7 votes

Centralised DNS-over-HTTPS is bad for privacy, in 2019 and beyond

10 comments

  1. [5]
    babypuncher
    (edited )

    These DoH hit pieces make absolutely no sense. They argue against the use of it, and cite reasons that have literally nothing to do with the underlying technology whatsoever.

    Their cause for concern is that Firefox is beginning to use Cloudflare over DoH by default for US-based users, and that Cloudflare is a US-based company subject to US laws. Now I'm no rocket scientist, but any DNS provided by affected users' ISPs is going to be subject to those same laws causing the concern, while not encrypting the requests or making a promise not to divulge your request history to third parties. Everything about this is a net win in terms of privacy, for the people actually affected by Mozilla's change.

    The prevalence of these takedowns of DoH has me feeling a little tinfoil-hatty. It seems like someone doesn't want use of DoH to become widespread.

    11 votes
    1. skybrian

      I don't think there's any reason to assume conspiracy. For some people, decentralized is good and centralized is bad, and that's all there is to it. (Consider the cryptocurrency true believers.)

      As a programmer, I find decentralized technology is often just as worrisome. Why would you want to launch a process that no organization can change or stop? We all make mistakes and being able to deploy ad-hoc fixes is often essential.

      6 votes
    2. [3]
      Deimos
      (edited )

      There's still no real benefit to involving Cloudflare.

      The user's ISP is generally going to know which sites they're visiting regardless of whether they use a different DNS server or not. If someone visits Tildes, they'll send a DNS request, get back a response of 54.39.48.216, and then start sending HTTPS traffic to that IP. There aren't any other sites on that IP address, so it's still obvious from the ISP's perspective that they're using Tildes, even without being able to see the DNS request for it. How does also telling Cloudflare that the user is going to Tildes improve anything in this situation?

      I'm not certain about this, but I believe there are different laws or privacy provisions between users and their ISPs that don't apply in the same way to third parties, which Cloudflare would be considered.

      Also, a lot of the paranoia is because Mozilla has been keeping quiet about their plans for non-US users. They could easily shut a lot of it down by just saying they aren't going to use Cloudflare for anyone outside the US, or maybe aren't even going to enable DoH by default for non-US users, but they're not doing that. It doesn't necessarily mean that they are planning to, but the silence isn't helping and makes it seem like they at least want to keep it as a possibility.

      6 votes
      1. Luna
        (edited )

        > How does also telling Cloudflare that the user is going to Tildes improve anything in this situation?

        You say "also" as if there's a party involved that wasn't involved before. Rather than use <other DNS>, now you're using Cloudflare. It's replacing one party with a different party. If Google were to default to 8.8.8.8 for Chrome, you wouldn't "also" be telling Google your DNS requests, you'd be telling Google instead of your OS's default DNS server.

        > There aren't any other sites on that IP address, so it's still obvious from the ISP's perspective that they're using Tildes, even without being able to see the DNS request for it.

        > I'm not certain about this, but I believe there are different laws or privacy provisions between users and their ISPs that don't apply in the same way to third parties, which Cloudflare would be considered.

        First, the state of DNS servers provided by ISPs is...bad, to put it lightly. When I switched my mom from CenturyLink DNS to Google DNS, my mom asked what I did to make it faster before I had even told her I had changed anything (the initial connection times were noticeably better). When I had to change my DNS to Spectrum's for modem registration (but didn't remember to change it back), I found intermittent problems related to some non-CC TLDs randomly not returning A records. Verizon's DNS is also terrible, with some NOAA domains simply being unreachable, or they'll only return an A record 1 in 10 tries. Cloudflare DNS (1.1.1.1, not even DoH) never has any problems for obscure NOAA domains or weird TLDs. Using ISP-provided DNS servers is simply a bad idea, and even Google fails to measure up to Cloudflare with regards to speed.

        Second, it's perfectly legal (in the US) for ISPs to sell all the data they can gather on you. Why give them exact knowledge of which domains on Fastly, Cloudfront, Akamai, etc. you're visiting? Being able to say "this user visited <websites> on <dates/times>" is much more valuable than "this user visits <CDN IPs> all day, which could be for one of several thousand domains". Cloudflare also claims they won't sell your data, which could be an outright lie, but they have more at risk if they get caught lying than American ISPs (what are you gonna do, switch to dial-up?).

        > There's still no real benefit to involving Cloudflare.

        What's the alternative at the moment? Personally, I see this as a win - ISPs can't earn as much money from selling our traffic, it's faster, more secure, and more reliable.

        5 votes
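Added example, not part of any comment in the thread: a small Python model of the two arguments above, Deimos's single-site IP and Luna's shared CDN addresses, showing what an ISP can attribute a connection to with plaintext DNS versus DoH. The hosting map and the `.example` names are constructed, `tildes.net` is taken to be the site at the IP quoted in the thread, and the model covers only DNS and destination IP, not other cleartext such as TLS SNI.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS question in RFC 1035 wire format, as sent in clear over UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def observed_qname(packet):
    """Recover the queried name the way a passive on-path observer would."""
    pos, labels = 12, []  # the question starts after the 12-byte header
    while packet[pos] != 0:
        n = packet[pos]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

# Constructed hosting map (IP -> names served from it).
HOSTING = {
    "54.39.48.216": {"tildes.net"},  # IP quoted in the thread; one site only
    "203.0.113.10": {"shop.example", "news.example",      # constructed shared
                     "forum.example", "clinic.example"},  # CDN edge address
}

def isp_candidates(site, ip, plaintext_dns):
    """Sites the ISP can attribute one connection to.

    plaintext_dns=True: the query crosses the ISP in clear, name is read directly.
    plaintext_dns=False: the same message is the body of an HTTPS request to the
    resolver (DoH), so only the destination IP of the later connection is left.
    """
    if plaintext_dns:
        return {observed_qname(build_query(site))}
    return set(HOSTING[ip])

if __name__ == "__main__":
    for site, ip in [("tildes.net", "54.39.48.216"), ("clinic.example", "203.0.113.10")]:
        for clear in (True, False):
            print(site, "plaintext DNS" if clear else "DoH", sorted(isp_candidates(site, ip, clear)))
```

For the single-site IP the candidate set is the same either way; for the shared address DoH widens it from one name to every name hosted there.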
      2. dblohm7

        > They could easily shut a lot of it down by just saying they have no intention to use Cloudflare for anyone outside the US, but they're not doing that. It doesn't necessarily mean that they are planning to, but the silence isn't helping and makes it seem like they at least want to keep it as a possibility.

        I agree!

        2 votes
  2. [4]
    dblohm7

    (Disclaimer, personal opinion, I have nothing to do with DoH decisions or engineering at Mozilla, etc, etc).

    Lost me at the "before and after" section. Most of the FUD about this has been the suggestion that all global DoH traffic is going to be sent to some provider who will be under Uncle Sam's thumb.

    7 votes
    1. JakeTheDog

      This is where I'm confused, too. Why aren't there other "trusted" providers?

      3 votes
    2. [2]
      Deimos

      Has Mozilla announced anything about their plans for DoH outside the USA yet?

      2 votes
      1. dblohm7

        Not that I know of.

        4 votes
  3. JakeTheDog

    Could someone please explain why Cloudflare is apparently the only option (at least so far)? It seems to be the focus of the arguments against DoH. I'm a layman so I don't know why Cloudflare is so unique here. Why couldn't, say, a trusted VPN provider provide DoH service too? (Assuming you can't use a VPN in that instance, which I understand negates the need for DoH?)

    2 votes