Firefox To Enable DNS-over-HTTPS by Default To US Users (techcrunch.com)
Mozilla will bring its new DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks, the browser maker has confirmed. From a report: It follows a year-long effort to test the new security feature, which aims to make browsing the web more secure and private. Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can't be intercepted or hijacked in order to send a user to a malicious site. These unencrypted DNS queries can also be used to snoop on which websites a user visits. DoH works at the app-level, and is baked into Firefox. The feature relies on sending DNS queries to third-party providers -- such as Cloudflare and NextDNS -- both of which will have their DoH offering baked into Firefox and will process DoH queries.
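What the summary calls "sending DNS queries to third-party providers" is, on the wire, an ordinary DNS message carried inside HTTPS (RFC 8484). The following is an added illustration, not code from the article, Mozilla, Cloudflare or NextDNS: it builds the DNS query, renders the GET form of the DoH request (base64url in the dns= parameter, padding stripped), and parses a response. The resolver host doh.example and the /dns-query path are placeholders, and the response bytes are constructed by hand rather than captured from any real resolver.

```python
from __future__ import annotations
import base64
import struct

DOH_PATH = "/dns-query"   # placeholder path; real providers publish their own


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: ID 0 (RFC 8484 recommends 0 so HTTP caches can share it), RD=1, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_request(name: str, host: str = "doh.example") -> str:
    """Render the HTTP/1.1 GET form of a DoH query; the dns= value is base64url without '=' padding."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return (f"GET {DOH_PATH}?dns={dns} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just after it in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Parse the answer section; A records are rendered as dotted quads, other RDATA as hex."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        out.append((name, rtype, ttl, text))
    return out


# Constructed sample response (not a real capture): example.com A -> 192.0.2.1, TTL 300,
# with the answer name given as a compression pointer to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_request("example.com"))
    print(parse_answers(SAMPLE_RESPONSE))
```

The point for the thread's privacy argument is visible in the request line: the query name travels in the URL, inside TLS, so it is hidden from the path but fully readable by whoever operates the DoH endpoint.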
What a sad joke (Score:5, Insightful)
DoH 'solves' the privacy issue by sharing all of your DNS data with the likes of Cloudflare and Google, rather than your ISP. In the meantime your ISP will know exactly where you are going, unless you are using a VPN. Plus DoH will simplify things enormously for those keen on using DNS for encapsulating all sorts of protocols in a way that will be essentially undetectable.
Thanks so much, Mozilla.
.Onion promotion (Score:5, Informative)
DoH 'solves' the privacy issue by sharing all of your DNS data with the likes of Cloudflare and Google, rather than your ISP.
If you are interested in privacy from Cloudflare: you might be interested to know that Cloudflare can auto-promote an HTTPS connection to a .Onion Tor service.
It's available for websites using Cloudflare's CDN, and Cloudflare themselves use it for DoH [cloudflare.com].
So, if you have either Tor running or some Foxy Proxy rules to redirect addresses ending in .onion to your Tor SOCKS proxy, whenever Firefox is sending a DoH request it will actually be sending it over Tor, helping you *hide* your requests more efficiently from Cloudflare themselves.
(Also, they have drastically cut down the captcha hell for Tor users: now instead of considering only every IPv4 hitting their HTTPS server as a separate user (and thus all traffic coming out of a single exit node will look like a single user and will get a bad reputation due to some of the malevolent traffic from a minority of Tor users), they will consider each Tor circuit to their .Onion Tor service as a separate user. Different users definitely use different conduits, so the fact that a few bad players on Tor do bad shit will not automatically discriminate against you just because you happen to also use Tor and the same exit node.
But that's another story.)
Re: (Score:2, Informative)
If you are interested in privacy from Cloudflare
Cloudflare's CEO has twice "removed sites from the Internet" on a personal lark. I wouldn't even trust Cloudflare with something as benign as the local path to my Firefox installation. Now you're telling me I should trust Cloudflare to promote my sensitive traffic to TOR? Ahahahahahahahahahahaha
The other way around: put Tor between you and CDN (Score:5, Interesting)
Now you're telling me I should trust Cloudflare to promote my sensitive traffic to TOR?
Please read the source I am pointing to.
It's the other way around: you can now more reliably put Tor onion routing between you and Cloudflare if you wish so, to hide yourself from the aforementioned evil CEO.
You're not counting on Cloudflare to take care of your TOR traffic.
You're counting on Tor to hide you from Cloudflare and now it works better.
It used to be that Tor + Cloudflare == barrage of Captchas.
Now it basically works. (Both for DoH and for any website using CDN from Cloudflare that activates Tor on their website).
Really, try it: fire up Tor, test a few Cloudflare CDN-ed websites and notice how now a lot of them just work out of the box instead of complaining that your (exit node's) IPv4 has been banned due to abuse and asking you to solve a couple of dozen captchas.
DoH works exactly the same as above.
You're not protected from the CEO just deciding to STOP serving some name (for that you would be needing some distributed name resolving platform... something like namecoin but done better) (or at least you need to setup a couple of alternative services in your local resolver).
But you're protected from Cloudflare snooping what server names you're connecting. They will not be able to track that the request for the address of the website "barelylegaltinypetitegirlzvsmassivegiantrapistcocks.xxx" has been requested by your IPv4 address, and later if that website uses Cloudflare CDN and has enabled Tor support, Cloudflare won't be able to track either that it is your IPv4 address that is requesting "revenge snuff porn" category from that website.
Cloudflare's CEO has twice "removed sites from the Internet" on a personal lark.
Cloudflare hasn't removed sites from the internet: it's not even hosting websites.
It's only a CDN provider.
It is a corporation (not a public utility) and thus can freely decide with which customer to do business.
Just as the owners of 8chan are free to ask Akamai or any other CDN provider [wikipedia.org] to serve as a CDN in front of their website.
(Or switch to a website provider that guarantees their own distribution. Or roll their own multiple servers across Amazon's or Google's Cloud. etc.)
Looks like blacklist solution to me. (Score:2)
Instead of a whitelist.
Aka full of unknowns and potential holes. Like anti-virus instead of a firewall.
Not that it is worse than this DoH clusterfuck.
I'd say everything over TOR *except* for very specific things in a very specific separated containment zone.
Re: .Onion promotion (Score:2)
While I like the idea overall, it's ultimately a losing battle until tls is changed to no longer send the host certificate in cleartext. The certificate contains all of the details that an isp would need. So say you visited slashdot.org, the server you connect to will send you the certificate containing its domain name (as well as all aliases and alternates) in order to prove itself. Easy for the isp to snoop that, making doh useless for now, though it could be useful later on. Closing this loophole would r
Re:What a sad joke (Score:5, Informative)
You can choose your DoH source. You cannot shield your remote DNS lookups from your ISP.
Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist.
Yes, DoH will be the log that breaks the dam open there. Nobody thought to use other protocols to do that before now.
Re: (Score:3, Informative)
Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist.
You're not hiding from your ISP regardless in these cases (which are many/most). Remember that SNI [wikipedia.org] is sent in plain text.
Run your own recursive DNS resolver [nlnetlabs.nl] if you're paranoid.
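What "SNI is sent in plain text" means on the wire, as an added example that is not from any commenter in this thread: a constructed TLS ClientHello carrying a server_name extension, and a parser that recovers the host name exactly as a passive network monitor on the path would. The record layout follows RFC 5246/6066; the 32-byte random, the single cipher suite and the host name slashdot.org are constructed filler, not a real capture. A defender can run the same parser over their own captures to confirm which connections still expose the host name (and so would need eSNI/ECH, not DoH, to hide it).

```python
from __future__ import annotations
import struct


def build_client_hello(server_name: str | None) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record; SNI extension included only if a name is given."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # extension type 0 = server_name
    body = (
        b"\x03\x03" + b"\x11" * 32                 # client_version + fixed filler "random"
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Return the host_name from a ClientHello's SNI extension, or None if the record carries none."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                                # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                   # skip client_version + random
    off += 1 + body[off]                           # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                           # compression_methods
    if off + 2 > len(body):
        return None                                # no extensions block at all
    ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if etype == 0x0000:
            # server_name list: 2-byte list length, then (name_type, 2-byte length, name) entries
            p = off + 2
            while p + 3 <= off + elen:
                ntype = body[p]
                nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                if ntype == 0:
                    return body[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
        off += elen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("slashdot.org")))   # the name an on-path observer reads
    print(extract_sni(build_client_hello(None)))
```

Nothing in the ClientHello is encrypted yet, so this extraction needs no keys; that is why the thread's point stands that DoH alone does not hide the destination from the ISP for hosts that share an address.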
Re: (Score:3)
Remember that eSNI [eff.org] is the other half of this. It's also the more difficult half because it requires support throughout the server-side chain, i.e. load balancers and reverse proxies, web severs, etc.
Re: (Score:2)
This is only temporarily true. eSNI.
Re: (Score:2)
This is only temporarily true. eSNI.
So is lack of support for encrypted transports in operating system resolvers.
Re: (Score:2)
Agreed. People are letting the perfect become the enemy of the good.
Re: (Score:3)
You can choose your DoH source.
If this was about providing choice Mozilla would simply provide an option enabling people to turn it on if they wanted to. If they simply did that nobody would care.
Saying you can choose when majority have no idea what any of this crap even means is not credible.
You cannot shield your remote DNS lookups from your ISP.
Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist.
We know that SNI and PKI identity are sent in the clear. We also know fingerprinting of encrypted sessions to public sites has been demonstrated with high accuracy. Nothing is currently preventing an evil ISP from collecting the same data outsid
Re: (Score:2)
They simply did that [mozilla.org]. You're quibbling about opt-in versus opt-out as if your decision that "majority have no idea what any of this crap even means" should default to being out is "credible."
For now. [eff.org]
Re: (Score:3)
You're quibbling about opt-in versus opt-out as if your decision that "majority have no idea what any of this crap even means" should default to being out is "credible."
I don't view ANY of the excuses in support of Mozilla's scheme as credible. Not a single one. I've yet to hear one justification of any technical merit that passes basic test of logic. Changing existing behavior by default with very real risk of change exposing users to additional harm is not something that should ever be "opt-out". There is no technical reason the system could not be architected in a way that avoids such risks. Mozilla has completely failed to even try.
Mozilla could have followed othe
Re: (Score:2)
The EFF cares about it, it has a decent amount of value, it's no more of an added round trip than the DNS query, and is only insecure against active attack (by which I presume you mean forcing a fallback to DNS) because the tinfoil hat brigade is screaming about any mechanism that doesn't automagically follow their blessed DNS settings.
Re: (Score:3)
The EFF cares about it,
It would be awesome if website operators cared. They currently seem to be stuck doing the exact opposite of what the EFF would prefer them do. Pervasive mass cross site surveillance of hundreds of millions is what you can expect more of with DoH as DNS based protections are bypassed.
it has a decent amount of value, it's no more of an added round trip than the DNS query, and is only insecure against active attack (by which I presume you mean forcing a fallback to DNS)
Personally I would be very surprised to see this widely deployed within the next decade.
While it doesn't seem like much it's an added round trip over the top of normal DNS and TLS operations.
To outfits like Google who counts
Re: (Score:2)
Goalpost shifting, I see.
What DNS based protection is it bypassing? The piholes that the "majority [that] have no idea what any of this crap even means" are running?
Re: (Score:2)
FTFY. Live up to your own standard rather than being an obvious hypocrite.
Re: (Score:2)
Actually the assertion was "If it's not worth anything, then why are ISPs crying foul [arstechnica.com]," in rebuttal to:
Re: (Score:2)
For some reason you think you answered his valid points.
The sources for DNS servers were already chosen and overwritten. Having to manually re-enter DNS servers just defeats the purpose not to mention it breaks existing privacy settings. It publishes the requests to a select few.
"Because we all know that one IP address can have only one FQDN associated with it. Reverse proxies and other various technologies for putting multiple sites behind a single IPv4 address simply do not exist."
And? Why do you think t
Re: (Score:2)
You have zero understanding of how this implementation works [mozilla.org], so I will not bother itemizing all the ways in which you've gotten this wrong.
Re:What a sad joke (Score:4, Interesting)
The likes of Cloudflare and Google are the only games in town right now - but there's nothing stopping your ISP, or indeed you, or your router manufacturer from providing a DoH service. In the short term, I suspect you'll need an about:config change to use your own servers, but in the future I'd expect the browser to use the same DNS servers as the system it's running on, possibly with the big names as fallback.
As an aside, we all love to hate Systemd - it's got very big and annoying. One of the things it wants to do is to run a local DNS resolver (and then fiddles with resolv.conf to make everything use it). Right now, that mostly just ends up talking to whatever you'd normally have put in resolv.conf, but one of the purposes of it was to be able to perform DNSSEC queries, thus making any piddly client on your computer DNSSEC aware. I haven't checked, but I'd imagine they could or will implement DoH too, so Firefox could end up using 127.0.0.1 as the DoH service, leaving systemd to work out the details after that. Of course, you'll need a suitably afflicted system for that to work, so I guess the initd holdouts will need to run Unbound or something to simulate the same.
Re: (Score:1)
The likes of Cloudflare and Google are the only games in town right now
You're an idiot. There are multiple providers of encrypted DNS, including OpenNIC and DNSCrypt-proxy (which allows chaining DNS servers so even the DNS server doesn't know who made the request). Mozilla doesn't want to use those because they're building the framework for enabling them and Cloudflare to block access to domains that allow "wrongthink" on the Internet.
Re: (Score:2)
You don't need systemd. You can already get a DoH plugin for normal glibc.
Re: (Score:3)
So I'm a malicious ISP and I see this implementation by browsers. So I create a script that queries every IP that a client requests with a DoH request. If it's positive and an IP is returned I just block the IP and the client still gives me the data. This is what computers are most efficient at. Repetitive tasks.
Meanwhile personal browsing habits of millions is aggregated to a few who already said that they will monetize the information as they have claimed they will.
Malicious ISPs aren't affected and gener
Re: (Score:2)
This doesn't make sense -- what do you mean by "queries every IP"? DoH works by making an HTTPS request with SNI. You don't even know the DoH URL.
Gives what data?
DNS should be a system setting (Score:2)
DoH 'solves' the privacy issue by sharing all of your DNS
But not quite all. It only "solves" requests made by the browsers that implemented it.
I'm not opposed to DoH -- but the browser should really point at a local DNS cache; and that local DNS cache should be configured by the user.
That local DNS cache should in turn either go straight to the authoritative DNS servers for a domain (by default, which has pretty good privacy properties); or DNS over Tor if you care about privacy.
But in no scenario is sending all requests to Google a win for privacy.
No need for a DNs cache. (Score:2)
Actually, resource-wise, everyone could just run their own DNS server. No forwarding, nothing.
Given that it doesn't even register, CPU- and memory-wise, on a 1GB RAM first-gen Raspberry Pi clone.
All that is missing, is a ready-made package that even a clueless user can just install.
Or, on Linux, a ready-made config directory to untar.
Re: (Score:2)
DoH 'solves' the privacy issue by sharing all of your DNS data with the likes of Cloudflare and Google, rather than your ISP.
Chrome will only use DNS over TLS if you explicitly change your DNS provider to one of a whitelisted set. The one mentioned in Google's docs is Quad9 (9.9.9.9), which has no affiliation with Google, AFAICT.
And why in the world would Google need to monitor your DNS traffic? If you're using Chrome, the browser already knows every site you visit; DNS lookups are irrelevant.
Re: What a sad joke (Score:1)
"And why in the world would Google need to monitor your DNS traffic?"
Big Brother Google likes to watch.
Re: (Score:2)
"And why in the world would Google need to monitor your DNS traffic?"
Big Brother Google likes to watch.
Did you not read the sentence after the one you quoted?
Re: What a sad joke (Score:1)
It's not that Big Brother needs to watch your DNS. You're right, he doesn't, your browser is already fully snooped. It's that Big Brother _wants_ to watch your DNS. The same way the local drunk doesn't _need_ to drink another beer, but does anyway.
Re: (Score:2)
It's not that Big Brother needs to watch your DNS. You're right, he doesn't, your browser is already fully snooped. It's that Big Brother _wants_ to watch your DNS. The same way the local drunk doesn't _need_ to drink another beer, but does anyway.
That makes no sense whatsoever. Even if we were to assume that Google is the sort of Big Brother you do (which I flatly deny, but will go with it for the hypothetical), there's no value in getting a subset of the data when you already have more of it from a better source.
Re: (Score:2)
You must think there are only two DoH providers out there. I use two that aren't in your list.
Quad9: https://www.quad9.net/doh-quad... [quad9.net]
Clean Browsing Security: https://cleanbrowsing.org/guid... [cleanbrowsing.org]
Time to stop using Firefox (Score:1, Troll)
This is the wrong way to do DNS (at the app level). They are essentially selling your data to their corporate partners (Cloudflare). Firefox guys: you sold out. I hope you guys go out of business soon.
Re: (Score:2)
It's also on by default on Chrome variants (and points to Google) so those choices are even worse.
Funny seems like just (Score:2)
Just my 2 cents
No one listened to the independent browsers (Score:3)
I hope you like browser dictatorships in the name of security, because you made your bed.
You can still apply patches. (Score:2)
E.g. under Gentoo, patching is trivial.
p=$(equery w firefox)          # path of the installed firefox ebuild
ebuild $p prepare              # unpack and prepare the sources
cd /var/tmp/portage/*/*/work/
mv *firefox* a                 # pristine tree
cp -a a b                      # working copy
# now edit stuff in b
mkdir -p /etc/portage/patches/firefox
diff -u a b > /etc/portage/patches/firefox/remove-crap.patch
ebuild $p clean
emerge firefox
# It will automatically pull in the patch, if I remembered this procedure correctly.
Workaround (Score:1)
Which obviously will fail. (Score:2)
How would they know if I run my own?
I AM my ISP!
At least from the browser and OS and internal network users and router perspective.
This is just lies.
Re: (Score:3)
I have a hard time understanding why "the DNS server set on the device" (probably the ISP) won't just make that special lookup unresolvable and continue selling your coarse browsing data.
A question regarding encrypted DNS (Score:3)
It seems it'd make much more sense just to run DNS on a secure socket (just like HTTP or SMTP is currently done).
What is the reasoning behind doing DNS over HTTPS but not SMTP?
It seems messy and like it'll be a PITA in the long run.
Re: (Score:2)
What are you talking about? At a lower level you will make an IP request to your ISP in order for them to request your HTTP/HTTPS DoH connection. Your ISP then sends a DoH request to the IP you requested and sees whether it's a DoH server and if it is, blocks the request. Your browser then sends the DNS request to your ISP. Nothing gained here except where the ISP is not malicious. The malicious actors here are the Browsers which will monetize this information with the DoH providers. That is why they make
Re: (Score:3)
It's way harder for an oppressive regime or a data-hoarding ISP to block, for one. Can't really block access to 445 while it would be trivially easy to enforce the use of your "official" DNS server and block whatever secure one is being run at a non-sanctioned port.
And if it's done over HTTPS, even deep-packet inspection won't be able to identify that you're trying to resolve something that whoever controls your connection doesn't want you to resolve.
Re: (Score:2)
443. Sorry. It's time to shut down for today. Can you tell I spent way too much time today hunting down ancient SMB implementations?
Re: (Score:2, Informative)
It's way harder for an oppressive regime or a data-hoarding ISP to block, for one.
You have to give your ISP an IP address no matter what connection you wish to establish. Your ISP makes a DoH request to the IP you provided. If a positive response is received the ISP blocks the IP. Your DoH solution was simply disabled by the malicious ISP that you are trying to protect yourself from.
When the ISP is not malicious and doesn't collect your data your browser just ensured that your data can now be monetized by the worst offenders. All this with the protection of HTTPS.
The hens sleep well at n
Re: (Score:2)
Fortunately our governments usually know jack shit about the internet and mostly use DNS blocking these days. Not to mention that IP blocking is kinda useless in the times of cloud computing. What do you want to block, AWS?
Re: (Score:3)
Why is the focus on DNS over HTTPS?
It seems it'd make much more sense just to run DNS on a secure socket (just like HTTP or SMTP is currently done).
What is the reasoning behind doing DNS over HTTPS but not SMTP?
It seems messy and like it'll be a PITA in the long run.
Because no one port-blocks 443. If you stick it on its own port everyone can easily block it. It's why so many people choose to run SSH over 443 also.
Re: (Score:2)
There is already a hack for DNS-over-SMTP. There was no hack for DNS-over-HTTP. Next they will have DNS-over-AvianCarriers because, well, you can. Note that there is also a setting to enable DNS-over-Telegram (the old morse code longwire telegram, not the new fangled shit that goes by the same name).
Re: A question regarding encrypted DNS (Score:2)
It seems to be answered above though.
Thanks for poking a hole in my privacy! (Score:2, Interesting)
I don't need Mozilla to spy on me!
I run a DNS server at home, and on my server, which everyone of my friends and clients can use.
This shit deliberately circumvents that, and even leaks internal network structures through VPNs, TOR, everything!
And now we have a single point of failure. Guess where every state and corporation and other evildoer will go to grab my metadata!
No fuckin thanks, you self-centered, ego-inflated, condescending assholes!
Follow the money (Score:2)
In other words, they are deliberately breaking any/all DNS-based adblocking and content filtering. So much for OpenDNS protecting my kids from pr0n or malware or etc., and no more pfblockerNG or pihole adblock filtering.
Re: (Score:2)
What money? None of those people are paying them. Following the money lens following me, not making up random shit. And if you don't like it, use normal dns instead. Such a storm in a teacup
Re: (Score:2)
None.
They have given nobody, anywhere, any reason to think there isn't such a quid-pro-quo, because they have a track history of doing exactly that.
The storm-in-a-teacup is over it being the default.
To those who reasonably distrust the Mozilla Corporation's motives, this is them showing their hand.
It's no storm in a teacup. This is a real issue with a lot of people.
Re: (Score:2)
They have given nobody, anywhere, any reason to think there isn't such a quid-pro-quo, because they have a track history of doing exactly that.
[citation needed]
Re: (Score:2)
Mozilla's business model is to sell their default parameters to people interested in their user base's behavior. [zdnet.com]
I almost have to wonder if you're trolling, or if you legitimately did not know that.
Re: (Score:2)
I think I can see the comparison you're making between a default search provider and defaulting DNS to be funneled to another company by default which is probably interested in your browsing habits. Not that our ISPs aren't also interested in that data. But I didn't distinctly get the impression of anything evil happening by changing one default search to another. Except that I might have preferred seeing one that is supposed to be less of a stalker, like Duck Duck Go maybe.
I'm sure it's not an entirely
Re: (Score:2)
Not that our ISPs aren't also interested in that data.
I'm the senior network engineer at a large regional ISP.
We're not interested in that data. At all.
I care about networks you're going to, and I get that from the layer-3 headers of your traffic, not your DNS queries.
Though, having access to your live DNS queries cuts support call times by over half, I'd estimate. So that's going to be awesome for our front-line support personnel.
(Currently, over half of support calls are internal problems that can generally be located quickly simply by seeing if the custom
Re: (Score:2)
I'm the senior network engineer at a large regional ISP.
We're not interested in that data. At all.
I care about networks you're going to, and I get that from the layer-3 headers of your traffic, not your DNS queries.
Though, having access to your live DNS queries cuts support call times by over half, I'd estimate. So that's going to be awesome for our front-line support personnel.
(Currently, over half of support calls are internal problems that can generally be located quickly simply by seeing if the customer is hitting our resolver)
Perhaps I used too strong wording, and should have said that I assumed ISPs had an interest in the data. I mean, I can certainly understand and appreciate from a diagnostic point of view how this could be useful in a way that directly benefits the user.
My opinion stems from work I did as a contractor (well an employee of a company that contracted out to communications providers) to help build platforms on top of IPTV middle-ware. And while quite a bit different than DNS queries, we were at one point contr
Re: (Score:2)
The big ISPs may be in that business too. I don't know.
All I do know, is that we are not, nor were any of the 6 other ISPs we purchased.
The board would have a very difficult time pushing that through me (and those below me if I capitulated) without a revolt.
Furthermore, I just don't think they'd do it. That's not our business, and it's frankly not something we want to have to throw in
Re: (Score:2)
For what it's worth as a random guy on the internet, I think you are a good actor.
I happen to be Canadian, and ISPs, our choices, how much we spend etc largely depend on prices agreed upon by the big three. (for some reason not touched by our collusion laws)
my story though, that was for a large ISP in the southwestern US, not Canada, but we deal with similar shit here.
It's enough for me to know good actors exist in large corporations, it's never the big ISP that has my back, it's the folk I deal with.
I ap
Far more Relevant though ... (Score:2)
Is how the hell do they plan to enable it by default? Are they going to reach into every Firefox install and change the configuration? Without permission?
This seems to be far more problematic than just using the Homer Simpson protocol. It will be interesting to see this work given that I have specifically disabled the Homer Simpson protocol *AND* the ability for Mozilla to do remote-fuckery with my computer. I guess we shall see what happens ...
Re: (Score:2)
Is how the hell do they plan to enable it by default?
By changing what the defaults are in the next version. If you install or update to a new version of Firefox then you'll have whatever defaults are built into that version. If you don't then you will continue to use the old version with its old defaults.
Are they going to reach into every Firefox install and change the configuration? Without permission?
No, they are not going to remotely change configurations. This is only about defaults. If you chose not to use DoH then you will continue to not use it.
Re: (Score:2)
Of course. But they can also change what you have set on a whim and change whatever setting they want to whatever their little hearts and pocketbooks desire. You can, of course, disable this "remote-management", at least in theory. It is called "app.normandy.enabled" and the default is true. You can set it to false and then Mozilla cannot fuck with your settings via remote control.
Enterprise Fail (Score:1)
Well, that totally screws any organization that uses internal / external DNS views.
Also makes data exfiltration via DNS much, much easier-- the bad guys thank you, Mozilla!
are we 1 step from authoritarian internet? (Score:2)
Is that the direction this is going?
If you don't think that's possible consider that the IRS was auditing people based on their political views in the last administration, and the FBI was spying on and trying to stop opposition to the current party in the 2016 election.
My provider already sees my traffic. (Score:2)
Why do I want a third party to see all my DNS requests? No thank you. Who actually trusts cloudflare? Please keep DNS services spread around multiple companies. Sounds like a DNS take over attempt to me.
Hell at this point why not just give us all dumb terminals and go back to the massive mainframes so that all the data companies can just pull your data from there in real time?
Controlling DoH (TRR) (Score:2)
user_pref("network.trr.mode", 5);
Side effect (Score:5, Informative)
We discovered a minor side effect of DNS over HTTPS: host file overrides no longer work. We believe it's because the resolver is now in the browser and no longer uses the system resolver. IMHO, it's a bug in the DoH implementation that should be fixed.
Re: (Score:2)
I can think of reasons why they would want to do that, but it was very puzzling when we were trying to do some testing
Mozilla is alone in making dishonest statements (Score:2)
"Since our work on DoH began, many browsers have joined in announcing their plans to support DoH"
Mozilla is alone in this scheme to override local DNS resolvers without regard for source and direct all traffic to a different provider. No other browser vendor is doing this. Not even Google.
They are intentionally trying to confuse the issue by leading people to assume some kind of equivalence where absolutely none exist.
What a farce (Score:2)
It follows a year-long effort to test the new security feature, which claims to make browsing the web more secure and private.
FTFY.
Meanwhile, in the real world:
Shouldn't things like this be at the OS level? (Score:4, Interesting)
Re: (Score:3)
What makes you think Firefox can't use the standard OS resolver?
The feature is important. As to why it's not in the OS, why don't you ask the glibc people how difficult it would be to put it into the stack or why they didn't do it yet, instead of making the perfect the enemy of the good.
Re:REAL REASON 4 FORCING HTTPS 4 ALL!!! (Score:5, Insightful)
Here is the main rationale document: https://tools.ietf.org/html/rf... [ietf.org]
It explains the attitude that pervasive monitoring is an attack on computer systems. In other words it expresses the sentiment that, by default, people don't want all their computer activities collected by unnecessary people.
Are Google and Firefox teams being altruistic? Maybe. But the immediate precursor to this whole movement was that the United States National Security Agency infiltrated the Google and other networks to take large amounts of user data, beyond the scope of their mission charter. This was done without court oversight. Also, the leaders of this organization lied to the public. In free societies (whatever that means, usually it is just referring to places where it is possible for people to publicly criticize government) we generally frown on this type of behavior.
Yes, this frustrates the efforts of law enforcement. But not all law enforcement supports justice and humanity. See also: the drug wars, COINTELPRO, and disproportionate use of police force against minorities.
Re: (Score:2)
When it is turned on as the default, I now no longer have control (unless I change the default) that I had using whatever system resolver I may have been using.
Whoever they select as their default provider is now the single place the 5-0 needs to send the warrant.
It doesn't frustrate law enforcement- it helps them.
Who the fuck is my browser manufacturer to unilaterally decide to buck all common sense and good practice and decide to handle its own name
Re: REAL REASON 4 FORCING HTTPS 4 ALL!!! (Score:2)
They have to keep logs of it first.
Re: (Score:1, Troll)
My guess is DoH (what an appropriate name) is being forced because Mozilla can profit or someone is leaning on them. Can't wait for the upcoming systemd alpha release of a DoH module either.
Re: (Score:2)
I mean, HTTPS isn't supposed to hide where you are going, it's supposed to make sure that you ended up where you intended to go. It's also supposed to ensure that you aren't being eavesdropped on, and that the information itself hasn't been tampered with.
But, on the note of HTTPS protecting criminals... I just... *looking into my coffee mug for voice of reason...* =)
Honestly, Government and Law Enforcement shouldn't be assuming every citizen is a criminal, nor should they assume an expectation to privacy i
Typical for humans ... (Score:3)
...they assume others are also like them.
This is why politicians assume everyone's a criminal.
And why Abrahamic religious fundamentalists assume all almost all sex is perverse, everyone is sexually perverted and everyone abuses children.
Re: (Score:2)
What, no terrorism?
Or was that horseman of the infocalypse already unmasked as a boogieman and joke?
The EU public is. (Score:2)
The GDPR is very popular in the EU.
You need to update your self-fulfilling prejudices. *Especially* older people care a *lot* about their privacy.
Half the news is scare stories about privacy breaches, FFS!
Also, yeah, Mozilla just sold its users to Cloudflare for data mining and selling. You can be as sure of that as of the amen in the church.