Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-28 Thread Ross Vandegrift
On Sat, Sep 28, 2019 at 01:17:14AM -0400, Nicholas D Steeves wrote: > Florian Weimer writes: > > Cloudflare only promises to “never sell your data”. That doesn't > > exclude sharing it for free with interested parties. > > > > So a metadata leak (by design) to an unbounded number of entities, >

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-28 Thread Bastian Blank
On Sat, Sep 28, 2019 at 11:02:30AM +0200, Philipp Kern wrote: > > > https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/ Those two have one critical difference in

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-28 Thread Florian Weimer
* Philipp Kern: > It is probably worth pointing out that Firefox's use of Cloudflare's DoH > endpoint is governed by a different policy outlined here: > > https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/ Thanks. > Per that policy, other third parties can

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-28 Thread Philipp Kern
On 9/27/2019 12:23 PM, Florian Weimer wrote: [...] >> So currently DoH is strictly worse. > > Furthermore, you don't have a paid contract with Cloudflare, but you > usually have one with the ISP that runs the recursive DNS resolver. > > If you look at > >

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-27 Thread Nicholas D Steeves
Wouter Verhelst writes: > On Sun, Sep 08, 2019 at 11:17:13PM +0200, Marco d'Itri wrote: >> On Sep 08, Ondřej Surý wrote: >> >> > I would rather see an explicit statement. I would be very surprised >> > with Debian’s usual stance regarding the users’ privacy that we would >> > not consider

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-27 Thread Bjørn Mork
Robert Edmonds writes: > The entire DNS root zone is only 1 MB compressed and is updated about > once a day. It would be even better for privacy if the whole root zone > were distributed via HTTPS, as the initiator would not reveal to the > server any information about what TLD is being looked

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-27 Thread Florian Weimer
* Robert Edmonds: > The entire DNS root zone is only 1 MB compressed and is updated about > once a day. It would be even better for privacy if the whole root zone > were distributed via HTTPS, as the initiator would not reveal to the > server any information about what TLD is being looked up. > >

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-27 Thread Florian Weimer
* Adam Borowski: > Let's compare; by "ISP" I mean every hop on the network path. > > With local DNS: > * the target server knows about you (duh!) > * the ISP can read the destination of every connection > [reading the DNS packets, reading the IP header, reading SNI header] > * the ISP can block

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-15 Thread Amir H. Firouzian
Debian doesn't add an ESNI record into its name server. Check here (ONLINE dig): https://toolbox.googleapps.com/apps/dig/#TXT/ Check these two domains: _esni.debian.org _esni.cloudflare.com On Sun, Sep 15, 2019 at 5:31 AM Paul Wise wrote: > > On Sun, Sep 15, 2019 at 5:48 AM Anthony DeRobertis

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-14 Thread Paul Wise
On Sun, Sep 15, 2019 at 5:48 AM Anthony DeRobertis wrote: > On 9/13/19 7:05 AM, Simon Richter wrote: > > > > Mandatory Encrypted SNI with no fallback option -- everything else can be > > circumvented easily. > > > > This is a game that we should not play, really. It raises the cost of > > running

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-14 Thread Anthony DeRobertis
On 9/13/19 7:05 AM, Simon Richter wrote: > Mandatory Encrypted SNI with no fallback option -- everything else can be > circumvented easily. > > This is a game that we should not play, really. It raises the cost of > running a service on the Internet so only big players can afford to do so. Does it? I

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-14 Thread Amir H. Firouzian
Because the best privacy solution would be to embed a DNS resolver into Mozilla and have it query the root servers (which are managed by ICANN) to find the IPs of the TLD servers! I mean the "users’ privacy" is an opaque general definition; rather, there is a spectrum of techniques which protect us against mass

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Shengjing Zhu
On Sat, Sep 14, 2019 at 12:25 PM Shengjing Zhu wrote: > It's too native have such thoughts. It's never "too big to block". s/native/naive/ -- Shengjing Zhu

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Shengjing Zhu
On Fri, Sep 13, 2019 at 7:05 PM Simon Richter wrote: > > Hi, > > On Fri, Sep 13, 2019 at 12:28:23PM +0200, Marco d'Itri wrote: > > > > Note that by way of counterargument, Google and its services have > > > been blocked in mainland China by the Great Firewall for nearly a > > > decade now, so I

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Roger Lynn
On 09/09/19 14:40, Bjørn Mork wrote: > Ondřej Surý writes: >> Otherwise it doesn’t make any sense to remove external links to logos and JavaScript from the documentation and then send everything to one single US-based provider. > Exactly. I'd be worried if anything in Debian came preconfigured with

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Sam Hartman
> "Holger" == Holger Levsen writes: >> Mozilla really missed the ball on this one. OpenBSD already made >> the necessary changes to Firefox. I think we should, too. Holger> agreed. OK, so, it seems like the way we do things, that's going to be the firefox maintainer's decision.

