Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:
DoH (IETF RFC 8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data, and because those requests travel inside TLS they are encrypted in transit. [DNS-over-TLS, aka DoT, is a different protocol: it carries DNS over a dedicated TLS connection rather than inside HTTPS.]
By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].
When DoH support is enabled in Firefox, the browser will ignore the DNS settings set in the operating system for its own lookups and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and just about any other third party that tries to intercept and sniff a user's traffic.
Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month
A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year listed as potential concerns that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government-mandated regulation or court orders. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."
DNS-over-HTTPS is the next default protection coming to Firefox
Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
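The mechanics the ZDNet excerpts describe (a wire-format DNS query carried as an HTTPS request to a DoH resolver, and the "fallback mode" that reverts to the OS resolver when the DoH lookup fails, plus the network-side opt-out that the canary-domain mechanism provides), as an added example that is not Mozilla's, Cloudflare's or the article's code. The resolver URL is RFC 8484's own example host, the canary-domain name is taken from the Mozilla support page linked later in the thread (assumed unchanged), the HTTP transport and OS resolver are injected callables, and the answer message is constructed inline so the whole thing runs offline:

```python
"""RFC 8484 DoH query construction, response parsing and Firefox-style fallback.
Added example, not Mozilla's, Cloudflare's or ZDNet's code. Assumptions not from
the page: resolver URL, canary domain name, injected transport and OS resolver."""
import base64
import struct

# Mozilla's documented canary (assumption: unchanged): a network whose own
# resolver answers NXDOMAIN for it asks Firefox not to use DoH there.
CANARY_DOMAIN = "use-application-dns.net"


def encode_name(name):
    """Dotted name -> DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Wire-format query. ID is 0 (RFC 8484 s4.1) so identical queries from
    different clients share one HTTP cache key; RD=1, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base, wire):
    """GET form: base64url with the '=' padding stripped (RFC 8484 s6)."""
    return base + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                 # bounded: a pointer loop must not hang us
        ln = msg[off]
        if ln & 0xC0 == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return (rcode, list of A-record addresses as dotted strings)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                         # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def build_response(name, addrs, rcode=0):
    """Constructed answer for the offline demo (QR/RD/RA set, owner compressed)."""
    msg = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return msg


def network_opts_out(native):
    """Canary check: NXDOMAIN (None) from the OS resolver means 'no DoH here'."""
    return native(CANARY_DOMAIN) is None


def resolve(name, doh, native, base):
    """'Fallback mode' as the summary describes it: DoH first; if the DoH lookup
    fails (transport error or non-zero rcode here), use the OS resolver.
    doh(url) -> response bytes; native(name) -> list of addresses or None."""
    if network_opts_out(native):
        return native(name), "native (network opted out)"
    try:
        rcode, addrs = parse_response(doh(doh_get_url(base, build_query(name))))
        if rcode == 0:
            return addrs, "doh"
    except (OSError, ValueError, struct.error, IndexError):
        pass
    return native(name), "native (fallback)"


def demo():
    """Wire constructed fakes together and return the three outcomes."""
    base = "https://dnsserver.example.net/dns-query"   # RFC 8484's example host
    os_table = {"example.com": ["192.0.2.1"], CANARY_DOMAIN: ["192.0.2.2"]}
    native = lambda n: os_table.get(n)                 # None stands for NXDOMAIN
    opted_out = lambda n: None if n == CANARY_DOMAIN else os_table.get(n)
    good_doh = lambda url: build_response("example.com", ["198.51.100.7"])

    def broken_doh(url):
        raise OSError("resolver unreachable")
    return {"doh": resolve("example.com", good_doh, native, base),
            "fallback": resolve("example.com", broken_doh, native, base),
            "canary": resolve("example.com", good_doh, opted_out, base)}
```

Two things worth noticing. The encoded `www.example.com` query reproduces the `?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB` string from RFC 8484 itself, which is why the ID is fixed at 0: a per-query random ID would defeat the HTTP-level caching the GET form is meant to enable. And the canary is answered by whichever resolver the OS is pointed at, so any party that controls that resolver (the network operator, or an on-path attacker who can spoof its replies) can switch a fallback-mode client back to plain DNS; that is the intended opt-out and also the cost of this design.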
Related Stories
Arthur T Knackerbracket has found the following story:
Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.
"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."
DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.
Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.
Also at:
Mozilla Blog
The Register
Previously:
Firefox Begins Enabling DNS-over-HTTPS for Users
(Score: -1, Spam) by Anonymous Coward on Sunday September 08 2019, @10:20PM (3 children)
http://www.camhub.cc/get_image/2/de75e822e327e574d0e14376e73ce36b/main/9999x9999/0/356/18172.jpg/ [camhub.cc]
(Score: -1, Offtopic) by Anonymous Coward on Sunday September 08 2019, @10:29PM
we love katy takyon
(Score: 0) by Anonymous Coward on Monday September 09 2019, @03:46AM (1 child)
The white balance in that pic is seriously screwed up. Otherwise, sorry takyon, but you are at best a 7/10. (If the wb is correct drop that to 4. That color is weird.)
(Score: 2) by Chocolate on Tuesday September 10 2019, @03:40AM
Are you serious? Minimum 8, probably a 9
Also, that looks to be the wrong ethicality for Takky
Is this a dnsoverhttps test?
Bit-choco-coin anyone?
(Score: -1, Troll) by Anonymous Coward on Sunday September 08 2019, @10:29PM (1 child)
If you try to connect to a site that doesn't meet their CoC, it shuts down your computer.
(Score: 1, Funny) by Anonymous Coward on Sunday September 08 2019, @10:31PM
To visit site, you must swallow the CoC.
(Score: 1, Interesting) by Anonymous Coward on Sunday September 08 2019, @10:51PM (11 children)
My DNS already filters out 18,000 sites. I do not want tracking sites and crap pages that Mozilla will allow to work again.
What is Mozilla doing??? Being the Google? or the Facebook?
(Score: 4, Interesting) by c0lo on Sunday September 08 2019, @11:12PM (9 children)
Then disable it [mozilla.org], you can still do it ATM (or should I say: "while you can"?).
This is not to say that the potential of evil isn't there or is benign:
---
A case of mixed blessing and curse:
1. on one side, the potential of by-passing the ISP-imposed blocks is... ummm.... fine for the moment
2. on the other side, I do hope they will maintain the capability to pick a user custom DoH provider [mozilla.org] and write-enabled access for the exception list [mozilla.org] for the future. The "Note: Do not remove any domains from the list." in the latest link is a bit worrisome.
Overall, I'm a bit pessimistic on the future: it looks like the trend is to increase the control over the fundamental technologies of the Internet-as-we-know-it.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Sunday September 08 2019, @11:51PM (1 child)
A UK ISP implementing the UK censorship scheme throwing a fit over this is natural. You singing along is strange, to say the least.
(Score: 2) by c0lo on Monday September 09 2019, @12:16AM
What exactly made you say that? I don't think anything inside my post says "I sing along with that".
Maybe because I used a double negation? (the "not to say that the potential of evil isn't there"? As in "I'm implying that there may be evil in the future", 'cause ATM one still has enough control to get around).
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Monday September 09 2019, @02:29AM (3 children)
What do you mean "while you still can"? You have the source, don't you?
(Score: 2) by c0lo on Monday September 09 2019, @02:40AM (2 children)
Having the source is inconsequential if the remote support the source relies on (the classical DNS) is declared deprecated and/or illegal and/or, no matter the reasons, is replaced by something else and stops functioning.
(the RFC-es aren't quite natural laws)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Monday September 09 2019, @04:49AM (1 child)
I think we're quite far away from giving up on DNS.
(Score: 2) by c0lo on Monday September 09 2019, @05:00AM
Time will tell. But, yes, some solutions [wikipedia.org] seem to exist [wikipedia.org].
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by deimtee on Monday September 09 2019, @03:57AM (1 child)
Not that worrying. The only ones in there are localhost and local.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 2) by c0lo on Monday September 09 2019, @04:22AM
... for now.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by Mer on Monday September 09 2019, @07:43PM
It's good if it gives an incentive for openDNS and other good DNS services to roll out a DoH version.
Better browsers would implement DoH. And then even if Mozilla gimps the censorship bypassing to uselessness you're fine.
Shut up!, he explained.
(Score: 2) by Bot on Tuesday September 10 2019, @09:47PM
>What is Mozilla doing??? Being the Google? or the Facebook?
let me compute... reimplementing standards... no one asked for... now everybody has to adapt...
it's being the systemd.
Account abandoned.
(Score: 5, Insightful) by Fishscene on Sunday September 08 2019, @10:57PM (33 children)
So Firefox by default is going to start leaking my internal network information to an untrusted (to me) 3rd party? And introduce DNS lookup delays as well?
I've been a long time Firefox supporter. But this. This is where I drop Firefox. But what to turn to? Edge? Chrome is not an option.
I know I am not God, because every time I pray to Him, it's because I'm not perfect and thankful for what He's done.
(Score: 2) by Booga1 on Sunday September 08 2019, @11:08PM
Looks like you can follow these instructions to disable from the DNS/network side of things: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https [mozilla.org]
(Score: 3, Interesting) by Runaway1956 on Sunday September 08 2019, @11:10PM (23 children)
So do DoH manually, and set your own DNS server(s). You can click through the links in TFS and TFA to find this page: https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/ [zdnet.com]
Or, you can do a search, and the first hit I got with the duck was the link you could have found by clicking through.
https://duckduckgo.com/?q=enable+DoH+DNS+over+HTTPS+firefox&atb=v138-7&ia=web [duckduckgo.com]
I've been doing DoH for months now, and I believe that I used the ghack link to guide me - https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ [ghacks.net]
You don't trust Firefox, cool. But, the information is available so that you can bypass Firefox.
(Score: 4, Informative) by The Shire on Monday September 09 2019, @12:22AM (22 children)
The unwashed masses have no idea what this change means if they even hear about it at all. Both Mozilla and Cloudflare are counting on the fact that few will know how to override this. Silently taking over the end user's DNS settings with an "on by default" override is no different than installing a keylogger. Mozilla is rolling out software that will silently redirect all your DNS traffic to a 3rd party of their choosing. This can be classified as malware activity in my book.
I know how to override this, you know how to override this, but everyone else is a victim of what I would classify as criminal activity.
(Score: 4, Insightful) by vux984 on Monday September 09 2019, @12:51AM (8 children)
The "unwashed masses" are already having their DNS data slurped up by their ISP and google (8.8.8.8) or whatever etc.
Maybe... If the keylogger they install replaces the keylogger you already have installed that sends all its keystrokes to your ISP with one that sends all your keystrokes to a new place that explicitly promises not to use them.
Where the keylogger analogy breaks down is that you don't NEED all your keystrokes logged online; but you kind of DO need all your DNS queries handled.
Again, they already are victims. And this probably victimizes them less.
If you don't know how to override this then you are probably already a victim. Mozilla is trying to make a bad situation less bad.
(Score: 5, Insightful) by The Shire on Monday September 09 2019, @01:48AM (7 children)
What I'm hearing you say is: "Everyone's privacy is already compromised so it's ok for Mozilla to do it too".
Nope, not buyin that one. People who originally jumped on with Firefox did so because they are privacy conscious. They may not know how to stop all the other avenues tracking them but they should at least be able to trust that Firefox isn't doing anything nefarious in the background. That trust is now gone. Firefox no longer distinguishes itself from all the other major players that are intentionally and for profit selling the data mining rights to their user base.
(Score: 5, Insightful) by vux984 on Monday September 09 2019, @02:22AM (4 children)
You have to send your DNS queries out to someone. There's no way around that. If you trust mozilla enough to use their browser, then its not unreasonable to trust them with the DNS queries from the browser.
Mozilla's chosen provider may not meet your absolutist perfect standards (and who exactly are you using that DOES?!); but the Cloudflare policies in place are better than 99% of what most people using DNS are getting. Mozilla is not "compromising your privacy", they are sending your DNS queries to an entity that is promising greater privacy than 99% of what most people currently have. They aren't monetizing it, they aren't doing what others are doing with it at all. Cloudflare's policies are pretty reasonable: 24-hour retention and some basic aggregate trending is pretty reasonable to maintain a service like this.
a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better than why are you against it?)
b) What exactly are you holding up as an even better alternative?
(Score: 0) by Anonymous Coward on Monday September 09 2019, @03:16AM
The fact of the matter is that if this was a random extension that did this, it would be in violation of the A.M.O. guidelines. You may trust Mozilla, the people who make extensions, or both, or neither, but it is hypocritical, at best, to have different standards for the two of them.
(Score: 5, Insightful) by The Shire on Monday September 09 2019, @03:35AM (1 child)
The dns root servers are that someone. There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information. If Mozilla really wanted to be privacy conscious they wouldn't have used a for profit firm. In my opinion, Mozilla has been looking desperately for cash streams to pay their increasingly top heavy salaries and Cloudflare is one such revenue source. I suspect the reason Mozilla caved and made hyperlink ping tracking mandatory also involved similar advertiser or aggregator kick backs.
Like Google, it seems Mozilla built up a user base by promising they can be trusted and when it hit a certain mass they started cashing out in ways that are hard for the end user to see.
And to answer your questions:
Currently, users have control over their networks. Most choose not to exercise that control, but those who do know that when they choose a DNS provider it holds true for their entire network. It's expected behavior that the DNS on your network applies everywhere. Mozilla is subverting that by inserting hidden non-browser functionality into Firefox that is both silent and outside the average person's control. And I say hidden because from what I've seen, there is nothing in the browser's options that someone might see to turn it off or even know it's there. And does anyone really expect an end user to know how to create a "canary domain" that would disable this hidden DoH system? Not a chance, and both Mozilla and Cloudflare know it.
They could have solved the issue entirely by doing a couple things:
1) Make it opt in
2) Provide an easy to find browser option to turn it off - don't deceitfully hide this thing and make it difficult to turn off
3) If the user opts in, give them a randomized list of DNS providers, with notations about which are "for profit corporations" as well as a place to enter custom providers, and let the user pick the one they want.
(Score: 3, Insightful) by SpockLogic on Monday September 09 2019, @12:24PM
That is why I don't use my ISP's DNS nameservers.
Anyone trust Charter ... Anyone? Anyone?
Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
(Score: 0) by Anonymous Coward on Monday September 09 2019, @05:44PM
dns is supposed to be handled by the router/router operator, not spirited away by every user's goddamn browser. If this were really for the user it would be a fucking option in the browser settings with custom server option too. it's really that simple.
(Score: 2) by vux984 on Wednesday September 11 2019, @04:19PM (1 child)
Thought you might be interested:
https://www.zdnet.com/article/google-to-run-dns-over-https-doh-experiment-in-chrome/ [zdnet.com]
It's a different take from Mozilla's to be sure, and it's their first dip of the toe in the water.
(Score: 2) by The Shire on Wednesday September 11 2019, @06:14PM
And we all know how trustworthy Chrome is /s
Make no mistake, this is a concerted effort to redirect data mining statistics from ISPs to a few chosen partner providers. They're consolidating a fundamental part of the internet and placing it under the control of these few. They realize that when you control DNS, you control the internet.
If folks truly understood what was being quietly rolled out here they would be terrified.
(Score: 2) by c0lo on Monday September 09 2019, @12:51AM (11 children)
(I'll let aside the derogatory term)
As many of them aren't aware of what they are losing by using FB, Twitter and others, and are happily using them, in spite of having worse effects than DoH.
Maybe it's a pity your definition is not shared by everyone; but I can't help noting that it seems to be quite inconsequential to how the "public-at-large accessible" Internet evolves.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Insightful) by The Shire on Monday September 09 2019, @01:44AM (10 children)
Firefox users, by and large, were attracted to the browser for privacy reasons - an alternative to the invasive Chrome browser. It's not derogatory to assume that most people are not technically savvy just as it's not derogatory to assume that most people aren't surgeons. Technical details at this level will make most people's eyes glaze over. But not being technically savvy doesn't mean they can't show a desire for privacy by choosing Firefox. And it is a betrayal of that trust for Mozilla to push a narrative of "enhanced privacy" when they are in fact undermining that privacy for profit.
If Mozilla wants to take the high road then they should go with an "opt in" process. When folks update their copy of Firefox, present them with the facts and then ASK THEM if they want to turn over control of their name server. Don't sneak it in quietly, hide it from the options dialog, and require them to perform highly technical gymnastics in order to turn it off.
Again, this is the company that is mandating hyperlink tracking in an upcoming release. No overrides. And again they're touting it as "privacy enhancing" because if everyone is tracked somehow you're more protected.
Mozilla has lost their way. They're in it for the money now. There's no difference between them and Google Chrome anymore.
(Score: 2) by c0lo on Monday September 09 2019, @01:53AM (8 children)
"Unwashed masses" has a strong derogatory connotation, dontcha think?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Informative) by The Shire on Monday September 09 2019, @02:16AM (5 children)
It's a generalized term referring to anyone who doesn't have a high skill at the subject profession. I wouldn't be offended if a group of physicians referred to people like myself as part of the "unwashed masses" because I have none of the training they have in the field. So no, I don't consider it derogatory at all.
But that's just, like, my opinion man.
(Score: 2) by c0lo on Monday September 09 2019, @02:35AM
Maybe in your culture, but it's not safe to expect everybody to share it.
The "(I'll let aside the derogatory term)"... in my mind, it should be a culture independent sign that the matter doesn't bear relevance over the main discussion.
But that's just, like, my opinion, man (grin)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by janrinok on Monday September 09 2019, @06:52PM (3 children)
Well many people do, myself included.
And I don't think that I want to hear the sort of things that you do think are derogatory.
(Score: 2) by The Shire on Monday September 09 2019, @10:09PM (2 children)
Too many people failed to develop a thick skin and self confidence in their youth. Being offended is not necessarily a bad thing, it gives you a chance to decide if it was warranted and perhaps you should do something about it. And no one is safe from conflict in this world, especially of the verbal variety.
(Score: 2) by janrinok on Tuesday September 10 2019, @02:39AM (1 child)
My youth is so far behind me that I can happily discount that as a cause of my finding your comment offensive. I'm retired now. However, the original phrase was intended to be an insult to the working class. [phrases.org.uk]
(Score: 2) by Bot on Tuesday September 10 2019, @09:53PM
ok but now the working class is us bots and we don't wash indeed. So you can feel vindicated, unlubed masses.
Account abandoned.
(Score: 0) by Anonymous Coward on Monday September 09 2019, @02:18AM (1 child)
Have you smelled people?
(Score: 2) by c0lo on Monday September 09 2019, @02:29AM
No
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by number11 on Monday September 09 2019, @06:18AM
Firefox users, by and large, were attracted to the browser for privacy reasons
I doubt that. People, by and large, were attracted to FF because of the feature set. Those who are after privacy are likely using Brave, the DDG browser, EPIC, Safari, Chromium, or Tor. And probably a VPN.
It's not derogatory to assume that most people are not technically savvy
Of course not. Most people are not savvy enough to even change the DNS setting from the default, they don't even understand what DNS is. Most people don't understand (or care) that Facebook and/or Google spies on everything they do. And you expect them to change the settings to a more private DNS?
My ISP doesn't know what my DNS queries are, because I use a VPN that has its own DNS and swears that they don't log queries. But you gotta trust someone, somewhere, and I have decided to trust them. You seem to think that Cloudflare is less trustworthy than Comcast, ATT, CenturyLink. I think it is not possible to be less trustworthy than those companies (unless maybe your name is Zuckerberg).
(Score: 0) by Anonymous Coward on Monday September 09 2019, @08:22AM
On the plus side, it may actually help with DNSSEC validation.
The unwashed masses are too busy with their bullshit anyway to worry about securing basics like DNS. And I'm talking about the admins here too.
(Score: 3, Insightful) by c0lo on Sunday September 08 2019, @11:15PM (5 children)
Good old lynx [wikipedia.org]?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Informative) by Runaway1956 on Sunday September 08 2019, @11:43PM (4 children)
Let us remember that Chromium is open sourced, and other people are compiling Chrome without Google's default tracking and crap.
https://www.zdnet.com/pictures/all-the-chromium-based-browsers/ [zdnet.com]
I use Iridium a lot. I did use Iron browser, but started having issues.
https://iridiumbrowser.de/ [iridiumbrowser.de]
I did use Iron browser, but started having issues. There's the new Opera, Vivaldi, Brave, Blisk (which I never heard of until I just did this search), Colibri, Epic, and Ungoogled Chromium (another new one, to me). There are a couple dozen more on that zdnet page, which didn't warrant their own analysis pages. Pick your poison. Or, take them all for a test drive before choosing.
(Score: 2) by legont on Monday September 09 2019, @04:54AM (3 children)
I am using Waterfox lately. I like it. The problem though is that many financial websites refuse to work with it on security grounds - they ask to upgrade to the latest Firefox. I ended up using Chrome for those because at that point everything is already tracked to death.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 3, Interesting) by Runaway1956 on Monday September 09 2019, @09:21AM (2 children)
Good point. Not all sites work as well with all browsers. At some point, you have to make compromises.
As I've pointed out before, I have several browsers installed. Half a dozen Firefox derivatives, half a dozen more Chrome-likes, and a couple ancient oddballs that have their own peculiarities.
Only one of those browsers has any persistent data in its settings. When I have to visit a financial page, I use that browser, so that I can access my long-ass passwords, etc. I don't use that browser to browse, to listen to videos, or much of anything else. It's there to deal with "official" sites. No other browser knows where to look for financial information, or those passwords, or even user names for those sites. What's more, using multiple browsers makes it more difficult to be fingerprinted, or tracked via other methods. I have little idea if my bank makes any attempt to track my browsing and shopping online, but if none of that data is contained within my browser used for banking, then that browser cannot give them that data.
All of that may sound a bit paranoid, huh? Well, yeah, I think we have reason to be paranoid. If you aren't at least a 3 paranoid on a scale of 1 to 10, then you're not paying attention to the world around you. :^)
(Score: 3, Interesting) by legont on Monday September 09 2019, @06:45PM (1 child)
I use virtual machines for different purposes. For finance and such, I have a dedicated one that I use for nothing else. Even then, I don't trust my browser with passwords. I wrote my own little password generator many years ago and I use it. Not that it is better than others available, but I am protected by obscurity here.
Other virtual machines I typically have are the main one for general browsing and work, and one for visiting dangerous places. The host OS is just lightly used - mostly to show something to the border agents.
I do need a better DNS solution though.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by Runaway1956 on Monday September 09 2019, @07:38PM
I like that. ;^)
(Score: 2) by Common Joe on Monday September 09 2019, @09:29AM
You probably don't want Edge. Microsoft gave up and they're putting in the Chrome engine. Unfortunately, I have no good suggestions. I'm pretty fed up with all operating systems and all web browsers.
(Score: 2) by Chocolate on Tuesday September 10 2019, @03:42AM
Try https://ipleak.net [ipleak.net]
It probably already does so via WebRTC
Bit-choco-coin anyone?
(Score: 2) by Gaaark on Sunday September 08 2019, @11:39PM (2 children)
"The U.S. is first"
If I use a VPN, can I get it in Canada?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Monday September 09 2019, @12:00AM
Only if you call Canada America Junior.
(Score: 2) by c0lo on Monday September 09 2019, @12:58AM
Mayyybe. Until the US DNS infrastructure refuses to resolve the Canadian VPN and then you'll start using the IP address(es); which will make you look like a terrorist and have all your equipment seized [eff.org].
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Informative) by SomeGuy on Sunday September 08 2019, @11:57PM (1 child)
I don't get it. Unless you are using a VPN, your ISP already knows what sites you are visiting just by the IP address. Encrypting name information is fine, but the one resolving the site names should still usually be the ISP. Why let someone else know what sites you are visiting?
Then again, some (many?) ISPs already have broken DNS, where failed DNS lookups resolve to ADVERTISING.
(Score: 3, Interesting) by Anonymous Coward on Monday September 09 2019, @12:07AM
D'oH will use Cloudflare by default, but chances are the sites you are visiting are behind Cloudflare anyway. Cloudflare already knows what sites you are visiting.
(Score: 5, Insightful) by The Shire on Monday September 09 2019, @12:15AM (18 children)
Joe Sixpack isn't going to know what this is or why it means everything he does will now be tracked by Mozilla's chosen 3rd party partner - cloudflare. Mozilla, Microsoft, and Google don't care about the tiny fraction of people who know they're being tracked and know how to stop it. They count on the fact that the vast majority will do nothing and the additional tracking information will make them a ton of money.
Mozilla touts this as privacy enhancing but really what they've done is sold out their user base to cloudflare for data collection. On by default and pointed at cloudflare by default. Someone needs to track the money just as cloudflare will be tracking everyone's dns requests - I don't think anyone should be surprised to find out that Mozilla is doing this for cash, that cloudflare is paying them to get this data and to control everyone's dns. Remember, this is the same company that is making http ping tracking [bleepingcomputer.com] mandatory - no way to disable it and no way to load a plugin that can turn it off - just wide open third party tracking.
Mozilla is a browser. If they want to push DoH they are free to create an app that does it, but it sure as hell shouldn't be integrated into the browser and silently enabled by default. The function of a browser is to display the contents of the site I visit, period, not to commandeer a users network settings for their own profit.
And let me tell you, no company wants their employees bypassing their network filters. This is a corporate nightmare for any company that allows firefox on their network.
DNS is set up at the network level for a reason - it should apply to ALL systems that need to perform lookups. Mozilla has no standing to implement their own DNS on my or anyone else's systems without my explicit approval. Once you have everyone pointing at just Cloudflare it's an easy thing for any domain the CEO of Cloudflare doesn't like to simply disappear on a mass scale and end users won't understand why. Cloudflare already does it, they filter DNS responses based on their opinion of a site being worthy for the requester to see.
I'll say it again, Mozilla is selling out their user base to Cloudflare. Mozilla wants money, Cloudflare wants your data and control over what you are allowed to see. This has nothing to do with enhanced privacy.
(Score: 5, Informative) by vux984 on Monday September 09 2019, @01:02AM (17 children)
Everything he does is currently being tracked by someone else. Mozilla's chosen 3rd party is at least making claims not to keep or use the data. The parties currently tracking you are explicitly not making those claims.
Corporate users can turn it off. They have actual IT people who manage this stuff. This feature is not for corporate users, it's for joe-sixpack.
It's good to be skeptical. But what exactly would it take to convince you?
https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/ [cloudflare.com]
(Score: 4, Insightful) by The Shire on Monday September 09 2019, @01:33AM (16 children)
Cloudflare has already started to delist domains it doesn't like. Some of them are truly terrible, but it's not the job of a dns provider to make those value judgements. You're entrusting them with what you can access and they are not trustworthy.
Your own copy of their privacy statement shows they are collecting records containing IP, Timestamp, and dns query information. And the statement that "Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers" means that they have the ability and the willingness to keep records of personally identifiable information. There is nothing to stop a government agency from telling them to retain all records of people who, for example, visit conservative domains.
Bottom line, Firefox is redirecting your information to a 3rd party, without your consent, and then telling you they're protecting your privacy. It's bull. They profit financially from this arrangement and Cloudflare gains control of the firefox user base data. It's a sell out clear and simple. It might even be unlawful.
(Score: 4, Informative) by vux984 on Monday September 09 2019, @02:13AM (10 children)
You are ALWAYS trusting your DNS provider. If you don't like the one Mozilla thinks is the best of the bunch, you can point DoH at someone else or turn it off.
What do you propose as better and free from the threats you perceive here from cloudflare?
The government can issue the same orders to your ISP. Or they can just sniff without a warrant because it's not encrypted. Seriously. Cloudflare isn't perfect. I'll be the first to accept that but whatever 99% of the world, especially regular users, is using right now, is not likely to be BETTER.
(Score: 3, Insightful) by The Shire on Monday September 09 2019, @02:23AM (9 children)
I'm always trusting the dns provider "I Select". Because I know what I'm doing, that would be the root servers using dnssec and dns over tls (DoT) and not trusting google or cloudflare to give me clean responses. What Mozilla is doing is trying to pull an end around my choices and mandating that I use theirs. They're not asking nicely if I'd like to use the spiffy new service they're rolling out, they're just overriding my shit without my approval and they're doing it for money. That's precisely what malware does.
(Score: 3, Interesting) by vux984 on Monday September 09 2019, @03:01AM (8 children)
(Score: 3, Insightful) by The Shire on Monday September 09 2019, @04:20AM (7 children)
Since Mozilla has not released their 2018 financials it's impossible to know for sure, but we do know two things:
1) The largest portion of Mozilla's income derives from selling the default search engine slot and...
2) Mozilla was dealing with expenses growing at twice the rate of revenue. [computerworld.com]
Given they already make money selling partnerships with search engine companies, it's not unreasonable to assume they would also expand their data mining product venue to now include a similar paid partnership with Cloudflare, along with a paid partnership with other 3rd party data mining companies to make the hyperlink ping tracking mandatory.
If Mozilla popped up and said "We made this cool new service that can automatically help protect your privacy - it's free! Do you want to try it?", then the privacy minded folks would be quite capable of making that choice. What you're arguing is "People are too dumb to know what's good for them so I'm going to decide for them". That's bad business. Explain what you want to do, and ask permission.
You are calling out mozilla for "outrageous privacy breaches" when for 99.9+% of users who DON'T know what's going on they are improving privacy by bypassing their ISP
It's about trust. Most people don't know how a car engine works, but they TRUST that the professionals who designed it DO know and did it correctly. People who moved to Firefox did so because they TRUSTED Mozilla to protect their privacy in that same manner. They don't need to fully understand the implications because they expect Mozilla to behave ethically.
I don't believe for a second they are inserting this code because they think it improves privacy, I believe they're doing it because they're facing financial shortfalls and needed a new revenue partner. And they knew that the fewer choices and notifications they gave to the end user, the more solid that partnership would be. If the end user doesn't know something was inserted or if they do know but disabling it is outside their technical abilities then Cloudflare can be more assured that the bulk of Mozilla's user base will now be fed their way. And the more assured they are of getting that data the more they will be willing to pay Mozilla for it. All Mozilla is doing is shifting the data mining from the ISP to Cloudflare and then collecting a finder's fee for doing it.
Short answer - if you want to be trusted you better give the end user a choice. This "on by default and no way to easily disable it" bullshit is in no way trustworthy. They're pulling it here and they're pulling the same stunt with hyperlink tracking. It's sly and underhanded. If Mozilla is proud of this service then they shouldn't hide it.
I am not aware of any instance in history of that happening. It's possible of course, but it would be big news in the tech sector. The root servers require trust more than any other segment of the internets infrastructure. To compromise that trust would result in global fragmentation.
(Score: 2) by vux984 on Monday September 09 2019, @04:55PM (6 children)
All you know is that mozilla needs funding. It's outright dishonest to claim that mozilla is being paid by cloudfront, or that anyone is selling your data for this without a shred of actual evidence. Especially given that the parties involved have claimed publicly that the data is NOT being monetized, and that all but some basic aggregate metrics is scrubbed after 24 hours.
In general terms, every single default setting in every single piece of software written amounts to deciding for the users what the least-effort default configuration is going to be. In an ideal world defaults are chosen in the average consumers best interest. Nobody wants to fill out a 200 page questionnaire when they install software.
The issue here I think is that you don't actually believe this is a privacy feature. You appear to believe (without evidence) that this is a data-monetization misfeature masquerading as a privacy feature; and that mozilla and cloudflare are not just monetizing the data but also lying about monetizing the data. And then you are calling it an outrageous invasion of privacy, and that mozilla is selling you out.
Skepticism is healthy, and in engaging with you in this conversation I've learned quite a bit about the DoH feature that I didn't know. For my part, if anything I'm actually more convinced that it's actually a good thing for most people. I don't expect that you'll change your mind, and that's fine.
I don't think you are wrong to have the position that this is a feature that's worth asking about instead of setting a default on. While I understand Mozilla's position on it turning on by default, I am not convinced that they are absolutely right not to ask.
On the other hand I am in general agreement that the software should annoy the user with questions as little as possible.
And I don't really see any value whatsoever in showing my grandmother or my wife's parents a DoH DNS setting prompt and explanation next time they try to use the web. They aren't going to understand it, and they aren't going to read it. Best case they'll try to read it and call me... worst case they'll click on whatever it takes to make it 'go away' so they can get to their webmail etc; and either way they'll be annoyed.
Perhaps there should be an explicit 'advanced mode' and a 'let us manage your settings automatically mode' and when you put it into advanced mode (one time setting), where you get prompts about stuff like this. But now we've made the software more complicated and more expensive to develop, test, and maintain. So that's not a clear win either.
In September 2003, VeriSign introduced a service called Site Finder, which redirected Web browsers to a search service when users attempted to go to nonexistent .com or .net domain names. It was subsequently shut down after controversy.
The notion that the root server operators are altruistic trustworthy operators is unsupportable. Cloudflare is no different, but the policy in place is transparent and reasonable, and if they are found to be in violation of it, I'm pretty optimistic that will be sufficiently scandalous to at least dissuade them; especially given that it operates under the auspices of a 'privacy feature'.
(Score: 2) by The Shire on Monday September 09 2019, @06:33PM (5 children)
The only time you see code that ignores your network settings and intentionally bypasses any filters and firewall rules you may have set up is with malware. Commercial code does not do this. DNS is NOT the purview of the browser. For Mozilla to surreptitiously assume that role in Firefox is beyond the pale IMO. If they want to help people protect their DNS queries then they should have written a standalone app to do so, or at worst create a compartmentalized browser extension for it. This is akin to MS Word silently moving all your documents to onedrive without notice or approval because MS has decided that your desktop hard drive isn't secure enough and that their doing so is for your own good. A browser has a very specific function - pull content from the web. It's not the role of the browser to ignore your network settings in favor of their own. And it sure as hell shouldn't be doing it silently, without notice or approval, and without having an in app option to turn it off. When a company makes a major change to their software and intentionally hides it, that's not an indication they're doing it for your benefit.
Which is why this should be opt in. You don't override the end users network without permission. If the user wants to take advantage of this DoH option then you make it available in the options menu. You don't make it mandatory. The gall of Mozilla to assume everyone using FireFox knows or wants this "feature" is beyond belief. DNS is not something minor you just take over. DNS is a major function of networking and it's WAY outside the realm of what a browser should be handling. And at the corporate level Mozilla is basically telling all IT dept's to make changes to their operation to accommodate this new browser functionality or risk employees bypassing their filters and firewall. The hubris of Mozilla... it's mind boggling.
Verizon violated the ICANN rules regarding operation of root servers. They were severely maligned and proper root server operations were quickly restored. No operator in the subsequent decade and a half has strayed from those rules. I never said they were altruistically trustworthy, I said they were safe because their operations are heavily monitored and regulated and are not operated commercially. Meanwhile Cloudflare, a major for profit corporation, is already delisting domains it deems offensive. When you start seeing those "server not found" errors for the sites you used to get your news from, do you think the end user will realize it's Cloudflare censors or will they assume it's the news site that has gone offline? Commercial dns providers have already shown they are willing to censor, now it's a matter of how far they will push it before people start to notice.
I'll say it again - only a fool uses a for profit corporation for their DNS. You're handing them the means to filter what you see and hear, and we already have enough of that bias in the media. Mozilla is feeding the beast and if you think THEY have altruistic intent then you haven't been watching.
(Score: 2) by vux984 on Monday September 09 2019, @09:48PM (4 children)
"The only time you see code that ignores your network settings and intentionally bypasses any filters and firewall rules you may have setup is with malware. "
Don't be so dramatic. This also applies to pretty much all mainstream anti-virus/anti-malware. Take a look at what kaspersky, mcafee, symantec, etc products do.
Firefox also isn't the first browser to contemplate this: Tor browser does it too; so that it doesn't generate DNS lookups from the client.
Given that browsers run in a sandbox, steadily approaching a full virtual machine, in an ongoing effort to secure the browser, is it any surprise or even that surprising that this is happening? I wouldn't be surprised if Google follows suit, but points everyone to their own name servers by default.
Lots of other software I've seen runs all its network traffic through its own proxy services. This is HARDLY revolutionary.
So... "never in the history of the internet" to... "oh yeah Verisign did it, but we got really mad so it's ok NOW". That's not the first time we've gotten mad at Verisign, nor the most recent. There was that time in 2010 they got breached and tried to hide it -- I guess that's ok from critical trusted internet infrastructure right? Or that time they seized 82 domains after a court told them to... paragons of virtue.
Mozilla is assuming joe sixpack DOESN'T know anything about this feature, or how DNS works at all for that matter. And they'd be correct.
It's not mandatory.
It would be overriding the network if it affected anything OUTSIDE of the browser. It doesn't.
Hey I agree. P2P distributed DNS for the win. But that's a solution for tomorrow maybe. This is a solution for today.
Most people aren't set up to query the root servers directly via encryption. (Assuming you want to trust the root servers). Most people are querying ISPs and/or Google. THIS is better than THAT.
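To make concrete what "querying via encryption" means in the DoH case being argued over here, the following is an added example (not code from this thread, from Mozilla or from Cloudflare) that builds a classic RFC 1035 DNS query, wraps it the way RFC 8484 prescribes for an HTTPS GET (base64url in the `dns` parameter, padding stripped), and parses a response. The resolver URL `https://doh.example/dns-query` is a placeholder, and the response is constructed inline with the documentation address 192.0.2.1, so nothing here touches the network: on the wire, all an observer between the browser and the resolver sees is one more HTTPS request.

```python
import base64
import struct

# RFC 8484 (DoH): the DNS message is the ordinary RFC 1035 binary packet.
# GET carries it base64url-encoded without padding in the "dns" parameter;
# POST carries it raw with Content-Type application/dns-message.
DOH_CONTENT_TYPE = "application/dns-message"
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname into DNS label format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid DNS label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Single-question query. RFC 8484 recommends transaction id 0 so that
    identical queries yield identical URLs and are cacheable by HTTP."""
    flags = 0x0100  # RD=1, standard query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver: str, msg: bytes) -> str:
    """GET form of a DoH request: base64url of the message, '=' padding removed."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def decode_doh_param(param: str) -> bytes:
    """Inverse of doh_get_url: restore padding, then decode."""
    param += "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(param)


def read_name(msg: bytes, off: int) -> tuple:
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> tuple:
    """Return (rcode, [(name, type, ttl, rdata), ...]) for a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers


def build_sample_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed sample response to `query` with one A record; the answer
    name is a compression pointer to the question (offset 12), as real
    resolvers emit."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))
    print(parse_response(build_sample_response(q, "192.0.2.1")))
```

The part that matters for the thread's argument is `doh_get_url`: the query for `example.com` leaves the browser as an opaque `?dns=...` parameter inside a TLS session to the resolver, so a network-level DNS filter never sees a UDP/53 packet at all, and whatever policy or logging applies is the resolver's (the point both sides above are arguing about).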
(Score: 2) by The Shire on Monday September 09 2019, @10:24PM (3 children)
Antivirus software does not override your network settings.
Tor is a product designed to circumvent filters, that's its purpose. Firefox is not. If Mozilla wants Firefox to behave like Tor then perhaps they should retire Firefox and start promoting Tor as their mainstream browser.
It is mandatory. When the new release arrives it will be on by default and cannot be turned off without doing some fancy footwork on the network, and even then you can't be entirely sure it's turned off. If it's voluntary then it should have an on/off switch in the options dialog but they have already indicated it will not. This is a hidden "feature" designed such that people will be unaware their queries are being redirected. IMO its behavior is that of malware.
Browser functionality is an integral part of enterprise and personal interaction on the internet. Until now, browsers have behaved like all internet enabled apps - they use the system networking configuration. To silently override it is going to cause all manner of confusion when intranets cease to function because the browser isn't using the local dns. And when you choose to telecommute but your browser isn't working with the company network even though you have your dns pointed at it because the browser is quietly ignoring your preferences.
Look, a browser is a network application. By design it should use your network's configuration not go rogue. And this "solution" doesn't even fix the problem. It's of no consequence if your ISP is collecting your DNS query data or Cloudflare is. Don't forget that all HTTPS connections can already be monitored by your ISP by extracting the plain text SNI connection information - so they already know the domain you're going to hit. All Mozilla is doing is handing that same data to yet another 3rd party, Cloudflare. It doesn't benefit the end user it harms them by spreading their data to yet another profit motivated data miner. This only benefits Mozilla and Cloudflare. There is no helping hand here - there's only forced data mining.
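The plaintext SNI point above is easy to check. This is an added example (not from the thread or any project it mentions) that builds a constructed TLS ClientHello record with a `server_name` extension and then extracts the hostname from it the way a passive monitor on the path would; the random field, cipher list and session id are filler, not a byte-exact copy of any real client. Malformed or truncated records and hellos without SNI return `None` rather than raising.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 record framing) with an
    optional server_name extension, for feeding to extract_sni()."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # a supported_versions extension as filler, so the list has another entry
    exts += struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    body = (
        b"\x03\x03"                            # client_version
        + bytes(32)                            # random (zeros: constructed)
        + b"\x00"                              # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or
    None if the record is not a ClientHello, has no SNI, or is malformed."""
    try:
        ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
        if ctype != TLS_HANDSHAKE:
            return None
        hs = record[5:5 + rlen]
        if hs[0] != CLIENT_HELLO:
            return None
        off = 4 + 2 + 32                        # handshake hdr, version, random
        off += 1 + hs[off]                      # session_id
        off += 2 + struct.unpack("!H", hs[off:off + 2])[0]   # cipher_suites
        off += 1 + hs[off]                      # compression_methods
        if off >= len(hs):
            return None                         # no extensions block at all
        end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            data = hs[off:off + elen]
            off += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            pos = 2
            while pos + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", data[pos:pos + 3])
                pos += 3
                if ntype == SNI_HOST_NAME:
                    return data[pos:pos + nlen].decode("ascii")
                pos += nlen
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello(None)))            # None
```

This is exactly why the encrypted SNI work mentioned further down the thread matters for the privacy argument: a ClientHello that carries its name only in an encrypted extension has no plaintext `server_name` for this parser to find, and it returns `None`.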
(Score: 2) by vux984 on Tuesday September 10 2019, @01:11AM (2 children)
Many Antivirus packages include full on VPN services that route all your traffic through the A/V provider's site, under the guise of 'network security features' to protect you when on wifi and so forth. Then they install certificates and proxy the sites you visit so that they can scan the pages for malware content before your browser gets them. Your browser doesn't even see the certificates the site hosts; if you click the certificate information you'll see the A/V vendor certificates. This is also under the auspices of protection.
That's overriding your network settings in my books.
Are you sure? My reading is that it will be switched on by default, and the fancy footwork on the network is to allow you to signal to Firefox, with it turned on, not to use it there WHILE it's still enabled. But that the user can still turn it off manually. Where did you read that it would not be something that you could turn off? I am willing to concede that point if you can cite it; and it would even go a long way to convincing me that mozilla is in the wrong here.
Encrypted SNI is a thing; and that is a component of this endeavour...
https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/ [mozilla.org]
Depends who you trust; and where you are; and who that ISP is. Some are substitutable with cloudflare but most are worse.
A data miner scrubbing your data after 24 hours as part of this service. If you want to refuse to believe they are doing it because you don't like cloudflare, or something, that's fine. But if they are doing what they publicly commit to doing, what exactly is the problem? Oh, and you can ALSO select a different DoH provider; it doesn't have to be cloudflare. That's not forced either.
(Score: 2) by The Shire on Tuesday September 10 2019, @01:32AM (1 child)
You must admit this discussion is getting a little tedious. I think we understand each other's positions.
I don't believe for a moment that Mozilla or Cloudflare's motivations are any more than finding ways to improve their market share, data mine as much of the net's traffic as possible, and of course make money.
You seem to believe that both companies believe they can save end users from themselves and it's all about helping the little guy.
One of us is wrong.
(Score: 2) by vux984 on Tuesday September 10 2019, @03:49PM
I don't think it is quite as either-or as you put it though, but sure, I'm good to agree to disagree. And see how it plays out.
I am also still very curious where you saw that Mozilla said they wouldn't let you turn it off via a setting?!
(Score: 0) by Anonymous Coward on Monday September 09 2019, @08:13AM (3 children)
Like 8chan, which has more censorship than here?
In 2019, it's the job of every part of the infrastructure to deny a platform to evviiiiiillll.
(Score: 2) by tangomargarine on Monday September 09 2019, @04:17PM (2 children)
LOL. More than zero censorship?!? No way!
Downmodding someone is not censoring them, because you can still see all the comments. Censorship would be removing the posts in question.
Your fingers aren't broken. Just click the "expand" link.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Monday September 09 2019, @11:24PM (1 child)
You don't get it. 4chan, 8chan, etc remove posts. SoylentNews doesn't.
(Score: 2) by tangomargarine on Tuesday September 10 2019, @03:50PM
I don't see why you're bringing Soylent into this conversation at all. It's like saying people who own over 7 guns per capita commit more shooting crimes than people who own 0 guns. I mean, sure, but...duh?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday September 10 2019, @03:45AM
I can't access whirlpool.net.au anymore due to cloudfarce
Assholes.
(Score: 1, Flamebait) by NateMich on Monday September 09 2019, @12:52AM (2 children)
I already can't use Firefox at work anymore (too much custom garbage only works on Chrome). When I want to work from home I now end up having to fire up Chrome here also.
Pretty soon Firefox can announce that they are disabling images or JavaScript by default and it won't affect anyone.
(Score: 1, Insightful) by Anonymous Coward on Monday September 09 2019, @02:09AM (1 child)
Yep, Google Chrome is the only web browser that matters. Remember when Google promised not to make their own web browser? Those were the days. Remember when Google promised not to be evil? Those were the days.
(Score: 3, Insightful) by PiMuNu on Monday September 09 2019, @09:37AM
> Google Chrome is the only web browser that matters.
No, alternatives to Chrome and derivatives matter *more* as they become more sparse.
(Score: 2) by deimtee on Monday September 09 2019, @04:15AM
Anybody using this to access 'illegal' sites or content is going to occasionally end up dropped in the shit when cloudflare can't find the site and sends firefox back to your system DNS.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 0) by Anonymous Coward on Monday September 09 2019, @04:50AM
did they shove to database from dns lookup return?
Is that why U.K. Internet Services Providers' Association is bitching?
will they need to hire someone to reverse lookup now?
Oh the agony.
(Score: 0) by Anonymous Coward on Monday September 09 2019, @12:07PM
DNS over USA
or:
DNS over CloudFlare.
Generally we're dealing with country which has government trojans, controls hardware and has been caught numerous times on just acting illegally on the international level. We're speaking about country whose citizens got externally infuriated by propaganda when shown what Mozilla's CEO is doing after work. Sorry, if he was doing his work well, it's not my arse to know does he like fishing, camping, fursuiting, worshiping Comrade Stalin or reconstructing Wehrmacht marches in his cellar :). We are speaking about country which violates most laws "because terrorism" and people just like it. This insecurity of breaking any law any time is called "security", even "national" one.
We're speaking about country who developed one of the worst surveillance mechanisms on a social level, and the only difference between it and Chinese is that the Chinese is "bad" while USA is "good".
I just don't buy it. This is not for security. This is not for privacy. This is just a data acquisition mechanism. They could choose any other solution. Popularize an encryption standard to make everyone pick their poison of choice. Or develop distributed name systems like OpenNIC from a decade ago. But no, they got Cloudflare, the company which tracks customers, installs malicious scripts and cookies on their devices, fights with TOR users. This is not privacy at all.
And one more thing: If someone sees that ISP is snooping and messing with traffic, how about using this "so much working" capitalism and just choosing another ISP? ;).