Mozilla has promised not to include DoH encryption in the UK. What does this mean for Russia?

Two weeks ago, on Habré, they talked about the DNS-over-HTTPS (DoH) protocol , recently adopted as the RFC 8484 standard. Developed by Mozilla, Google and Cloudflare, the DNS encryption protocol negates attempts to monitor human-in-the-middle traffic. It eliminates the “weakest link” in HTTPS — open DNS queries, by which the state or an attacker at the provider level can now track the contents of DNS packets and even replace them. This allows you to block access to the resource by IP address or domain name.



And most importantly, the Mozilla organization decided to enable it by default in the Firefox browser. So far, only for US users. But in light of the fact that less than a month and a half is left before the law on isolation of the Runet comes into force, and the Yarovaya law has already entered into force, traffic encryption methods are more relevant than ever to protect against snooping on the Russian Internet.



But now the news is not very good. It turns out that in some countries where censorship of traffic at the state level is already in place, Mozilla may change its mind. This is being discussed in the UK . Theoretically, this could happen in Russia.



Mozilla’s decision to turn on DoH was a concern in the UK as the technology violates many of the centralized filtering and blocking systems, which “prevent easy access to child abuse images, pirated and terrorist materials, and also affect parental control systems.”



The Guardian has accessed a letter sent by Nicky Morgan to the UK Secretary of Culture. In it, Mozilla’s vice president of global politics, trust and security, Alan Davidson, writes that the nonprofit organization “has no plans to enable our default DoH feature in the UK and will not do so without further engagement with public and private stakeholders” .



Davidson explains the benefits of traffic encryption: “We strongly believe that DoH will offer real security benefits for UK citizens. DNS is one of the oldest parts of the Internet architecture and remains largely untouched by efforts to improve Internet security. Since the current DNS queries are not encrypted, the path between the citizen and the site is still open and used by bad participants who want to violate user privacy, attack communications and spy on activities on the Internet. People’s most personal information, such as their health-related data, can be tracked, collected, transmitted and used against people's interests. Your citizens deserve protection from this threat. ”



Thus, Mozilla is trying to convince government services and explain to them the merits of DoH. But everyone understands that one of the side effects of traffic encryption in the UK is that it also bypasses UK web filters, which use the same DNS interception technique to prevent access to websites blocked by Internet service providers.



The Internet Watch Foundation, which provides Internet providers with a list of blocked websites for filtering, expressed its concern about this technology: “We believe that the way that it is proposed to implement DNS-over-HTTPS can show millions of people around the world terrible images of children who are sexually abused, and may mean that victims of such violence will be open to viewing by countless viewers, ”said a spokeswoman for The Register.



Recently, for this reason, the Internet Service Providers Association of Great Britain (ISPA-UK) called Mozilla "one of the main villains of the Internet . " According to ISPA-UK, Mozilla received the title of “Internet villain” “for their proposed approach to implementing DNS-over-HTTPS in such a way as to circumvent UK filtering and parental control obligations, undermining Internet safety standards in the UK.”



“We are worried about companies and organizations that secretly collect and sell user data. Therefore, we added tracking protection, ” wrote Clark on behalf of Mozilla shortly after the adoption of the standard. “Thanks to these two initiatives (+ Trusted Recursive Resolver), data leaks that have been part of the domain name system since its inception 35 years ago are eliminated.”

“Typically, the resolver tells each DNS server which domain you are looking for. This request sometimes includes your full IP address. And if not a complete address, then more often the request includes most of your IP address, which can be easily combined with other information to establish your identity.



This means that each server that you ask for help with the resolution of domain names sees which site you are looking for. Moreover, anyone on the way to these servers also sees your requests. There are several ways in which such a system compromises user data. The two main ones are tracking (tracking) and spoofing (spoofing).



Based on full or partial information about the IP address, it is easy to determine the identity of the person who requests access to a particular site. This means that the DNS server and any user on the way to this DNS server (router on the way) can create a user profile. They can make a list of all the sites that you viewed.



And this is valuable data. "Many people and companies are willing to pay a lot to see your browsing history."



From an article by Lin Clark

However, after a wide public outcry, a month later ISPA-UK withdrew this “award” and completely canceled the nomination with the comment that it “clearly sends the wrong message”.



Google has also announced plans to test DoH in its Chrome browser starting in October. The company will not include DoH for each user, but says that by default, DoH will work for those technically advanced users who choose to switch their DNS provider to companies such as Google, Cloudflare, and OpenDNS.



To preserve censorship, the UK government spokesman cites the need to protect children: “Sexual exploitation of children is a heinous crime that the government seeks to fight,” he said. While we strive to maintain security and privacy on the Internet, it is imperative that all sectors of the digital industry take children's safety into account when designing their systems and services. "We are working with the industry to resolve any potential problems as part of our ongoing work to make the UK the safest place in the world to access the Internet."



Why did such disagreements arise around DNS blocking? Industry experts believe that the problem may be in corporate agreements. It was because of them that everyone rebelled against Mozilla like this:



“In fact, everything is simple,” wrote Russian expert Mikhail Klimarev, executive director of the Internet Security Society. - The Association of UK Providers has long fought against locks. As a result, they agreed with the government that the blocking will be done “by DNS”. That is, without any DPI and “by IP”. That is why Mozilla is a villain. For blocking by DNS will be useless. More precisely, everyone knew about this before, and Mozilla has publicly stated that now all this is useless. And now the members of the Association will have to renegotiate somehow. Or take lessons from the ILV. ”



The DoH protocol makes it much more difficult for authorities to block, but theoretically, authorities can still monitor traffic. If you look at the problem of locks more globally, then in this situation the question arises again and again. The wording of supporters of state filtration suggests that the introduction of encryption and good privacy threatens the security of the user, because the state “defender” will not be able to protect him. In this case, DNS-over-HTTPS prevents providers from filtering harmful content. This logic contrasts privacy and security.



Personal privacy can indeed be contrasted with public safety. Now there are discussions about what is more important and in which direction to shift the emphasis. For example, the authorities of some countries are inclined to prohibit end-to-end encryption in any messengers in general . Some governments introduce forced filtering of traffic, restricting public access to a specific list of sites, both in the UK and Russia.



Proponents of the opposite concept of personal privacy point to the spread of surveillance, which in the future threatens the normal life of a person. This is also stated in the Mozilla Manifesto, where principle No. 4 reads: “The security and privacy of Internet users are fundamental and cannot be regarded as secondary issues.”



Refusing encryption, a person actually refuses to protect himself. This is clearly seen in the example of DNS-over-HTTPS, which protects against MiTM attacks, including spoofing pages. So traffic encryption and protection from Internet surveillance is not a matter of choice, but a matter of survival in the technological society of the future, advocates of personal privacy say.

---

SPECIAL CONDITIONS for PKI solutions for enterprises are valid until 11/30/2019 under the promo code AL002HRFR for new customers. For details, contact the managers +7 (499) 678 2210, sales-ru@globalsign.com.