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Evilham
On Fri, Sep 13 2019, Simon Richter wrote: > Hi, > > On Fri, Sep 13, 2019 at 12:28:23PM +0200, Marco d'Itri wrote: >> Note that by way of counterargument, Google and its services have >> been blocked in mainland China by the Great Firewall for nearly a >> decade now, so I question whether there

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Holger Levsen
On Thu, Sep 12, 2019 at 11:02:22PM +0200, Wouter Verhelst wrote: > Except DoH is *not* an anti-censorship feature. It is a feature that > provides a net reduction in privacy. agreed. > CloudFlare says that it won't read your DNS requests -- scout's honour! > -- but even if that's true and we can

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Marco d'Itri
On Sep 13, Ondřej Surý wrote: > > We are talking about preventing large scale censorship (I do not think > > that this is really about privacy) for *general users*: obviously *we* > > already know about countless workarounds. > That’s a false statement. Right now, we are talking about sending

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Simon Richter
Hi, On Fri, Sep 13, 2019 at 12:28:23PM +0200, Marco d'Itri wrote: > > Note that by way of counterargument, Google and its services have > > been blocked in mainland China by the Great Firewall for nearly a > > decade now, so I question whether there is really such a thing as > > "too big to

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Ondřej Surý
> On 13 Sep 2019, at 12:25, Marco d'Itri wrote: > > We are talking about preventing large scale censorship (I do not think > that this is really about privacy) for *general users*: obviously *we* > already know about countless workarounds. That’s a false statement. Right now, we are talking

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Marco d'Itri
On Sep 13, Jeremy Stanley wrote: > Note that by way of counterargument, Google and its services have > been blocked in mainland China by the Great Firewall for nearly a > decade now, so I question whether there is really such a thing as > "too big to block." This is a false dichotomy: not all

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Marco d'Itri
On Sep 13, Thomas Goirand wrote: > You shouldn't insist on always writing "their ISP", as if it was the > only choice. It isn't. One can set up his own recursive DNS locally, for > example. I've done this for years, as I didn't trust my ISP (first, in Sure, me too: but it does not matter, because

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-13 Thread Thomas Goirand
On 9/10/19 7:46 PM, Marco d'Itri wrote: > You obviously consider Mozilla's choices of trusted resolvers (currently > Cloudflare, hopefully others too in the future) a bigger privacy risk > for generic users (the one who use the browser defaults) than their ISP, > I disagree. You shouldn't

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Shengjing Zhu
// sent from my mobile device Jeremy Stanley wrote on Fri, Sep 13, 2019 at 06:51: > On 2019-09-12 22:27:39 +0200 (+0200), Simon Richter wrote: > [...] > > The idea for resilience is "too big to block". > > > > When Domain Fronting still worked with Google, people used this to > > circumvent censorship

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Jeremy Stanley
On 2019-09-12 22:27:39 +0200 (+0200), Simon Richter wrote: [...] > The idea for resilience is "too big to block". > > When Domain Fronting still worked with Google, people used this to > circumvent censorship because blocking it would have required > blocking Google, so cooperation from Google

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Wouter Verhelst
On Thu, Sep 12, 2019 at 11:43:33PM +0200, Marco d'Itri wrote: > On Sep 12, Wouter Verhelst wrote: > > > Except all they need to do is return NXDOMAIN on the > > "use-application-dns.net" domain, and Presto! they can spy on their > > users again. > They need to have a government to compel them to

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Marco d'Itri
On Sep 12, Wouter Verhelst wrote: > Except all they need to do is return NXDOMAIN on the > "use-application-dns.net" domain, and Presto! they can spy on their > users again. They need to have a government to compel them to do it, which is not obvious. And then Mozilla will disable that (you can

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Wouter Verhelst
On Tue, Sep 10, 2019 at 07:56:48PM +0200, Julien Cristau wrote: > On Tue, Sep 10, 2019 at 08:24:03 +0200, Ondřej Surý wrote: > > > > On 9 Sep 2019, at 15:31, Bjørn Mork wrote: > > > > > > I for one, do trust my ISPs a lot more than I trust Cloudflare or > > > Google, simply based on the

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Wouter Verhelst
On Sun, Sep 08, 2019 at 11:17:13PM +0200, Marco d'Itri wrote: > On Sep 08, Ondřej Surý wrote: > > > I would rather see an explicit statement. I would be very surprised > > with Debian’s usual stance regarding the users’ privacy that we would > > not consider this as a privacy violation, but

