On 4/13/20, Reco  wrote:
>       Hi.

Hi

> On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
>> > The questionable idea behind DOH is that the browser makers do not
>> > trust
>> > your local resolver.
>>
>> Mozilla claims it's a privacy issue:
>> https://support.mozilla.org/en-US/kb/firefox-dns-over-https
>
> It's a privacy issue along with the other things.
> With the default settings the Firefox user is handing all DNS resolution
> to Cloudflare. Not an equivalent to complete browsing history, but close
> enough.

Right.  The ISP can't see what names the user is looking up but
Cloudflare sees every single one.  On the other hand, take a look at
  https://wiki.mozilla.org/Security/DOH-resolver-policy

Not that I understand my ISP's privacy policy, but I don't see anything like
  [will not] sell, license, sublicense, or grant any rights to user data to
  any other person or entity.
in my ISP's privacy policy.  So at least in that sense, handing my
data to Cloudflare is better than letting my ISP have it.

>> > 1) One can use a local resolver with the ability *not* to resolve
>> > certain DNS queries, which refer to the sites which just happen to
>> > contain advertisements, fingerprinting, tracking, cryptomining etc.
>> > Since all two major browser makers (Google and Mozilla) happen to rely
>> > on revenue generated by advertising *and* users' browsing habits this
>> > obviously can not be tolerated.
>>
>> Wasn't there a fairly recent kerfuffle about an upcoming change to
>> chrome that would break things like the uMatrix addon?
>
> There was, indeed.
>
>
>> If firefox wasn't a viable alternative to chrome, what are the chances
>> that change would have been implemented?
>
> It is implemented already, it's just there are alternatives to
> declarativeNetRequest that are working - so far.

Ahh.  I thought Google backed down on the change.
I don't use chrome, so I don't follow what they're doing other than
reading the occasional news article.

>> > 3) Bad guys and gals can hijack DNS too, to the usual hilarious
>> > results.
>>
>> And the bad guys and gals can use DOH to "hide" their traffic and
>> circumvent things like pihole.
>
> There is tor or i2p for *that* already.

Right.  Again :)

>> I just did a quick search and couldn't find anything for smart TVs
>> using DOH.
>
> Probably because they aren't there yet. A typical smart TV is based on
> the Android, and Google haven't said their word about DOH so far.
>
>
>> > With the advent of HTTPS all this may be seen as moot points (if you're
>> > redirected elsewhere the certificate validation should fail), but
>> > nevertheless DOH is forced upon the collective throat of Firefox users
>> > as we speak (and Chrome users are likely to follow them Soon™).
>> > Currently a Firefox user is supposed to trust Cloudflare to do DNS
>> > queries for them, and HTTPS is used for this purpose because Security™.
>>
>> For some values of "security", DOH _is_ more secure.
>
> As far as the "last mile" is concerned - maybe.

How about as far as the "end user" is concerned? (which is what I
thought we were talking about -- clueless end-users having doh forced
on them)

> As far as the whole
> Internet goes - not so much as overall security of DNS queries depends
> on DNSSEC implemented in every zone (and it ain't there yet).

Unfortunately, yes.  DNSSEC adoption is way below where I was hoping it'd be.

>> How many people use a dnssec validating resolver?
>
> See above. Besides, DNSSEC is for integrity of zones, not privacy.
> You need DNS-over-TLS if you need the latter.

"integrity of zones" is part of "security" - yes?
DoT or DoH - either one gets you privacy from your ISP
DoT is easy to block, DoH is harder to block, so somewhat censorship resistant?

>> At least Cloudflare resolvers have dnssec enabled.
>
> *And* the ability to see users' DNS queries. Neat, right?

Yup, and probably a net win for people that don't have a clue about
dns .. or at least people in the US.  Do people in the EU have to
worry about their ISP selling their usage data?

Regards,
Lee
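As an added illustration of the DoH and DNSSEC points raised in the thread above (example code written for this page, not from either poster or from any project): the block builds an RFC 8484 DoH query in DNS wire format with the EDNS0 DO bit set, wraps it in the GET form a browser or stub resolver would send over port 443, and then checks a resolver response for the AD ("authenticated data") flag, which is how a validating resolver such as the Cloudflare one mentioned above signals that it validated DNSSEC for the answer. The resolver endpoint URL and the two response messages are constructed for the example; nothing is sent over the network.

```python
"""DoH (RFC 8484) query construction and DNSSEC AD-flag check.

Added example for this thread, not code from the thread itself.
The endpoint URL is an assumption (any RFC 8484 resolver works) and
the two sample responses below are constructed inline.
"""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumed endpoint for illustration

# DNS header flag bits (second 16-bit word of the 12-byte header)
FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data: resolver validated DNSSEC
FLAG_CD = 0x0010   # checking disabled (client asked resolver not to validate)
EDNS_DO = 0x8000   # "DNSSEC OK" bit in the OPT pseudo-record's TTL field


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed DNS labels, root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        lb = label.encode("ascii")
        if not 0 < len(lb) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(lb)]) + lb
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query: RD set, one question, one EDNS0 OPT record with DO=1.
    ID is 0, as RFC 8484 recommends, so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the wire message, base64url-encoded without padding,
    in the 'dns' query parameter. On the wire this is ordinary HTTPS on 443,
    which is why DoH is harder to block than DoT on its dedicated port 853."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, b64)


def parse_header(msg: bytes) -> dict:
    """Decode the fields of the DNS header we care about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answers": an,
    }


def dnssec_validated(msg: bytes) -> bool:
    """True only if the resolver returned NOERROR and asserted AD.
    AD is a claim made by the resolver, so it is only worth trusting when the
    resolver itself was reached over an authenticated channel (DoH or DoT)."""
    h = parse_header(msg)
    return h["rcode"] == 0 and h["ad"]


# Constructed sample responses (not captured traffic). 192.0.2.1 is TEST-NET-1.
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
# Flags 0x8180 = QR|RD|RA, NOERROR; validating resolver additionally sets AD.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0, 0x8180 | FLAG_AD, 1, 1, 0, 0) + _QUESTION + _ANSWER
# Same answer from a resolver that did not (or could not) validate: no AD bit.
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print("validated:", dnssec_validated(SAMPLE_VALIDATED))
    print("unvalidated:", dnssec_validated(SAMPLE_UNVALIDATED))
```

The two sample responses carry the identical answer record; the only difference is the AD bit, which is the whole of what "a dnssec validating resolver" adds from the client's point of view. A stub that wants the resolver to validate should send DO=1 and leave CD clear, as `build_query` does, and should treat AD as meaningful only when the transport to the resolver is itself authenticated.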
