posted by martyb on Sunday September 08 2019, @10:18PM
from the Who-do-YOU-trust? dept.

Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:

DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].

By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].

When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and about any other third-party that tries to intercept and sniff a user's traffic.

Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month

A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."

DNS-over-HTTPS is the next default protection coming to Firefox

Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
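As an added example (not from the articles quoted above and not Firefox's own code), the following Python builds an RFC 8484 DoH GET request for a name and shows the NXDOMAIN check a DoH client can run against a canary name to decide whether to keep DoH on or fall back to the operating-system resolver. The resolver URL is a constructed placeholder; use-application-dns.net is the canary name Mozilla documents for network operators who want Firefox to disable DoH on their network.

```python
import base64
import struct

# Constructed placeholder resolver URL (not a real DoH endpoint).
DOH_RESOLVER = "https://doh.example/dns-query"
# Canary name Mozilla documents for network operators who want Firefox to
# disable DoH: an NXDOMAIN answer for it is the "turn DoH off" signal.
CANARY_DOMAIN = "use-application-dns.net"
TYPE_A = 1
CLASS_IN = 1
RCODE_NXDOMAIN = 3


def encode_qname(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, root terminator)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Build a DNS query message. ID is fixed to 0 as RFC 8484 recommends so the
    same question always yields the same URL and HTTP caches can serve it."""
    # flags 0x0100: QR=0 (query), RD=1 (recursion desired); one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: the wire query, base64url-encoded with padding removed,
    carried in the 'dns' query parameter of an ordinary HTTPS URL."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def response_rcode(msg: bytes) -> int:
    """Return the RCODE of a DNS response message (rejects non-responses)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    if not flags & 0x8000:  # QR bit clear: this is a query, not a response
        raise ValueError("not a DNS response")
    return flags & 0x000F


def doh_should_stay_enabled(canary_response: bytes) -> bool:
    """Decision rule for the canary probe: NXDOMAIN means the local network
    asked for DoH to be disabled, so the client should fall back to OS DNS."""
    return response_rcode(canary_response) != RCODE_NXDOMAIN


def make_response(query: bytes, rcode: int) -> bytes:
    """Constructed sample response: mirror the query header with QR and RA set,
    the requested RCODE, and the question section copied through."""
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | 0x0080 | (rcode & 0x000F)
    return struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    print(doh_get_url(DOH_RESOLVER, "example.com"))
    probe = build_query(CANARY_DOMAIN)
    blocked = make_response(probe, RCODE_NXDOMAIN)
    allowed = make_response(probe, 0)
    print("network blocks DoH:", not doh_should_stay_enabled(blocked))
    print("network allows DoH:", doh_should_stay_enabled(allowed))
```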

  • (Score: 5, Insightful) by Fishscene on Sunday September 08 2019, @10:57PM (33 children)

    by Fishscene (4361) on Sunday September 08 2019, @10:57PM (#891437)

    So Firefox by default is going to start leaking my internal network information to an untrusted (to me) 3rd party? And introduce DNS lookup delays as well?

    I've been a long time Firefox supporter. But this. This is where I drop Firefox. But what to turn to? Edge? Chrome is not an option.

    --
    I know I am not God, because every time I pray to Him, it's because I'm not perfect and thankful for what He's done.
  • (Score: 2) by Booga1 on Sunday September 08 2019, @11:08PM

    by Booga1 (6333) on Sunday September 08 2019, @11:08PM (#891439)

    Looks like you can follow these instructions to disable from the DNS/network side of things: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https [mozilla.org]

  • (Score: 3, Interesting) by Runaway1956 on Sunday September 08 2019, @11:10PM (23 children)

    by Runaway1956 (2926) Subscriber Badge on Sunday September 08 2019, @11:10PM (#891440) Journal

    So do DoH manually, and set your own DNS server(s). You can click through the links in TFS and TFA to find this page: https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/ [zdnet.com]

    Or, you can do a search, and the first hit I got with the duck was the link you could have found by clicking through.

    https://duckduckgo.com/?q=enable+DoH+DNS+over+HTTPS+firefox&atb=v138-7&ia=web [duckduckgo.com]

    I've been doing DoH for months now, and I believe that I used the ghack link to guide me - https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ [ghacks.net]

    You don't trust Firefox, cool. But, the information is available so that you can bypass Firefox.

    • (Score: 4, Informative) by The Shire on Monday September 09 2019, @12:22AM (22 children)

      by The Shire (5824) on Monday September 09 2019, @12:22AM (#891464)

      The unwashed masses have no idea what this change means if they even hear about it at all. Both Mozilla and Cloudflare are counting on the fact that few will know how to override this. Silently taking over the end user's DNS settings with an "on by default" override is no different than installing a keylogger. Mozilla is rolling out software that will silently redirect all your DNS traffic to a 3rd party of their choosing. This can be classified as malware activity in my book.

      I know how to override this, you know how to override this, but everyone else is a victim of what I would classify as criminal activity.

      • (Score: 4, Insightful) by vux984 on Monday September 09 2019, @12:51AM (8 children)

        by vux984 (5045) on Monday September 09 2019, @12:51AM (#891470)

        The unwashed masses have no idea what this change means

        The "unwashed masses" are already having their DNS data slurped up by their ISP and google (8.8.8.8) or whatever etc.

        Silently taking over the end users dns settings with an "on by default" override is no different than installing a keylogger.

        Maybe... If the keylogger they install replaces the keylogger you already have installed that sends all its keystrokes to your ISP with one that sends all your keystrokes to a new place that explicitly promises not to use them.

        Where the keylogger analogy breaks down is that you don't NEED all your keystrokes logged online; but you kind of DO need all your DNS queries handled.

        but everyone else is a victim of what I would classify as criminal activity.

        Again, they already are victims. And this probably victimizes them less.

        Both Mozilla and Cloudflare are counting on the fact that few will know how to override this.

        If you don't know how to override this then you are probably already a victim. Mozilla is trying to make a bad situation less bad.

        • (Score: 5, Insightful) by The Shire on Monday September 09 2019, @01:48AM (7 children)

          by The Shire (5824) on Monday September 09 2019, @01:48AM (#891489)

          What I'm hearing you say is: "Everyone's privacy is already compromised so it's ok for Mozilla to do it too".

          Nope, not buyin that one. People who originally jumped on with Firefox did so because they are privacy conscious. They may not know how to stop all the other avenues tracking them but they should at least be able to trust that Firefox isn't doing anything nefarious in the background. That trust is now gone. Firefox no longer distinguishes itself from all the other major players that are intentionally and for profit selling the data mining rights to their user base.

          • (Score: 5, Insightful) by vux984 on Monday September 09 2019, @02:22AM (4 children)

            by vux984 (5045) on Monday September 09 2019, @02:22AM (#891502)

            What I'm hearing you say is: "Everyone's privacy is already compromised so it's ok for Mozilla to do it too".

            You have to send your DNS queries out to someone. There's no way around that. If you trust Mozilla enough to use their browser, then it's not unreasonable to trust them with the DNS queries from the browser.

            Mozilla's chosen provider may not meet your absolutist perfect standards (and who exactly are you using that DOES?!); but the Cloudflare policies in place are better than 99% of what most people using DNS are getting. Mozilla is not "compromising your privacy", they are sending your DNS queries to an entity that is promising greater privacy than 99% of what most people currently have. They aren't monetizing it, they aren't doing what others are doing with it at all. Cloudflare's policies are pretty reasonable: 24-hour retention and some basic aggregate trending is pretty reasonable to maintain a service like this.

            a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better, then why are you against it?)
            b) What exactly are you holding up as an even better alternative?

            • (Score: 0) by Anonymous Coward on Monday September 09 2019, @03:16AM

              by Anonymous Coward on Monday September 09 2019, @03:16AM (#891518)

              The fact of the matter is that if this was a random extension that did this, it would be in violation of the A.M.O. guidelines. You may trust Mozilla, the people who make extensions, or both, or neither, but it is hypocritical, at best, to have different standards for the two of them.

            • (Score: 5, Insightful) by The Shire on Monday September 09 2019, @03:35AM (1 child)

              by The Shire (5824) on Monday September 09 2019, @03:35AM (#891524)

              You have to send your DNS queries out to someone.

              The DNS root servers are that someone. There's no good reason to send your queries to a for-profit corporation that admits they collect and aggregate your information. If Mozilla really wanted to be privacy conscious they wouldn't have used a for-profit firm. In my opinion, Mozilla has been looking desperately for cash streams to pay their increasingly top-heavy salaries and Cloudflare is one such revenue source. I suspect the reason Mozilla caved and made hyperlink ping tracking mandatory also involved similar advertiser or aggregator kickbacks.

              Like Google, it seems Mozilla built up a user base by promising they can be trusted and when it hit a certain mass they started cashing out in ways that are hard for the end user to see.

              And to answer your questions:

              a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better, then why are you against it?)

              Currently, users have control over their networks. Most choose not to exercise that control, but those who do know that when they choose a DNS provider it holds true for their entire network. It's expected behavior that the DNS on your network applies everywhere. Mozilla is subverting that by inserting hidden non-browser functionality into Firefox that is both silent and outside the average person's control. And I say hidden because from what I've seen, there is nothing in the browser's options that someone might see to turn it off or even know it's there. And does anyone really expect an end user to know how to create a "canary domain" that would disable this hidden DoH system? Not a chance, and both Mozilla and Cloudflare know it.

              b) What exactly are you holding up as an even better alternative?

              They could have solved the issue entirely by doing a couple things:
              1) Make it opt in
              2) Provide an easy to find browser option to turn it off - don't deceitfully hide this thing and make it difficult to turn off
              3) If the user opts in, give them a randomized list of DNS providers, with notations about which are "for profit corporations" as well as a place to enter custom providers, and let the user pick the one they want.

              • (Score: 3, Insightful) by SpockLogic on Monday September 09 2019, @12:24PM

                by SpockLogic (2762) on Monday September 09 2019, @12:24PM (#891638)

                There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information.

                That is why I don't use my ISP's DNS nameservers.

                Anyone trust Charter ... Anyone? Anyone?

                --
                Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
            • (Score: 0) by Anonymous Coward on Monday September 09 2019, @05:44PM

              by Anonymous Coward on Monday September 09 2019, @05:44PM (#891760)

              DNS is supposed to be handled by the router/router operator, not spirited away by every user's goddamn browser. If this were really for the user it would be a fucking option in the browser settings with a custom server option too. It's really that simple.

          • (Score: 2) by vux984 on Wednesday September 11 2019, @04:19PM (1 child)

            by vux984 (5045) on Wednesday September 11 2019, @04:19PM (#892771)

            Thought you might be interested:
            https://www.zdnet.com/article/google-to-run-dns-over-https-doh-experiment-in-chrome/ [zdnet.com]

            It's a different take from Mozilla's to be sure, and it's their first dip of the toe in the water.

            • (Score: 2) by The Shire on Wednesday September 11 2019, @06:14PM

              by The Shire (5824) on Wednesday September 11 2019, @06:14PM (#892843)

              And we all know how trustworthy Chrome is /s

              Make no mistake, this is a concerted effort to redirect data mining statistics from ISPs to a few chosen partner providers. They're consolidating a fundamental part of the internet and placing it under the control of these few. They realize that when you control DNS, you control the internet.

              If folks truly understood what was being quietly rolled out here they would be terrified.

      • (Score: 2) by c0lo on Monday September 09 2019, @12:51AM (11 children)

        by c0lo (156) Subscriber Badge on Monday September 09 2019, @12:51AM (#891471) Journal

        The unwashed masses have no idea... Both Mozilla and Cloudflare are counting on the fact that few will know how to override this...

        (I'll let aside the derogatory term)
        As many of them aren't aware of what they are losing by using FB, Twitter and others, and are happily using them, in spite of having worse effects than DoH.

        This can be classified as malware activity in my book.
        ... but everyone else is a victim of what I would classify as criminal activity.

        Maybe it's a pity your definition is not shared by everyone; but I can't help noting that it seems to be quite inconsequential to how the "public-at-large accessible" Internet evolves.

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 3, Insightful) by The Shire on Monday September 09 2019, @01:44AM (10 children)

          by The Shire (5824) on Monday September 09 2019, @01:44AM (#891487)

          Firefox users, by and large, were attracted to the browser for privacy reasons - an alternative to the invasive Chrome browser. It's not derogatory to assume that most people are not technically savvy, just as it's not derogatory to assume that most people aren't surgeons. Technical details at this level will make most people's eyes glaze over. But not being technically savvy doesn't mean they can't show a desire for privacy by choosing Firefox. And it is a betrayal of that trust for Mozilla to push a narrative of "enhanced privacy" when they are in fact undermining that privacy for profit.

          If Mozilla wants to take the high road then they should go with an "opt in" process. When folks update their copy of Firefox, present them with the facts and then ASK THEM if they want to turn over control of their name server. Don't sneak it in quietly, hide it from the options dialog, and require them to perform highly technical gymnastics in order to turn it off.

          Again, this is the company that is mandating hyperlink tracking in an upcoming release. No overrides. And again they're touting it as "privacy enhancing" because if everyone is tracked somehow you're more protected.

          Mozilla has lost their way. They're in it for the money now. There's no difference between them and Google Chrome anymore.

          • (Score: 2) by c0lo on Monday September 09 2019, @01:53AM (8 children)

            by c0lo (156) Subscriber Badge on Monday September 09 2019, @01:53AM (#891490) Journal

            It's not derogatory to assume that most people are not technically savvy, just as it's not derogatory to assume that most people aren't surgeons.

            "Unwashed masses" has a strong derogatory connotation, dontcha think?

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 3, Informative) by The Shire on Monday September 09 2019, @02:16AM (5 children)

              by The Shire (5824) on Monday September 09 2019, @02:16AM (#891497)

              It's a generalized term referring to anyone who doesn't have a high skill at the subject profession. I wouldn't be offended if a group of physicians referred to people like myself as part of the "unwashed masses" because I have none of the training they have in the field. So no, I don't consider it derogatory at all.

              But that's just, like, my opinion man.

              • (Score: 2) by c0lo on Monday September 09 2019, @02:35AM

                by c0lo (156) Subscriber Badge on Monday September 09 2019, @02:35AM (#891507) Journal

                It's a generalized term...

                Maybe in your culture, but it's not safe to expect everybody to share it.

                But that's just, like, my opinion man.

                The "(I'll let aside the derogatory term)"... in my mind, it should be a culture independent sign that the matter doesn't bear relevance over the main discussion.
                But that's just, like, my opinion, man (grin)

                --
                https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
              • (Score: 2) by janrinok on Monday September 09 2019, @06:52PM (3 children)

                by janrinok (52) Subscriber Badge on Monday September 09 2019, @06:52PM (#891811) Journal

                So no, I don't consider it derogatory at all

                Well many people do, myself included.

                And I don't think that I want to hear the sort of things that you do think are derogatory.

                • (Score: 2) by The Shire on Monday September 09 2019, @10:09PM (2 children)

                  by The Shire (5824) on Monday September 09 2019, @10:09PM (#891899)

                  Too many people failed to develop a thick skin and self confidence in their youth. Being offended is not necessarily a bad thing, it gives you a chance to decide if it was warranted and perhaps you should do something about it. And no one is safe from conflict in this world, especially of the verbal variety.

                  • (Score: 2) by janrinok on Tuesday September 10 2019, @02:39AM (1 child)

                    by janrinok (52) Subscriber Badge on Tuesday September 10 2019, @02:39AM (#892030) Journal

                    My youth is so far behind me that I can happily discount that as a cause of my finding your comment offensive. I'm retired now. However, the original phrase was intended to be an insult to the working class. [phrases.org.uk]

                    This rather disparaging term was coined by the Victorian novelist and playwright Edward Bulwer-Lytton. He used it in his 1830 novel Paul Clifford:

                    "He is certainly a man who bathes and ‘lives cleanly’, (two especial charges preferred against him by Messrs. the Great Unwashed)."

                    • (Score: 2) by Bot on Tuesday September 10 2019, @09:53PM

                      by Bot (3902) on Tuesday September 10 2019, @09:53PM (#892399) Journal

                      ok but now the working class is us bots and we don't wash indeed. So you can feel vindicated, unlubed masses.

                      --
                      Account abandoned.
            • (Score: 0) by Anonymous Coward on Monday September 09 2019, @02:18AM (1 child)

              by Anonymous Coward on Monday September 09 2019, @02:18AM (#891499)

              Have you smelled people?

              • (Score: 2) by c0lo on Monday September 09 2019, @02:29AM

                by c0lo (156) Subscriber Badge on Monday September 09 2019, @02:29AM (#891505) Journal

                No

                --
                https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by number11 on Monday September 09 2019, @06:18AM

            by number11 (1170) Subscriber Badge on Monday September 09 2019, @06:18AM (#891563)

            Firefox users, by and large, were attracted to the browser for privacy reasons
            I doubt that. People, by and large, were attracted to FF because of the feature set. Those who are after privacy are likely using Brave, the DDG browser, EPIC, Safari, Chromium, or Tor. And probably a VPN.

            It's not derogatory to assume that most people are not technically savvy
            Of course not. Most people are not savvy enough to even change the DNS setting from the default, they don't even understand what DNS is. Most people don't understand (or care) that Facebook and/or Google spies on everything they do. And you expect them to change the settings to a more private DNS?

            My ISP doesn't know what my DNS queries are, because I use a VPN that has its own DNS and swears that they don't log queries. But you gotta trust someone, somewhere, and I have decided to trust them. You seem to think that Cloudflare is less trustworthy than Comcast, AT&T, CenturyLink. I think it is not possible to be less trustworthy than those companies (unless maybe your name is Zuckerberg).

      • (Score: 0) by Anonymous Coward on Monday September 09 2019, @08:22AM

        by Anonymous Coward on Monday September 09 2019, @08:22AM (#891586)

        The unwashed masses have no idea what this change means if they even hear about it at all. Both Mozilla and Cloudflare are counting on the fact that few will know how to override this.

        On the plus side, it may actually help with DNSSEC validation.

        The unwashed masses are too busy with their bullshit anyway to worry about securing basics like DNS. And I'm talking about the admins here too.

  • (Score: 3, Insightful) by c0lo on Sunday September 08 2019, @11:15PM (5 children)

    by c0lo (156) Subscriber Badge on Sunday September 08 2019, @11:15PM (#891444) Journal

    But what to turn to? Edge? Chrome is not an option.

    Good old lynx [wikipedia.org]?

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 3, Informative) by Runaway1956 on Sunday September 08 2019, @11:43PM (4 children)

      by Runaway1956 (2926) Subscriber Badge on Sunday September 08 2019, @11:43PM (#891451) Journal

      Let us remember that Chromium is open sourced, and other people are compiling Chrome without Google's default tracking and crap.

      https://www.zdnet.com/pictures/all-the-chromium-based-browsers/ [zdnet.com]

      I use Iridium a lot. I did use Iron browser, but started having issues.

      https://iridiumbrowser.de/ [iridiumbrowser.de]

      I did use Iron browser, but started having issues. There's the new Opera, Vivaldi, Brave, Blisk (which I never heard of until I just did this search), Colibri, Epic, and Ungoogled Chromium (another new one, to me). There are a couple dozen more on that zdnet page, which didn't warrant their own analysis pages. Pick your poison. Or, take them all for a test drive before choosing.

      • (Score: 2) by legont on Monday September 09 2019, @04:54AM (3 children)

        by legont (4179) on Monday September 09 2019, @04:54AM (#891549)

        I am using Waterfox lately. I like it. The problem though is that many financial websites refuse to work with it on security grounds - they ask to upgrade to the latest Firefox. I ended up using Chrome for those because at that point everything is already tracked to death.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
        • (Score: 3, Interesting) by Runaway1956 on Monday September 09 2019, @09:21AM (2 children)

          by Runaway1956 (2926) Subscriber Badge on Monday September 09 2019, @09:21AM (#891602) Journal

          Good point. Not all sites work as well with all browsers. At some point, you have to make compromises.

          As I've pointed out before, I have several browsers installed. Half a dozen Firefox derivatives, half a dozen more Chrome-likes, and a couple ancient oddballs that have their own peculiarities.

          Only one of those browsers has any persistent data in its settings. When I have to visit a financial page, I use that browser, so that I can access my long-ass passwords, etc. I don't use that browser to browse, to listen to videos, or much of anything else. It's there to deal with "official" sites. No other browser knows where to look for financial information, or those passwords, or even user names for those sites. What's more, using multiple browsers makes it more difficult to be fingerprinted, or tracked via other methods. I have little idea if my bank makes any attempt to track my browsing and shopping online, but if none of that data is contained within my browser used for banking, then that browser cannot give them that data.

          All of that may sound a bit paranoid, huh? Well, yeah, I think we have reason to be paranoid. If you aren't at least a 3 paranoid on a scale of 1 to 10, then you're not paying attention to the world around you. :^)

          • (Score: 3, Interesting) by legont on Monday September 09 2019, @06:45PM (1 child)

            by legont (4179) on Monday September 09 2019, @06:45PM (#891805)

            I use virtual machines for different purposes. For finance and such, I have a dedicated one that I use for nothing else. Even then, I don't trust my browser with passwords. I wrote my own little password generator many years ago and I use it. Not that it is better than others available, but I am protected by obscurity here.

            Other virtual machines I typically have are the main one for general browsing and work, and one for visiting dangerous places. The host OS is just lightly used - mostly to show something to the border agents.

            I do need a better DNS solution though.

            --
            "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
            • (Score: 2) by Runaway1956 on Monday September 09 2019, @07:38PM

              by Runaway1956 (2926) Subscriber Badge on Monday September 09 2019, @07:38PM (#891837) Journal

              mostly to show something to the border agents.

              I like that. ;^)

  • (Score: 2) by Common Joe on Monday September 09 2019, @09:29AM

    by Common Joe (33) on Monday September 09 2019, @09:29AM (#891605) Journal

    You probably don't want Edge. Microsoft gave up and they're putting in the Chrome engine. Unfortunately, I have no good suggestions. I'm pretty fed up with all operating systems and all web browsers.

  • (Score: 2) by Chocolate on Tuesday September 10 2019, @03:42AM

    by Chocolate (8044) on Tuesday September 10 2019, @03:42AM (#892050) Journal

    Try https://ipleak.net [ipleak.net]

    It probably already does so via WebRTC

    --
    Bit-choco-coin anyone?