Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Sunday September 08 2019, @10:18PM   Printer-friendly
from the Who-do-YOU-trust? dept.

Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:

DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].

By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].

When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and about any other third-party that tries to intercept and sniff a user's traffic.

Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month

A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."

DNS-over-HTTPS is the next default protection coming to Firefox

Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by The Shire on Monday September 09 2019, @01:48AM (7 children)

    by The Shire (5824) on Monday September 09 2019, @01:48AM (#891489)

    What I'm hearing you say is: "Everyone's privacy is already compromised so it's ok for Mozilla to do it too".

    Nope, not buyin that one. People who originally jumped on with Firefox did so because they are privacy conscious. They may not know how to stop all the other avenues tracking them but they should at least be able to trust that Firefox isn't doing anything nefarious in the background. That trust is now gone. Firefox no longer distinguishes itself from all the other major players that are intentionally and for profit selling the data mining rights to their user base.

    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Disagree=1, Total=4
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 5, Insightful) by vux984 on Monday September 09 2019, @02:22AM (4 children)

    by vux984 (5045) on Monday September 09 2019, @02:22AM (#891502)

    What I'm hearing you say is: "Everyone's privacy is already compromised so it's ok for Mozilla to do it too".

    You have to send your DNS queries out to someone. There's no way around that. If you trust mozilla enough to use their browser, then its not unreasonable to trust them with the DNS queries from the browser.

    Mozilla's chosen provider may not meet your absolutist perfect standards (and who exactly are you using that DOES?!) ; but the cloudflare policies in place are better than 99% of what most people using DNS are getting. Mozilla is not "compromising your privacy", they are sending your DNS queries to an entity that is promising greater privacy than 99% of what most people currently have. They aren't monetizing it, they aren't doing what others are doing with it at all. Cloudflare's policies are pretty reasonable 24 hour retention and some basic aggregate trending is pretty reasonable to maintain a service like this.

    a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better than why are you against it?)
    b) What exactly are you holding up as an even better alternative?

    • (Score: 0) by Anonymous Coward on Monday September 09 2019, @03:16AM

      by Anonymous Coward on Monday September 09 2019, @03:16AM (#891518)

      The fact of the matter is that if this was a random extension that did this, it would be in violation of the A.M.O. guidelines. You may trust Mozilla, the people who make extensions, or both, or neither, but it is hypocritical, at best, to have different standards for the two of them.

    • (Score: 5, Insightful) by The Shire on Monday September 09 2019, @03:35AM (1 child)

      by The Shire (5824) on Monday September 09 2019, @03:35AM (#891524)

      You have to send your DNS queries out to someone.

      The dns root servers are that someone. There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information. If Mozilla really wanted to be privacy conscious they wouldn't have used a for profit firm. In my opinion, Mozilla has been looking desperately for cash streams to pay their increasingly top heavy salaries and Cloudflare is one such revenue source. I suspect the reason Mozilla caved and made hyperlink ping tracking mandatory also involved similar advertiser or aggregator kick backs.

      Like Google, it seems Mozilla built up a user base by promising they can be trusted and when it hit a certain mass they started cashing out in ways that are hard for the end user to see.

      And to answer your questions:

      a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better than why are you against it?)

      Currently, users have control over their networks. Most choose not to exercise that control, but those who do know that when they choose a dns provider it holds true for their entire network. It's expected behavior that the dns on your network applies everywhere. Mozilla is subverting that by inserting hidden non browser functionality into Firefox that is both silent and outside the average persons control. And I say hidden because from what I've seen, there is nothing in the browsers options that someone might see to turn it off or even know it's there. And does anyone really expect an end user to know how to create a "canary domain" that would disable this hidden DoH system? Not a chance, and both Mozilla and Cloudflare know it.

      b) What exactly are you holding up as an even better alternative?

      They could have solved the issue entirely by doing a couple things:
      1) Make it opt in
      2) Provide an easy to find browser option to turn it off - don't deceitfully hide this thing and make it difficult to turn off
      3) If the user opts in, give them a randomized list of DNS providers, with notations about which are "for profit corporations" as well as a place to enter custom providers, and let the user pick the one they want.

      • (Score: 3, Insightful) by SpockLogic on Monday September 09 2019, @12:24PM

        by SpockLogic (2762) on Monday September 09 2019, @12:24PM (#891638)

        There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information.

        That is why I don't use my ISP's DNS nameservers.

        Anyone trust Charter ... Anyone? Anyone?

        --
        Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
    • (Score: 0) by Anonymous Coward on Monday September 09 2019, @05:44PM

      by Anonymous Coward on Monday September 09 2019, @05:44PM (#891760)

      dns is supposed to be handled by the router/router operator, not spirited away by every user's goddamn browser. If this were really for the user it would be a fucking option in the browser settings with custom server option too. it's really that simple.

  • (Score: 2) by vux984 on Wednesday September 11 2019, @04:19PM (1 child)

    by vux984 (5045) on Wednesday September 11 2019, @04:19PM (#892771)

    Thought you might be interested:
    https://www.zdnet.com/article/google-to-run-dns-over-https-doh-experiment-in-chrome/ [zdnet.com]

    It's a different take from Mozilla's to be sure, and its there first dip of the toe in the water.

    • (Score: 2) by The Shire on Wednesday September 11 2019, @06:14PM

      by The Shire (5824) on Wednesday September 11 2019, @06:14PM (#892843)

      And we all know how trustworthy Chrome is /s

      Make no mistake, this is a concerted effort to redirect data mining statistics from ISP's to a few chosen partner providers. They're consolidating a fundemental part of the internet and placing it under the control of these few. They realize that when you control DNS, you control the internet.

      If folks truly understood what was being quietly rolled out here they would be terrified.