Probe raises serious questions about private v public web management

A bug in software pushed out by Cloudflare resulted in failures at the heart of the web’s infrastructure, according to a report published this week by the Internet Systems Consortium (ISC).

ISC runs the so-called F root server, one of the world’s 13 root DNS servers, labeled A through M. These are the central computers that underpin the global internet: they ensure, for instance, that when you visit, you are directed to the correct system serving our homepage.

On January 23 this year, ISC received a report of a breakdown with .net domains. When it investigated, it discovered crucial A and AAAA records, which glue .net domain names to their IPv4 and IPv6 network addresses, were missing.

In essence, all internet addresses ending in .net – one of the internet’s largest registries with 13.4 million domain names – vanished from ISC’s F root machine. Any browser, app, computer or device that, ultimately, relied on the F root machine to connect to websites and services would, worst case scenario, have been unable to reach those systems via their .net addresses.

The issue wasn’t restricted to just ISC’s F-root, either; the report [PDF] said similar problems were experienced by the E root, run by NASA.

Bug fixes

ISC quickly figured out – within five minutes, according to its timeline – that the issue lay with internet nodes it operates in partnership with Cloudflare, and escalated the issue to the web infrastructure business. Cloudflare also acted quickly: within 21 minutes it had identified that a specific code release, designed to fix a bug that it had introduced four hours earlier, was responsible.

Here’s where the report takes a hard left into the fragile world of BGP: the Border Gateway Protocol used by the internet’s sprawling galaxy of networks to automatically organize each other and maintain connections between themselves. How BGP is involved in a DNS root zone issue is not clear, and we’ve asked Cloudflare for a more detailed explanation.

Regardless, it took nearly two hours to withdraw a BGP announcement that was causing the problem, something ISC notes should have happened faster. “In retrospect, we should have initiated the withdrawal of the route prefixes from BGP as soon as it was identified that incomplete / incorrect data was being served,” the report stated under “lesson learned.”

It continued: “The withdrawal of routes did not go as smoothly as expected and Cloudflare and ISC have agreed to perform regular tests to exercise that function… The test suite has been updated to include tests for missing glue, and ISC and Cloudflare will work to devise further conformance tests.”
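A minimal version of the missing-glue check the report says was added to the test suite, written here as an added example rather than ISC’s or Cloudflare’s own code: it parses a wire-format DNS referral and reports every in-bailiwick nameserver that arrives with no A or AAAA glue, which is exactly the shape of the .net failure described above. The referral is constructed inline; the gtld-servers names are the real .net server names, but their addresses are documentation-range placeholders, not the real ones.

```python
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28
CLASS_IN = 1

def _encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def _read_rrs(msg, off, count):
    """Read `count` resource records; return ([(owner, type, rdata)], offset)."""
    rrs = []
    for _ in range(count):
        owner, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            rdata = _read_name(msg, off)[0]  # target may itself be compressed
        elif rtype in (TYPE_A, TYPE_AAAA):
            rdata = str(ipaddress.ip_address(msg[off:off + rdlen]))
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        rrs.append((owner, rtype, rdata))
    return rrs, off

def parse_response(msg):
    """Split a wire-format response into answer/authority/additional sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):  # skip the question section
        off = _read_name(msg, off)[1] + 4
    answer, off = _read_rrs(msg, off, an)
    authority, off = _read_rrs(msg, off, ns)
    additional, _ = _read_rrs(msg, off, ar)
    return {"answer": answer, "authority": authority, "additional": additional}

def missing_glue(msg):
    """Return in-bailiwick NS targets of a referral that carry no A or AAAA glue."""
    sections = parse_response(msg)
    glued = {o for o, t, _ in sections["additional"] if t in (TYPE_A, TYPE_AAAA)}
    # Out-of-bailiwick servers (ns.example.org for a .net zone) need no glue.
    missing = {t for z, r, t in sections["authority"]
               if r == TYPE_NS and (z == "." or t.endswith("." + z)) and t not in glued}
    return sorted(missing)

def build_referral(qname, zone, nameservers, glue, ttl=172800):
    """Constructed referral: NS records for `zone` in authority, A/AAAA glue in
    additional; owner names and in-zone targets use compression pointers."""
    zenc = _encode_name(zone)
    question = _encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    zone_ptr = struct.pack("!H", 0xC000 | (12 + len(question) - 4 - len(zenc)))
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(nameservers), len(glue))
    authority = b""
    for target in nameservers:
        tenc = _encode_name(target)
        if target.endswith("." + zone):
            tenc = tenc[:-len(zenc)] + zone_ptr
        authority += zone_ptr + struct.pack("!HHIH", TYPE_NS, CLASS_IN, ttl, len(tenc)) + tenc
    additional = b""
    for owner, addr in glue:
        packed = ipaddress.ip_address(addr).packed
        rtype = TYPE_A if len(packed) == 4 else TYPE_AAAA
        additional += _encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(packed)) + packed
    return header + question + authority + additional

# Constructed sample: two .net servers with documentation-range addresses (RFC 5737/3849).
NS_NAMES = ["a.gtld-servers.net.", "b.gtld-servers.net."]
GOOD_GLUE = [("a.gtld-servers.net.", "192.0.2.1"), ("a.gtld-servers.net.", "2001:db8::1"),
             ("b.gtld-servers.net.", "192.0.2.2"), ("b.gtld-servers.net.", "2001:db8::2")]

def demo():
    """Healthy referral versus one with all glue dropped, as in the incident."""
    healthy = build_referral("www.example.net.", "net.", NS_NAMES, GOOD_GLUE)
    broken = build_referral("www.example.net.", "net.", NS_NAMES, [])
    return missing_glue(healthy), missing_glue(broken)

if __name__ == "__main__":
    print(demo())  # ([], ['a.gtld-servers.net.', 'b.gtld-servers.net.'])
```

Pointed at a live root server’s referral for .net, the same `missing_glue` call is the monitoring check a resolver operator would want to alert on.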

Hello money, goodbye stability

Thanks to the way that the world’s DNS works, with information cascading down through a distributed hierarchy of name servers, redundancy provisions, and caches – and globally updated every few hours to every few seconds – the impact on netizens was absolutely minimal. With the E and F roots temporarily knackered, browsers and apps would have found other ways to look up .net addresses.

However, the situation is serious in large part because a fundamental underpinning of the public internet’s global addressing system was knocked over through a minor software update by one private organization.

A software update carried out by Cloudflare, a commercial entity that uses a mix of open and closed software. The internet has achieved such a remarkable degree of uptime despite decades of exponential growth due to its tradition of open-source software, carefully checked and tested updates, and maintainer organizations that are kept separate from commercial considerations.

As one veteran internet engineer, Bill Woodcock, noted on Twitter: “What happens when critical functions of the public Internet are co-opted for private benefit? Transparency and accountability are lost, infrastructural spending cut, things break.”

The issue is not an academic one either. Woodcock sounded the alarm recently over the proposed sale of .org to an unknown private equity company – his company provides technical back-end services for the internet registry. Given the profit motive of the proposed purchaser, he concluded that there was likely to be a significant cutback on technical spending, putting the stability of the critical registry at risk. He sent a letter to DNS overseer ICANN about the issue, recommending that it stop the proposed sale.

That’s not the only internet engineer concerned either. Bert Hubert, whose company produces open-source DNS software, noted with respect to the ISC report that “closed source Cloudflare software had a bug which caused closed source Akamai to break over at a large US cable access provider.”

Break point

Hubert has recently been very vocal over his concerns that Firefox will be using Cloudflare as the default provider for its secure DNS, DoH, protocol: something that happened for all Firefox users in the US this morning.

If a software bug in closed Cloudflare software can cause a root server to vanish an entire, significant piece of the internet then it is all too possible – in fact, likely – that at some point a similar issue will cause Firefox users to lose their secure DNS connections. And that could cause them to lose the internet altogether (it would still be there, but most users would have no idea what the cause was or how to get around it.)

There is a famous phrase often repeated by internet engineers, and originally coined by EFF co-founder John Gilmore, that “the Net interprets censorship as damage and routes around it.” That statement has taken on much broader meaning and is often employed by engineers to basically say “don’t worry about it, the internet breaks all the time.” And it does, every second, and mends itself almost immediately.

But with the growing commercialism of the internet and with private and profit-driven companies increasingly inserting themselves into the foundational layer of the internet’s infrastructure, the report by ISC over this F root incident may well be a warning for what is coming.

We’ve asked Cloudflare for comment and will update this story when it gets back. ®

Full disclosure: The Register is a Cloudflare customer.

More and more people are choosing to cancel holidays to Italy as the number of cases of coronavirus in the country continues to rise.

But, despite Foreign Office advice against travel to a number of towns in the country, travellers are often being left out of pocket.

Peter and Jill Baker have cancelled a week-long trip to Rome and Venice.

They booked the getaway – along with two friends – in October and they believed they were getting a bargain.

The couple paid just under £600 for the trip, which included four-star accommodation, flights and train travel between the two cities.

But they decided to cancel the holiday after the coronavirus outbreak in Italy, where the government has quarantined 11 towns, one of them near Venice.

Mr Baker said he was “not particularly afraid” of contracting the virus because of what he considers a low mortality risk. Instead, he was worried about an extension to the lockdowns imposed by the government.

He said the Italian government had taken “dramatic action” to contain the spread of the virus and he did not want to find himself “stuck” in Venice.

But that came at a price.

While the couple has received a full refund for the hotel, Mr Baker said Ryanair had not refunded the £180 they spent on flights. They also had to pay a £75 administration fee to the travel agent Broadway Travel to cancel the trip.

The couple have contacted their insurance company to see if it will cover the cancellation. But Mr Baker is not optimistic.

And he is probably right not to hold his breath.

Insurers tend to follow the advice of the Foreign and Commonwealth Office (FCO).

And, while the government has issued a warning against all but essential travel to 11 quarantined towns in Italy – one of which is close to Venice – it has not advised against travel to the country.

“When the FCO advises against travel to a country or a region, people who are booked to travel there should call their airline or travel provider to cancel or postpone and arrange a refund,” insurer Axa UK said in an emailed statement.

However, that advice only applies to people booked to travel to the 11 towns currently under lockdown.

“Then they should contact their insurer to register a claim,” the Axa statement continued.

‘The fun begins’

John Adair from Edinburgh was told that a decision to cancel a four-day trip to Venice was not covered under his policy.

“Our hosts in Venice informed us that all schools, museums and churches were now closed,” he told the BBC.

“There didn’t seem much point in going if you could only look at the outside of the buildings,” he said.

He was not optimistic that the situation would improve and was worried about self-isolating on his return, so he cancelled the trip.

“The fun begins with travel insurance who are not recognising this as a valid cancellation claim,” he said.

But while insurers may not cover cancellations, some airlines are now letting passengers rebook flights.

British Airways has said that passengers with bookings to some airports in the north of Italy – including Milan, Turin, Bologna, Venice, Bergamo and Verona – will now be able to rebook their flights for a later date.

Delta and Air Canada have announced similar policies.

But for travellers like Jill and Peter Baker, they may still be left to pick up the bill.

Disney boss Bob Iger, who led the media company through several blockbuster acquisitions and the launch of a streaming network, is stepping down as chief executive.

Disney said it had appointed Bob Chapek, who previously ran the company’s parks and products division, to replace him.

Mr Iger will remain Disney’s executive chairman until the end of next year to direct “creative endeavours”.

The move came as a surprise.

Mr Iger, who is considered by many to be the most powerful man in Hollywood, had served as chief executive since 2005. He has previously announced plans to retire only to push back his departure date.

‘Optimal time’

In a statement on Tuesday, Mr Iger said it was the “optimal time” to begin to hand control of the company to a new leader.

Disney recently completed the acquisition of Rupert Murdoch’s 21st Century Fox entertainment empire and launched the Disney+ streaming channel late last year.

Earlier, Mr Iger presided over the firm’s acquisition of Pixar, Marvel and Lucasfilm.

“The company has gotten larger and more complex just in the recent 12 months,” Mr Iger said on a conference call on Tuesday.

“I felt that with the asset bases in place and with our strategy deployed I should be spending as much time as possible on the creative side of our business.”

Remaining as executive chairman would ease the transition, he added.

Mr Chapek, who joined Disney in 1993, will be the firm’s seventh chief executive since it was formed in the 1920s. In his prior role, among other achievements, he oversaw the opening of Disney’s park in Shanghai.

“His tremendous understanding of the breadth and depth of the Company and appreciation for the special connection between Disney and its consumers makes him the perfect choice,” said Disney board member Susan Arnold.

Shares in the firm fell 2% in after-hours trading after the news was announced.

Mr Iger, who recently published a memoir, is much beloved by investors for his record steering the company to steady profits, despite upheaval in the television and movie industries.

Disney claimed seven of the top 10 box office hits globally last year and the new streaming channel has already attracted more than 28 million paying customers.

The firm’s market value has increased five-fold during his tenure, Ms Arnold said. The firm is now worth about $230bn.

Financial markets plunged again on Tuesday as investors continued to worry about the spread of the coronavirus.

The Dow shed almost 900 points, falling more than 3% to close at 27,081. The S&P 500 also closed more than 3% lower, while the Nasdaq sank 2.8%.

The declines followed drops overseas. In the UK, the FTSE 100 fell almost 2% to a 12-month low of 7,018, while Japan’s Nikkei 225 index fell 3.3%.

The slump followed a global stock market plunge on Monday.

On Tuesday, airlines and travel companies, as well as firms that rely on China as part of their supply chain, were again among the most affected. Oil prices also dropped.

‘This might be bad’

Losses on US markets accelerated after US health officials warned that the public should expect cases to spread.

“We are asking the American public to prepare for the expectation that this might be bad,” said Nancy Messonnier, director of the National Center for Immunization and Respiratory Diseases.

The number of cases of coronavirus outside China is growing.

At least 280 people have been diagnosed with the virus in Italy, where seven have died. A handful of cases have also been identified in Switzerland, Austria, France and Germany.

In the US, which has confirmed 57 cases, the White House sought to calm fears that the spread would derail the economy.

“This is very tightly contained in the US,” White House economic adviser Larry Kudlow told broadcaster CNBC. “I think this thing will run its course and the US is in excellent shape.”

However, investors continued to sell stocks. Shares in American Airlines fell 9%, while Norwegian Cruise Line Holdings and Marriott dropped almost 8%.


By Samira Hussain, New York business reporter

The mixed messages coming from the federal government are not helping Wall Street.

In an effort to calm panicking investors, the Trump administration’s economic advisor Larry Kudlow said the coronavirus will not result in an economic tragedy and that the virus is contained.

That seemed to be at odds with US health officials, who are warning Americans that an outbreak is coming and it will be bad.

But then Mr Kudlow went even further by advising Americans that the current falls in the market meant that it would be a good time to buy stocks.

Forget for a moment that a member of the Trump administration is offering any sort of economic advice at all, and consider that some very well regarded investors are urging people not to buy on the dip and that this is a very unusual situation.

Then President Trump also weighs in to say the virus in the US is under control.

Again, these are very different messages coming from the same government, so it’s not surprising financial markets are tanking.

Investors are not being given much to be confident about.

In the UK, cruise company Carnival lost about 6% of its value, while Tui shares shed almost 5%.

Japan’s Toyota Motor Corp fell 3.7%, while Uniqlo’s parent company Fast Retailing dropped 4.2%.

“This is not a buy-the-dip market. It is a don’t-catch-a-falling-knife market,” wrote Scott Minerd of Guggenheim Securities on Twitter.

Some analysts said they expect the spread of the coronavirus to peak in the first quarter of this year, with economic activity rebounding in the second quarter.

“Those who expect the virus to kick off a global recession might be disappointed, as the impact is likely to be temporary,” said Margaret Yang, an analyst with CMC Markets. “Central banks around the globe are ready to inject liquidity and cut down interest rates to cushion the headwind.”

Google so sorry after devices fly the coop in multi-hour outage

Google has apologized for 16 hours of downtime for countless Nest cameras that left angry owners unable to watch live video streams from their gizmos.

“We’re still doing some investigating, but at this point I can share that the issue was due to a scheduled storage server software update that didn’t go as intended,” explained Rishi Chandra, Google vice president overseeing Nest in a support note on Monday. “Whenever something like this occurs, we carefully look across our systems to figure out how to make sure it doesn’t happen again.”

Server failure and the complete collapse of an online service is not something most people would expect from Google, given its position as one of the world’s largest providers, if not the largest provider, of online services. “Please accept my apology,” Chandra wrote.

Users started complaining about the issue around midday Pacific Time on Monday. The issue affected all of Nest’s internet-connected streaming cameras – it sells indoor and outdoor cameras and a video doorbell – and even its latest Nest Hub Max smart display. Streams are usually accessible through a smartphone app or by logging into a Nest account through a browser, but instead users saw the Nest equivalent of the Spinning Wheel of Death.

It took a surprisingly long time for Google to fix the problem. It acknowledged the issue on its status page an hour after the first reports, but it took four hours to start restoring access. It then took another four-and-a-half hours before related services such as notification alerts came back online. The issue wasn’t fully resolved until 0600 PT – roughly 16 hours after the issue first appeared.

The downtime was not appreciated by punters who pay up to $30 per month per camera to have access to 30 days of recordings.

“This outage is unacceptable and leaves my house and family at risk. All the expensive cameras I installed at my property are useless… and even worse zero recording history during this outage. I expect a credit on my Nest Aware account for this inconvenience,” complained one customer we chose at random from a long list of people complaining on Twitter.

Black mark

Google has promised to provide more updates in the coming days. It is notable that it reported what looks like an identical issue back in December, raising questions over how it does critical and customer-facing updates and rollouts.

The downtime is also one more black mark against Google since it started pulling Nest into its larger corporate family. The web titan bought the smart home gadget slinger for $3.2bn in 2014, and initially allowed the manufacturer to run autonomously, including using its own proprietary code and protocols.

But when Nest failed to put out any new products for several years, people started wondering what was happening. Then in April 2016, to a chorus of fury, Nest decided to brick its Revolv automation hub. That was the beginning of the end for Nest CEO Tony Fadell who left in June, just days before Nest finally released a new product – an outdoor surveillance camera with cloud-based storage on subscription.

With Fadell gone, the corporate overlords at Google started pulling Nest into its clutches. Nest’s decision not to include Google’s Brillo IoT standard in favor of its own Weave protocol was revised, and Nest’s focus on Apple’s smartphones – because that’s what the majority of its customers used – was slowly bent in favor of Google’s Android devices.

And we’re back

All was forgiven however when Nest put out its first new products for years: a camera with impressive software capabilities in May 2017 and then a whole new range of an outdoor camera, doorbell and security system in September 2017. The outfit was back on top, offering a more expansive range of products, albeit at a higher price than the growing competition, in particular from Ring – recently bought by Amazon.

But then came Google’s efforts to cram its own products into the Nest range. Google Assistant was added as a voice-activated controller – with very mixed results – and Google’s answer to Amazon’s Alexa, the Google Mini, was pushed as an extension to the Nest product range. It didn’t work well and ruined Nest’s hard-earned reputation for seamless integration.

Those painful integration efforts continued regardless. In 2018, Google announced that Nest was going to “join forces with Google’s hardware team,” i.e. be fully subsumed into the corporate monster. And the next year, all the names were changed: the Google Home Hub became the Nest Hub and all Nest products had the “Google” unceremoniously stuck on the front of them.

But when Google announced in May 2019 it was going to kill off its third-party integration program Works with Nest, there was such an explosion of anger that Google was forced to backtrack – at least for a while.

Come this way

Since then Google has been trying to force Nest users to move over to Google accounts – something that large numbers of customers are stubbornly refusing to do, based on the fair assumption that everything they do from that point will be added to the Google advertising-database.

As Google tries to suck Nest’s tightly focused ecosystem into its larger world of online services, users keep reporting problems – of which this week’s server upgrade is just the latest example.

The truth is that a lot of people don’t want to invite Google into their home. It’s great for searching the web and email, but everyone knows that the internet giant exists to sell your data to advertisers and people don’t want their homes and daily lives to be turned into dollar signs.

Nest products were different. They were standalone, worked seamlessly and efficiently and you paid for them, so there was no profit motive to sell whatever information could be gleaned from their use. But Google just can’t help itself: everything is saleable and now it just needs to pull those Nest products into its systems to access all that delicious data.

The fact that users were unable to see their camera live streams for half-a-day may have been an irritant, but it’s not clear that most of them recognize what it really represents: Google eyeballs on your life. You’d think the Silicon Valley kingpin would have been more careful about the transition given the sensitivities, but it wasn’t. Because, after all, if the shit hits the fan, it only takes 20 minutes to write an apology. ®

PS: Internet-controlled pet feeder biz Petnet went offline for a week this month, leaving animals to go hungry, it was reported.

Pair engineer malicious code from public source tweak before official binary releases

Google has updated Chrome for Linux, Mac, and Windows to address three security vulnerabilities – and exploit code for one of them is already public, so get patching.

In a release note on Monday, Krishna Govind, a test engineer at Google, said Chrome version 80.0.3987.122 addresses three flaws identified by various researchers. Each is rated high severity.

One, reported by André Bargull, is an integer-overflow bug in International Components for Unicode (ICU), a set of libraries for C/C++ and Java that handle Unicode and globalization support. This bug earned a $5,000 bounty from Google for Bargull, and no CVE has been issued.

The second flaw, reported by Sergei Glazunov of Google’s Project Zero team, is an out-of-bounds memory access in the streams component of the Chromium browser. It’s designated CVE-2020-6407.

The third, reported by Clement Lecigne of Google’s Threat Analysis Group, is a type-confusion bug in the TurboFan compiler for V8, the open-source Chromium JavaScript engine.

This particular remote-code execution vulnerability, CVE-2020-6418, was disclosed by Lecigne to the Chromium team on February 18, and quietly fixed a day later.

Interestingly enough, at the time, this public source-code tweak was spotted and studied by Exodus Intelligence researchers István Kurucsai and Vignesh Rao, who hoped to see whether it’s still practical to identify security bug fixes among code changes in the Chromium source tree and develop an exploit before the patch sees an official release, a practice known as patch-gapping.

As such, Kurucsai and Rao developed proof-of-concept exploit code for CVE-2020-6418 after spotting the fix buried in the source tree, and before Google could emit an official binary release. The duo have now shared their exploit code [ZIP] which can be used by white and black hats to target those slow to patch.

The bug arises from a side-effect of the JSCreate operation and the way it handles JavaScript objects; this can be abused by a malicious webpage to execute arbitrary code within the browser sandbox. This involves modifying the length of an array to an arbitrary value to get access to the V8 memory heap. A hacker would need to break out of the sandbox to hijack a device or PC, we note.

In their write-up, Kurucsai and Rao observe that it took three days to analyze the flaw and develop exploit code. “Considering that a potential attacker would try to couple this with a sandbox escape and also work it into their own framework, it seems safe to say that one-day vulnerabilities are impractical to exploit on a weekly or bi-weekly release cycle,” they said.

According to Govind, Google is keeping the discussion of the V8 bug private until the update, usually distributed automatically, reaches the majority of Chrome users. The Googler noted the web giant “is aware of reports that an exploit for CVE-2020-6418 exists in the wild.”

Google’s most recent Chrome zero-day fix arrived last November, when the Chocolate Factory repaired a use-after-free vulnerability (CVE-2019-13720). ®

Digital transformation? Pah, pass the tins of beans and firelighters

The top level of IT management is preparing for a recession in 2020 while getting poor results from the industry’s most hyped technologies, a study by the Hackett Group found.

Following interviews with nearly 200 executives, the consultancy company concluded 94 per cent of IT leaders were preparing for a domestic recession while 91 per cent were putting plans in place for a global recession.

The study found 26 per cent of the top IT professionals surveyed developed contingency plans for a global recession, 30 per cent have accounted for the possibility in their capital spending plans and 35 per cent have put cash aside in baseline operating plans and budgets.

“IT is being forced to build concern over recession and economic uncertainty into their budget planning,” the group said, adding: “This priority may undercut IT’s ability to achieve its transformation goals in 2020.”

Although it did not collect data about preparations for recession in its 2019 predictions, it did say that C-suites were conservative with their financial resources in 2019, offering IT departments a 2.2 per cent increase in operating budget, on average, despite an expected 6 per cent increase in revenue.

While analytics was the second most important improvement objective for 2020, behind security, there was also a need to improve performance in order to support “digital transformation”, the report said.

“Analytics and data visualisation have the largest deployment growth projections for 2020, but they are also ‘critical development areas’ where IT simply does not have the capabilities it needs,” said Rick Pastore, a Hackett Group senior director and IT research advisor.

“As a result, advanced analytics implementations have been disappointing, and it will be particularly challenging for IT to turn this around quickly. That’s a dangerous situation, particularly in light of the high growth rates expected in these areas in 2020. Corporate leaders may have unrealistic expectations about when they’ll get results.”

Michael Spires, the Hackett Group’s technology transformation principal and practice leader said: “CIOs need to force the issue of data governance and create tools and processes that identify gaps and data siloes, while also mandating that the business and functional leaders own and address data and data reconciliation.”

Despite Gartner predicting growth in robotic process automation (RPA) of around 60 per cent, Hackett found the much-hyped field is producing disappointing results. While exactly half of organisations surveyed were investing in the technology, 47 per cent of them found it fell short of expectations.

But it was not the only technology to disappoint. Chatbots and virtual assistants fell short of expectations for 73 per cent of organisations. Analytics, AI and data visualisation tools disappointed IT leaders in around 50 per cent of implementations.

Which makes The Reg wonder if IT leaders are being short-sighted in preparing for a recession when so much of the technology they are being asked to invest in fails to fulfill its promise. It seems they know on which side their bread is buttered.

The full study is on the Hackett Group’s website. ®

Farming leaders have said it would be “insane” to sign a trade deal that allows the import of food that would be illegal to produce in the UK, such as chlorinated chicken.

The National Farmers Union (NFU) president, Minette Batters, said allowing these imports would be “morally bankrupt”.

The NFU called for rules on minimum standards for imports to be made law.

Downing Street said food standards would be protected in any trade deal.

‘Bottom rung’

At the NFU’s annual conference on Tuesday, Ms Batters said: “This isn’t just about chlorinated chicken. This is about a wider principle.

“We must not tie the hands of British farmers to the highest rung of the standards ladder while waving through food imports which may not even reach the bottom rung.”

She said: “To sign up to a trade deal which results in opening our ports, shelves and fridges to food which would be illegal to produce here would not only be morally bankrupt, it would be the work of the insane.”

Ms Batters called for rules in the Agriculture Bill, which is currently going through Parliament, to ensure that food that would be illegal to produce here will not be imported.

In countries such as the US, chicken is sometimes washed in chlorine or other chemicals to remove harmful bacteria.

This practice was banned in the European Union in 1997 over food safety concerns.

The prime minister’s official spokesman said: “The UK has long been a world leader in food safety and animal welfare and we will continue to uphold our high food safety standards in all future trade deals.”

The EU will demand that the UK keeps its ban on chlorinated chicken as a requirement for a trade agreement with Brussels, the Guardian reported, citing documents it has seen.

The move is to protect European meat exports, but it could prove a stumbling block in any deal with the US.

Last month, US Treasury Secretary Steve Mnuchin said that the US wanted to agree a post-Brexit trade deal with the UK in 2020.

New environment secretary George Eustice drew criticism on Sunday after refusing to rule out chlorinated chicken and hormone-treated beef being imported from the US under a new deal.

But the EU believes that relying on chlorine at the end of the meat production process could be a way of compensating for poor hygiene standards – such as dirty abattoirs.

In 2020, the UK will be negotiating a trade deal with Brussels for when the Brexit transition period ends on 31 December.

According to reports in the Guardian newspaper, the EU will demand that the UK maintains a ban on chlorinated chicken as the price for a trade agreement with the bloc.

Mr Eustice’s predecessor, Theresa Villiers, had previously told the BBC that the current European Union ban on chlorine-washed chicken would be carried over into UK legislation after Brexit.

Good for privacy – or an alarming move towards further internet centralisation?

Mozilla has started rolling out encrypted DNS-over-HTTPS (DoH) by default for US users of the nonprofit’s Firefox browser.

DoH encrypts DNS (Domain Name System) traffic, which has both security and privacy benefits, though use of the DoH protocol itself is not the only issue here. The other question is, whose server do you use for name resolution?

DNS is the process by which internet names are translated into network addresses. The system goes back to the earliest days of the internet and has several security and privacy issues.

Typically the DNS servers you use are provided by the network you connect to: the server that allocates an IP number to your machine also provides the address or addresses of DNS servers, via DHCP (Dynamic Host Configuration Protocol).

DNS has a number of security and privacy weaknesses. A malicious DNS server could direct you to a site you did not request, or someone could eavesdrop or tamper with DNS traffic. Privacy is an issue because the server that resolves your DNS requests has a record of your browsing history, which has commercial value as well as being of potential interest to spies and law enforcement.
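DoH carries exactly the DNS message described above, just inside an HTTPS request, which is what defeats eavesdropping and tampering on the path while leaving the resolver itself with the plaintext. The following Python is an added example, not code from the article or from Mozilla: it shows the RFC 8484 encoding of a query and how a response body is read back. The resolver URL is an assumption (Cloudflare's public endpoint, used only as a placeholder default) and the response bytes are constructed, so it runs offline.

```python
import base64, struct

# Added example (not the article's or Mozilla's code): how an RFC 8484 DoH client
# wraps a plain DNS query in HTTPS. The resolver URL is the choice the article debates.
RESOLVER_URL = "https://cloudflare-dns.com/dns-query"  # Cloudflare's endpoint, a placeholder here
TYPE_A = 1

def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """DNS wire-format query; ID 0 as RFC 8484 suggests, so equal queries cache as one URL."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(query: bytes, resolver: str = RESOLVER_URL) -> str:
    """GET form: base64url, padding stripped, in 'dns='; send with Accept: application/dns-message."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={dns}"

def read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while (ln := msg[off]) != 0:
        if ln & 0xC0 == 0xC0:              # compression pointer, RFC 1035 s4.1.4
            end = end if end is not None else off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
    return ".".join(labels), (off + 1 if end is None else end)

def parse_answers(msg: bytes):
    """Return [(name, type, ttl, rdata)] from a DNS response (the HTTPS body)."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, out = 12, []
    for _ in range(qd):                    # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TYPE_A:
            rdata = ".".join(str(b) for b in rdata)  # dotted quad
        out.append((name, rtype, ttl, rdata))
    return out

# Constructed response (not captured from any resolver): example.com A 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Swapping `resolver` for another provider's URL is the whole of the "whose server" choice; the query bytes on the wire do not change.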

Mozilla’s answer to the problems thrown up here is to set the DNS resolver in Firefox to Cloudflare by default, with an option for NextDNS or your own custom provider if you’re sufficiently techie to dig into the browser’s networking settings.

The argument is that the named providers are “trusted recursive resolver” partners, as described here, so that users are assured of encryption as well as protection from malicious redirection. These partners – and currently there are only two – agree to delete all identifiable data within 24 hours, to keep only aggregate data, and not to sell user data to any third party. They also agree “not to block or filter domains unless specifically required by law in the jurisdiction in which the resolver operates”.

Today’s announcement states: “We’re enabling DoH by default only in the US. If you’re outside of the US and would like to enable DoH, you’re welcome to do so by going to Settings… DoH is just one of the many privacy protections you can expect to see from us in 2020.”

The DoH setting in Firefox, currently Cloudflare, NextDNS or Custom

DoH combined with a third-party resolver makes it harder for ISPs to filter and block web traffic and is therefore unpopular with those keen on such blocking, such as the UK’s Internet Watch Foundation charity and, it seems, the UK government.

Last year, Mozilla’s VP of trust and security, Alan Davidson, told the government that it “has no plans to turn on our DoH feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders”. Mozilla told us today: “We have no further information on a UK release date for DoH.”

Cloudflare argues that filtering and blocking traffic via DNS is a poor approach. “Application-specific controls such as browser extensions would be more effective since they can actually look into the URLs and selectively prevent content from being accessible,” said Peter Wu, part of the Crypto Team at Cloudflare.

Google also has plans to roll out DoH in Chrome, but with an important difference. It will only use DoH if the configured DNS server supports it, saying: “This would upgrade the protocol used for DNS resolution while keeping the user’s DNS provider unchanged.”

Google said it has no plans to follow Mozilla’s approach.

Bert Hubert, founder of PowerDNS, is a vocal opponent of Mozilla’s move. He told The Reg today: “I find it highly disappointing that Mozilla decided, on behalf of all users it deems American, that this was a good idea. So while encrypted DNS is great, it matters a great deal who you encrypt your DNS to (since in the end, someone is going to have plaintext).

“Mozilla ‘dark-patterned’ the choice so almost everyone will take the new default. Essentially they are saying ‘we decided it is best that you send all your DNS queries to Cloudflare’.”

Hubert said that the issue is centralised DoH rather than DoH as a protocol, but that the two are deliberately confused by proponents. “A lot of people pro-centralisation have attempted to paint detractors as hating encryption,” he said. “It is far easier to defend ‘DoH the protocol’ than to defend ‘DoH the landgrab’.”

Admins and technical users can easily override Mozilla’s choices, but many will likely accept the defaults. One question is who is more trustworthy: do you choose your ISP’s DNS resolver (which might include the DNS provided via Wi-Fi in an airport or café) or Mozilla’s chosen partner, currently Cloudflare?

Another relevant question is whether further centralisation of the internet is, inherently, a bad thing. ®


Chinese tat bazaar’s latest smartphone effort will set you back £459

Xiaomi’s Mi Note 10 phablet – first introduced last November – has hit UK shores with the entry-level model retailing at £459.

The phone is available from today at Xiaomi’s online shopping portal.

The Mi Note 10 is a weird beast focused on productivity and photography alike. The camera system packs Sony’s relatively new ISOCELL Bright HMX 108MP sensor for the main shooter, which produces 12,032 x 9,024 snaps. Of course, if the phone is in low-light conditions, it’ll activate its pixel-binning tech, which will reduce the size of those shots considerably to produce clearer pictures.

Accompanying that is a macro lens for close-ups, a 5MP telephoto lens, another 12MP telephoto lens, and a 20MP ultra-wide-angle lens. This supports 50x hybrid zoom, although odds are you’d never max that out.

On the front, you’ll spot a lonely 32MP selfie camera, which supports the usual AI accoutrements, including a beauty mode that’ll probably make you look like a slightly warm Madame Tussauds waxwork – such has been our experience with “beauty modes”.

The phone packs a 6.47-inch 3D curved AMOLED display, which is encased in Corning’s Gorilla Glass 5. The rear gets the Gorilla Glass treatment too, which should make it more resistant to scratches and nicks.

Under the hood, it packs a capacious 5,260 mAh battery, which supports 30W fast charging. Xiaomi reckons this’ll give you two days’ worth of charge. That sounds about right given that it ships with Qualcomm’s Snapdragon 730G platform, which isn’t exactly a speed demon but is designed to be power efficient.

The 6GB/128GB model retails at £459 and comes in Glacier White, Aurora Green and Midnight Black. An extra £100 doubles your storage, and comes with the white and green colour options. ®
