
posted by Fnord666 on Wednesday February 26 2020, @02:37PM   Printer-friendly
from the and-everyone-else-on-the-network dept.

Arthur T Knackerbracket has found the following story:

Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.

"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.

Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.

Also at:
Mozilla Blog
The Register

Previously:
Firefox Begins Enabling DNS-over-HTTPS for Users



 
  • (Score: 5, Informative) by Anonymous Coward on Wednesday February 26 2020, @05:40PM (13 children)

    by Anonymous Coward on Wednesday February 26 2020, @05:40PM (#962975)

    Seriously, deploying such a solution en masse without any means of domain blocking looks like sabotage of all ad-blocking and malware-blocking facilities. And it's not about the visualization layer, like adblockers do - it's about connecting to a specific server, and this is visible in ISP logs nevertheless. So imagine I don't want to connect to a specific domain and lots of websites have iframes with this domain inserted. What can I do then? Usually, any software domain-based firewall (even DNS filtering in iptables), a hosts file line directed nowhere or, for those who have free electricity, a Pi-hole, worked perfectly for it. But DNS-over-Cloudflare protects the malicious domain owners against these measures.
    Not to mention lots of people who set their own things in the hosts file, for example for network services running on other computers. Solution: Buy a server, roll your own DNS, hire a few admins, pay... guess which company will start to offer these services first?
    And now USA-based Cloudflare, known for actively fighting net anonymity, will join databases with USA-based e.g. Facebook, which spies on all users who unluckily connected to their servers, and that's all about "privacy".
    A redundant version of DNS over Tor seems to be a feasible solution if Mozilla wants to babble about privacy in this layer. An interesting solution was used a few years ago when some malware had a small P2P network set up for CC. It was even possible to run it from behind NAT as it just connected to other IPs as nodes, and it cleverly authorized commands in that they had to come from several nodes with specific modifications. But relying on a single company who just jumped in right off the bat (???CIA funds like with Crypto???) is NOT a "privacy" solution.
    If they still want to supply this "healthy-as-fast-food" privacy, there should be some "GTFO regex" in settings preventing specific domains from being resolved. There is not; this is just another smile towards Internet advertising and malware suppliers.
    If you suspect your ISP spies on you, change the ISP. Vote with your wallet, this is simple.

  • (Score: 4, Insightful) by Anonymous Coward on Wednesday February 26 2020, @05:49PM

    by Anonymous Coward on Wednesday February 26 2020, @05:49PM (#962977)

    If you suspect your ISP spies on you, change the ISP. Vote with your wallet, this is simple.

    For the majority of people, they have limited to no ISP choice. Until there is real competition and multiple players to choose from, this remains hard.

  • (Score: 3, Insightful) by vux984 on Wednesday February 26 2020, @09:04PM (10 children)

    by vux984 (5045) on Wednesday February 26 2020, @09:04PM (#963079)

    Seriously, deploying such a solution en masse without any means of domain blocking looks like sabotage of all ad-blocking and malware-blocking facilities. And it's not about the visualization layer, like adblockers do - it's about connecting to a specific server, and this is visible in ISP logs nevertheless. So imagine I don't want to connect to a specific domain and lots of websites have iframes with this domain inserted. What can I do then? Usually, any software domain-based firewall (even DNS filtering in iptables), a hosts file line directed nowhere or, for those who have free electricity, a Pi-hole, worked perfectly for it. But DNS-over-Cloudflare protects the malicious domain owners against these measures.

    Just about anyone fiddling with software domain-based firewalls, iptables, hosts files, or Pi-holes is paying enough attention to figure out how to uncheck the box in Firefox and resume using their preferred solution.
    And for everyone else, their lives just got slightly less invaded.

    And now USA-based CloudFlare known from actively fighting net anonymity will join databases with USA-based e.g. Facebook which spies on all users who unluckily connected to their servers and that's all about "privacy".

    Read Cloudflare's statements on the subject. The Mozilla deal would preclude that. If you don't trust Mozilla and Cloudflare to honor that deal, then pick a different DoH provider, or turn off DoH.

    You are already trusting someone with your DNS traffic; it's just a question of who. Most people haven't even thought about it. Mozilla has; if you trust Mozilla (which evidently you must, to at least some extent, if you are using the browser), then it's not unreasonable to default to what they recommend. But again, by all means, if you are sophisticated enough to know about the issues and have an actual preference -- you have the option to control these settings.

    If you suspect your ISP spies on you, change the ISP. Vote with your wallet, this is simple.

      Most of us have one or two ISPs to choose from, and I suspect both of them are snooping. The only thing I could do with my wallet to fix this is start a new ISP. And I don't have time and my wallet isn't that big.

    • (Score: 2) by legont on Wednesday February 26 2020, @10:53PM (7 children)

      by legont (4179) on Wednesday February 26 2020, @10:53PM (#963197)

      I actually manually configured mine to use Clodflare. Am I missing something?

      --
      "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
      • (Score: 4, Touché) by Joe Desertrat on Wednesday February 26 2020, @11:10PM (2 children)

        by Joe Desertrat (2454) on Wednesday February 26 2020, @11:10PM (#963204)

        I actually manually configured mine to use Clodflare. Am I missing something?

        A u?

        • (Score: 3, Touché) by PartTimeZombie on Thursday February 27 2020, @02:42AM (1 child)

          by PartTimeZombie (4827) on Thursday February 27 2020, @02:42AM (#963287)

          Hmmm. I can't get Clodflareu to work.

      • (Score: 2) by vux984 on Wednesday February 26 2020, @11:15PM (3 children)

        by vux984 (5045) on Wednesday February 26 2020, @11:15PM (#963206)

        Manually (e.g. by selecting 1.1.1.1 or whatever) or via DNS over HTTPS?

        If you just pointed your DNS queries at Cloudflare, the ISP can still pretty easily record and mine all your DNS traffic via packet inspection because it is not encrypted traffic.
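The distinction drawn in the comment above (and the article's claim that DoH keeps eavesdroppers from seeing what lookups the browser makes) is easy to see on the wire. The following is an added example, not code from the page, from Mozilla or from Cloudflare: it builds a classic UDP/53 query in RFC 1035 wire format, pulls the queried name out of it the way a passive observer (ISP DPI box, pcap) would, and then wraps the identical message in the RFC 8484 GET form a DoH client sends inside TLS. The endpoint URL is the one Firefox's default TRR configuration pointed at; the function names and the sample hostname are this example's own.

```python
"""Plain DNS versus DNS over HTTPS, as seen by a passive observer.
Added example; builds and parses packets offline, sends nothing."""
import base64
import struct
from urllib.parse import urlsplit

# Endpoint Firefox's default DoH ("TRR") configuration used at the time.
MOZILLA_DOH = "https://mozilla.cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """Single-question DNS query in RFC 1035 wire format (qtype 1 = A).
    RFC 8484 recommends txn_id 0 for DoH so responses are cacheable;
    a classic UDP client would pick a random ID instead."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def extract_qname(packet: bytes) -> str:
    """What an unencrypted UDP/53 query hands to anyone on the path:
    the question name in cleartext, 12 bytes into the datagram."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query name
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, endpoint: str = MOZILLA_DOH) -> str:
    """RFC 8484 GET form: same wire-format message, base64url without
    padding, carried as a query parameter inside the TLS session."""
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_decode(url: str) -> bytes:
    """Inverse of doh_get_url, as the resolver does it after TLS termination."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def observer_view(udp_packet: bytes = None, doh_url: str = None) -> str:
    """Summarise what a passive network observer learns in each case."""
    if udp_packet is not None:
        return f"query for {extract_qname(udp_packet)}"
    # With DoH only the resolver's address and the TLS SNI are on the wire;
    # the queried name is inside the encrypted HTTP request.
    return f"TLS to {urlsplit(doh_url).hostname}"


if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample name
    print("UDP/53 :", observer_view(udp_packet=q))
    print("DoH    :", observer_view(doh_url=doh_get_url(q)))
    print("resolver decodes:", extract_qname(doh_decode(doh_get_url(q))))
```

Note what the DoH case does not hide: the resolver sees every name (which is the trust shift vux984 describes, from the ISP to Cloudflare), the ISP still sees the IP addresses you subsequently connect to and the TLS SNI of those connections, and a resolver you reach over plain UDP, 1.1.1.1 included, gives the ISP the same cleartext view as its own resolver would.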

        • (Score: 2) by legont on Thursday February 27 2020, @04:18AM (2 children)

          by legont (4179) on Thursday February 27 2020, @04:18AM (#963312)

          I am aware that ISP could mine unencrypted traffic. My comment was mostly targeted at folks who, it appears, did not like 1.1.1.1 itself so encrypting would not help.
          I hoped that somebody would reply with a trusted DNS server and explain why he thinks it is better.

          --
          "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
          • (Score: 2) by vux984 on Friday February 28 2020, @06:12PM (1 child)

            by vux984 (5045) on Friday February 28 2020, @06:12PM (#964229)

            I'd say it's correct of them to be suspicious of Mozilla & Cloudflare's deal to forward all DNS traffic to Cloudflare. Very little in life is free, and a good deal often isn't.

            Although if you research the deal, it appears to be on the up and up, and Cloudflare has committed to Mozilla and the end users that it isn't going to do anything to commercialize or resell the DoH data. I personally am satisfied by it. Although I personally have no issue with using my home or office ISP for DNS either. (Although I don't necessarily feel the same when I'm mobile.)

            As for alternatives...

            https://en.wikipedia.org/wiki/Public_recursive_name_server [wikipedia.org]

            There's a column for which are doing DoH. I personally don't really endorse any of them over the others. I think Google has enough data without giving them more. AdGuard and Quad9 at first blush look like they might be suitable alternatives that I'd consider, but I am not really familiar with either. And as I said, I don't have an issue with the Mozilla/Cloudflare deal.

            • (Score: 2) by legont on Friday February 28 2020, @10:46PM

              by legont (4179) on Friday February 28 2020, @10:46PM (#964391)

              Thanks. I have similar feelings except that I don't want my ISP to handle my DNS queries. It's not necessarily because I don't trust them. They might be forced to reveal my activities and I simply want to be a smaller target. The office is similar.

              --
              "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 1, Interesting) by Anonymous Coward on Thursday February 27 2020, @12:29AM (1 child)

      by Anonymous Coward on Thursday February 27 2020, @12:29AM (#963242)

      There will be no way to switch to a preferred solution in... let's say 8-10 releases, but this is a loose assumption. The usual method in Mozilla is: First, "we move the preference to about:config". Next, "we delete this as there's an add-on for it", and then "the add-on is not supported anymore", finishing with "we shut down the entire API so you cannot write such an add-on even if you want". Deploying unfinished things is a problem in Mozilla; it was seen when they migrated from 3.6 to 4, when they killed half of the API and said that there would be "Heuristics" for it (never finished), then when passing to Australis, then Quantum; all the time the API is unfinished and unstable. Essential features get added "right in the next release", when they flip the API inside out again. The manpower to keep maintaining plugins and themes becomes less and less within reach of normal users who program useful things and more within reach of companies who gather more data. I do a small open source project. Not a popular one, but I just cannot imagine saying to users of my open source program something like "re-write all your work from the ground up", as I know some people built complex systems with it.

      No, I don't entirely trust Mozilla (as with any software), but I don't see Mozilla as a uniform software group (though it is slowly becoming one). I see that there are initiatives to preserve privacy and to lose it, so there must be some groups with ideas for and against. I use customized forks, but when I use mainline Firefox I customize it too, as out of the box it sends quite a large amount of data and, especially, metadata, which sufficiently replaces the data if captured. And for DNS-over-HTTPS there are numerous questions on the Net, "how do I override the domain X not to be resolved", without reply. Removing a security-important feature without giving any alternative and sticking its head in the sand, pretending that the problem does not exist, is not a good idea.
      And there were times that people were thinking about it and developed alternative solutions, usually ending with nonstandard TLDs resolved by specific servers. There were even some servers here and there for it, as it was decentralized, but it finally shut down with a smaller and smaller number of diverse websites visited per user and made by users.

      If someone has two ISPs to choose from, the best idea is to think about what went wrong when there were more, but a monopoly was chosen.
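On the "how do I override the domain X not to be resolved" question above, and vux984's point that the setting can be turned off: Firefox exposes DoH through the about:config preferences `network.trr.mode` (0 = off, 2 = DoH first with native fallback, which is what the rollout enables, 3 = DoH only, 5 = off by user choice) and `network.trr.excluded-domains` (a comma-separated list; those names and their subdomains are sent to the OS resolver, so hosts-file, Pi-hole and iptables rules apply to them again), with `network.trr.uri` selecting the provider. The following is an added example, not Firefox code: a simplified model of that routing decision plus a renderer for the corresponding `user.js` lines. The suffix-matching rule and the special-casing of `localhost` and dotless names are this example's assumptions about Firefox internals, and the hostnames are constructed.

```python
"""Simplified model of Firefox's DoH ("TRR") routing decision and the
user.js lines that keep chosen names on the OS resolver.
Added example; not Firefox code. Pref names and mode values are the
about:config ones; the matching rules are an assumption."""
from typing import Dict, Iterable, List, Optional

# network.trr.mode values
TRR_OFF = 0            # pre-rollout default: OS resolver only
TRR_FIRST = 2          # rollout default: DoH first, native fallback on failure
TRR_ONLY = 3           # DoH only, no native fallback
TRR_OFF_BY_CHOICE = 5  # user explicitly turned DoH off


def uses_native_resolver(host: str, mode: int, excluded: Iterable[str]) -> bool:
    """True if `host` goes to the OS resolver (hosts file, Pi-hole, iptables
    DNS rules all apply); False if it goes to the DoH endpoint."""
    host = host.rstrip(".").lower()
    if mode in (TRR_OFF, TRR_OFF_BY_CHOICE):
        return True
    # Assumption in this model: localhost and dotless single-label names
    # never leave the machine, matching common resolver behaviour.
    if host == "localhost" or "." not in host:
        return True
    for entry in excluded:
        suffix = entry.strip().lower().lstrip(".")
        # exact match or subdomain match only; "evilhome.lan" is not "home.lan"
        if suffix and (host == suffix or host.endswith("." + suffix)):
            return True
    return False


def route_table(hosts: Iterable[str], mode: int, excluded: Iterable[str]) -> Dict[str, str]:
    """Map each hostname to the path it takes under the given settings."""
    excluded = list(excluded)
    return {h: ("native" if uses_native_resolver(h, mode, excluded) else "doh")
            for h in hosts}


def render_user_js(mode: int, excluded: List[str], uri: Optional[str] = None) -> str:
    """Lines for <profile>/user.js, which Firefox applies at startup."""
    lines = [
        f'user_pref("network.trr.mode", {mode});',
        'user_pref("network.trr.excluded-domains", "{}");'.format(",".join(excluded)),
    ]
    if uri:
        lines.append(f'user_pref("network.trr.uri", "{uri}");')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    HOSTS = ["nas.home.lan", "ads.example.net", "printer", "localhost"]  # constructed
    print("before rollout (mode 0):  ", route_table(HOSTS, TRR_OFF, []))
    print("rollout default (mode 2): ", route_table(HOSTS, TRR_FIRST, []))
    print("mode 2 + home.lan excluded:", route_table(HOSTS, TRR_FIRST, ["home.lan"]))
    print(render_user_js(TRR_FIRST, ["home.lan"]))
```

The rollout default leaves a hosts-file entry for a public-looking name such as `ads.example.net` unused, because Firefox asks the DoH resolver before the OS; the exclusion list restores the old behaviour only for the listed suffixes, and mode 5 restores it for everything. For a whole network, Mozilla also documented a canary domain, `use-application-dns.net`: when the local resolver answers NXDOMAIN for it, Firefox leaves the default DoH rollout disabled on that network (it does not override a user who enabled DoH explicitly).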

      • (Score: 0) by Anonymous Coward on Friday February 28 2020, @11:41AM

        by Anonymous Coward on Friday February 28 2020, @11:41AM (#964066)

        "re-write all your work from ground up"

        The Decentraleyes guy rewrote his from the ground up after the browser API changes, after first announcing he wouldn't. So many of us are grateful.

  • (Score: 0) by Anonymous Coward on Thursday February 27 2020, @04:03AM

    by Anonymous Coward on Thursday February 27 2020, @04:03AM (#963309)

    >If you suspect your ISP spies on you, change the ISP. Vote with your wallet, this is simple.

    Not only a spying problem; the same feature that allows them to track you can be used against you.
    Not all countries are free; just by accessing some sites you may put yourself in danger.
    Some virus may have changed your DNS and be rerouting your traffic to bad servers... DoH may help, as it will not use the OS DNS.
    An ISP or country may be blocking sites by replacing the real DNS with their own (either blocking or inspecting or hijacking).

    This feature is good; we just need more alternative DNS servers. Cloudflare was the first one, and a few months later we already have another alternative. There are others deploying similar services and requesting Firefox inclusion (that can be accepted if the terms are acceptable... whether they fulfill them or not, that is another question).
    Finally, with this feature, it is possible to use our own server, or expand to use some round-robin or random list so DNS can go to different servers from different companies and make yourself even harder to track.