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Simon Richter
Hi, On Thu, Sep 12, 2019 at 06:52:47PM +0200, Adam Borowski wrote: > > I still believe that generic users are better served by deploying more > > censorship-resistant protocols than by worrying that Cloudflare (or > > whoever else) would violate the privacy requirements mandated by > >

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Clément Hermann
Le September 12, 2019 4:52:47 PM UTC, Adam Borowski a écrit : >On Tue, Sep 10, 2019 at 07:46:57PM +0200, Marco d'Itri wrote: >> On Sep 09, Adam Borowski wrote: >> >> > With DoH: >> > * the target server knows about you (duh!) >> > * the ISP can read the destination of every connection >> >

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Ondřej Surý
What? How did you manage to go from me suggesting disabling DoH by default to CloudFlare in Firefox without explicit user consent to an attack on ICANN? But I guess that this alternative DNS root nonsense will just never die, so I should not be really surprised. -- Ondřej Surý > On 12 Sep

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Amir H. Firouzian
Then you should ask why we have ICANN in the first place! PS: https://en.wikipedia.org/wiki/OpenNIC On Sun, Sep 8, 2019 at 11:01 PM Ondřej Surý wrote: > > Hi, > > I haven’t found any discussion on the topic (although I haven’t searched very > hard and only looked for DoH and DNS keywords in

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Bastian Blank
On Thu, Sep 12, 2019 at 06:26:34PM +0200, Marc Haber wrote: > Will DOH break corporate web apps that are accessed over a VPN (and > thus only resolvable via the local resolver)? Or has Mozilla catered > for that? Please see https://wiki.mozilla.org/Trusted_Recursive_Resolver. network.trr.mode=2

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Ansgar
Adam Borowski writes: > On Tue, Sep 10, 2019 at 07:46:57PM +0200, Marco d'Itri wrote: >> Well, no. They cannot without significantly more expensive hardware to >> do DPI and a *totally different* legislative framework. >> (Source: I have been dealing with government-mandated censorship in >>

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Adam Borowski
On Tue, Sep 10, 2019 at 07:46:57PM +0200, Marco d'Itri wrote: > On Sep 09, Adam Borowski wrote: > > > With DoH: > > * the target server knows about you (duh!) > > * the ISP can read the destination of every connection > > [reading the IP header, reading SNI header] > > * the ISP can block such

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-12 Thread Marc Haber
On Mon, 9 Sep 2019 00:38:03 +0200, Adam Borowski wrote: >With local DNS: >* the target server knows about you (duh!) >* the ISP can read the destination of every connection > [reading the DNS packets, reading the IP header, reading SNI header] >* the ISP can block such connections > [blocking

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-11 Thread Ulrike Uhlig
Hi! Thank you for raising this topic! On 09.09.19 07:56, Ondřej Surý wrote: > We can discuss (and it has been discussed) ad nauseam, but the point is that > nobody (certainly I am not) is asking for crippling DoH, but I just strongly > believe it’s in the line with other Debian work that we

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-11 Thread Andy Simpkins
On 11/09/2019 06:16, Ingo Jürgensmann wrote: > On 10.09.2019 at 07:50, Florian Lohoff wrote: >> On Mon, Sep 09, 2019 at 03:31:37PM +0200, Bjørn Mork wrote: >>> I for one, do trust my ISPs a lot more than I trust Cloudflare or >>> Google, simply based on the jurisdiction. >> There are tons of setups

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-11 Thread Ingo Jürgensmann
On 10.09.2019 at 07:50, Florian Lohoff wrote: > On Mon, Sep 09, 2019 at 03:31:37PM +0200, Bjørn Mork wrote: >> I for one, do trust my ISPs a lot more than I trust Cloudflare or >> Google, simply based on the jurisdiction. > There are tons of setups which are fine tuned for latency because they

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-10 Thread Anthony DeRobertis
On September 8, 2019 10:38:03 PM UTC, Adam Borowski wrote: >DoH doesn't stop ISP-based spying nor censorship. Firefox, I believe, already supports encrypted SNI (in nightly at least). Cloudflare does too. So fully deployed, your ISP can only tell that you're connecting to Cloudflare,

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-10 Thread Jeremy Stanley
On 2019-09-10 19:56:48 +0200 (+0200), Julien Cristau wrote: [...] > How is this worse than what we're already doing by default, namely > sending the same data to whoever happens to be on the network, in > addition to whoever happened to be listed in an unauthenticated > dhcp response? (Which, if

