DNS over HTTPS (DoH) is an encrypted internet protocol that makes it more difficult for ISPs and government censors to block users from accessing banned websites. It also makes it more difficult for state snoopers like GCHQ to keep tabs
on users' internet browsing history.
Of course this protection from external interference also makes internet browsing much safer from the threat of scammers, identity thieves and malware.
Google were once considering introducing DoH for its Chrome browser but have recently announced that they will not allow it to be used to bypass state censors.
Mozilla meanwhile have been a bit more reasonable about it and allow users to opt in to using DoH. Now Mozilla is considering using DoH by default in the US, but still with the proviso of implementing DoH only if the user is not using parental
control or maybe corporate website blocking.
Mozilla explains in a blog post:
What's next in making Encrypted DNS-over-HTTPS the Default
By Selena Deckelmann,
In 2017, Mozilla began working on the DNS-over-HTTPS (DoH) protocol, and since June 2018 we've been running experiments in Firefox to ensure the performance and user experience are great. We've also been surprised and excited by the more than
70,000 users who have already chosen on their own to explicitly enable DoH in Firefox Release edition. We are close to releasing DoH in the USA, and we have a few updates to share.
After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS
traffic. We feel confident that enabling DoH by default is the right next step. When DoH is enabled, users will be notified and given the opportunity to opt out.
Results of our Latest Experiment
Our latest DoH experiment was designed to help us determine how we could deploy DoH, honor enterprise configuration and respect user choice about parental controls.
We had a few key learnings from the experiment.
We found that OpenDNS' parental controls and Google's safe-search feature were rarely configured by Firefox users in the USA. In total, 4.3% of users in the study used OpenDNS' parental controls or safe-search. Surprisingly, there was little
overlap between users of safe-search and OpenDNS' parental controls. As a result, we're reaching out to parental controls operators to find out more about why this might be happening.
We found 9.2% of users triggered one of our split-horizon heuristics. The heuristics were triggered in two situations: when websites were accessed whose domains had non-public suffixes, and when domain lookups returned both public and private
(RFC 1918) IP addresses. There was also little overlap between users of our split-horizon heuristics, with only 1% of clients triggering both heuristics.
Now that we have these results, we want to tell you about the approach we have settled on to address managed networks and parental controls. At a high level, our plan is to:
Respect user choice for opt-in parental controls and disable DoH if we detect them;
Respect enterprise configuration and disable DoH unless explicitly enabled by enterprise configuration; and
Fall back to operating system defaults for DNS when split horizon configuration or other DNS issues cause lookup failures.
We're planning to deploy DoH in "fallback" mode; that is, if domain name lookups using DoH fail or if our heuristics are triggered, Firefox will fall back and use the default operating system DNS. This means that for the minority of
users whose DNS lookups might fail because of split horizon configuration, Firefox will attempt to find the correct address through the operating system DNS.
In addition, Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH. Similarly, Firefox will detect whether enterprise policies have been set on the device and will
disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that. If you're a system administrator interested in how to configure enterprise policies, please find
Options for Providers of Parental Controls
We're also working with providers of parental controls, including ISPs, to add a canary domain to their blocklists. This helps us in situations where the parental controls operate on the network rather than an individual computer. If Firefox
determines that our canary domain is blocked, this will indicate that opt-in parental controls are in effect on the network, and Firefox will disable DoH automatically.
This canary domain is intended for use in cases where users have opted in to parental controls. We plan to revisit the use of this heuristic over time, and we will be paying close attention to how the canary domain is adopted. If we find that it
is being abused to disable DoH in situations where users have not explicitly opted in, we will revisit our approach.
Plans for Enabling DoH Protections by Default
We plan to gradually roll out DoH in the USA starting in late September. Our plan is to start slowly enabling DoH for a small percentage of users while monitoring for any issues before enabling for a larger audience. If this goes well, we will
let you know when we're ready for 100% deployment.
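An added example, not part of Mozilla's post and not Firefox code: the fallback plan described above, written as decision logic in Python. The Environment fields, the reason strings, the tiny PUBLIC_SUFFIXES sample, the order of the checks and the choice to run the split-horizon heuristics on the operating system resolver's answers are assumptions; all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# The three private IPv4 ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for the Public Suffix List (tiny sample, assumption).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk"}

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def split_horizon_reason(hostname: str, answers: List[str]) -> Optional[str]:
    """Name the split-horizon heuristic that fires for one lookup, if any."""
    suffix = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    if suffix not in PUBLIC_SUFFIXES:
        return "non-public-suffix"
    private = [a for a in answers if is_rfc1918(a)]
    if private and len(private) < len(answers):  # both kinds in one answer set
        return "mixed-public-private"
    return None

@dataclass
class Environment:
    enterprise_policy: Optional[str] = None  # None, "present" or "doh-enabled"
    os_parental_controls: bool = False
    # OS-resolver answers for the canary domain; empty means it is blocked.
    canary_answers: List[str] = field(default_factory=lambda: ["192.0.2.10"])

def choose_resolver(hostname, env, doh_answers, os_answers):
    """Return (resolver, reason) for one lookup under the fallback plan."""
    if env.enterprise_policy == "doh-enabled":
        return ("doh", "enterprise-policy-enables-doh")
    if env.enterprise_policy is not None:
        return ("os", "enterprise-policy-present")
    if env.os_parental_controls:
        return ("os", "os-parental-controls")
    if not env.canary_answers:
        return ("os", "canary-domain-blocked")
    reason = split_horizon_reason(hostname, os_answers)
    if reason:
        return ("os", reason)
    if not doh_answers:  # DoH lookup failed, so fall back to the OS resolver
        return ("os", "doh-lookup-failed")
    return ("doh", "default")
```

The reason string returned with each decision is what an administrator would want logged when working out why a given client is or is not using DoH.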
An internal project to rewrite how Apple's Siri voice assistant handles sensitive topics such as feminism and the #MeToo movement advised developers to respond in one of three ways: don't engage, deflect and finally inform with neutral
information from Wikipedia.
The project saw Siri's responses explicitly rewritten to ensure that the service would say it was in favour of equality, but never say the word feminism -- even when asked direct questions about the topic.
The 2018 guidelines are part of a large tranche of internal documents leaked to the Guardian by a former Siri grader, one of thousands of contracted workers who were employed to check the voice assistant's responses for accuracy until Apple ended
the programme last month in response to privacy concerns raised by the Guardian.
In explaining why the service should deflect questions about feminism, Apple's guidelines explain that Siri should be guarded when dealing with potentially controversial content. When questions are directed at Siri, they can be deflected ...
however, care must be taken here to be neutral.
For example, Apple got tested a little on internet forums about #MeToo. Previously, when users called Siri a slut, the service responded: I'd blush if I could. Now, a much sterner reply is offered: I won't respond to that.
Russell Haworth, CEO of Nominet, Britain's domain name authority, has outlined the UK's stance on maintaining UK censorship and surveillance capabilities as the introduction of encrypted DNS over HTTPS (DoH) will make their job a bit more
The authorities' basic idea is that UK ISPs will provide their own servers for DNS over HTTPS so that they can still use this DNS traffic to block websites and keep a log of everyone's internet use. Browser companies will then be expected to
enforce using the government's preferred DoH server.
And Google duly announced that it will comply with this censorship request. Google Chrome will only allow DoH servers that are government or corporate approved.
Note that this decision is more nuanced than just banning internet users from sidestepping state censors. It also applies to users being prevented from sidestepping corporate controls on company networks, perhaps a necessary commercial
consideration that simply can't be ignored.
Russell Haworth, CEO of Nominet explains:
Firefox and Google Chrome -- the two biggest web browsers with a combined market share of over 70% -- are both looking to implement DoH in the coming months, alongside other operators. The big question now is how they implement it, who they
offer to be the resolvers, and what policies they use. The benefit offered by DoH is encryption, which prevents eavesdropping or interception of DNS communication. However, DoH raises a number of issues which deserve careful consideration as we
move towards it.
Some of the internet safety and security measures that have been built over the years involve the DNS. Parental controls, for example, generally rely on the ISP blocking particular domains for their customers. The Internet Watch Foundation (IWF)
also ask ISPs to block certain domains because they are hosting child sexual abuse material. There may also be issues for law enforcement using DNS data to track criminals. In terms of cyber security, many organisations currently use the DNS to
secure their networks, by blocking domains known to contain malware. All of these measures could be impacted by the introduction of DoH.
Sitting above all of these is one question: Will users know any of this is happening? It is important that people understand how and where their data is being used. It is crucial that DoH is not simply turned on by default and DNS traffic
disappears off to a server somewhere without people understanding and signing up to the privacy implications. This is the reason why we have produced a simple explainer and will be doing more to communicate about DoH in the coming weeks.
DoH can bring positive changes, but only if it is accompanied by understanding, informed consent, and attention to some key principles, as detailed below:
Informed user choice:
users will need to be educated on the way in which their data use is changing so they can give their informed consent to this new approach. We also need some clarity on who would see the data, who can access the data and under what
circumstances, how it is being protected and how long it will be available for.
Equal or better safety:
DoH disrupts and potentially breaks safety measures that have been built over many years. It must therefore be the responsibility of the browsers and DoH resolvers who implement DoH to take up these responsibilities. It will also be important for
current protections to be maintained.
Local jurisdiction and governance:
Local DoH resolvers will be needed in individual countries to allow for application of local law, regulators and safety bodies (like the IWF). This is also important to encourage innovation globally, rather than having just a handful of
operators running a pivotal service. Indeed, the internet was designed to be highly distributed to improve its resilience.
Many organisations use the DNS for security by keeping suspicious domains that could include malware out of networks. It will be important for DoH to allow enterprises to continue to use these methods -- at Nominet we are embracing this in a
scalable and secure way for the benefit of customers through our cyber security offering.
Change is a constant in our digital age, and I for one would not stand in the way of innovation and development. This new approach to resolving requests could be a real improvement for our digital world, but it must be implemented carefully and
with the full involvement of Government and law enforcement, as well as the wider internet governance community and the third sector.
A Google developer has outlined tentative short term plans for DoH in Chrome. It suggests that Chrome will only allow the selection of DoH servers that are equivalent to approved non-encrypted servers.
This is a complex space and our short term plans won't necessarily solve or mitigate all these issues but are nevertheless steps in the right direction.
For the first milestone, we are considering an auto-upgrade approach. At a high level, here is how this would work:
Chrome will have a small (i.e. non-exhaustive) table to map non-DoH DNS servers to their equivalent DoH DNS servers. Note: this table is not finalized yet.
Per this table, if the system's recursive resolver is known to support DoH, Chrome will upgrade to the DoH version of that resolver. On some platforms, this may mean that where Chrome previously used the OS DNS resolution APIs, it now uses its
own DNS implementation in order to implement DoH.
A group policy will be available so that Administrators can disable the feature as needed.
Ability to opt-out of the experiment via chrome://flags.
In other words, this would upgrade the protocol used for DNS resolution while keeping the user's DNS provider unchanged. It's also important to note that DNS over HTTPS does not preclude its operator from offering features such as family-safe