Fearing Drama, Mozilla Opens Public Consultation Before Worldwide Firefox DoH Rollout (zdnet.com)
Mozilla today opened a public comment and consultation period on the ways it could enable support for the controversial privacy-centric DNS-over-HTTPS (DoH) protocol inside Firefox. From a report: The browser maker's decision to open a rare public consultation period comes after the organization faced criticism last year in the UK for its plans to support DoH inside Firefox. UK government officials, law enforcement agencies, and local internet service providers criticized Mozilla for developing and wanting to roll out DoH, a feature they said could help suspects bypass enterprise firewalls and parental-control blocklists -- even earning the browser maker a nomination for an "Internet Villain" award from a local ISP. All of last year's hoopla was caused by DoH, a protocol that carries ordinary DNS queries over HTTPS rather than replacing the Domain Name System itself. Classic DNS queries travel in clear text (normally on port 53), where anyone on the path, the ISP included, can read or rewrite them; DoH encrypts the same queries inside a TLS connection to a DoH resolver, so on-path observers see only what looks like normal HTTPS web traffic.
Re: (Score:3)
How about a consultation on xul and pocket
XUL as an extension mechanism had reached the end of its useful life. It was designed long ago when multi-threaded performance wasn't a consideration (dual CPU was rare then, and aimed at high end compute, not low end desktop use) and the security landscape was different. If they kept XUL, firefox would be slow and you'd be whinging bitterly about "how about a consultation on being SLOW".
And as for pocket, well, I like pocket.
What you mean by "How about a consulta
Re: (Score:2)
I'm happily still using XUL within Waterfox and have features and customizability options that standard Firefox users don't get. And no, it's not slow, not even on an 8-year-old CPU. But I block all the privacy-invading junk so perhaps that's why my browser isn't slow.
What I'd like to know is what ISP called Firefox an "Internet Villain" because they'll not be able to spy on users as much as before. Of course I'd expect most Slashdotters to have set DNS servers manually for speed or privacy or both.
Re: (Score:2)
Re: (Score:1)
> If they kept XUL, firefox would be slow
Why, they're still slow and slower.
Mozilla was always horribly slow, but older versions are much faster than current versions. Even older versions are still capable of rendering most current HTML + CSS.
> why didn't they ask me and do what I wanted
The idiots at mozilla with their groupthink feedback loop are despicable, but their clueless fanbois are even worse
Re: How about a consultation on xul and pocket (Score:3)
Re: (Score:3)
Exactly what I was thinking. When have they ever paid attention to their users?
They are going to go ahead with DoH regardless of what anyone has to say about it.
As long as they continue to support a setting to disable [slashdot.org] it, does it really matter? (Can be set in "user.js" or via Network Connections Settings GUI checkbox.)
Re: How about a consultation on xul and pocket (Score:4, Informative)
You can also trivially stop DoH by returning NXDOMAIN to queries for use-application-dns.net. See https://support.mozilla.org/en... [mozilla.org]
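The canary mechanism in the comment above, together with the article's description of DoH as DNS queries hidden inside HTTPS, as a worked example added here (this is not code from the article, from Mozilla or from Firefox): a small pure-Python DNS wire-format builder and parser that (a) wraps a query in the RFC 8484 GET form a DoH client sends and (b) applies the canary decision to a resolver's answer. The canary name is the one from the Mozilla support page linked above; the decision rule (NXDOMAIN, or NOERROR with no A/AAAA record, turns DoH off) is restated from memory and marked as an assumption in the code; the DoH endpoint `https://doh.example/dns-query` is a placeholder, and every response is constructed inline rather than captured from a live resolver.

```python
# Added example (not code from the article, Mozilla or Firefox): a minimal DNS
# wire-format builder/parser showing (a) how a DoH client wraps an ordinary
# DNS query in an HTTPS GET per RFC 8484 and (b) the canary-domain check that
# lets a local resolver opt a Firefox install out of DoH by answering
# NXDOMAIN (or an empty answer) for use-application-dns.net.
# Assumptions: the DoH endpoint URL is a placeholder; the responses built by
# make_response() are constructed test data, not captured packets.
import base64
import struct

CANARY = "use-application-dns.net"   # Mozilla's documented canary domain
A, AAAA = 1, 28                       # RR types the canary check looks for
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name, qtype=A, txid=0):
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN.
    RFC 8484 recommends ID 0 for the GET form so responses cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(query, endpoint="https://doh.example/dns-query"):
    """RFC 8484 GET form: ?dns=<base64url of the wire message, padding removed>.
    An on-path observer sees only a TLS connection to `endpoint`."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def _read_name(msg, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original position)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, [(owner, rtype, rdata), ...]) from a wire-format reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return rcode, answers


def doh_allowed_by_canary(response):
    """Mozilla's documented rule, restated here as an assumption of this example:
    NXDOMAIN, or NOERROR with no A/AAAA record, means 'local policy says no DoH'.
    The check is unauthenticated: whoever runs the resolver the client is
    pointed at can trigger it, the local admin and the ISP alike."""
    rcode, answers = parse_response(response)
    if rcode != RCODE_NOERROR:
        return False
    return any(rtype in (A, AAAA) for _, rtype, _ in answers)


def make_response(query, rcode, ipv4s=()):
    """Constructed reply to `query` (test data, not a captured packet)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ipv4s), 0, 0)
    rrs = b""
    for ip in ipv4s:                           # owner = pointer to QNAME at offset 12
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


if __name__ == "__main__":
    q = build_query(CANARY)
    print(doh_get_url(q))
    print("NXDOMAIN      ->", doh_allowed_by_canary(make_response(q, RCODE_NXDOMAIN)))
    print("empty NOERROR ->", doh_allowed_by_canary(make_response(q, RCODE_NOERROR)))
    print("A 192.0.2.1   ->", doh_allowed_by_canary(make_response(q, RCODE_NOERROR, ["192.0.2.1"])))
```

To see what your own resolver does, run `dig use-application-dns.net` against it: an NXDOMAIN, or a NOERROR with an empty answer section, is what this code treats as "DoH off". The design point worth noticing is that nothing in the exchange is signed, so the check expresses the policy of whoever operates the resolver the client is pointed at, which is the local admin on a managed network and the ISP everywhere else.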
Re: (Score:2)
There have been instances (fixed) where that hasn't worked. The browser still bypassed local DNS to find local hosts and did that.
There are also other things, where the ISP can do that. Nothing stopping them, thereby making the whole feature a useless pile of steamy crap.
It's also very slow, very very slow. With each webpage having nearly a dozen domains besides itself, and sure 3 of them used all the time, and another 6 should be in local cache, but doing multiple slow queries halfway across the internet f
Would you pay for DoH or XUL or Pocket? (Score:3)
Interesting FP, but maybe that just means it feels like a setup for the financial aspect I was thinking about?
It's the money. Follow the money. That's how things tend to flow.
The big-pockets big-donor model that Firefox is using does not work well. There are two basic paths there. One path involves a donor who dictates how the donation is used, which may be okay until the big donor makes a few sufficiently bad decisions. The other path is the "loose" donation, which may then get frittered away without real
Re: (Score:1)
In this instance, fuck Firefox (Score:1, Troll)
Circumventing the system DNS resolver with a vendor-selected resolver is simply wrong. I fully support the privacy initiatives and wish a pox on ISPs who abuse DNS, but this is not the way the network stack is supposed to work. I am real fucking excited about NOT supporting this. It's gonna be too damn easy to just tell people to use a different browser.
Re: (Score:2)
If your network security relies on a configured DNS to work, your network is broken.
DOH is a good thing.
Re: (Score:2)
If your network security relies on a configured DNS to work, your network is broken.
Not really, you can have local domains on the local network. But then again, Firefox will attempt to resolve those properly so it won't break.
Re: (Score:2)
Attempt.
Sorry, what?
You think I'll let those nutjobs decide what I want for DNS and what not?
Name resolution is an OS service!
Software should NEVER deal with it directly!
That is called a trojan! A deliberate MITM-enabling backdoor.
I will submit Firefox's backdoor code to anti-virus databases, you can bet on that! (Chrome's too.)
Re:In this instance, fuck Firefox (Score:4, Insightful)
Attempt.
Sorry, what?
Nothing can guarantee an attempt to communicate over a network will succeed. So "attempt" is the correct term.
You think I'll let those nutjobs decide what I want for DNS and what not?
FFS man you're claiming to be technically competent. Go into the settings and SWITCH IT OFF if you don't want it.
Name resolution is an OS service!
Why?
Software should NEVER deal with it directly!
Why?
That is called a trojan! A deliberate MITM-enabling backdoor.
Stop being foolish, it's neither of those things. You HAVE to trust firefox already. If they wanted to MITM you, then they could fuck with SSL since that's compiled into the browser. It's laughable that they'd not bother with the most obvious attack vector then do something really perverse with DNS because REASONS. Be rational.
I will submit Firefox's backdoor code to anti-virus databases, you can bet on that! (Chrome's too.)
Great just what they need, legions of neckbeards spamming them.
Comment removed (Score:4, Insightful)
Re: (Score:3, Insightful)
DOH is a good thing.
Perhaps, if your browser and OS and other apps also use it. Otherwise, you're getting DNS information from different sources -- DNS server and DoH server. Theoretically, this shouldn't be an issue, but theory and practice don't always agree.
A man with one watch knows the time, a man with two is never sure.
Re: (Score:2)
You are missing the point - if the browser does DoH then it can actually cause intranet functionality to fail and that's a real bugger.
On my home network I have an "override" of my local server so that it's using the internal IP address instead of the public because the public IP address would be causing a request to go out in public before coming back.
Re:In this instance, fuck Firefox (Score:5, Interesting)
Circumventing the system DNS resolver with a vendor-selected resolver is simply wrong.
Firstly, why? You state this as a fact, but provide no reasons.
Secondly, if you're on your own network, then just add a canary domain and Firefox won't use DoH, or, add the canary to your resolver, or configure it to not use DoH. If you're on an enterprise system, the enterprise management stuff can turn it off.
It's 100% your choice whether to use it or not.
I fully support the privacy initiatives and wish a pox on ISPs who abuse DNS, but this is not the way the network stack is supposed to work.
Well this is currently the only practical way to sidestep evil ISPs and currently the evil of the ISPs far outweighs the evil of a second DNS system. In my opinion of course. I think you're letting perfect be the enemy of good. It's good to avoid Theresa May's snoopathon or the ISPs farming you for advertising. Waiting for hypothetical perfect future solutions means this will continue for the foreseeable future.
I am real fucking excited about NOT supporting this.
Supporting this? It just works.
It's gonna be too damn easy to just tell people to use a different browser.
This sounds like a rant along the lines of "Firefox sux because of X so I'll switch to chrome which does X more and first!".
Re: (Score:1)
Why?
What if I want to use a separate DNS for an application? Suddenly it isn't my choice any more... because.... reasons?
Re: (Score:2)
Then do it. It's okay to override the user's choice of DNS resolver if the user asks for it, but it must not happen without asking them and getting their permission. The only way it might be acceptable is if the software looks up your configured DNS server and only talks to that one, but even that fails because DNS is only one of the sources of data for hostname resolution (on Linux you can configure lookup sources other than DNS in /etc/nsswitch.conf.).
Re: (Score:2)
Academic: We need to maintain strict layers people!
Microsoft: Meh
Google: Meh
Apple: Meh
Oracle: uh wha?
Dana: there is no layer there is only XUL
Re: (Score:2)
Shrek: Onions have layers. Ogres have layers.
Donkey: Cake! Cake has layers.
Re: (Score:2)
Re: (Score:2)
Secondly, if you're on your own network, then just add a canary domain and Firefox won't use DoH, or, add the canary to your resolver, or configure it to not use DoH. If you're on an enterprise system, the enterprise management stuff can turn it off.
So all this trouble for nothing? Someone smart enough to spy on your DNS queries is too stupid to use the canary domain to disable it? What a waste of energy to accomplish absolutely no benefit for user privacy but an amazing opportunity to spy on users.
It doesn't just work, it breaks local networks.
Re: (Score:2)
Yeah I'm not the user who is gonna be calling up when I cant get to my printer's webpage or all my web pages are running slow as shit because Firefox is resolving to CDN endpoints on the other side of the Earth.
> Well this is currently the only practical way to sidestep evil ISPs
Not even close, sorry.
> This sounds like a rant along the lines of "Firefox sux because of X so I'll switch to chrome which does X more and first!".
This isn't a problem for me or you because we know about this. 99% of people d
Re: (Score:3)
Yeah I'm not the user who is gonna be calling up when I cant get to my printer's webpage or all my web pages are running slow as shit because Firefox is resolving to CDN endpoints on the other side of the Earth.
They've already tried large rollouts and it hasn't caused all the problems the peanut gallery seems to think are terminal. It's almost like they have thought of this stuff. It's in the FAQ.
Re: (Score:3)
Second reply because the lameness filter has gone mad.
How about Apple's recent policy of allowing their own apps to bypass local network policy, routing, and vpn layers. Do you think that is OK too? Because it's eerily close to being the same fucking thing.
Sounds a bit different to me for a variety of reasons, but I don't know for sure. Why are they doing this?
In Firefox's (and Chrome, and Opera and Brave and...) they're doing it because bad actors have thoroughly Trojaned DNS turning it into a fantastic wa
Re: (Score:2)
Re: (Score:2)
Bypass them all. Don't use names.
Re:In this instance, fuck Firefox (Score:4, Informative)
Maybe read up on it before the angry rant?
You can use whoever you want for DoH. That's the opposite of a vendor-selected resolver, like you claim. Sure, they offer Cloudflare as an option if you don't have a preference, but it's not like you're locked into them. There's a damn drop-down menu of choices, one of which is 'Custom'.
I'm more than happy to have Cloudflare handle my DNS queries privately instead of my ISP or Google. I'm even happier that my ISP isn't snooping on my DNS queries. I fail to see what all the anger is about.
If you don't want DoH, there's a checkbox under network settings for that. How DARE they give us choices!!!!
Re: (Score:2)
Circumventing the system DNS resolver with a vendor-selected resolver is simply wrong. I fully support the privacy initiatives and wish a pox on ISPs who abuse DNS, but this is not the way the network stack is supposed to work. I am real fucking excited about NOT supporting this. It's gonna be too damn easy to just tell people to use a different browser.
Advice like this makes me wonder how many starving people you've educated about how to cure world hunger without actually fucking helping at all.
If you fully support privacy initiatives, I sure as shit don't see you offering anything but resistance.
Re: (Score:2)
Let's also remember that every HOSTS.TXT file in every modern OS still works just as it did half a century ago.
Nope [slashdot.org], not in Windows. [slashdot.org]
Re: (Score:2)
Let's also remember that every HOSTS.TXT file in every modern OS still works just as it did half a century ago.
Nope [slashdot.org], not in Windows. [slashdot.org]
If you're intelligent and skilled enough to modify and use a HOSTS.TXT file in the 21st Century, then you should be smart enough to know how to whitelist that file in Windows Defender, or simply choose another A/V.
And ironically my point stands in concrete now. The HOSTS.TXT function apparently works so well today that it needs to be watched closely by that marketing engine Microsoft calls an OS.
Re: (Score:2)
Re: (Score:2)
This kind of thing reminds me of how Skype connects pairs of users without an intermediate server, even when both endpoints are behind NAT firewalls. This involves using standard TCP/IP features, but in a way they were never intended to be used. Nonetheless it works as long as the TCP/IP implementation adheres to standards.
Here Mozilla is trying to accomplish something similar: provide a feature that is useful to its users that uses standard network features, but in a way not originally intended. As long
Re: (Score:1)
Re: (Score:3)
Keep this up and they [browsers] will be the Internet for most people.
That ship sailed probably 20 years ago.
Re: (Score:2)
No it hasn't. So stop pushing it.
Most people use WhatsApp every day, and it isn't in the browser.
Neither is any other app. Or their Office software on their PC.
All they usually do on the web is e-mail (stupidly), reading websites, cat pictures and YouTube-likes.
Re: (Score:1)
There is a step they can take. Replace DNS altogether with actual name-based internet IP address lookup and kick DNS right on out of that internet. A localised internet new-age yellow pages, linking people from company name direct to IP address, DNS not needed all of the time.
Re: (Score:2)
I think most people already think Facebook = Internet.
There's slightly smarter people who think Web = Internet.
And there's the ignorant people who used to think "Blue E = Internet", but Microsoft took their "Blue E" away and they were forced to learn a bit how things work.
Re:Why DNSSEC (Score:5, Interesting)
Re: (Score:2)
And yet that same ISP can disable your DoH faster than you can activate it. DoH changes nothing as far as your ISP is concerned. If you don't trust your ISP your ONLY option is a VPN through a trusted provider.
Re: (Score:2)
One word: Idiocracy.
Though there's more to it: Somehow those people have their polarities reversed. I saw it start with hipsters, that intentionally had "bad = good". Along the bad/good axis of batshit insanity.
I mean just look at the whole webification mess... How does any of that even remotely make sense? EVERY single part of Firefox or Chrome can be replaced by an existing older lower level function/service/protocol/... WebSOCKETS?? ...
It's insanity! Pure unadulterated insanity! And we need to finally ta
Re: (Score:2)
Browser vendors have too much power and control as it is.
Which is relevant why? Don't use their DoH servers and move on with your life. Hell Firefox doesn't default to any browser vendor's DoH server.
Re: (Score:1)
Not yet, they don't. When FireFox v100 will be out, there won't be a choice anymore. Google's Chrome will have taken away that choice too.
Have you not been paying attention lately? All browsers introduce things as a choice, until they don't. DoH won't be any different.
Also, this is much more a U.S.-only thing. ISP's spy on DNS. In other countries ISP's don't spy on their users. So DoH doesn't bring any benefit. As in at all.
Why do ISP's not spy on users? Not allowed by law. And those are upheld by organizat
Re: (Score:2)
Not yet, they don't. When FireFox v100 will be out, there won't be a choice anymore.
Holy shit your conspiracy bullshit is getting tiring. You nutjobs have been saying shit like that for years. Remember how in 2020 Linux wouldn't be able to work on computers anymore due to UEFI.
I'm genuinely curious, do you guys just troll or do you actually believe your own bullshit?
Re: (Score:1)
What was unclear about taking away configuration options? Which has been done again and again?
I'm genuinely curious, are you willfully that blind, or do you enjoy being naked and bound over a barrel, ready to take it for your masters?
Only a little bit too much enjoyment, maybe? Or is it more an "all in"-kind of deal? Well...whatever rocks your boat.
DoH = backdoor. There is no way out. (Score:1)
DoH means a backdoor and MITM for every corporate and VPN user. It circumvents my own DNS server, and puts in Mozilla to spy on me instead.
This is completely unacceptable.
And given the availability of sane non-webified DoT, it is just as pointless as it is stupid. (Given that reasoning, one could just as well argue that adding even more useless layers, like HTTP, would improve it too.)
I guess after boycotting Chrome-likes, I have to just uninstall Firefox too, and create some semantic HTML parser that gives
Re: (Score:3)
DoH means a backdoor and MITM for every corporate and VPN user. It circumvents my own DNS server, and puts in Mozilla to spy on me instead.
This is completely unacceptable.
Well perhaps your corporate IT staff should get a clue and configure it correctly so firefox won't make DoH requests. You're not corporate IT are you?
I have to just uninstall Firefox too, and create some semantic HTML parser that gives me a Gopher-like directory structure that is actually optimized for getting freaking stuff done!
Go nuts!
Re: (Score:2)
What kind of stupid argument is that?
How about you can uncheck that "I own your firstborn, and your anus, and you have to send me all your money" box too, in that next piece of software. (Hinthint: hyperbole. for clarity.)
So I can come with that argument too, when you complain that that is wrong. Boohoo, you didn't know? It was clearly designed as a trap? Yeah, that was my point! Should have accepted that before it was too late.
It IS literally a backdoor and a MITM on your DNS!
And made so you most easily fa
Re: (Score:2)
OK, it's clear you're not only a moron but an angry moron.
Censoring it, like a good drone
This literally cannot be the case because I'm posting in the thread. See point 1.
Ergo: It is malware.
Using words like "ergo" does not make your non-arguments sound. Yelling even louder that it's a MITM and malware does not make it so. So tell me, once they've MITM'd your DNS and returned a fake address, they then do what precisely, because it's all verified by TLS anyway, which you apparently trusted completely right up u
Re:Firefox/Chrome have become a trojan. (Score:5, Insightful)
An intentional built-in backdoor to their MITM service.
They're the browser. They could fake certificate checking in TLS and MITM there. That would be much, much easier. You haven't really explained how a DNS hijack would even successfully MITM with TLS.
Re: (Score:3)
An intentional built-in backdoor to their MITM service.
This will get funny in court.
By funny, you mean the lawyers face rapidly changing from a shit-eating grin to sheer horror, as the junior legal admin Mozilla sent over quietly explains that their client agreed to all of this shit in the EULA?
Sure. That'll be fucking hilarious. All 45 seconds of it.
Don't do it! (Score:1)
How absurd for the^H^H^Ha web browser to be the one exception in your system, which uses different DNS than everything else. Can't wait until the day I can ssh or curl an intranet host, but Firefox can't access it because it can't figure out the address. (Or worse: it "works" but talks to a different host.)
Heh, remember back in the day when some people wanted alternative DNS roots, and critics worried about DNS balkanizing, where we don't all see the same internet? Now suddenly everyone's ok with their own
Re: (Score:2)
How absurd for the^H^H^Ha web browser to be the one exception in your system, which uses different DNS than everything else. Can't wait until the day I can ssh or curl an intranet host, but Firefox can't access it because it can't figure out the address. (Or worse: it "works" but talks to a different host.)
If you know enough to know what ssh and curl are, then you know enough to switch off DoH in firefox.
The Objections Mean: DO IT (Score:2, Insightful)
That the entities who benefit from privacy exploits are up in arms is all the more reason to implement DoH. Period. When you look at the massive surveillance we are under, including the gov't PRISM program, this is but one small step in the way of taking our privacy back.
They almost always use "what about the pedos!?" [sic] argument to defend their otherwise weak positions. It's tiring.
Re: (Score:2)
Implementing DoH is just fine. But do it in one place, not separately in each application.
Re: (Score:2)
Yeah, it should be done in the OS. You should be able to hack it into an existing OS by running your own DNS server. I wonder if such a thing exists?
What drama? (Score:1, Troll)
DoH does not really enhance your privacy - it merely shifts your lack thereof. In addition, those who now get access to your DNS data are the likes of Google, Cloudflare, IBM, etc. What makes you think that they will be more gentle with your data than your ISP? Because they say so? Finally, DoH opens a data highway for those keen on disseminating malware.
Well done, Mozilla people!
Enterprise firewalls... are fine with this right? (Score:3)
Most or all enterprise firewalls will block sites based on category or the site name. So while DNS queries will be hidden in general, you still won't get to the website unless it is some new unknown site. All the https websites like facebook and whatever are blocked in all the offices I have seen. How does this hurt enterprises again?
Re: (Score:2)
How does this hurt enterprises again?
It doesn't. Better still they can add this question on their interview process which weeds out the Slashdot armchair engineers who have no idea how to manage a network.
Re: (Score:2)
So your solution to the enterprise is to allow users to configure their systems willy nilly as they please? You are right it would weed out the clueless. You would be the first. DoH adds nothing positive to the enterprise environment except more work.
DoH, due to the canary domain, is useless for the purpose that is claimed. On the other hand, it is a great opportunity to monetize the user base.
Re: (Score:2)
So your solution to the enterprise is to allow users to configure their systems willy nilly as they please?
Good work proving my point. My solution to the enterprise is to hire qualified IT people and not Slashdot users who seem to think that DoH isn't a thing that can be expressly disabled from user control through Firefox's enterprise policies and, as the GP has already pointed out, enterprise security doesn't depend on DNS control.
You are right it would weed out the clueless. You would be the first.
The big difference between you and me is you seem to know little but think you know a lot. I actually know a lot but yet realise it's little enough that I wouldn't even apply for said
What is the pref. to disable it? (Score:2)
I set my DNS the way I want, and don't want FF to hijack my OS settings.
So I just want to know what do I need to add to my prefs.js or user.js files to disable it completely.
user_pref("?.doh.?", false);
System resolver (Score:2)
Why can't Firefox just ship with an optional install that allows users to install a DoH resolver for the entire system? This would be the right approach.
Now they do public consultation to their users? (Score:1)
I don't remember any public consultation before they removed ALSA support from the browser.
Yes, I know you can use the apulse wrapper, and that is what I do nowadays.
I just needed to vent.