The organization’s vice president of global policy, trust and security, Alan Davidson has expressed this decision in a letter sent to UK culture secretary Nicki Morgan, reproduced by The Guardian.
In the letter he clarifies that Mozilla “has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public stakeholders,” but added that the organization “do strongly believe that DoH would offer real security benefits to UK citizens.”
The Internet Watch Foundation – a charity that supplies ISPs with a list of websites which host or distribute child abuse images – has recently expressed its concern that introducing this additional level of security would make it harder to restrict criminal activity online.
In June 2019 a representative of the Internet Watch Foundation told The Register that DoH “could render the service obsolete[…]risking millions of internet users across the globe to seeing such content.”
Developed by the Internet Engineering Task Force (IETF), DNS-over HTTPS, or DoH, represents a significant overhaul to the Domain Name System (DNS) – a fundamental part of internet architecture which allows browsers to convert URLs into TCP/IP addresses and information.
In his letter, Davidson highlights that the “DNS is one of the oldest parts of the internet’s architecture, and remains largely untouched by efforts to make the web more secure[…]People’s most personal information can be tracked, collected, leaked and used against people’s best interest.”
Traditional DNS requests must be left entirely unencrypted, and vulnerable to interception from other, potentially malicious parties. It is even possible for other devices to block or replace data from DNS lookups.
The DoH protocol attempts to overcome this vulnerability by encrypting DNS requests and responses within HTTPS. HTTPS is already widely used to secure communication between browser and a web server, but DoH seeks to expand that security to the DNS.
Because web filters function by intercepting DNS lookups in the same manner as malicious parties, in addition to protecting users from malicious interception, DoH also has the potential to circumnavigate these filters.
This follows an announcement from Mozilla on 6 September 2019 that it intends to gradually make DoH encryption the default for US users from late September onwards.
In the same announcement Mozilla specified that it is working with ISPs and other providers of parental controls to automatically disable DoH “in cases where users have opted in to parental controls.” This would allow parental controls to continue functioning as normal.
Mozilla has been working with the DNS provider Cloudflare to implement the new protocol. Cloudflare is to take all Mozilla Firefox DoH requests, although Mozilla has published instructions to manually configure the browser to another DNS provider.
Google has also announced plans to test the DoH protocol in Google Chrome from late October. At first, Google only plans to introduce the protocol with a small set of DNS providers, including itself, Cloudflare, and OpenDNS.
Until the introduction of DoH or an equivalent DNS encryption protocol, a VPN is one of the only ways for users to protect themselves from malicious DNS interception. If you are interested in getting a VPN, we recommend looking at our list of the current best VPN services.