Arthur T Knackerbracket has found the following story:
Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome.
The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies."
DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.
"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote.
(Score: 3, Disagree) by exaeta on Monday November 04 2019, @09:12PM (5 children)
The Government is a Bird
(Score: 2, Funny) by fustakrakich on Monday November 04 2019, @09:41PM
DNS over HTTP is a fine mechanism to circumvent organizational wiretapping of DNS queries. I fully support DNS over HTTPS.
Normally I would agree, but Cloudflare? Eventually the ISP's owners will buy them, and then who has all that DNS info?
And this whole HTTPS thing is a joke also. The certs aren't worth the paper they're printed on.
Politics and criminals are the same thing.
(Score: 5, Insightful) by maxwell demon on Monday November 04 2019, @09:59PM (3 children)
The problem isn't exactly that DNS is checked over HTTPS, the problem is that this decision is made on the browser level.
I would have absolutely no problem with a program you install at your computer that makes all the DNS lookups on that computer go through HTTPS. I do have a problem with the browser not using the computer's configured DNS, whatever that is.
And no, it doesn't break just enterprise setups. It breaks every single home router whose web interface is accessed through a local domain name.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Monday November 04 2019, @11:15PM
"A program" which a regular user would not even know about, let alone be able to properly configure, will be used only by a tiny minority. As a consequence, any action against that program, the protocol, and its users, will go through unopposed. Which rather defeats the whole purpose.
Common browser (Chrome) using a common protocol (HTTPS) to a common endpoint (Cloudflare) on the other hand, is where breaking it is "breaking the Internet" for the masses, which isn't yet commonly done. A separate program like you want, could well exist alongside it, and hide in the noise; but its attempting to stand alone will be the very essence of pointless.
(Score: 3, Informative) by exaeta on Tuesday November 05 2019, @04:33PM (1 child)
The Government is a Bird
(Score: 2) by maxwell demon on Tuesday November 05 2019, @05:52PM
Then configure your computer to fetch the DNS from elsewhere. Over HTTPS, from Google, from your friend's private DNS server, it doesn't matter. The point is, the browser is the wrong place for that. Probably you don't even have to do that at your computer; you can configure your home router to use a different DNS server, which will distribute that setting through DHCP.
If I open a page from Firefox, I want to get the IP from the same place as when I use wget. Or links.
And if I make an entry in my hosts file, I want the browser to honour that, too.
What about users of Pi-hole? [wikipedia.org] I'm sure they'll not be amused if all the ads (and possibly malware) suddenly start coming through again, just because the browser no longer honours the settings of the computer.
The Tao of math: The numbers you can count are not the real numbers.
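A worked example, added here and not part of the thread or of any browser's code, of the mismatch maxwell demon describes in the two comments above: the OS resolver path consults the hosts file (where a home router's local name or a Pi-hole style block entry lives) before asking the network, while a browser doing its own DNS over HTTPS (RFC 8484) encodes the same question and sends it straight to a public resolver, which has never heard of the local name and still knows the ad host. The hosts file contents, the names router.home and ads.example, the address 203.0.113.10 and the "public resolver" answers are all constructed for the demo; nothing goes on the network.

```python
import base64
import struct

# Constructed hosts file for the demo: a home router reachable by a local name,
# and an ad host blackholed the way a Pi-hole or a manual hosts entry would do it.
HOSTS_FILE = """\
127.0.0.1    localhost
192.168.1.1  router.home    # router web UI (assumed name)
0.0.0.0      ads.example    # blocked ad host (assumed name)
"""


def hosts_lookup(name, hosts_text=HOSTS_FILE):
    """First step of the OS resolver path: answer from the hosts file if present."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            return addr
    return None


def build_dns_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035), class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(name, resolver="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: the wire query, base64url-encoded with padding stripped.
    This is what leaves the browser; the hosts file plays no part in it."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return resolver + "?dns=" + encoded.decode("ascii")


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes
            return off + 2
        off += 1 + length


def parse_dns_response(msg):
    """Return (rcode, [IPv4 addresses]) from a wire-format DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip qtype + qclass
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def make_response(name, rcode, addrs=()):
    """Constructed answer standing in for what a public DoH resolver would return."""
    question = build_dns_query(name)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) +
        bytes(int(octet) for octet in addr.split("."))
        for addr in addrs)
    return header + question + answers


def compare(name, public_answer):
    """The same name resolved the OS way (hosts file first) and the browser-DoH way."""
    os_result = hosts_lookup(name)
    rcode, addrs = parse_dns_response(public_answer)
    if addrs:
        doh_result = addrs[0]
    else:
        doh_result = "NXDOMAIN" if rcode == 3 else "rcode %d" % rcode
    return {"os": os_result, "doh": doh_result}


if __name__ == "__main__":
    # A public resolver knows nothing about router.home: NXDOMAIN (rcode 3).
    print(compare("router.home", make_response("router.home", 3)))
    # The ad host does exist publicly, so the hosts-file block is simply bypassed.
    print(compare("ads.example", make_response("ads.example", 0, ["203.0.113.10"])))
    print(doh_get_url("router.home"))
```

Running it prints the two outcomes side by side: router.home resolves to 192.168.1.1 through the hosts file and to NXDOMAIN through DoH, and ads.example is 0.0.0.0 (blocked) on the OS path but a real public address on the DoH path, which is exactly why wget and the browser can disagree on the same name. The last line is the URL the browser would actually fetch; the local entries never appear in it.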