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-10 Thread Julien Cristau
On Tue, Sep 10, 2019 at 08:24:03 +0200, Ondřej Surý wrote: > > On 9 Sep 2019, at 15:31, Bjørn Mork wrote: > > > > I for one, do trust my ISPs a lot more than I trust Cloudflare or > > Google, simply based on the jurisdiction. > > While I still strongly agree with you on this one (even though I

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-10 Thread Marco d'Itri
On Sep 09, Adam Borowski wrote: > With DoH: > * the target server knows about you (duh!) > * the ISP can read the destination of every connection > [reading the IP header, reading SNI header] > * the ISP can block such connections > [blocking actual connection] Well, no. They cannot without

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-10 Thread Ondřej Surý
> On 10 Sep 2019, at 09:38, Yao Wei wrote: > > On Tue, Sep 10, 2019 at 08:24:03AM +0200, Ondřej Surý wrote: >> While I still strongly agree with you on this one (even though I think all >> major ISPs here are scumbags, especially the incumbent), I still strongly >> think we should not have this

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-10 Thread Yao Wei
On Tue, Sep 10, 2019 at 08:24:03AM +0200, Ondřej Surý wrote: > While I still strongly agree with you on this one (even though I think all > major ISPs here are scumbags, especially the incumbent), I still strongly > think we should not have this debate here, and we should turn this around > the

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-10 Thread Ondřej Surý
> On 9 Sep 2019, at 15:31, Bjørn Mork wrote: > > I for one, do trust my ISPs a lot more than I trust Cloudflare or > Google, simply based on the jurisdiction. While I still strongly agree with you on this one (even though I think all major ISPs here are scumbags, especially the incumbent), I

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-09 Thread Florian Lohoff
On Mon, Sep 09, 2019 at 03:31:37PM +0200, Bjørn Mork wrote: > I for one, do trust my ISPs a lot more than I trust Cloudflare or > Google, simply based on the jurisdiction. There are tons of setups which are fine tuned for latency because they are behind sat links etc or low bandwidth landlines.

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-09 Thread Bjørn Mork
Ondřej Surý writes: > On the privacy topic... > > Slides: https://irtf.org/anrw/2019/slides-anrw19-final44.pdf > Paper: https://dl.acm.org/authorize.cfm?key=N687437 And also section 8 of https://tools.ietf.org/html/draft-reid-doh-operator-00 > And you can get to the video recording from the

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-09 Thread Robert Edmonds
The entire DNS root zone is only 1 MB compressed and is updated about once a day. It would be even better for privacy if the whole root zone were distributed via HTTPS, as the initiator would not reveal to the server any information about what TLD is being looked up. There are currently ~1500

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-08 Thread Ondřej Surý
On the privacy topic... Slides: https://irtf.org/anrw/2019/slides-anrw19-final44.pdf Paper: https://dl.acm.org/authorize.cfm?key=N687437 And you can get to the video recording from the ANRW 2019 pages: https://irtf.org/anrw/2019/program.html We can discuss (and it has been discussed) ad

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-08 Thread Ondřej Surý
DNSCurve - probably never. DoT - the current profiles are stub to resolver; when there are profiles for resolver to authoritative and solid support in the software, the RSSAC will surely talk about this. The deployment will have an impact (switching all traffic to TCP? Yay?). DoH - I am not sure

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-08 Thread Paul Wise
On Mon, Sep 9, 2019 at 2:31 AM Ondřej Surý wrote: > Mozilla plans to enable DoH to CloudFlare by default to US based users Does anyone know if there is any plan for the DNS root servers to enable any of the DNS privacy options? AFAIK the available options are DNSCurve, DoT or DoH. -- bye, pabs

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-08 Thread Adam Borowski
On Sun, Sep 08, 2019 at 11:17:13PM +0200, Marco d'Itri wrote: > On Sep 08, Ondřej Surý wrote: > > > I would rather see an explicit statement. I would be very surprised > > with Debian’s usual stance regarding the users’ privacy that we would > > not consider this as a privacy violation, but

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-08 Thread Jeremy Stanley
On 2019-09-08 23:17:13 +0200 (+0200), Marco d'Itri wrote: [...] > I think that this is a privacy enhancement, since it prevents some > major ISPs from spying on users DNS queries. [...] While at the same time legitimizing Cloudflare spying on users' DNS queries, right? How is one necessarily

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

2019-09-08 Thread Marco d'Itri
On Sep 08, Ondřej Surý wrote: > I would rather see an explicit statement. I would be very surprised > with Debian’s usual stance regarding the users’ privacy that we would > not consider this as a privacy violation, but again I am not Firefox > maintainer in Debian and I would rather hear