On Mon, Aug 06, 2018 at 05:53:53PM +0100, Stuart Henderson wrote: > On 2018/08/05 20:53, Landry Breuil wrote: > > On Sun, Aug 05, 2018 at 11:22:07AM -0500, Ax0n wrote: > > > It looks like Mozilla is enabling these features by default for Firefox 62 > > > after a controversial Shield Study earlier this year. These override one's > > > system DNS preferences by default, relying on 3rd parties (currently > > > CloudFlare) for DNS. These features seem like they could do more harm than > > > good for all but the most casual of browser users. > > > * Adds complexity to troubleshooting browser issues > > > * Creates a single point of failure > > > * Sends private data from browsing to a third party without consent > > > > If you don't back your claims by actual trusted links about the matter > > (and not 'someone told it to me on IRC), this is pure FUD. > > > > The 'Shield Study earlier this year' is > > https://bugzilla.mozilla.org/show_bug.cgi?id=1446404, which is over, and > > there will be a new Shield Study for another TRR mode, but that only > > targets nightly users: > > https://bugzilla.mozilla.org/show_bug.cgi?id=1475321 > > > > And by the way, Shield Studies are disabled for new profiles on OpenBSD > > since last december (unless the pref has changed in the meantime..),cf > > https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/www/mozilla-firefox/files/all-openbsd.js?rev=1.4&content-type=text/x-cvsweb-markup > > > > To make sure, check that app.normandy.enabled is false in your profile. > > > > The TRR code *will* be complete on 62 for users to test it, but i'm not > > aware of any intention to turn it on by default, and i have my > > close-to-mozilla sources. > > > > More links on the matter: > > https://wiki.mozilla.org/Trusted_Recursive_Resolver > > https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/ > > https://www.ghacks.net/2018/03/20/firefox-dns-over-https-and-a-worrying-shield-study/ > > > > Right now, in beta (which will become 62) afaict TRR defaults to false: > > https://dxr.mozilla.org/mozilla-beta/source/modules/libpref/init/all.js#5260 > > > > > The "casual browser user" demographic likely has a very narrow if > > > nonexistent overlap with OpenBSD desktop/laptop users. Are there plans to > > > have these configuration settings disabled for the packaged versions of > > > Firefox in ports? If not, I would suggest at least adding a blurb about > > > these features to the install-message. > > > > The 'OpenBSD power user' knows there are plenty of knobs to frob. > > There's no point in adding a blurb to the README (that actually *noone* > > reads) for each and every setting in the world... > > > > Nothing to see yet. But as it's a serious privacy compromise *if* > mozilla do eventually decide to send DNS data to a (US-based) third > party by default and it's left on in the package, that damn well should > be listed, and I think in MESSAGE not just README ;-)
I never said i had plans to let it on by default if mozilla was going to do so. What ppl easily miss (because spreading FUD is easier) is that Cloudflare is used *for the experiment* *because they partnered with mozilla on the subject*, *with a specific privacy policy*, cf https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers#DNSPrivacyPublicResolvers-DNS-over-HTTPS(DOH) Everybody's going crazy about it, but it has never been said that CloudFlare was going to be the default for everyone. The current URL is empty, cf https://dxr.mozilla.org/mozilla-beta/source/modules/libpref/init/all.js#5263 There are other servers per https://github.com/curl/curl/wiki/DNS-over-HTTPS and you can selfhost your own with https://github.com/jedisct1/rust-doh So no, im not planning to add a MESSAGE (that nobody reads) or a section to the README (that nobody reads). If the defaults for network.trr.mode changes, i'll reset it to 0 or 5 in the default prefs so that it stays disabled. Landry
