And before anyone bemoans the whole Cloudflare thing:

"But this doesn’t mean you have to use Cloudflare. Users can configure Firefox to use whichever DoH-supporting recursive resolver they want. As more offerings crop up, we plan to make it easy to discover and switch to them."

@ScottMortimer Which, sadly, is only another way of saying: "we made an arbitrary and hasty decision of selling our users to a US for-profit company which will have an unfair advantage over its competitors, and will have the NSA tap into their logs every 24h just before deletion, but you can't complain because we have 'plans', you know, just in case we screw up this PR exercise".

I can't say I completely agree with your judgement regarding Cloudflare, but it doesn't really matter in the long run as Firefox, Chrome, and Android will all have the ability to work with whichever DoT/DoH resolvers you choose to use. I am happily using NextDNS to help communicate this reply.

@ScottMortimer I am not sure I was judging Cloudflare (I actually like the company, and even applied for a job there, only to cancel the application halfway through the procedure).

Not supporting EDNS client-subnet (ECS) is a privacy bonus for the user but having a CDN as a default resolver and having that CDN not supporting ECS means that CDN will have info others won't. Hence that CDN will be much faster than its competitors. That's a serious issue for a default config.

@ScottMortimer The concern about the US State (which is pretty much an enemy of the Internet from a European standpoint) and the NSA may of course vary, depending on our nationality and sensibility on the subject :)
We cannot argue on that topic ;)

No arguments from me. :-)
I just feel that it's an oversimplification to say that the NSA, or any other Western Intelligence Agency only target American network providers, especially in light of the Snowden revelations.

@ScottMortimer You are correct, although not all States are equal regarding skills, infrastructure and funding (NSA is ~50k employees + CIA 20k) while the French counterparts are roughly 6k. I mean... 😅 (US population is roughly 6 times that of France).

But anyway, you are correct: the issue IS centralization. I feel Mozilla should have waited for at least a second CDN DoH provider to meet their criteria and left the choice to the users/sysadmins (DHCP).

Now that I totally agree with you about. Mozilla did themselves a disservice by appearing to favor one provider over all others. I think it may have been a matter of them desperately trying to beat Chrome by releasing DoH support first.

@ScottMortimer @x_cli
I have used for about a year, now I use with Firefox. Once you understand what DoH is good for, it gives you yet another fine tool in protecting your privacy.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.