Issue 41

Mozilla, internet villain

Last week the United Kingdom's Internet Services Providers’ Association (ISPA), a Trade Association lobby group, released its finalists for internet 'hero' and 'villain' of the year, listing  Mozilla - creator of the Firefox web browser - as one of three finalists  in the villain category. After some serious backlash, it subsequently withdrew both Mozilla's nomination and the villain category altogether.

Let's  take a quick look at why Mozilla, "a non-profit organization that  promotes openness, innovation and participation on the Internet", might  have been nominated. But first, the other contenders.

Joining  Mozilla as finalists for internet villain of the year was the European  Union's Article 13 Copyright Directive, "for threatening freedom of  expression online", and President Donald Trump, "for causing a huge  amount of uncertainty across the complex, global telecommunications  supply chain in the course of trying to protect national security".

I  actually took little issue with those two, which are both deserving for  the reasons cited, although I might have nominated Peter Dutton for  Australia's ill-conceived encryption bill instead of the EU's Article  13. But Mozilla? It was listed because of its plan to allow Firefox to  use DNS over HTTPS (DoH, a relatively new method to encrypt DNS requests  directly in the browser):

"...in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

Right. It might as well have rephrased that to:

"...in  such a way as to bypass the UK government's censorship and undermine  our members' ability to monetise consumer browsing activity."

For  those unaware, DNS requests are the last bastion of the old internet  yet to undergo a cryptographic revolution. DNS requests - that is,  requests to a public directory that translates domain names (e.g.  finelybalanced.com) into corresponding IP addresses (e.g.  123.123.123.123) - are sent in plain text and so can be used by internet  service providers to monitor people's browsing history.

https://finelybalanced.com/images/isp-dns-leak.png

This can happen even if you're using a VPN (as shown in the image above) unless you've manually changed your DNS server or enabled what  is called "DNS leak protection", which routes all DNS queries to the  provider through the encrypted VPN tunnel.

As you might expect,  the whole plain-text DNS data collection process can be quite lucrative  to ISPs when that data are on-sold to advertisers or any other  organisation that might be interested in people's digital footprints.

Work to fix the DNS privacy hole has been under way for some time. For example, Cloudflare, Google and Quad9 have all been pushing for DNS over TLS (DoT), a similar technology to DoH but one which uses its own unique port, 853.

However,  the advantage of DoH is that requests are effectively buried in the rest of the internet's encrypted traffic on port 443, making it indistinguishable from the vast majority of data that flow across the  internet every day. This is how many VPNs operate in places such as China, where conventional VPN ports are blocked as part of its "great firewall".  Without DNS leaks and with everything funnelled through port 443, the  only way to censor people would be to effectively turn the internet off  (and yes, that happens more than you think).  Being able to properly encrypt data, including something as seemingly  simple as browsing history, can literally be a matter of life and death for some people.

Essentially  Mozilla should be praised, not condemned, for trying to improve privacy  on the internet by allowing people to enable DoH directly in their  browser. The real villains are those such as the ISPA and its political  lackeys, whose constant attacks on encryption are nothing but a blatant  attempt by lobbyists to keep the gravy train flowing, all under the  opaque guise of national security (kudos to UK provider Andrews &  Arnold for donating the equivalent of an ISPA membership fee to Mozilla).

Mozilla's Firefox 68 was released last week.  If you use Chrome or one of Microsoft's god-awful browsers, consider  giving it a whirl. You can enable DoH by going to Preferences ->  General -> Network Settings -> Enable DNS over HTTPS.

Enjoy the rest of this week's issue. Cheers,

— Justin


The bits

Google's creepiness

What  a week for Google. First it was revealed that, like Amazon, the things  Google Home devices record are listened to by humans (as I've said many  times, that's how "artificial intelligence" - as the term is being  improperly used, anyway - works). Worse, it was recording private  conversations without first being "triggered" by the user.

Then  we have more "business as usual" news, such as Google making your  private photos semi-public and oh yeah, it's also "helping China’s  authoritarian government conduct mass surveillance against its  citizens". Do no evil, right...

Learn more:


China

That  didn't take long: Huawei is back in business. Maybe not for 5G in the  countries that banned it for "national security", but all of its  consumer devices should be fine (which are more of a threat to national  security than Huawei's network infrastructure).

Learn more:


Other bits of interest


Image of the week


This week's data breaches

The bigger the database, the more valuable it is to hackers.

The breaches:

That's all for now. If you enjoyed this issue, feel free to share it via email


Issue 41: Mozilla, internet villain was compiled by Justin Pyvis and delivered on 16 July 2019. Join the conversation on the fediverse at Detrended.net.