better understanding of how young people are persuaded to travel half-way round the globe to pick up weapons and suicide vests and give up their lives … then I expect to be able to do that.
And, I expect to be able to do that without my government or shady, unaccountable, private organisation either blocking my access to that information or adding me to some watch-list because their self-delusional paranoia tells them that anyone searching for or looking at such material is of course a supporter of the cause.
Sigh! I’m an adult who has been on this planet for over 60 years. I am entirely capable of “being exposed to” extremist material from any direction without feeling the need to run off to learn how to fire weapons and set off bombs. That’s just not me. What is me is a curious individual who wants to know what motivates such groups so that I might better understand how to moderate whatever motivates them – and, as the father of three sons (way too sensible to be swayed by extremists of any persuasion as they are) I would quite like to understand anything that their younger minds might have taken to in order – as a responsible parent – to hold a sensible, informed conversation with them.
When the UK Government (just as they’re the example we’re talking about here – I suspect the U.S, French and other governments act in similar ways) blocks a website because they consider it too extreme to be seen by the sensitive eyes of their citizens there is NO difference between their action and that of the Chinese Government blocking access to BBC, CNN or other sources of news and information.
And as for monitoring and recording every Internet connection I make I’ll just ask a single question.
If it was considered reprehensible that the East German Stasi police employed people to sit in postal sorting offices noting the sender and recipient of every letter passing through the post, why is it acceptable that democratically elected governments record the time, date, originator and destination of not only every email or simple text message we send but every single Internet web page, image and service we connect to?
Just because governments have the technical means to do this does not give them the right to do it.
Bring it on, Mozilla!
To the good folks beavering away at Mozilla I say “Bring it on – more power to your elbow”.
As I have explained, there are very good technical reasons for the replacement of plain text DNS with DoH technology. It’s a weakness in the structure of the Internet that has been left unattended for too long.
And why pick on Mozilla? Google’s Chrome browser is used by many times more people than use Mozilla’s Firefox browser and Google is an equally staunch supporter of DoH. So – UK Internet Service Providers – why not point your arrogant fingers at Google? Anything to do with the fact that upsetting the Internet’s biggest player could hurt your business in oh so many ways – while taking a pot-shot at Mozilla (a non-profit foundation) lets you mouth off with no fear of retribution?
Do I really have to say it again?
None of us signed up to be spied on. None of us signed up to have our right to privacy removed. None of us signed up to have some unaccountable do-gooder or civil servant decide what we can look at, see or read. None of us should expect to come under the watchful eye of a secret service just because we happen to have sneaked a peek at some “suspicious material”.
As I have said many times, any technology is equally capable of use for good or evil. The Internet and all the technologies that comprise and surround it were designed for good.
So just stop using them for evil. OK?