SoylentNews is people
SoylentNews
Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:
DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].
By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].
When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and about any other third-party that tries to intercept and sniff a user's traffic.
Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month
A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."
DNS-over-HTTPS is the next default protection coming to Firefox
Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
(Score: 2) by vux984 on Monday September 09 2019, @04:55PM (6 children)
All you know is that mozilla needs funding. It's outright dishonest to claim that mozilla is being paid by cloudfront, or that anyone is selling your data for this without a shred of actual evidence. Especially given that the parties involved have claimed publicly that the data is NOT being monetized, and that all but some same basic aggregate metrics is scrubbed after 24 hours.
In general terms, every single default setting in every single piece of software written amounts to deciding for the users what the least-effort default configuration is going to be. In an ideal world defaults are chosen in the average consumers best interest. Nobody wants to fill out a 200 page questionnaire when they install software.
The issue here I think is that you don't actually believe this is a privacy feature. You appear to believe (without evidence) that this is a data-monetization misfeature masquerading as a privacy feature; and that mozilla and cloudflare are not just monetizing the data but also lying about monetizing the data. And then you are calling it an outrageous invasion of privacy, and that mozilla is selling you out.
Skepticism is healthy, and in engaging with you in this conversation I've learned quite about about the DoH feature that I didn't know. For my part, if anything I'm actually more convinced that its actually a good thing for most people. I don't expect that you'll change your mind, and that's fine.
I don't think you are wrong to have the position that this is a feature that's worth asking about instead of setting a default on. While I understand Mozilla's position on it turning on by default, I am not convinced that they are absolutely right not to ask.
On the other hand I am in general agreement that the software should annoy the user with questions as little as possible.
And I don't really see any value whatsoever in showing my grandmother or my wifes parents a DoH DNS setting prompt and explanation next time they try to use the web. They aren't going to understand it, and they aren't going to read it. Best case they'll try to read it and call me... worst case they'll click on whatever it takes to make it 'go away' so they can get to their webmail etc; and either way they'll be annoyed.
Perhaps there should be an explicit 'advanced mode' and a 'let us manage your settings automatically mode' and when you put it into advanced mode (one time setting), where you get prompts about stuff like this. But now we've made the software more complicated and more expensive to develop, test, and maintain. So that's not a clear win either.
In September 2003, VeriSign introduced a service called Site Finder, which redirected Web browsers to a search service when users attempted to go to nonexistent .com or .net domain names. It was subsequently shut down after controversy.
The notion that the root server operators are altruistic trustworthy operators is unsupportable. Cloudflare is no different, but the policy in place is transparent and reasonable, and if they are found to be in violation of it, I'm pretty optimistic that will be sufficiently scandalous to at least dissuade them; especially given that it operates under the auspices of a 'privacy feature'.
(Score: 2) by The Shire on Monday September 09 2019, @06:33PM (5 children)
The only time you see code that ignores your network settings and intentionally bypasses any filters and firewall rules you may have setup is with malware. Commercial code does not do this. DNS is NOT the purview of the browser. For Mozilla to surreptitiously assume that role in Firefox is beyond the pale IMO. If they want to help people protect their DNS queries then they should have written a standalone app to do so, or at worst create a compartmentalized browser extension for it. This is akin to MS Word silently moving all your documents to onedrive without notice or approval because MS has decided that your desktop hard drive isn't secure enough and that they're doing so is for your own good. A browser has a very specific function - pull content from the web. It's not the role of the browser to ignore your network settings in favor of their own. And it sure as hell shouldn't be doing it silently, without notice or approval, and without having an in app option to turn it off. When a company makes a major change to their software and intentionally hides it, that's not an indication they're doing it for your benefit.
Which is why this should be opt in. You don't override the end users network without permission. If the user wants to take advantage of this DoH option then you make it available in the options menu. You don't make it mandatory. The gall of Mozilla to assume everyone using FireFox knows or wants this "feature" is beyond belief. DNS is not something minor you just take over. DNS is a major function of networking and it's WAY outside the realm of what a browser should be handling. And at the corporate level Mozilla is basically telling all IT dept's to make changes to their operation to accommodate this new browser functionality or risk employees bypassing their filters and firewall. The hubris of Mozilla... it's mind boggling.
Verizon violated the ICANN rules regarding operation of root servers. They were severely maligned and proper root server operations was quickly restored. No operator in the subsequent decade and a half has strayed from those rules. I never said they were altruistically trustworth, I said they were safe because their operations are heavily monitored and regulated and are not operated commercially. Meanwhile Cloudflare, a major for profit corporation, is already delisting domains it deems offensive. When you start seeing those "server not found" errors for the sites you used to get your news from, you think the end user will realize it's Cloudflare censors or will they assume it's the news site that has gone offline. Commercial dns providers have already shown they are willing to censor, now it's a matter of how far they will push it before people start to notice.
I'll say it again - only a fool uses a for profit corporation for their DNS. You're handing them the means to filter what you see and hear, and we already have enough of that bias in the media. Mozilla is feeding the beast and if you thing THEY have altruistic intent then you haven't been watching.
