Mozilla says move won’t impinge on network-level parental controls

Firefox DNS-over-HTTPS rollout starts later this month

UPDATED Firefox users will soon have an added layer of privacy, as the browser starts to roll out DNS-over-HTTPS (DoH) as a default setting later this month.

Following a year-long trial, Mozilla confirmed on Friday that it plans to “gradually roll out DoH in the USA starting in late September”.

If the soft launch goes well, the Firefox-maker said, this will pave the way for “100% deployment”.

Privacy by default

For more than 30 years, the Domain Name System (DNS) has served as a key mechanism for accessing sites and services on the web.

It works by ‘resolving’ readily memorized domain names to the numerical IP addresses that computers need to route surfers to websites or deliver emails to the correct domain.

Despite advances in privacy protections taking place across the internet, DNS has been largely left untouched by efforts to make the web safer for users, with requests being sent in cleartext.

This allows third parties, such as governments and internet service providers (ISPs), to view users’ internet browsing activity.

In an effort to improve the privacy of DNS, Mozilla has been spearheading the push towards the DoH protocol, which hides DNS queries inside regular HTTPS traffic – making it more difficult for third parties to snoop on user traffic.

Parental control concerns

DoH has been available as an experimental, opt-in feature for Mozilla’s open source web browser since the June 2018 debut of Firefox 62.

With more than 70,000 users taking part in the trial, Mozilla said it now has a reliable implementation of the technology.

DoH may seem like a no-brainer for privacy-conscious internet users. However, the protocol has faced resistance from a small, yet vocal group of critics.

Back in July, the UK’s Internet Service Providers Association (ISPA) announced that it had nominated Mozilla as a finalist in the ‘internet villain’ category of its awards ceremony.

At the time, the trade association said Mozilla’s move for Firefox would “bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK”.

While the ISPA quickly withdrew the nomination following backlash from the security community, it’s clear that Mozilla is looking to address any concerns surrounding parental controls and DNS-over-HTTPS.

The organization said it would “respect user choice for opt-in parental controls” and would disable the protocol if it detects them.

The browser will also “respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration”.

Additionally, Mozilla said it is now working with providers of parental controls, including ISPs, to add a canary domain to their blocklists.

“This helps us in situations where the parental controls operate on the network rather than an individual computer,” Mozilla explained.


“If Firefox determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically.”
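The two mechanisms the article describes are easy to see in code: DoH wraps an ordinary wire-format DNS query in an HTTPS request (RFC 8484), and the canary check asks the system resolver for a known domain and treats a blocked answer as the signal to switch DoH off. The following is an added illustration, not Mozilla’s implementation or Firefox code. It assumes a placeholder canary domain (`canary.example`, constructed here; Mozilla uses its own published domain, which the article does not name) and a hypothetical resolver URL; the DNS responses are constructed in-process so nothing touches the network.

```python
"""Added example: RFC 8484 DoH query encoding plus a canary-domain check
modelled on the behaviour the article describes. Illustrative only."""
import base64
import struct

RCODE_NXDOMAIN = 3
QTYPE_A = 1

# Constructed placeholder; Mozilla's real heuristic uses its own published canary domain.
CANARY_DOMAIN = "canary.example"


def build_dns_query(name: str, qtype: int = QTYPE_A, txn_id: int = 0) -> bytes:
    """Minimal RFC 1035 query: 12-byte header (RD set) plus one question."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the wire-format query, base64url-encoded without
    padding, in the `dns` parameter. A zero transaction ID keeps the URL
    stable so HTTP caches can serve repeated queries; the request itself
    travels inside TLS like any other HTTPS traffic."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_dns_response(msg: bytes):
    """Return (rcode, [IPv4 strings from A records]) for a wire-format response."""
    _txn_id, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return rcode, answers


def canary_blocked(rcode: int, answers) -> bool:
    """Network-level filtering shows up as the system resolver refusing the
    canary: NXDOMAIN, or a reply carrying no A record at all."""
    return rcode == RCODE_NXDOMAIN or not answers


def doh_enabled(enterprise_managed: bool, enterprise_enables_doh: bool,
                local_parental_controls: bool, canary_is_blocked: bool) -> bool:
    """Policy as the article states it: under enterprise configuration DoH is
    off unless explicitly enabled; opt-in parental controls detected on the
    machine disable it; a blocked canary disables it."""
    if enterprise_managed:
        return enterprise_enables_doh
    if local_parental_controls or canary_is_blocked:
        return False
    return True


def build_dns_response(query: bytes, rcode: int, a_records) -> bytes:
    """Constructed responses so the check can be exercised offline."""
    txn_id = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txn_id, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = b""
    for ip in a_records:
        rdata = bytes(int(part) for part in ip.split("."))
        body += b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, 1, 300, 4) + rdata
    return header + question + body


if __name__ == "__main__":
    query = build_dns_query(CANARY_DOMAIN)
    print(doh_get_url("https://doh.example/dns-query", query))  # hypothetical resolver
    for label, rcode, records in (("open network", 0, ["192.0.2.1"]),
                                  ("filtered network", RCODE_NXDOMAIN, [])):
        rc, ans = parse_dns_response(build_dns_response(query, rcode, records))
        print(label, "-> DoH enabled:", doh_enabled(False, False, False, canary_blocked(rc, ans)))
```

The check only ever consults the operating system’s plain resolver, never the DoH endpoint, which is the point: a filter that lives on the home router or at the ISP cannot see inside HTTPS, so the browser has to ask through the channel the filter does control before deciding to bypass it.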

The move was cautiously welcomed by the ISPA.

“It is encouraging that Mozilla has published its strategy to collaborate with existing parental control filters, which hopefully shows that they have been listening to our concerns,” an ISPA spokesperson told The Daily Swig.

“Although Mozilla has repeatedly outlined that it has no plans to roll out DoH by default in the UK at this time, it is clear that their ultimate aim of ‘100% deployment’ suggests that they plan to roll out DoH by default in the UK eventually.

“If this is the case then we would stress that they do so in a way that is compatible with existing UK internet standards and we are ready to work with Mozilla to ensure that it is fit for purpose in the UK.”

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, a US-based cybersecurity company, added: “By starting to roll out encrypted DNS by default, Mozilla is protecting the information we share from being exploited by those that would do us harm and we should welcome anything that increases security for consumers when browsing online.

“In fact, the privacy-conscious among us already make use of widely available DNS encryption services, something that critics of DNS-over-HTTPS seem to have overlooked.”

Behind the scenes

Firefox is the world’s second most popular browser, taking a 9.2% share of the market as of August 2019, according to W3Schools.

The monthly average Firefox user count is currently tracking at around 246 million.

“We take seriously our mission to protect users and the integrity of the web,” a Mozilla spokesperson told The Daily Swig.

“As part of that work, we are working to fix part of the DNS ecosystem that simply isn’t up to the modern, secure standards that every internet user should expect.

“What goes on behind the scenes of an individual’s web traffic is largely unknown to people, but is rife with misuse.”

The spokesperson added: “We strongly believe that DoH, combined with our Trusted Recursive Resolver policy, would offer real security benefits to users.”

Tech firms including Google and Cloudflare are also trying their hand with DNS-over-HTTPS.

This article has been updated to include additional comment from Mozilla.
