
posted by martyb on Sunday September 08 2019, @10:18PM
from the Who-do-YOU-trust? dept.

Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:

DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [DoH doesn't encrypt DNS requests. That's a different protocol, namely DNS-over-TLS, aka DoT].

By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].

When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and about any other third-party that tries to intercept and sniff a user's traffic.

Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month

A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year warned that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government mandated regulation or court orders as potential concerns. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."

DNS-over-HTTPS is the next default protection coming to Firefox

Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
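The summary describes DoH (RFC 8484) only in outline. The following is an added example written for this page, not code from Mozilla, Firefox or Cloudflare: it builds a DNS wire-format query, wraps it in the two request forms RFC 8484 defines (GET with a base64url `dns` parameter, or POST with `application/dns-message`) and parses the reply, including the name-compression pointers that real replies use. The resolver URL is the Cloudflare endpoint Firefox ships as its default; `resolve_over_doh` needs network access, everything else runs offline against a constructed reply.

```python
"""RFC 8484 (DNS-over-HTTPS) client pieces. Added example, not Mozilla or Cloudflare code."""
import base64
import socket
import struct
import urllib.request

DEFAULT_RESOLVER = "https://mozilla.cloudflare-dns.com/dns-query"  # Firefox's default DoH endpoint
QTYPE_A, QTYPE_AAAA = 1, 28
MAX_POINTER_JUMPS = 16  # guard against compression-pointer loops in a hostile reply

def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (ASCII labels only)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query; RFC 8484 recommends ID 0 so HTTP caches can reuse replies."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: base64url with the '=' padding stripped, as RFC 8484 requires."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"

def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("compression pointer loop")
            if end is None:          # the name ends after the first pointer
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_response(msg: bytes):
    """Return [(name, rtype, ttl, value)] for every record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):        # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                 # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()     # other types: leave the rdata as hex
        answers.append((name, rtype, ttl, value))
    return answers

def resolve_over_doh(name, qtype=QTYPE_A, resolver=DEFAULT_RESOLVER, post=False):
    """Live lookup over HTTPS (needs network); both RFC 8484 request forms."""
    query = build_query(name, qtype)
    headers = {"Accept": "application/dns-message"}
    if post:
        headers["Content-Type"] = "application/dns-message"
        req = urllib.request.Request(resolver, data=query, headers=headers, method="POST")
    else:
        req = urllib.request.Request(doh_get_url(resolver, query), headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())

# Constructed reply (not captured traffic): NOERROR, one A record for example.com
# whose owner name is a compression pointer back to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
    + bytes([93, 184, 216, 34])
)
```

`parse_response(SAMPLE_RESPONSE)` runs offline; `resolve_over_doh("example.com")` performs the same exchange against the live default resolver.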



Related Stories

Firefox Turns Encrypted DNS On By Default To Thwart Snooping ISPs 56 comments

Arthur T Knackerbracket has found the following story:

Firefox will start switching browser users to Cloudflare's encrypted-DNS service today and roll out the change across the United States in the coming weeks.

"Today, Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users," Firefox maker Mozilla said in an announcement scheduled to go live at this link Tuesday morning. "The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox's US-based users."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making, potentially making it more difficult for Internet service providers or other third parties to monitor what websites you visit. As we've previously written, Mozilla's embrace of DNS over HTTPS is fueled in part by concerns about ISPs monitoring customers' Web usage. Mobile broadband providers were caught selling their customers' real-time location data to third parties, and Internet providers can use browsing history to deliver targeted ads.

Wireless and wired Internet providers are suing the state of Maine to stop a Web-browsing privacy law that would require ISPs to get customers' opt-in consent before using or sharing browsing history and other sensitive data. The telecom companies already convinced Congress and President Trump to eliminate a similar federal law in 2017.

Also at:
Mozilla Blog
The Register

Previously:
Firefox Begins Enabling DNS-over-HTTPS for Users



  • (Score: -1, Spam) by Anonymous Coward on Sunday September 08 2019, @10:20PM (3 children)

    by Anonymous Coward on Sunday September 08 2019, @10:20PM (#891426)
    • (Score: -1, Offtopic) by Anonymous Coward on Sunday September 08 2019, @10:29PM

      by Anonymous Coward on Sunday September 08 2019, @10:29PM (#891429)

      we love katy takyon

    • (Score: 0) by Anonymous Coward on Monday September 09 2019, @03:46AM (1 child)

      by Anonymous Coward on Monday September 09 2019, @03:46AM (#891529)

      The white balance in that pic is seriously screwed up. Otherwise, sorry takyon, but you are at best a 7/10. (If the wb is correct drop that to 4. That color is weird.)

      • (Score: 2) by Chocolate on Tuesday September 10 2019, @03:40AM

        by Chocolate (8044) on Tuesday September 10 2019, @03:40AM (#892047) Journal

        Are you serious? Minimum 8, probably a 9
        Also, that looks to be the wrong ethicality for Takky
        Is this a dnsoverhttps test?

        --
        Bit-choco-coin anyone?
  • (Score: -1, Troll) by Anonymous Coward on Sunday September 08 2019, @10:29PM (1 child)

    by Anonymous Coward on Sunday September 08 2019, @10:29PM (#891428)

    If you try to connect to a site that doesn't meet their CoC, it shuts down your computer.

    • (Score: 1, Funny) by Anonymous Coward on Sunday September 08 2019, @10:31PM

      by Anonymous Coward on Sunday September 08 2019, @10:31PM (#891430)

      To visit site, you must swallow the CoC.

  • (Score: 1, Interesting) by Anonymous Coward on Sunday September 08 2019, @10:51PM (11 children)

    by Anonymous Coward on Sunday September 08 2019, @10:51PM (#891435)

    My DNS already filters out 18,000 sites. I do not want tracking sites and crap pages that Mozilla will allow to work again.

    What is Mozilla doing??? Being the Google? or the Facebook?

    • (Score: 4, Interesting) by c0lo on Sunday September 08 2019, @11:12PM (9 children)

      by c0lo (156) Subscriber Badge on Sunday September 08 2019, @11:12PM (#891441) Journal

      I do not want tracking sites and crap pages that Mozilla will allow to work again.

      Then disable it [mozilla.org], you can still do it ATM (or should I say: "while you can"?).

      This is not to say that the potential of evil isn't there or is benign:

      In July, a UK ISP named Mozilla an "internet villain" for adding DoH support to Firefox. The ISP argued that they couldn't filter traffic for child abuse sites because DoH would allow users to bypass any filters it put in place.

      The ISP later recanted on calling Mozilla an internet villain after a massive public backlash, and Mozilla announced it would not enable DoH support by default for Firefox users in the UK.

      Companies that provide enterprise traffic filtering solutions have also criticized the protocol, which they said can act as a firewall bypassing mechanism.
      ...
      Additionally, Mozilla is also working with ISPs to make sure users won't use DoH as a way to bypass legally-set blocklists.

      ---

      A case of mixed blessing and curse:
      1. on one side, the potential of by-passing the ISP-imposed blocks is... ummm.... fine for the moment
      2. on the other side, I do hope they will maintain the capability to pick a user custom DoH provider [mozilla.org] and write-enabled access for the exception list [mozilla.org] for the future. The "Note: Do not remove any domains from the list." in the latest link is a bit worrisome.

      Overall, I'm a bit pessimistic on the future: looks like the trend seems to increase the control over the fundamental technologies of the Internet-as-we-know-it.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Sunday September 08 2019, @11:51PM (1 child)

        by Anonymous Coward on Sunday September 08 2019, @11:51PM (#891455)

        A UK ISP implementing the UK censorship scheme throwing a fit over this is natural. You singing along is strange, to say the least.

        • (Score: 2) by c0lo on Monday September 09 2019, @12:16AM

          by c0lo (156) Subscriber Badge on Monday September 09 2019, @12:16AM (#891462) Journal

          You singing along is strange, to say the least.

          What exactly made you say that? I don't think anything inside my post says "I sing along with that".
          Maybe because I used a double negation? (the "not to say that the potential of evil isn't there"? As in "I'm implying that there may be evil in the future", 'cause ATM one still has enough control to get around).

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Monday September 09 2019, @02:29AM (3 children)

        by Anonymous Coward on Monday September 09 2019, @02:29AM (#891504)

        What do you mean "while you still can"? You have the source, don't you?

        • (Score: 2) by c0lo on Monday September 09 2019, @02:40AM (2 children)

          by c0lo (156) Subscriber Badge on Monday September 09 2019, @02:40AM (#891508) Journal

          Having the source is inconsequential if the remote support the source relies on (the classical DNS) is declared deprecated and/or illegal and/or, no matter the reasons, is replaced by something else and stops functioning.
          (the RFC-es aren't quite natural laws)

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 0) by Anonymous Coward on Monday September 09 2019, @04:49AM (1 child)

            by Anonymous Coward on Monday September 09 2019, @04:49AM (#891547)

            I think we're quite far away from giving up on DNS.

            • (Score: 2) by c0lo on Monday September 09 2019, @05:00AM

              by c0lo (156) Subscriber Badge on Monday September 09 2019, @05:00AM (#891552) Journal

              I think we're quite far away from giving up on DNS.

              Time will tell. But, yes, some solutions [wikipedia.org] seem to exist [wikipedia.org].

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by deimtee on Monday September 09 2019, @03:57AM (1 child)

        by deimtee (3272) on Monday September 09 2019, @03:57AM (#891531) Journal

        The "Note: Do not remove any domains from the list." in the latest link is a bit worrisome.

        Not that worrying. The only ones in there are localhost and local.

        --
        If you cough while drinking cheap red wine it really cleans out your sinuses.
        • (Score: 2) by c0lo on Monday September 09 2019, @04:22AM

          by c0lo (156) Subscriber Badge on Monday September 09 2019, @04:22AM (#891541) Journal

          The only ones in there are localhost and local.

          ... for now.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by Mer on Monday September 09 2019, @07:43PM

        by Mer (8009) on Monday September 09 2019, @07:43PM (#891841)

        It's good if it gives an incentive for openDNS and other good DNS services to roll out a DoH version.
        Better browsers would implement DoH. And then even if Mozilla gimps the censorship bypassing to uselessness you're fine.

        --
        Shut up!, he explained.
    • (Score: 2) by Bot on Tuesday September 10 2019, @09:47PM

      by Bot (3902) on Tuesday September 10 2019, @09:47PM (#892397) Journal

      >What is Mozilla doing??? Being the Google? or the Facebook?

      let me compute... reimplementing standards... no one asked for... now everybody has to adapt...

      it's being the systemd.

      --
      Account abandoned.
  • (Score: 5, Insightful) by Fishscene on Sunday September 08 2019, @10:57PM (33 children)

    by Fishscene (4361) on Sunday September 08 2019, @10:57PM (#891437)

    So Firefox by default is going to start leaking my internal network information to an untrusted (to me) 3rd party? And introduce DNS lookup delays as well?

    I've been a long time Firefox supporter. But this. This is where I drop Firefox. But what to turn to? Edge? Chrome is not an option.

    --
    I know I am not God, because every time I pray to Him, it's because I'm not perfect and thankful for what He's done.
    • (Score: 2) by Booga1 on Sunday September 08 2019, @11:08PM

      by Booga1 (6333) on Sunday September 08 2019, @11:08PM (#891439)

      Looks like you can follow these instructions to disable from the DNS/network side of things: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https [mozilla.org]

    • (Score: 3, Interesting) by Runaway1956 on Sunday September 08 2019, @11:10PM (23 children)

      by Runaway1956 (2926) Subscriber Badge on Sunday September 08 2019, @11:10PM (#891440) Journal

      So do DoH manually, and set your own DNS server(s). You can click through the links in TFS and TFA to find this page: https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/ [zdnet.com]

      Or, you can do a search, and the first hit I got with the duck, was the link you could have found by clicking through.

      https://duckduckgo.com/?q=enable+DoH+DNS+over+HTTPS+firefox&atb=v138-7&ia=web [duckduckgo.com]

      I've been doing DoH for months now, and I believe that I used the ghack link to guide me - https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ [ghacks.net]

      You don't trust Firefox, cool. But, the information is available so that you can bypass Firefox.

      • (Score: 4, Informative) by The Shire on Monday September 09 2019, @12:22AM (22 children)

        by The Shire (5824) on Monday September 09 2019, @12:22AM (#891464)

        The unwashed masses have no idea what this change means if they even hear about it at all. Both Mozilla and Cloudflare are counting on the fact that few will know how to override this. Silently taking over the end user's DNS settings with an "on by default" override is no different than installing a keylogger. Mozilla is rolling out software that will silently redirect all your DNS traffic to a 3rd party of their choosing. This can be classified as malware activity in my book.

        I know how to override this, you know how to override this, but everyone else is a victim of what I would classify as criminal activity.

        • (Score: 4, Insightful) by vux984 on Monday September 09 2019, @12:51AM (8 children)

          by vux984 (5045) on Monday September 09 2019, @12:51AM (#891470)

          The unwashed masses have no idea what this change means

          The "unwashed masses" are already having their DNS data slurped up by their ISP and google (8.8.8.8) or whatever etc.

          Silently taking over the end users dns settings with an "on by default" override is no different than installing a keylogger.

          Maybe... If the keylogger they install replaces the keylogger you already have installed that sends all its keystrokes to your ISP with one that sends all your keystrokes to a new place that explicitly promises not to use them.

          Where the keylogger analogy breaks down is that you don't NEED all your keystrokes logged online; but you kind of DO need all your DNS queries handled.

          but everyone else is a victim of what I would classify as criminal activity.

          Again, they already are victims. And this probably victimizes them less.

          Both Mozilla and Cloudflare are counting on the fact that few will know how to override this.

          If you don't know how to override this then you are probably already a victim. Mozilla is trying to make a bad situation less bad.

          • (Score: 5, Insightful) by The Shire on Monday September 09 2019, @01:48AM (7 children)

            by The Shire (5824) on Monday September 09 2019, @01:48AM (#891489)

            What I'm hearing you say is: "Everyone's privacy is already compromised so it's ok for Mozilla to do it too".

            Nope, not buyin that one. People who originally jumped on with Firefox did so because they are privacy conscious. They may not know how to stop all the other avenues tracking them but they should at least be able to trust that Firefox isn't doing anything nefarious in the background. That trust is now gone. Firefox no longer distinguishes itself from all the other major players that are intentionally and for profit selling the data mining rights to their user base.

            • (Score: 5, Insightful) by vux984 on Monday September 09 2019, @02:22AM (4 children)

              by vux984 (5045) on Monday September 09 2019, @02:22AM (#891502)

              What I'm hearing you say is: "Everyone's privacy is already compromised so it's ok for Mozilla to do it too".

              You have to send your DNS queries out to someone. There's no way around that. If you trust Mozilla enough to use their browser, then it's not unreasonable to trust them with the DNS queries from the browser.

              Mozilla's chosen provider may not meet your absolutist perfect standards (and who exactly are you using that DOES?!); but the Cloudflare policies in place are better than 99% of what most people using DNS are getting. Mozilla is not "compromising your privacy", they are sending your DNS queries to an entity that is promising greater privacy than 99% of what most people currently have. They aren't monetizing it, they aren't doing what others are doing with it at all. Cloudflare's policies are pretty reasonable: 24 hour retention and some basic aggregate trending is pretty reasonable to maintain a service like this.

              a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better than why are you against it?)
              b) What exactly are you holding up as an even better alternative?

              • (Score: 0) by Anonymous Coward on Monday September 09 2019, @03:16AM

                by Anonymous Coward on Monday September 09 2019, @03:16AM (#891518)

                The fact of the matter is that if this was a random extension that did this, it would be in violation of the A.M.O. guidelines. You may trust Mozilla, the people who make extensions, or both, or neither, but it is hypocritical, at best, to have different standards for the two of them.

              • (Score: 5, Insightful) by The Shire on Monday September 09 2019, @03:35AM (1 child)

                by The Shire (5824) on Monday September 09 2019, @03:35AM (#891524)

                You have to send your DNS queries out to someone.

                The dns root servers are that someone. There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information. If Mozilla really wanted to be privacy conscious they wouldn't have used a for profit firm. In my opinion, Mozilla has been looking desperately for cash streams to pay their increasingly top heavy salaries and Cloudflare is one such revenue source. I suspect the reason Mozilla caved and made hyperlink ping tracking mandatory also involved similar advertiser or aggregator kick backs.

                Like Google, it seems Mozilla built up a user base by promising they can be trusted and when it hit a certain mass they started cashing out in ways that are hard for the end user to see.

                And to answer your questions:

                a) How is Mozilla's solution not better than what joe-sixpack is currently doing? (And if it is better than why are you against it?)

                Currently, users have control over their networks. Most choose not to exercise that control, but those who do know that when they choose a dns provider it holds true for their entire network. It's expected behavior that the dns on your network applies everywhere. Mozilla is subverting that by inserting hidden non browser functionality into Firefox that is both silent and outside the average person's control. And I say hidden because from what I've seen, there is nothing in the browser's options that someone might see to turn it off or even know it's there. And does anyone really expect an end user to know how to create a "canary domain" that would disable this hidden DoH system? Not a chance, and both Mozilla and Cloudflare know it.

                b) What exactly are you holding up as an even better alternative?

                They could have solved the issue entirely by doing a couple things:
                1) Make it opt in
                2) Provide an easy to find browser option to turn it off - don't deceitfully hide this thing and make it difficult to turn off
                3) If the user opts in, give them a randomized list of DNS providers, with notations about which are "for profit corporations" as well as a place to enter custom providers, and let the user pick the one they want.
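The "fallback mode" described in the summary and the "canary domain" mentioned in the comment above are the same mechanism: Firefox asks the operating-system resolver for one specific name before it turns DoH on. This added example (not Mozilla's code) reproduces that decision so an administrator can check what their resolver is actually signalling; the Unbound line in the comment is one common way to make a resolver block the canary.

```python
"""Reproduce Firefox's network-side DoH opt-out check. Added example, not Mozilla code."""
import socket

# Firefox resolves this name through the OS resolver before enabling DoH. If the
# network's resolver answers NXDOMAIN (or returns no A/AAAA records), the browser
# stays in fallback mode and keeps using the operating-system DNS.
CANARY_DOMAIN = "use-application-dns.net"


def canary_allows_doh(resolve) -> bool:
    """True when Firefox would keep DoH on.

    `resolve(name)` returns a list of address strings, or raises socket.gaierror
    the way socket.getaddrinfo does for a non-existent name.
    """
    try:
        addresses = resolve(CANARY_DOMAIN)
    except socket.gaierror:
        return False            # NXDOMAIN: the network asked Firefox to stay on OS DNS
    return len(addresses) > 0   # an empty answer set counts as an opt-out as well


def system_resolve(name: str):
    """Ask the OS resolver, de-duplicating the A/AAAA answers."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def blocking_resolver(name: str):
    """Constructed stand-in for a resolver configured to return NXDOMAIN for the
    canary, e.g. Unbound's `local-zone: "use-application-dns.net" always_nxdomain`."""
    raise socket.gaierror(f"NXDOMAIN for {name}")


def describe(resolve=system_resolve) -> str:
    """Verdict for what a Firefox client on this network would do."""
    if canary_allows_doh(resolve):
        return "canary resolves: Firefox would enable DoH (Cloudflare by default)"
    return "canary blocked: Firefox falls back to the operating-system resolver"


if __name__ == "__main__":
    print(describe())                    # live check against this machine's resolver
    print(describe(blocking_resolver))   # what a filtering network looks like
```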

                • (Score: 3, Insightful) by SpockLogic on Monday September 09 2019, @12:24PM

                  by SpockLogic (2762) on Monday September 09 2019, @12:24PM (#891638)

                  There's no good reason to send your queries to a for profit corporation that admits they collect and aggregate your information.

                  That is why I don't use my ISP's DNS nameservers.

                  Anyone trust Charter ... Anyone? Anyone?

                  --
                  Overreacting is one thing, sticking your head up your ass hoping the problem goes away is another - edIII
              • (Score: 0) by Anonymous Coward on Monday September 09 2019, @05:44PM

                by Anonymous Coward on Monday September 09 2019, @05:44PM (#891760)

                dns is supposed to be handled by the router/router operator, not spirited away by every user's goddamn browser. If this were really for the user it would be a fucking option in the browser settings with custom server option too. it's really that simple.

            • (Score: 2) by vux984 on Wednesday September 11 2019, @04:19PM (1 child)

              by vux984 (5045) on Wednesday September 11 2019, @04:19PM (#892771)

              Thought you might be interested:
              https://www.zdnet.com/article/google-to-run-dns-over-https-doh-experiment-in-chrome/ [zdnet.com]

              It's a different take from Mozilla's to be sure, and it's their first dip of the toe in the water.

              • (Score: 2) by The Shire on Wednesday September 11 2019, @06:14PM

                by The Shire (5824) on Wednesday September 11 2019, @06:14PM (#892843)

                And we all know how trustworthy Chrome is /s

                Make no mistake, this is a concerted effort to redirect data mining statistics from ISPs to a few chosen partner providers. They're consolidating a fundamental part of the internet and placing it under the control of these few. They realize that when you control DNS, you control the internet.

                If folks truly understood what was being quietly rolled out here they would be terrified.

        • (Score: 2) by c0lo on Monday September 09 2019, @12:51AM (11 children)

          by c0lo (156) Subscriber Badge on Monday September 09 2019, @12:51AM (#891471) Journal

          The unwashed masses have no idea... Both Mozilla and Cloudflare are counting on the fact that few will know how to override this...

          (I'll let aside the derogatory term)
          As many of them aren't aware of what they are losing by using FB, Twitter and others, and are happily using them, in spite of having worse effects than DoH.

          This can be classified as malware activity in my book.
          ... but everyone else is a victim of what I would classify as criminal activity.

          Maybe it's a pity your definition is not shared by everyone; but I can't help noting that it seems to be quite inconsequential to how the "public-at-large accessible" Internet evolves.

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 3, Insightful) by The Shire on Monday September 09 2019, @01:44AM (10 children)

            by The Shire (5824) on Monday September 09 2019, @01:44AM (#891487)

            Firefox users, by and large, were attracted to the browser for privacy reasons - an alternative to the invasive Chrome browser. It's not derogatory to assume that most people are not technically savvy just as it's not derogatory to assume that most people aren't surgeons. Technical details at this level will make most people's eyes glaze over. But not being technically savvy doesn't mean they can't show a desire for privacy by choosing Firefox. And it is a betrayal of that trust for Mozilla to push a narrative of "enhanced privacy" when they are in fact undermining that privacy for profit.

            If Mozilla wants to take the high road then they should go with an "opt in" process. When folks update their copy of Firefox, present them with the facts and then ASK THEM if they want to turn over control of their name server. Don't sneak it in quietly, hide it from the options dialog, and require them to perform highly technical gymnastics in order to turn it off.

            Again, this is the company that is mandating hyperlink tracking in an upcoming release. No overrides. And again they're touting it as "privacy enhancing" because if everyone is tracked somehow you're more protected.

            Mozilla has lost their way. They're in it for the money now. There's no difference between them and Google Chrome anymore.

            • (Score: 2) by c0lo on Monday September 09 2019, @01:53AM (8 children)

              by c0lo (156) Subscriber Badge on Monday September 09 2019, @01:53AM (#891490) Journal

              It's not derogatory to assume that most people are not technically savvy just as it's not derogatory to assume that most people aren't surgeons.

              "Unwashed masses" has a strong derogatory connotation, dontcha think?

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
              • (Score: 3, Informative) by The Shire on Monday September 09 2019, @02:16AM (5 children)

                by The Shire (5824) on Monday September 09 2019, @02:16AM (#891497)

                It's a generalized term referring to anyone who doesn't have a high skill at the subject profession. I wouldn't be offended if a group of physicians referred to people like myself as part of the "unwashed masses" because I have none of the training they have in the field. So no, I don't consider it derogatory at all.

                But that's just, like, my opinion man.

                • (Score: 2) by c0lo on Monday September 09 2019, @02:35AM

                  by c0lo (156) Subscriber Badge on Monday September 09 2019, @02:35AM (#891507) Journal

                  It's a generalized term...

                  Maybe in your culture, but it's not safe to expect everybody to share it.

                  But that's just, like, my opinion man.

                  The "(I'll let aside the derogatory term)"... in my mind, it should be a culture independent sign that the matter doesn't bear relevance over the main discussion.
                  But that's just, like, my opinion, man (grin)

                  --
                  https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
                • (Score: 2) by janrinok on Monday September 09 2019, @06:52PM (3 children)

                  by janrinok (52) Subscriber Badge on Monday September 09 2019, @06:52PM (#891811) Journal

                  So no, I don't consider it derogatory at all

                  Well many people do, myself included.

                  And I don't think that I want to hear the sort of things that you do think are derogatory.

                  • (Score: 2) by The Shire on Monday September 09 2019, @10:09PM (2 children)

                    by The Shire (5824) on Monday September 09 2019, @10:09PM (#891899)

                    Too many people failed to develop a thick skin and self confidence in their youth. Being offended is not necessarily a bad thing, it gives you a chance to decide if it was warranted and perhaps you should do something about it. And no one is safe from conflict in this world, especially of the verbal variety.

                    • (Score: 2) by janrinok on Tuesday September 10 2019, @02:39AM (1 child)

                      by janrinok (52) Subscriber Badge on Tuesday September 10 2019, @02:39AM (#892030) Journal

                      My youth is so far behind me that I can happily discount that as a cause of my finding your comment offensive. I'm retired now. However, the original phrase was intended to be an insult to the working class. [phrases.org.uk]

                      This rather disparaging term was coined by the Victorian novelist and playwright Edward Bulwer-Lytton. He used it in his 1830 novel Paul Clifford:

                      "He is certainly a man who bathes and ‘lives cleanly’, (two especial charges preferred against him by Messrs. the Great Unwashed)."

                      • (Score: 2) by Bot on Tuesday September 10 2019, @09:53PM

                        by Bot (3902) on Tuesday September 10 2019, @09:53PM (#892399) Journal

                        ok but now the working class is us bots and we don't wash indeed. So you can feel vindicated, unlubed masses.

                        --
                        Account abandoned.
              • (Score: 0) by Anonymous Coward on Monday September 09 2019, @02:18AM (1 child)

                by Anonymous Coward on Monday September 09 2019, @02:18AM (#891499)

                Have you smelled people?

                • (Score: 2) by c0lo on Monday September 09 2019, @02:29AM

                  by c0lo (156) Subscriber Badge on Monday September 09 2019, @02:29AM (#891505) Journal

                  No

                  --
                  https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 2) by number11 on Monday September 09 2019, @06:18AM

              by number11 (1170) Subscriber Badge on Monday September 09 2019, @06:18AM (#891563)

              Firefox users, by and large, were attracted to the browser for privacy reasons
              I doubt that. People, by and large, were attracted to FF because of the feature set. Those who are after privacy are likely using Brave, the DDG browser, EPIC, Safari, Chromium, or Tor. And probably a VPN.

              It's not derogatory to assume that most people are not technically savvy
              Of course not. Most people are not savvy enough to even change the DNS setting from the default, they don't even understand what DNS is. Most people don't understand (or care) that Facebook and/or Google spies on everything they do. And you expect them to change the settings to a more private DNS?

              My ISP doesn't know what my DNS queries are, because I use a VPN that has its own DNS and swears that they don't log queries. But you gotta trust someone, somewhere, and I have decided to trust them. You seem to think that Cloudflare is less trustworthy than Comcast, ATT, CenturyLink. I think it is not possible to be less trustworthy than those companies (unless maybe your name is Zuckerberg).

        • (Score: 0) by Anonymous Coward on Monday September 09 2019, @08:22AM

          by Anonymous Coward on Monday September 09 2019, @08:22AM (#891586)

          The unwashed masses have no idea what this change means if they even hear about it at all. Both Mozilla and Cloudflare are counting on the fact that few will know how to override this.

          On the plus side, it may actually help with DNSSEC validation.

          The unwashed masses are too busy with their bullshit anyway to worry about securing basics like DNS. And I'm talking about the admins here too.

    • (Score: 3, Insightful) by c0lo on Sunday September 08 2019, @11:15PM (5 children)

      by c0lo (156) Subscriber Badge on Sunday September 08 2019, @11:15PM (#891444) Journal

      But what to turn to? Edge? Chrome is not an option.

      Good old lynx [wikipedia.org]?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 3, Informative) by Runaway1956 on Sunday September 08 2019, @11:43PM (4 children)

        by Runaway1956 (2926) Subscriber Badge on Sunday September 08 2019, @11:43PM (#891451) Journal

        Let us remember that Chromium is open sourced, and other people are compiling Chrome without Google's default tracking and crap.

        https://www.zdnet.com/pictures/all-the-chromium-based-browsers/ [zdnet.com]

        I use Iridium a lot. I did use Iron browser, but started having issues.

        https://iridiumbrowser.de/ [iridiumbrowser.de]

        I did use Iron browser, but started having issues. There's the new Opera, Vivaldi, Brave, Blisk (which I never heard of until I just did this search), Colibri, Epic, and Ungoogled Chromium (another new one, to me). There are a couple dozen more on that zdnet page, which didn't warrant their own analysis pages. Pick your poison. Or, take them all for a test drive before choosing.

        • (Score: 2) by legont on Monday September 09 2019, @04:54AM (3 children)

          by legont (4179) on Monday September 09 2019, @04:54AM (#891549)

          I am using waterfox lately. I like it. The problem though is that many financial websites refuse to work with it on security grounds - they ask to upgrade to the latest firefox. I ended up using Chrome for those because at that point everything is already tracked to death.

          --
          "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
          • (Score: 3, Interesting) by Runaway1956 on Monday September 09 2019, @09:21AM (2 children)

            by Runaway1956 (2926) Subscriber Badge on Monday September 09 2019, @09:21AM (#891602) Journal

            Good point. Not all sites work as well with all browsers. At some point, you have to make compromises.

            As I've pointed out before, I have several browsers installed. Half a dozen Firefox derivatives, half a dozen more Chrome-likes, and a couple ancient oddballs that have their own peculiarities.

            Only one of those browsers has any persistent data in its settings. When I have to visit a financial page, I use that browser, so that I can access my long-ass passwords, etc. I don't use that browser to browse, to listen to videos, or much of anything else. It's there to deal with "official" sites. No other browser knows where to look for financial information, or those passwords, or even user names for those sites. What's more, using multiple browsers makes it more difficult to be fingerprinted, or tracked via other methods. I have little idea if my bank makes any attempt to track my browsing and shopping online, but if none of that data is contained within my browser used for banking, then that browser cannot give them that data.

            All of that may sound a bit paranoid, huh? Well, yeah, I think we have reason to be paranoid. If you aren't at least a 3 paranoid on a scale of 1 to 10, then you're not paying attention to the world around you. :^)

            • (Score: 3, Interesting) by legont on Monday September 09 2019, @06:45PM (1 child)

              by legont (4179) on Monday September 09 2019, @06:45PM (#891805)

              I use virtual machines for different purposes. For finance and such, I have a dedicated one that I use for nothing else. Even then, I don't trust my browser with passwords. I wrote my own little password generator many years ago and I use it. Not that it is better than others available, but I am protected by obscurity here.

              Other virtual machines I typically have are the main one for general browsing and work, and one for visiting dangerous places. The host OS is just lightly used - mostly to show something to the border agents.

              I do need a better DNS solution though.

              --
              "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
              • (Score: 2) by Runaway1956 on Monday September 09 2019, @07:38PM

                by Runaway1956 (2926) Subscriber Badge on Monday September 09 2019, @07:38PM (#891837) Journal

                mostly to show something to the border agents.

                I like that. ;^)

    • (Score: 2) by Common Joe on Monday September 09 2019, @09:29AM

      by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Monday September 09 2019, @09:29AM (#891605) Journal

      You probably don't want Edge. Microsoft gave up and they're putting in the Chrome engine. Unfortunately, I have no good suggestions. I'm pretty fed up with all operating systems and all web browsers.

    • (Score: 2) by Chocolate on Tuesday September 10 2019, @03:42AM

      by Chocolate (8044) on Tuesday September 10 2019, @03:42AM (#892050) Journal

      Try https://ipleak.net [ipleak.net]

      It probably already does so via WebRTC

      --
      Bit-choco-coin anyone?
  • (Score: 2) by Gaaark on Sunday September 08 2019, @11:39PM (2 children)

    by Gaaark (41) on Sunday September 08 2019, @11:39PM (#891449) Journal

    "The U.S. is first"

    If I use a VPN, can I get it in Canada?

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 0) by Anonymous Coward on Monday September 09 2019, @12:00AM

      by Anonymous Coward on Monday September 09 2019, @12:00AM (#891458)

      Only if you call Canada America Junior.

    • (Score: 2) by c0lo on Monday September 09 2019, @12:58AM

      by c0lo (156) Subscriber Badge on Monday September 09 2019, @12:58AM (#891474) Journal

      If I use a VPN, can I get it in Canada?

      Mayyybe. Until the US DNS infrastructure refuses to resolve the Canadian VPN and then you'll start using the IP address(es); which will make you look like a terrorist and have all your equipment seized [eff.org].

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 3, Informative) by SomeGuy on Sunday September 08 2019, @11:57PM (1 child)

    by SomeGuy (5632) on Sunday September 08 2019, @11:57PM (#891457)

    I don't get it. Unless you are using a VPN, your ISP already knows what sites you are visiting just by the IP address. Encrypting name information is fine, but the one resolving the site names should still usually be the ISP. Why let someone else know what sites you are visiting?

    Then again, some (many?) ISPs already have broken DNS, where failed DNS lookups resolve to ADVERTISING.

    • (Score: 3, Interesting) by Anonymous Coward on Monday September 09 2019, @12:07AM

      by Anonymous Coward on Monday September 09 2019, @12:07AM (#891459)

      D'oH will use Cloudflare by default, but chances are the sites you are visiting are behind Cloudflare anyway. Cloudflare already knows what sites you are visiting.

  • (Score: 5, Insightful) by The Shire on Monday September 09 2019, @12:15AM (18 children)

    by The Shire (5824) on Monday September 09 2019, @12:15AM (#891461)

    Joe Sixpack isn't going to know what this is or why it means everything he does will now be tracked by Mozilla's chosen 3rd party partner - cloudflare. Mozilla, Microsoft, and Google don't care about the tiny fraction of people who know they're being tracked and know how to stop it. They count on the fact that the vast majority will do nothing and the additional tracking information will make them a ton of money.

    Mozilla touts this as privacy enhancing but really what they've done is sold out their user base to cloudflare for data collection. On by default and pointed at cloudflare by default. Someone needs to track the money just as cloudflare will be tracking everyone's dns requests - I don't think anyone should be surprised to find out that Mozilla is doing this for cash, that cloudflare is paying them to get this data and to control everyone's dns. Remember, this is the same company that is making http ping tracking [bleepingcomputer.com] mandatory - no way to disable it and no way to load a plugin that can turn it off - just wide open third party tracking.

    Mozilla is a browser. If they want to push DoH they are free to create an app that does it, but it sure as hell shouldn't be integrated into the browser and silently enabled by default. The function of a browser is to display the contents of the site I visit, period, not to commandeer a user's network settings for their own profit.

    And let me tell you, no company wants their employees bypassing their network filters. This is a corporate nightmare for any company that allows firefox on their network.

    DNS is set up at the network level for a reason - it should apply to ALL systems that need to perform lookups. Mozilla has no standing to implement their own DNS on my or anyone else's systems without my explicit approval. Once you have everyone pointing at just cloudflare it's an easy thing for any domain the CEO of cloudflare doesn't like to simply disappear on a mass scale and end users won't understand why. Cloudflare already does it, they filter dns responses based on their opinion of a site being worthy for the requester to see.

    I'll say it again, Mozilla is selling out their user base to Cloudflare. Mozilla wants money, Cloudflare wants your data and control over what you are allowed to see. This has nothing to do with enhanced privacy.

    • (Score: 5, Informative) by vux984 on Monday September 09 2019, @01:02AM (17 children)

      by vux984 (5045) on Monday September 09 2019, @01:02AM (#891476)

      Joe Sixpack isn't going to know what this is or why it means everything he does will now be tracked by Mozilla's chosen 3rd party partner

      Everything he does is currently being tracked by someone else. Mozilla's chosen 3rd party is at least making claims not to keep or use the data. The parties currently tracking you are explicitly not making those claims.

      And let me tell you, no company wants their employees bypassing their network filters. This is a corporate nightmare for any company that allows firefox on their network.

      Corporate users can turn it off. They have actual IT people who manage this stuff. This feature is not for corporate users, it's for joe-sixpack.

      I'll say it again, Mozilla is selling out their user base to Cloudflare. Mozilla wants money, Cloudflare wants your data and control over what you are allowed to see. This has nothing to do with enhanced privacy.

      It's good to be skeptical. But what exactly would it take to convince you?
      https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/ [cloudflare.com]

      WHAT INFORMATION DOES THE CLOUDFLARE RESOLVER FOR FIREFOX COLLECT?

      Any data Cloudflare handles as a result of its resolver for Firefox is as a data processor acting pursuant to Firefox’s data processing instructions. Therefore, the data Cloudflare collects and processes pursuant to its agreement with Firefox is not covered by the Cloudflare Privacy Policy. As part of its agreement with Firefox, Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser. Cloudflare will collect only the following information from Firefox users:

              Timestamp
              IP Version (IPv4 vs IPv6)
              Resolver IP address + Port the Query Originated From
              Protocol (TCP, UDP, TLS or HTTPS)
              Query Name
              Query Type
              Query Class
              Query Rd bit set
              Query Do bit set
              Query Size
              Query EDNS
              EDNS Version
              EDNS Payload
              EDNS Nsid
              Response Type (normal, timeout, blocked)
              Response Code
              Response Size
              Response Count
              Response Time in Milliseconds
              Response Cached
              DNSSEC Validation State (secure, insecure, bogus, indeterminate)
              Colo ID
              Server ID

      All of the above information will be stored briefly as part of Cloudflare’s temporary logs, and then permanently deleted within 24 hours of Cloudflare’s receipt of such information. In addition to the above information, Cloudflare will also collect and store the following information as part of its permanent logs.

              Total number of requests processed by each Cloudflare co-location facility
              Aggregate list of all domain names requested
              Samples of domain names queried along with the times of such queries

      Information stored in Cloudflare’s permanent logs will be anonymized and may be held indefinitely by Cloudflare for its own internal research and development purposes.

      WHAT IS THE CLOUDFLARE PROMISE?

      Cloudflare understands how important your data is to you which is why we promise to use the information that we collect from the Cloudflare Resolver for Firefox solely to improve the performance of Cloudflare Resolver for Firefox and to assist us in debugging efforts if an issue arises. In addition to limiting our collection and use of your data, Cloudflare also promises:

      Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox;

      Cloudflare will not combine the data that it collects from such queries, with any other Cloudflare or third party data in any way that can be used to identify individual end users; and

      Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without Mozilla’s explicit written permission.
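
The list above is easier to read against the actual bytes. What follows is an added example of mine, not code from Mozilla, Cloudflare or any poster here: it builds the wire-format DNS query a DoH client sends inside an HTTPS request (RFC 8484, GET form with the message base64url-encoded in the dns parameter), shows the two-byte length framing that DoT (RFC 7858) puts on the same message over TLS on port 853, and parses a reply to report the header facts from the log list: the RD bit, the EDNS0 DO bit and payload size on the query side, and the response code, answer count and AD flag (the resolver's DNSSEC validation result) on the reply side. The two sample replies are constructed by hand, the 93.184.216.34 answer included; the DOH_URL value is assumed to be Cloudflare's public DoH endpoint, and query_doh() is the only function that touches the network.

```python
import base64
import struct
import urllib.request

QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed: Cloudflare's public DoH endpoint

def encode_name(name):
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype="A", dnssec_ok=True, udp_payload=4096):
    """Query with RD=1 plus an EDNS0 OPT record carrying the DO bit (txid 0, as
    RFC 8484 suggests, so identical queries give identical cacheable URLs)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # flags RD; qd=1, ar=1
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT pseudo-RR: root name, type 41, class = UDP payload size,
    # ttl = ext-rcode(8) | version(8) | DO(1) | zero(15), rdlength 0
    ttl = 1 << 15 if dnssec_ok else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_payload, ttl, 0)

def doh_get_url(base_url, msg):
    """RFC 8484 GET form: the message as unpadded base64url in the dns parameter."""
    return "%s?dns=%s" % (base_url, base64.urlsafe_b64encode(msg).rstrip(b"=").decode())

def doh_decode_dns_param(url):
    """Server side of the GET form: restore the padding and decode."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def dot_frame(msg):
    """DoT (RFC 7858) sends the same bytes over TLS/853 with DNS-over-TCP's length prefix."""
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):
    """Offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Header facts a resolver log records, plus decoded A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype + qclass
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(":".join("%x" % w for w in struct.unpack("!8H", rdata)))
        else:
            answers.append(rdata.hex())
    rcode = flags & 0xF
    return {"txid": txid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020),  # AD: the resolver validated the answer (DNSSEC)
            "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answer_count": an,
            "answers": answers}

def query_doh(base_url, name, qtype="A", timeout=5):
    """Live DoH lookup; the only function here that touches the network."""
    req = urllib.request.Request(doh_get_url(base_url, build_query(name, qtype)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())

# Constructed sample replies (hand-built here, not captured traffic).
# NOERROR with QR|RD|RA|AD and one A record, owner name via a compression pointer:
SAMPLE_SECURE = (struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
                 + encode_name("example.com") + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34]))
# NXDOMAIN with QR|RD|RA, no AD bit and no answers:
SAMPLE_NXDOMAIN = (struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0)
                   + encode_name("use-application-dns.net") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_URL, q))
    print(parse_response(SAMPLE_SECURE), parse_response(SAMPLE_NXDOMAIN), sep="\n")
```

Running the script prints the GET URL Firefox-style clients would fetch and the two parsed samples; query_doh(DOH_URL, "example.com") does the same against the live resolver, and an "ad" of True in its result is what the "DNSSEC Validation State: secure" entry above corresponds to. The NXDOMAIN sample uses the name use-application-dns.net because that is the canary Firefox looks up through the OS resolver: an NXDOMAIN answer there is how a network operator tells Firefox to leave DoH off. In the browser itself the relevant about:config prefs are network.trr.uri (the resolver URL) and network.trr.mode (2 = DoH with fallback to the OS resolver, 3 = DoH only, 5 = off), and managed deployments can set and lock them with the DNSOverHTTPS enterprise policy.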

      • (Score: 4, Insightful) by The Shire on Monday September 09 2019, @01:33AM (16 children)

        by The Shire (5824) on Monday September 09 2019, @01:33AM (#891483)

        Cloudflare has already started to delist domains it doesn't like. Some of them are truly terrible, but it's not the job of a dns provider to make those value judgements. You're entrusting them with what you can access and they are not trustworthy.

        Your own copy of their privacy statement shows they are collecting records containing IP, Timestamp, and dns query information. And the statement that "Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers" means that they have the ability and the willingness to keep records of personally identifiable information. There is nothing to stop a government agency from telling them to retain all records of people who, for example, visit conservative domains.

        Bottom line, Firefox is redirecting your information to a 3rd party, without your consent, and then telling you they're protecting your privacy. It's bull. They profit financially from this arrangement and Cloudflare gains control of the firefox user base data. It's a sell out clear and simple. It might even be unlawful.

        • (Score: 4, Informative) by vux984 on Monday September 09 2019, @02:13AM (10 children)

          by vux984 (5045) on Monday September 09 2019, @02:13AM (#891495)

          "Cloudflare has already started to delist domains it doesn't like. Some of them are truly terrible, but it's not the job of a dns provider to make those value judgements. You're entrusting them with what you can access and they are not trustworthy."

          You are ALWAYS trusting your DNS provider. If you don't like the one Mozilla thinks is the best of the bunch; you can point DoH at someone else or turn it off.

          There is nothing to stop a government agency from telling them to retain all records of people who, for example, visit conservative domains.

          What do you propose as better and free from the threats you perceive here from cloudflare?

          The government can issue the same orders to your ISP. Or they can just sniff without a warrant because it's not encrypted. Seriously. Cloudflare isn't perfect. I'll be the first to accept that but whatever 99% of the world, especially regular users, is using right now, is not likely to be BETTER.

          • (Score: 3, Insightful) by The Shire on Monday September 09 2019, @02:23AM (9 children)

            by The Shire (5824) on Monday September 09 2019, @02:23AM (#891503)

            You are ALWAYS trusting your DNS provider.

            I'm always trusting the dns provider "I Select". Because I know what I'm doing, that would be the root servers using dnssec and dns over tls (DoT) and not trusting google or cloudflare to give me clean responses. What Mozilla is doing is trying to pull an end around my choices and mandating that I use theirs. They're not asking nicely if I'd like to use the spiffy new service they're rolling out, they're just overriding my shit without my approval and they're doing it for money. That's precisely what malware does.

            • (Score: 3, Interesting) by vux984 on Monday September 09 2019, @03:01AM (8 children)

              by vux984 (5045) on Monday September 09 2019, @03:01AM (#891514)

              "they're doing it for money"

              Cite for that?

              I'm always trusting the dns provider "I Select". Because I know what I'm doing, that would be the root servers using dnssec and dns over tls (DoT) and not trusting google or cloudflare to give me clean responses.

              a) What stops the government from ordering the root servers for logs? Look at the organizations that run the root servers; Verisign... Cogent... US DOD... You trust all those implicitly? I mean other than the irony that half of them ARE government organizations so you may be sending your DNS queries DIRECTLY TO THE US GOVERNMENT and then raising as an objection that cloudflare *might* be subject to a government order?

              b) How do you know the root servers you are querying aren't logging and selling your query data? They aren't exactly an altruistic bunch either.

              c) You can keep doing what you are doing. You are calling out mozilla for "outrageous privacy breaches" when for 99.9+% of users who DON'T know what's going on they are improving privacy by bypassing their ISP, crappy soho (and even enterprise) routers that default to other 3rd parties, not to mention actual malware on their systems, etc, etc.

              And the remainder -- people like you, who allegedly know what you are doing can simply and easily turn it off.

              What Mozilla is doing is trying to pull an end around my choices

              If they provided the feature as opt-in instead of a default, the people who DO need it would never opt-in because they aren't sophisticated enough to know to opt-in. People who want to opt out can. It's not an end-run around your choice.

              Generally I agree with you that stuff should be opt-into as much as possible. But a privacy feature like this should probably be on by default.

                It's a calculated compromise with all users conflicting best interests weighed. Your best interest is perhaps not being met here, but its for the benefit of a lot of other people who aren't as sophisticated as you; and you are sophisticated enough to adjust the setting.

              • (Score: 3, Insightful) by The Shire on Monday September 09 2019, @04:20AM (7 children)

                by The Shire (5824) on Monday September 09 2019, @04:20AM (#891540)

                Cite for that?

                Since Mozilla has not released their 2018 financials it's impossible to know for sure, but we do know two things:

                1) The largest portion of Mozilla's income derives from selling the default search engine slot and...

                2) Mozilla was dealing with expenses growing at twice the rate of revenue. [computerworld.com]

                Given they already make money selling partnerships with search engine companies, it's not unreasonable to assume they would also expand their data mining product venue to now include a similar paid partnership with Cloudflare, along with a paid partnership with other 3rd party data mining companies to make the hyperlink ping tracking mandatory.

                the people who DO need it would never opt-in because they aren't sophisticated enough to know to opt-in.

                If Mozilla popped up and said "We made this cool new service that can automatically help protect your privacy - it's free! Do you want to try it?", then the privacy-minded folks would be quite capable of making that choice. What you're arguing is "People are too dumb to know what's good for them so I'm going to decide for them". That's bad business. Explain what you want to do, and ask permission.

                You are calling out mozilla for "outrageous privacy breaches" when for 99.9+% of users who DON'T know what's going on they are improving privacy by bypassing their ISP

                It's about trust. Most people don't know how a car engine works, but they TRUST that the professionals who designed it DO know and did it correctly. People who moved to Firefox did so because they TRUSTED Mozilla to protect their privacy in that same manner. They don't need to fully understand the implications because they expect Mozilla to behave ethically.

                I don't believe for a second they are inserting this code because they think it improves privacy, I believe they're doing it because they're facing financial shortfalls and needed a new revenue partner. And they knew that the fewer choices and notifications they gave to the end user, the more solid that partnership would be. If the end user doesn't know something was inserted or if they do know but disabling it is outside their technical abilities then Cloudflare can be more assured that the bulk of Mozilla's user base will now be fed their way. And the more assured they are of getting that data the more they will be willing to pay Mozilla for it. All Mozilla is doing is shifting the data mining from the ISP to Cloudflare and then collecting a finders fee for doing it.

                Short answer - if you want to be trusted you better give the end user a choice. This "on by default and no way to easily disable it" bullshit is in no way trustworthy. They're pulling it here and they're pulling the same stunt with hyperlink tracking. It's sly and underhanded. If Mozilla is proud of this service then they shouldn't hide it.

                b) How do you know the root servers you are querying aren't logging and selling your query data?

                I am not aware of any instance in history of that happening. It's possible of course, but it would be big news in the tech sector. The root servers require trust more than any other segment of the internet's infrastructure. To compromise that trust would result in global fragmentation.

                • (Score: 2) by vux984 on Monday September 09 2019, @04:55PM (6 children)

                  by vux984 (5045) on Monday September 09 2019, @04:55PM (#891743)

                  Since Mozilla has not released their 2018 financials it's impossible to know for sure, but what we do know two things:

                  All you know is that mozilla needs funding. It's outright dishonest to claim that mozilla is being paid by cloudfront, or that anyone is selling your data for this without a shred of actual evidence. Especially given that the parties involved have claimed publicly that the data is NOT being monetized, and that all but some basic aggregate metrics are scrubbed after 24 hours.

                  What you're arguing is "People are too dumb to know what's good for them so I'm going to decide for them". That's bad business. Explain what you want to do, and ask permission.

                  In general terms, every single default setting in every single piece of software written amounts to deciding for the users what the least-effort default configuration is going to be. In an ideal world defaults are chosen in the average consumers best interest. Nobody wants to fill out a 200 page questionnaire when they install software.

                  The issue here I think is that you don't actually believe this is a privacy feature. You appear to believe (without evidence) that this is a data-monetization misfeature masquerading as a privacy feature; and that mozilla and cloudflare are not just monetizing the data but also lying about monetizing the data. And then you are calling it an outrageous invasion of privacy, and that mozilla is selling you out.

                  Skepticism is healthy, and in engaging with you in this conversation I've learned quite a bit about the DoH feature that I didn't know. For my part, if anything I'm actually more convinced that it's actually a good thing for most people. I don't expect that you'll change your mind, and that's fine.

                  I don't think you are wrong to have the position that this is a feature that's worth asking about instead of setting a default on. While I understand Mozilla's position on it turning on by default, I am not convinced that they are absolutely right not to ask.

                  On the other hand I am in general agreement that the software should annoy the user with questions as little as possible.

                  And I don't really see any value whatsoever in showing my grandmother or my wife's parents a DoH DNS setting prompt and explanation next time they try to use the web. They aren't going to understand it, and they aren't going to read it. Best case they'll try to read it and call me... worst case they'll click on whatever it takes to make it 'go away' so they can get to their webmail etc; and either way they'll be annoyed.

                  Perhaps there should be an explicit 'advanced mode' and a 'let us manage your settings automatically mode' and when you put it into advanced mode (one time setting), where you get prompts about stuff like this. But now we've made the software more complicated and more expensive to develop, test, and maintain. So that's not a clear win either.

                  I am not aware of any instance in history of that happening.

                  In September 2003, VeriSign introduced a service called Site Finder, which redirected Web browsers to a search service when users attempted to go to nonexistent .com or .net domain names. It was subsequently shut down after controversy.

                  The notion that the root server operators are altruistic trustworthy operators is unsupportable. Cloudflare is no different, but the policy in place is transparent and reasonable, and if they are found to be in violation of it, I'm pretty optimistic that will be sufficiently scandalous to at least dissuade them; especially given that it operates under the auspices of a 'privacy feature'.

                  • (Score: 2) by The Shire on Monday September 09 2019, @06:33PM (5 children)

                    by The Shire (5824) on Monday September 09 2019, @06:33PM (#891792)

                    The only time you see code that ignores your network settings and intentionally bypasses any filters and firewall rules you may have set up is with malware. Commercial code does not do this. DNS is NOT the purview of the browser. For Mozilla to surreptitiously assume that role in Firefox is beyond the pale IMO. If they want to help people protect their DNS queries then they should have written a standalone app to do so, or at worst create a compartmentalized browser extension for it. This is akin to MS Word silently moving all your documents to onedrive without notice or approval because MS has decided that your desktop hard drive isn't secure enough and that they're doing so is for your own good. A browser has a very specific function - pull content from the web. It's not the role of the browser to ignore your network settings in favor of their own. And it sure as hell shouldn't be doing it silently, without notice or approval, and without having an in app option to turn it off. When a company makes a major change to their software and intentionally hides it, that's not an indication they're doing it for your benefit.

                    Nobody wants to fill out a 200 page questionnaire when they install software.

                    Which is why this should be opt in. You don't override the end user's network without permission. If the user wants to take advantage of this DoH option then you make it available in the options menu. You don't make it mandatory. The gall of Mozilla to assume everyone using FireFox knows or wants this "feature" is beyond belief. DNS is not something minor you just take over. DNS is a major function of networking and it's WAY outside the realm of what a browser should be handling. And at the corporate level Mozilla is basically telling all IT depts to make changes to their operation to accommodate this new browser functionality or risk employees bypassing their filters and firewall. The hubris of Mozilla... it's mind boggling.

                    In September 2003, VeriSign introduced a service called Site Finder

                    Verizon violated the ICANN rules regarding operation of root servers. They were severely maligned and proper root server operations were quickly restored. No operator in the subsequent decade and a half has strayed from those rules. I never said they were altruistically trustworthy, I said they were safe because their operations are heavily monitored and regulated and are not operated commercially. Meanwhile Cloudflare, a major for profit corporation, is already delisting domains it deems offensive. When you start seeing those "server not found" errors for the sites you used to get your news from, do you think the end user will realize it's Cloudflare censors or will they assume it's the news site that has gone offline? Commercial dns providers have already shown they are willing to censor, now it's a matter of how far they will push it before people start to notice.

                    I'll say it again - only a fool uses a for profit corporation for their DNS. You're handing them the means to filter what you see and hear, and we already have enough of that bias in the media. Mozilla is feeding the beast and if you think THEY have altruistic intent then you haven't been watching.

                    • (Score: 2) by vux984 on Monday September 09 2019, @09:48PM (4 children)

                      by vux984 (5045) on Monday September 09 2019, @09:48PM (#891882)

                      "The only time you see code that ignores your network settings and intentionally bypasses any filters and firewall rules you may have setup is with malware. "

                      Don't be so dramatic. This also applies to pretty much all mainstream anti-virus/anti-malware. Take a look at what kaspersky, mcafee, symantec, etc products do.

                      Firefox also isn't the first browser to contemplate this: Tor browser does it too; so that it doesn't generate DNS lookups from the client.

                      Given that browsers run in a sandbox, steadily approaching a full virtual machine, in an ongoing effort to secure the browser, is it any surprise, or even that surprising, that this is happening? I wouldn't be surprised if Google follows suit, but points everyone to their own name servers by default.

                      Lots of other software I've seen runs all its network traffic through its own proxy services. This is HARDLY revolutionary.

                      Verizon violated the ICANN rules regarding operation of root servers.

                      So... "never in the history of the internet" to... "oh yeah Verisign did it, but we got really mad so it's ok NOW". That's not the first time we've gotten mad at Verisign, nor the most recent. There was that time in 2010 they got breached and tried to hide it -- I guess that's ok from critical trusted internet infrastructure right? Or that time they seized 82 domains after a court told them to... paragons of virtue.

                      The gall of Mozilla to assume everyone using FireFox knows or wants this "feature" is beyond belief.

                      Mozilla is assuming joe sixpack DOESN'T know anything about this feature, or how DNS works at all for that matter. And they'd be correct.

                      You don't make it mandatory.

                      It's not mandatory.

                      You don't override the end users network without permission.

                      It would be overriding the network if it affected anything OUTSIDE of the browser. It doesn't.

                      I'll say it again - only a fool uses a for-profit corporation for their DNS. You're handing them the means to filter what you see and hear, and we already have enough of that bias in the media. Mozilla is feeding the beast and if you think THEY have altruistic intent then you haven't been watching.

                      Hey I agree. P2P distributed DNS for the win. But that's a solution for tomorrow maybe. This is a solution for today.

                      Most people aren't set up to query the root servers directly via encryption. (Assuming you want to trust the root servers.) Most people are querying ISPs and/or Google. THIS is better than THAT.

                      • (Score: 2) by The Shire on Monday September 09 2019, @10:24PM (3 children)

                        by The Shire (5824) on Monday September 09 2019, @10:24PM (#891910)

                        Antivirus software does not override your network settings.

                        Tor is a product designed to circumvent filters, that's its purpose. Firefox is not. If Mozilla wants Firefox to behave like Tor then perhaps they should retire Firefox and start promoting Tor as their mainstream browser.

                        It's not mandatory.

                        It is mandatory. When the new release arrives it will be on by default and cannot be turned off without doing some fancy footwork on the network, and even then you can't be entirely sure it's turned off. If it's voluntary then it should have an on/off switch in the options dialog but they have already indicated it will not. This is a hidden "feature" designed such that people will be unaware their queries are being redirected. IMO its behavior is that of malware.

                        It would be overriding the network if it affected anything OUTSIDE of the browser. It doesn't.

                        Browser functionality is an integral part of enterprise and personal interaction on the internet. Until now, browsers have behaved like all internet enabled apps - they use the system networking configuration. To silently override it is going to cause all manner of confusion when intranets cease to function because the browser isn't using the local dns. And when you choose to telecommute but your browser isn't working with the company network even though you have your dns pointed at it because the browser is quietly ignoring your preferences.

                        Look, a browser is a network application. By design it should use your network's configuration, not go rogue. And this "solution" doesn't even fix the problem. It's of no consequence whether your ISP is collecting your DNS query data or Cloudflare is. Don't forget that all HTTPS connections can already be monitored by your ISP by extracting the plain text SNI connection information - so they already know the domain you're going to hit. All Mozilla is doing is handing that same data to yet another 3rd party, Cloudflare. It doesn't benefit the end user, it harms them by spreading their data to yet another profit-motivated data miner. This only benefits Mozilla and Cloudflare. There is no helping hand here - there's only forced data mining.

                        • (Score: 2) by vux984 on Tuesday September 10 2019, @01:11AM (2 children)

                          by vux984 (5045) on Tuesday September 10 2019, @01:11AM (#891973)

                          "Antivirus software does not override your network settings."

                          Many antivirus packages include full-on VPN services that route all your traffic through the A/V provider's site, under the guise of 'network security features' to protect you when on wifi and so forth. Then they install certificates and proxy the sites you visit so that they can scan the pages for malware content before your browser gets them. Your browser doesn't even see the certificates the site hosts; if you click the certificate information you'll see the A/V vendor's certificates. This is also under the auspices of protection.

                          That's overriding your network settings in my books.

                          "When the new release arrives it will be on by default and cannot be turned off without doing some fancy footwork on the network,"

                          Are you sure? My reading is that it will be switched on by default, and the fancy footwork on the network is to allow you to signal to Firefox, with it turned on, not to use it there WHILE it's still enabled. But the user can still turn it off manually. Where did you read that it would not be something that you could turn off? I am willing to concede that point if you can cite it; and it would even go a long way to convincing me that Mozilla is in the wrong here.

                          Don't forget that all HTTPS connections can already be monitored by your ISP by extracting the plain text SNI connection information - so they already know the domain you're going to hit.

                          Encrypted SNI is a thing; and that is a component of this endeavour...
                          https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/ [mozilla.org]

                          It's of no consequence if your ISP is collecting your DNS query data or Cloudflare is.

                          Depends who you trust; and where you are; and who that ISP is. Some are substitutable with Cloudflare but most are worse.

                          It doesn't benefit the end user it harms them by spreading their data to yet another profit motivated data miner.

                          A data miner scrubbing your data after 24 hours as part of this service. If you want to refuse to believe they are doing it because you don't like Cloudflare, or something, that's fine. But if they are doing what they publicly commit to doing, what exactly is the problem? Oh, and you can ALSO select a different DoH provider; it doesn't have to be Cloudflare. That's not forced either.
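The SNI point argued back and forth above is easy to make concrete. The following is an added example, not code from the thread, from Mozilla or from any ISP: it constructs a minimal TLS ClientHello carrying a server_name extension (RFC 6066) and then parses the hostname back out of the raw record, which is all a passive observer on the path has to do to learn which site you are connecting to, DoH or not. With Encrypted SNI the cleartext server_name extension is not present, so the same parser would come back empty; that is the gap the linked Mozilla post is about. The hostname and every byte here are constructed inline; nothing is read from a network.

```python
"""Added example: build a tiny TLS ClientHello with an SNI extension and
recover the hostname from it the way a passive observer would.  The hello
is a constructed, minimal one (one cipher suite, one extension), not a
capture; real hellos carry many more fields but the same layout."""
import struct
from typing import Optional

CLIENT_HELLO_TYPE = 0x01       # HandshakeType client_hello
HANDSHAKE_RECORD = 0x16        # ContentType handshake
EXT_SERVER_NAME = 0x0000       # RFC 6066 server_name extension
SNI_HOST_NAME = 0x00           # NameType host_name


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Constructed ClientHello record. With include_sni=False the hello has
    no extensions block at all, which is what an observer sees when the
    client does not send a cleartext server name."""
    extensions = b""
    if include_sni:
        host = server_name.encode("ascii")
        name_list = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        ext_data = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(ext_data)) + ext_data
        extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)            # client_version, 32-byte random
            + b"\x00"                           # session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"  # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # compression_methods: null only
            + extensions)
    handshake = bytes([CLIENT_HELLO_TYPE]) + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if
    the record is not a ClientHello or carries no cleartext server name.
    Every read is bounds-checked so hostile or truncated input cannot
    raise; a parser that sits on a network tap must never crash on it."""
    try:
        if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO_TYPE:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        if pos + 2 > len(body):
            return None                               # no extensions present
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME or len(data) < 2:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= min(list_end, len(data)):
                name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    hello = build_client_hello("news.example")
    print("observer sees:", extract_sni(hello))                      # news.example
    print("no SNI sent:", extract_sni(build_client_hello("x", include_sni=False)))
```

Run it and the hostname falls out of the first packet of the TLS handshake; a resolver change does nothing about that, which is why the Encrypted SNI work linked above matters to the privacy argument.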

                          • (Score: 2) by The Shire on Tuesday September 10 2019, @01:32AM (1 child)

                            by The Shire (5824) on Tuesday September 10 2019, @01:32AM (#891991)

                            You must admit this discussion is getting a little tedious. I think we understand each others positions.

                            I don't believe for a moment that Mozilla's or Cloudflare's motivations are any more than finding ways to improve their market share, data mine as much of the net's traffic as possible, and of course make money.

                            You seem to believe that both companies believe they can save end users from themselves and it's all about helping the little guy.

                            One of us is wrong.

                            • (Score: 2) by vux984 on Tuesday September 10 2019, @03:49PM

                              by vux984 (5045) on Tuesday September 10 2019, @03:49PM (#892248)

                              I don't think it is quite as either-or as you put it though, but sure, I'm good to agree to disagree. And see how it plays out.

                              I am also still very curious where you saw that Mozilla said they wouldn't let you turn it off via a setting?!

        • (Score: 0) by Anonymous Coward on Monday September 09 2019, @08:13AM (3 children)

          by Anonymous Coward on Monday September 09 2019, @08:13AM (#891583)

          Cloudflare has already started to delist domains it doesn't like. Some of them are truly terrible

          Like 8chan, which has more censorship than here?

          it's not the job of a dns provider to make those value judgements

          In 2019, it's the job of every part of the infrastructure to deny a platform to evviiiiiillll.

          • (Score: 2) by tangomargarine on Monday September 09 2019, @04:17PM (2 children)

            by tangomargarine (667) on Monday September 09 2019, @04:17PM (#891735)

            Like 8chan, which has more censorship than here?

            LOL. More than zero censorship?!? No way!

            Downmodding someone is not censoring them, because you can still see all the comments. Censorship would be removing the posts in question.

            Your fingers aren't broken. Just click the "expand" link.

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 0) by Anonymous Coward on Monday September 09 2019, @11:24PM (1 child)

              by Anonymous Coward on Monday September 09 2019, @11:24PM (#891933)

              You don't get it. 4chan, 8chan, etc remove posts. SoylentNews doesn't.

              • (Score: 2) by tangomargarine on Tuesday September 10 2019, @03:50PM

                by tangomargarine (667) on Tuesday September 10 2019, @03:50PM (#892249)

                I don't see why you're bringing Soylent into this conversation at all. It's like saying people who own over 7 guns per capita commit more shooting crimes than people who own 0 guns. I mean, sure, but...duh?

                --
                "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 0) by Anonymous Coward on Tuesday September 10 2019, @03:45AM

          by Anonymous Coward on Tuesday September 10 2019, @03:45AM (#892051)

          I can't access whirlpool.net.au anymore due to cloudfarce

          Assholes.

  • (Score: 1, Flamebait) by NateMich on Monday September 09 2019, @12:52AM (2 children)

    by NateMich (6662) on Monday September 09 2019, @12:52AM (#891472)

    I already can't use Firefox at work anymore (too much custom garbage only works on Chrome). When I want to work from home I now end up having to fire up Chrome here also.

    Pretty soon Firefox can announce that they are disabling images or JavaScript by default and it won't affect anyone.

    • (Score: 1, Insightful) by Anonymous Coward on Monday September 09 2019, @02:09AM (1 child)

      by Anonymous Coward on Monday September 09 2019, @02:09AM (#891492)

      Yep, Google Chrome is the only web browser that matters. Remember when Google promised not to make their own web browser? Those were the days. Remember when Google promised not to be evil? Those were the days.

      • (Score: 3, Insightful) by PiMuNu on Monday September 09 2019, @09:37AM

        by PiMuNu (3823) on Monday September 09 2019, @09:37AM (#891607)

        > Google Chrome is the only web browser that matters.

        No, alternatives to Chrome and derivatives matter *more* as they become more sparse.

  • (Score: 2) by deimtee on Monday September 09 2019, @04:15AM

    by deimtee (3272) on Monday September 09 2019, @04:15AM (#891536) Journal

    Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain name look-ups using DoH fail, Firefox will revert back to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.

    Anybody using this to access 'illegal' sites or content is going to occasionally end up dropped in the shit when cloudflare can't find the site and sends firefox back to your system DNS.

    --
    If you cough while drinking cheap red wine it really cleans out your sinuses.
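To make the "fallback mode" quoted above concrete, here is an added example (not code from the thread, from Mozilla or from Cloudflare) of what a DoH client actually puts on the wire and of one illustrative fallback decision. RFC 8484 sends an ordinary RFC 1035 DNS message either as an HTTP POST body or, in the GET form shown here, base64url-encoded in a `dns` query parameter; the resolver URL is an assumed placeholder and all response bytes are constructed inline, so nothing is sent anywhere. The fallback policy is the one the quoted text describes (any DoH lookup that yields no usable answer goes back to the system resolver), labelled as illustrative rather than as Firefox's exact rule set. The canary-domain check at the end is the network-level opt-out Mozilla documented for this rollout: a network resolver that answers NXDOMAIN or an empty answer for use-application-dns.net tells the browser to leave DoH off.

```python
"""Added example: RFC 8484 DoH GET encoding, response header parsing and an
illustrative fallback-mode decision.  Offline only: the resolver URL is a
placeholder and both responses below are constructed by hand."""
import base64
import struct
from typing import Optional, Tuple

RESOLVER = "https://doh.example/dns-query"   # assumed endpoint, not a real one
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def build_dns_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """RFC 1035 wire-format query for `name` (type A by default).  RFC 8484
    recommends a zero transaction ID so identical questions produce identical
    request bytes, and so identical cacheable URLs in the GET form."""
    flags = 0x0100                                        # QR=0, RD=1
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the DNS message, '=' padding stripped,
    carried as the `dns` parameter of an otherwise ordinary HTTPS URL."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def parse_header(msg: bytes) -> Tuple[int, int]:
    """(RCODE, ANCOUNT) from a DNS response header; raises on a short body."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return flags & 0x000F, ancount


def should_fall_back(http_status: int, body: Optional[bytes]) -> bool:
    """Illustrative fallback-mode policy (not Firefox's exact rules): a DoH
    lookup that does not yield a usable answer, whether an HTTP/transport
    failure, an unparsable body or any non-NOERROR RCODE (NXDOMAIN included),
    is treated as failed and the name is retried through the OS resolver."""
    if http_status != 200 or not body:
        return True
    try:
        rcode, _ = parse_header(body)
    except ValueError:
        return True
    return rcode != RCODE_NOERROR


def canary_opts_out(rcode: int, ancount: int) -> bool:
    """Network opt-out: the system resolver's answer for the canary name
    use-application-dns.net.  NXDOMAIN or an answer with no records means
    'this network asks the browser not to use DoH'."""
    return rcode == RCODE_NXDOMAIN or ancount == 0


# Constructed responses to the question for news.example (no real traffic).
_question = build_dns_query("news.example")[12:]
# QR=1, RD=1, RA=1, RCODE=3 -> flags 0x8183
NXDOMAIN_RESPONSE = struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0) + _question
# QR=1, RD=1, RA=1, RCODE=0 -> flags 0x8180; one A record, name compressed to offset 12
A_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + _question
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(doh_get_url(RESOLVER, build_dns_query("example.com")))
    print("NXDOMAIN from DoH -> fall back to OS resolver:", should_fall_back(200, NXDOMAIN_RESPONSE))
    print("A record from DoH  -> fall back to OS resolver:", should_fall_back(200, A_RESPONSE))
    print("canary NXDOMAIN    -> network opts out of DoH:", canary_opts_out(RCODE_NXDOMAIN, 0))
```

The GET URL printed for example.com is the whole DoH request: to a middlebox it is one more HTTPS fetch to the resolver host, which is the "hidden in the deluge of HTTPS" property the story describes. The fallback function is also where deimtee's point lives: a name the DoH resolver will not answer is exactly the case that gets retried in the clear through the system DNS.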
  • (Score: 0) by Anonymous Coward on Monday September 09 2019, @04:50AM

    by Anonymous Coward on Monday September 09 2019, @04:50AM (#891548)

    Did they shove the DNS lookup returns into a database?
    Is that why the U.K. Internet Services Providers' Association is bitching?
    Will they need to hire someone to do reverse lookups now?
    Oh the agony.

  • (Score: 0) by Anonymous Coward on Monday September 09 2019, @12:07PM

    by Anonymous Coward on Monday September 09 2019, @12:07PM (#891632)

    DNS over USA
    or:
    DNS over CloudFlare.
    Generally we're dealing with a country which has government trojans, controls hardware and has been caught numerous times just acting illegally at the international level. We're speaking about a country whose citizens got externally infuriated by propaganda when shown what Mozilla's CEO is doing after work. Sorry, if he was doing his work well, it's not my arse to know whether he likes fishing, camping, fursuiting, worshiping Comrade Stalin or reconstructing Wehrmacht marches in his cellar :). We are speaking about a country which violates most laws "because terrorism" and people just like it. This insecurity of breaking any law at any time is called "security", even "national" security.
    We're speaking about a country which developed one of the worst surveillance mechanisms on a social level, and the only difference between it and the Chinese one is that the Chinese one is "bad" while the USA's is "good".
    I just don't buy it. This is not for security. This is not for privacy. This is just a data acquisition mechanism. They could have chosen any other solution. Popularize an encryption standard to let everyone pick their poison of choice. Or develop a distributed name system like OpenNIC from a decade ago. But no, they got Cloudflare, the company which tracks customers, installs malicious scripts and cookies on their devices, and fights with Tor users. This is not privacy at all.
    And one more thing: If someone sees that ISP is snooping and messing with traffic, how about using this "so much working" capitalism and just choosing another ISP? ;).