(Score: 2) by vux984 on Monday September 09 2019, @09:48PM (4 children)
"The only time you see code that ignores your network settings and intentionally bypasses any filters and firewall rules you may have setup is with malware. "
Don't be so dramatic This also applies to pretty much all mainstream anti-virus/anti-malware. Take a look at what kaspersky, mcafee, symantec, etc products do.
Firefox also isn't the first browser to contemplate this: Tor browser does it too; so that it doesn't generate DNS lookups from the client.
Given that browsers run in a sandbox, steadily approaching a full virtual machine, in an ongoing effort to secure the browser; is it any surprise or even that surprising that this is happening. I wouldn't be surprised if Google follows suit, but points everyone to their own name servers by default.
Lots of other software I've seen runs all its network traffic through its own proxy services. This is HARDLY revolutionary.
So... "never in the history of the internet" to... "oh yeah Verisign did it, but we got really mad so its ok NOW". That's not the first time we've gotten mad at Verisign, nor the most recent. There was that time in 2010 they got breached and tried to hide it -- I guess that's ok from critical trusted internet infrastructure right? Or that time they siezed 82 domains after a court told them to... paragons of virtue.
Mozilla is assuming joe sixpack DOESN'T know anything about this feature, or how DNS works at all for that matter. And they'd be correct.
It's not mandatory.
It would be overriding the network if it affected anyhting OUTSIDE of the browser. It doesn't.
Hey I agree. P2P distributed DNS for the win. But that's a solution for tomorrow maybe. This is a solution for today.
Most people aren't setup to query the root servers directly via encryption. (Assuming you want to trust the root servers). Most people are querying ISPs and/or Google. THIS is better than THAT.
(Score: 2) by The Shire on Monday September 09 2019, @10:24PM (3 children)
Antivirus software does not override your network settings.
Tor is a product designed to circumvent filters, that's it's purpose. Firefox is not. If Mozilla wants Firefox to behave like Tor them perhaps they should retire Firefox and start promoting Tor as their mainstream browser.
It is mandatory. When the new release arrives it will be on by default and cannot be turned off without doing some fancy footwork on the network, and even then you can't be entirely sure it's turned off. If it's voluntary then it should have an on/off switch in the options dialog but they have already indicated it will not. This is a hidden "feature" designed such that people will be unaware their queries are being redirected. IMO it's behavior is that of malware.
Browser functionality is an integral part of enterprise and personal interaction on the internet. Until now, browsers have behaved like all internet enabled apps - they use the system networking configuration. To silently override it is going to cause all manner of confusion when intranets cease to function because the browser isn't using the local dns. And when you choose to telecommute but your browser isn't working with the company network even though you have your dns pointed at it because the browser is quietly ignoring your preferences.
Look, a browser is a network application. By design it should use your networks configuration not go rogue. And this "solution" doesn't even fix the problem. It's of no consequence if your ISP is collecting your DNS query data or Cloudflare is. Don't forget that all HTTPS connections can already be monitored by your ISP by extracting the plain text SNI connection information - so they already know the domain you're going to hit. All Mozilla is doing is handing than same data to yet another 3rd party, Cloudflare. It doesn't benefit the end user it harms them by spreading their data to yet another profit motivated data miner. This only benefits Mozilla and Cloudflare. There is no helping hand here - there's only forced data mining.
(Score: 2) by vux984 on Tuesday September 10 2019, @01:11AM (2 children)
Many Antivirus packages include full on VPN services that route all your traffic through the A/V providers site; under the guise of 'network security features' to protect you when on wifi and so forth. Then they install certificates and proxy the sites you visit so that they can scan the pages for malware content before your browser gets them. Your browser doesn't even see the certificates the site hosts if you click the certificate information you'll see the a/v vendor certificates. This is also under the auspices of protection.
That's overriding your network settings in my books.
Are you sure? My reading is that it will be switched on by default, and the fancy footwork on the network is to allow you signal to firefox with it turned on to not use it there WHILE its still enabled. But that the user can still turn it off manually. Where did you read that it would not be something that you could turn off? I am willing to concede that point if you can cite it; and it would even go a long way to convincing me that mozilla is in the wrong here.
Encrypted SNI is a thing; and that is a component this endeavour...
https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/ [mozilla.org]
Depends who you trust; and where you are; and who that ISP is. Some are are substituteable with cloudflare but most are worse.
A data miner scrubbing your data after 24 hours as part of this service. If you want to refuse to beleive they are doing it because you don't like cloudflare, or something that's fine. But if they are doing what they publicly commit to doing, what exactly is the problem? Oh, and you can ALSO select a different DOH provider it doesn't have to be cloudflare. That's not forced either.
(Score: 2) by The Shire on Tuesday September 10 2019, @01:32AM (1 child)
You must admit this discussion is getting a little tedious. I think we understand each others positions.
I don't believe for a moment that Mozilla or Cloudflare's motivations are any more than finding ways to improve their market share, data mine as much of the nets traffic as possible, and of course make money.
You seem to believe that both companies believe they can save end users from themselves and it's all about helping the little guy.
One of us is wrong.
(Score: 2) by vux984 on Tuesday September 10 2019, @03:49PM
I don't think it is quite as either-or as you put it though, but sure, I'm good to agree to disagree. And see how it plays out.
I am also still very curious where you saw that Mozilla said they wouldn't let you turn it off via a setting?!