Mozilla Firefox DoH to CloudFlare by default (for US users)?

Mozilla Firefox DoH to CloudFlare by default (for US users)?

Ondřej Surý-4
Hi,

I haven’t found any discussion on the topic (although I haven’t searched very hard and only looked for the DoH and DNS keywords in the BTS), but since Mozilla plans to enable DoH to CloudFlare by default for US-based users: https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/ I would rather see an explicit statement. Given Debian’s usual stance regarding users’ privacy, I would be very surprised if we did not consider this a privacy violation, but again I am not the Firefox maintainer in Debian and I would rather hear from them than speculate on my own.

Thanks,
Ondřej
--
Ondřej Surý <[hidden email]>

Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Marco d'Itri
On Sep 08, Ondřej Surý <[hidden email]> wrote:

> I would rather see an explicit statement. I would be very surprised
> with Debian’s usual stance regarding the users’ privacy that we would
> not consider this as a privacy violation, but again I am not Firefox
> maintainer in Debian and I would rather hear from them than speculate
> on my own.
I think that this is a privacy enhancement, since it prevents some major
ISPs from spying on users' DNS queries. When it is enabled in other
countries it will prevent government-mandated (or "encouraged")
censorship.
It would be a terrible signal if Debian decided to disable an
anti-censorship feature provided by an upstream vendor.

--
ciao,
Marco


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Jeremy Stanley
On 2019-09-08 23:17:13 +0200 (+0200), Marco d'Itri wrote:
[...]
> I think that this is a privacy enhancement, since it prevents some
> major ISPs from spying on users DNS queries.
[...]

While at the same time legitimizing Cloudflare spying on users' DNS
queries, right? How is one necessarily better than the other? My ISP
can spy on far fewer users than Cloudflare can, so on balance this
seems like a net loss for privacy.
--
Jeremy Stanley


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Adam Borowski-3
In reply to this post by Marco d'Itri
On Sun, Sep 08, 2019 at 11:17:13PM +0200, Marco d'Itri wrote:

> On Sep 08, Ondřej Surý <[hidden email]> wrote:
>
> > I would rather see an explicit statement. I would be very surprised
> > with Debian’s usual stance regarding the users’ privacy that we would
> > not consider this as a privacy violation, but again I am not Firefox
> > maintainer in Debian and I would rather hear from them than speculate
> > on my own.
> I think that this is a privacy enhancement, since it prevents some major
> ISPs from spying on users DNS queries. When it will be enabled in other
> countries it will prevent government-mandated (or "encouraged")
> censorship.

DoH doesn't stop ISP-based spying nor censorship.  On the other hand, it
allows a new third party (Cloudflare in Mozilla's default) to do both such
spying and censorship -- something it couldn't do before.

Let's compare; by "ISP" I mean every hop on the network path.

With local DNS:
* the target server knows about you (duh!)
* the ISP can read the destination of every connection
  [reading the DNS packets, reading the IP header, reading SNI header]
* the ISP can block such connections
  [blocking DNS packets, blocking actual connection]
* DNSSEC forbids falsifying DNS

With DoH:
* the target server knows about you (duh!)
* the ISP can read the destination of every connection
  [reading the IP header, reading SNI header]
* the ISP can block such connections
  [blocking actual connection]
* Cloudflare can read the destination of every connection
  [they serve the DNS...]
* Cloudflare can falsify DNS¹
* Cloudflare can block connections
  [blocking or falsifying DNS response]

So currently DoH is strictly worse.

In the future, once ESNI is implemented and deployed, the ISP will lose the
possibility of distinguishing sites served from the same IP, but that helps
with some random blogs while most sensitive sites can't trust a shared
hoster.  Thus, ESNI hardly helps.
       
> It would be a terrible signal if Debian decided to disable an
> anti-censorship feature provided by an upstream vendor.

If that feature worked, that would indeed be terrible.  But in the current
proposal, it's a privacy violation with no clear upside.  I'd thus recommend
_not_ enabling DoH in our packages.


Meow!

[1] It would be possible, instead of sending just the answer, to pass
the entire chain of DNSSEC signatures over the DoH link.  This has been
suggested in RFC8484, but doesn't seem to be implemented by Firefox.
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Snowflakes?  Socks drawer!
⢿⡄⠘⠷⠚⠋⠀
⠈⠳⣄⠀⠀⠀⠀


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Paul Wise via nm
In reply to this post by Ondřej Surý-4
On Mon, Sep 9, 2019 at 2:31 AM Ondřej Surý wrote:

> Mozilla plans to enable DoH to CloudFlare by default to US based users

Does anyone know if there is any plan for the DNS root servers to
enable any of the DNS privacy options? AFAIK the available options are
DNSCurve, DoT or DoH.

--
bye,
pabs

https://wiki.debian.org/PaulWise


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Ondřej Surý-4
DNSCurve - probably never

DoT - the current profiles are stub to resolver; when there are profiles for resolver to authoritative and solid support in the software, the RSSAC will surely talk about this. The deployment will have an impact (switching all traffic to TCP? Yay?)

DoH - I am not sure what the benefit would be for resolver to authoritative, but the same as with DoT.

DNSoQUIC - not yet there, but it might be a better option for resolver to authoritative...

Ondřej
--
Ondřej Surý <[hidden email]>

> On 9 Sep 2019, at 03:17, Paul Wise <[hidden email]> wrote:
>
> On Mon, Sep 9, 2019 at 2:31 AM Ondřej Surý wrote:
>
>> Mozilla plans to enable DoH to CloudFlare by default to US based users
>
> Does anyone know if there is any plan for the DNS root servers to
> enable any of the DNS privacy options? AFAIK the available options are
> DNSCurve, DoT or DoH.
>
> --
> bye,
> pabs
>
> https://wiki.debian.org/PaulWise
>


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Ondřej Surý-4
In reply to this post by Marco d'Itri
On the privacy topic...

Slides: https://irtf.org/anrw/2019/slides-anrw19-final44.pdf

And you can get to the video recording from the ANRW 2019 pages: https://irtf.org/anrw/2019/program.html

We can discuss (and it has been discussed) ad nauseam, but the point is that nobody (certainly I am not) is asking for crippling DoH, but I just strongly believe it’s in line with other Debian work that we should not send data to a 3rd-party DNS service without explicit user consent.

Otherwise it doesn’t make any sense to remove external links to logos and JavaScript from the documentation and then send everything to one single US-based provider.

Ondrej
--
Ondřej Surý <[hidden email]>

> On 8 Sep 2019, at 23:29, Marco d'Itri <[hidden email]> wrote:
>
> On Sep 08, Ondřej Surý <[hidden email]> wrote:
>
>> I would rather see an explicit statement. I would be very surprised
>> with Debian’s usual stance regarding the users’ privacy that we would
>> not consider this as a privacy violation, but again I am not Firefox
>> maintainer in Debian and I would rather hear from them than speculate
>> on my own.
> I think that this is a privacy enhancement, since it prevents some major
> ISPs from spying on users DNS queries. When it will be enabled in other
> countries it will prevent government-mandated (or "encouraged")
> censorship.
> It would be a terrible signal if Debian decided to disable an
> anti-censorship feature provided by an upstream vendor.
>
> --
> ciao,
> Marco


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Robert Edmonds-4
In reply to this post by Ondřej Surý-4
The entire DNS root zone is only 1 MB compressed and is updated about
once a day. It would be even better for privacy if the whole root zone
were distributed via HTTPS, as the initiator would not reveal to the
server any information about what TLD is being looked up.

There are currently ~1500 TLDs in the root zone. Dividing 1 MB by the
number of TLDs, this is ~700 bytes per TLD, which is roughly the amount
of bandwidth required by a query/response pair of UDP DNS packets to
obtain the delegation for a TLD.

The size of the DNS root zone could also be reduced if it were signed by
an ECC algorithm rather than RSA.

If the ZONEMD resource record (draft-ietf-dnsop-dns-zone-digest) were
standardized and deployed in the root zone, it would allow for
cryptographic verification of the entire contents of the root zone
regardless of the source. So it would not even be necessary to obtain
the root zone from the "official" root name server infrastructure.

That moves the problem down a level to the TLDs, where it is
impracticable to distribute copies of all TLD zone files. So a better
question to ask would be whether any of the DNS TLD servers plan to
implement any of the DNS transport privacy options. That moves the
problem down another level, etc.

The benefit of encrypting the resolver to authoritative side of the DNS
protocol is that it makes it possible to deploy "non stub" caching DNS
resolvers to individual hosts without exposing the plaintext lookup
traffic to either network observers or a centralized resolver operator
such as an ISP or cloud provider.

Ondřej Surý wrote:

> DNSCurve - probably never
>
> DoT - the current profiles are stub to resolver; when there are profiles for resolver to authoritative and solid support in the software, the RSSAC will surely talk about this. The deployment will have an impact (switching all traffic to TCP? Yay?)
>
> DoH - I am not sure what the benefit would be for resolver to authoritative, but the same as with DoT.
>
> DNSoQUIC - not yet there, but it might be a better option for resolver to authoritative...
>
> Ondřej
> --
> Ondřej Surý <[hidden email]>
>
> > On 9 Sep 2019, at 03:17, Paul Wise <[hidden email]> wrote:
> >
> > On Mon, Sep 9, 2019 at 2:31 AM Ondřej Surý wrote:
> >
> >> Mozilla plans to enable DoH to CloudFlare by default to US based users
> >
> > Does anyone know if there is any plan for the DNS root servers to
> > enable any of the DNS privacy options? AFAIK the available options are
> > DNSCurve, DoT or DoH.
> >
> > --
> > bye,
> > pabs
> >
> > https://wiki.debian.org/PaulWise
> >
>

--
Robert Edmonds
[hidden email]
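
The "distribute the whole root zone and resolve delegations locally" idea from the post above, as an added example that is not part of the thread: a tiny parser over a constructed sample zone answers a TLD's delegation without any packet leaving the host, and a wire-format query builder makes the per-TLD cost comparison concrete. The zone text, the names and the addresses are constructed sample data (reserved TLDs and documentation prefixes), and the response-size estimate deliberately omits EDNS and DNSSEC records, which make real root responses considerably larger.

```python
import struct

# Constructed sample zone in master-file syntax (reserved TLDs and
# documentation addresses only); this is not an excerpt of the real root zone.
SAMPLE_ROOT_ZONE = """\
; constructed sample, not the real root zone
.             86400  IN SOA  ns.example. hostmaster.example. 1 1800 900 604800 86400
example.      172800 IN NS   ns1.example.
example.      172800 IN NS   ns2.example.
ns1.example.  172800 IN A    192.0.2.1
ns2.example.  172800 IN AAAA 2001:db8::1
test.         172800 IN NS   ns.test.
ns.test.      172800 IN A    192.0.2.2
"""

def parse_zone(text):
    """Parse one-record-per-line zone text into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if line:
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records

def delegation(records, tld):
    """Answer a TLD's delegation from the local copy: {"ns": [...], "glue": {...}}
    or None if the TLD is not delegated. Nothing leaves the host, so no
    server learns which TLD was looked up."""
    owner = tld.lower().rstrip(".") + "."
    ns = [r.lower() for o, _, t, r in records if o == owner and t == "NS"]
    if not ns:
        return None
    glue = {}
    for o, _, t, r in records:
        if o in ns and t in ("A", "AAAA"):
            glue.setdefault(o, []).append(r)
    return {"ns": ns, "glue": glue}

def wire_name_len(name):
    """Length of a domain name in uncompressed DNS wire format (RFC 1035)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1  # length octet per label + root

def query_size(qname, qtype=2):
    """Build a minimal UDP query (QTYPE 2 = NS) and return its size in bytes."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD, QDCOUNT=1
    labels = [l for l in qname.rstrip(".").split(".") if l]
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return len(header + qname_wire + struct.pack("!HH", qtype, 1))  # class IN

def delegation_exchange_size(records, tld):
    """Approximate bytes for a query/response pair that fetches the delegation
    from a root server instead: query plus an answer carrying the NS records
    and glue (2-byte compressed owner names; no EDNS or DNSSEC records, which
    make real root responses considerably larger)."""
    d = delegation(records, tld)
    if d is None:
        return None
    query = query_size(tld)
    response = query  # header plus the echoed question section
    for nsname in d["ns"]:
        response += 2 + 10 + wire_name_len(nsname)  # owner ptr, fixed fields, NSDNAME
    for addrs in d["glue"].values():
        for addr in addrs:
            response += 2 + 10 + (16 if ":" in addr else 4)  # AAAA or A rdata
    return query + response

def bytes_per_tld(zone_bytes, tld_count):
    """Share of one full root-zone transfer attributable to a single TLD."""
    return zone_bytes / tld_count
```

With the 1 MB / ~1500 TLD figures from the post, `bytes_per_tld(1_000_000, 1500)` comes to about 667 bytes, which is the comparison the post makes against one query/response pair.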


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Bjørn Mork
In reply to this post by Ondřej Surý-4
Ondřej Surý <[hidden email]> writes:

> On the privacy topic...
>
> Slides: https://irtf.org/anrw/2019/slides-anrw19-final44.pdf
> Paper: https://dl.acm.org/authorize.cfm?key=N687437

And also section 8 of
https://tools.ietf.org/html/draft-reid-doh-operator-00


> And you can get to the video recording from the ANRW 2019 pages: https://irtf.org/anrw/2019/program.html
>
> We can discuss (and it has been discussed) ad nauseam, but the point
> is that nobody (certainly I am not) is asking for crippling DoH, but I
> just strongly believe it’s in line with other Debian work that we
> should not send data to a 3rd-party DNS service without explicit user
> consent.

I agree, FWIW. User consent is required.

I for one, do trust my ISPs a lot more than I trust Cloudflare or
Google, simply based on the jurisdiction.

> Otherwise it doesn’t make any sense to remove external links to logos
> and JavaScript from the documentation and then send everything to one
> single US-based provider.

Exactly. I'd be worried if anything in Debian came preconfigured with
DNS servers of any kind.


Bjørn


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Florian Lohoff-2
On Mon, Sep 09, 2019 at 03:31:37PM +0200, Bjørn Mork wrote:
> I for one, do trust my ISPs a lot more than I trust Cloudflare or
> Google, simply based on the jurisdiction.

There are tons of setups which are fine-tuned for latency because they
are behind sat links etc. or low-bandwidth landlines. They have DNS
caches with prefetching to reduce typical resolve latency down to
sub-milliseconds although your RTT to google/cloudflare is >1000ms.

Switching from your system's resolver fed by DHCP to DoH in Firefox will
make the resolve latency go from sub-ms to multiple seconds as the
HTTP/TLS handshake will take multiple RTTs. This will effectively break
ANY setup behind sat links, e.g. all cruise ships at
sea.

Flo
--
Florian Lohoff                                                 [hidden email]
        UTF-8 Test: The 🐈 ran after a 🐁, but the 🐁 ran away


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Ondřej Surý-4
In reply to this post by Bjørn Mork
> On 9 Sep 2019, at 15:31, Bjørn Mork <[hidden email]> wrote:
>
> I for one, do trust my ISPs a lot more than I trust Cloudflare or
> Google, simply based on the jurisdiction.

While I still strongly agree with you on this one (even though I think all
major ISPs here are scumbags, especially the incumbent), I still strongly
think we should not have this debate here, and we should turn this around
to the usual Debian policy - to not send data to 3rd parties without explicit user
consent, and defaulting to not doing so.

Ondrej
--
Ondřej Surý
[hidden email]


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

"Yao Wei (魏銘廷)"-2
On Tue, Sep 10, 2019 at 08:24:03AM +0200, Ondřej Surý wrote:
> While I still strongly agree with you on this one (even though I think all
> major ISPs here are scumbags, especially the incumbent), I still strongly
> think we should not have this debate here, and we should turn this around
> to the usual Debian policy - to not send data to 3rd parties without explicit user
> consent, and defaulting to not doing so.

Should we propagate our concerns to Mozilla?

Yao Wei


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Ondřej Surý-4
> On 10 Sep 2019, at 09:38, Yao Wei <[hidden email]> wrote:
>
> On Tue, Sep 10, 2019 at 08:24:03AM +0200, Ondřej Surý wrote:
>> While I still strongly agree with you on this one (even though I think all
>> major ISPs here are scumbags, especially the incumbent), I still strongly
>> think we should not have this debate here, and we should turn this around
>> to the usual Debian policy - to not send data to 3rd parties without explicit user
>> consent, and defaulting to not doing so.
>
> Should we propagate our concerns to Mozilla?

These concerns have been voiced to them multiple times by multiple people
and they won’t budge as they have already made up their minds.

Ondrej
--
Ondřej Surý
[hidden email]


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Marco d'Itri
In reply to this post by Adam Borowski-3
On Sep 09, Adam Borowski <[hidden email]> wrote:

> With DoH:
> * the target server knows about you (duh!)
> * the ISP can read the destination of every connection
>   [reading the IP header, reading SNI header]
> * the ISP can block such connections
>   [blocking actual connection]
Well, no. They cannot without significantly more expensive hardware to
do DPI and a *totally different* legislative framework.
(Source: I have been dealing with government-mandated censorship in
Italy for ~15 years, both at technical and policy levels.)

> * Cloudflare can falsify DNS¹
You can use DNSSEC over DoH.

You obviously consider Mozilla's choices of trusted resolvers (currently
Cloudflare, hopefully others too in the future) a bigger privacy risk
for generic users (the one who use the browser defaults) than their ISP,
I disagree.

I still believe that generic users are better served by deploying more
censorship-resistant protocols than by worrying that Cloudflare (or
whoever else) would violate the privacy requirements mandated by
Mozilla.

--
ciao,
Marco


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Julien Cristau-6
In reply to this post by Ondřej Surý-4
On Tue, Sep 10, 2019 at 08:24:03 +0200, Ondřej Surý wrote:

> > On 9 Sep 2019, at 15:31, Bjørn Mork <[hidden email]> wrote:
> >
> > I for one, do trust my ISPs a lot more than I trust Cloudflare or
> > Google, simply based on the jurisdiction.
>
> While I still strongly agree with you on this one (even though I think all
> major ISPs here are scumbags, especially the incumbent), I still strongly
> think we should not have this debate here, and we should turn this around
> to the usual Debian policy - to not send data to 3rd parties without explicit user
> consent, and defaulting to not doing so.
>
How is this worse than what we're already doing by default, namely
sending the same data to whoever happens to be on the network, in
addition to whoever happened to be listed in an unauthenticated dhcp
response?  (Which, if you're lucky, is your ISP, aka a 3rd party.)

Cheers,
Julien


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Jeremy Stanley
On 2019-09-10 19:56:48 +0200 (+0200), Julien Cristau wrote:
[...]
> How is this worse than what we're already doing by default, namely
> sending the same data to whoever happens to be on the network, in
> addition to whoever happened to be listed in an unauthenticated
> dhcp response? (Which, if you're lucky, is your ISP, aka a 3rd
> party.)

It still significantly distributes the work of recording your DNS
queries/Web browsing activity. Cloudflare and their competitors are
already well-placed to see a significant proportion of general Web
traffic due to their CDN businesses, which makes them a much more
attractive target for mass surveillance (either mandated by some
governments, for sale to the highest bidders, or simply as the
victims of a stealthy criminal incursion). That status increases if
they're also the de facto DNS resolver for a majority of Firefox
users. I think it comes down to whether you consider the biggest
privacy risk to come from focused/local attacks (in which case the
new default is a benefit) or from global dragnet trawling by "big
brother" (in which case nearly everyone in the World trusting the
same small number of companies is a problem).
--
Jeremy Stanley


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Anthony DeRobertis
In reply to this post by Adam Borowski-3


On September 8, 2019 10:38:03 PM UTC, Adam Borowski <[hidden email]> wrote:

>DoH doesn't stop ISP-based spying nor censorship.

Firefox, I believe, already supports encrypted SNI (in nightly at least). Cloudflare does too.

So fully deployed, your ISP can only tell that you're connecting to Cloudflare, Cloudfront, Akamai, Fastly, etc. At least when you're browsing sites using those CDNs.

Trusting those parties is a huge can of worms, of course, but Mozilla has at least contractually limited what Cloudflare can collect and keep[1]. And the alternative for a lot of us is Verizon or Comcast.

That said, ideally it'd be something that each user would be prompted about on first run, being given a clear description and asked if he/she wants it or not. But since upstream hasn't AFAIK coded that, it's not going to happen.


[1] https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Ingo Jürgensmann-11
In reply to this post by Florian Lohoff-2
Am 10.09.2019 um 07:50 schrieb Florian Lohoff <[hidden email]>:

> On Mon, Sep 09, 2019 at 03:31:37PM +0200, Bjørn Mork wrote:
>> I for one, do trust my ISPs a lot more than I trust Cloudflare or
>> Google, simply based on the jurisdiction.
> There are tons of setups which are fine tuned for latency because they
> are behind sat links etc or low bandwidth landlines. They have dns
> caches with prefetching to reduce typical resolve latency down to sub
> milliseconds although your RTT to google/cloudflare is >1000ms.
>
> Switching from your systems resolver fed by DHCP to DoH in Firefox will
> make the resolve latency go from sub ms to multiple seconds as the
> HTTP/TLS handshake will take multiple RTT. This will effectively break
> ANY setup behind Sat links e.g. for example all cruise ships at
> sea.

I can confirm (based on experience in my day job) that this can be a real problem, affecting thousands or hundreds of thousands of users.

Having the *option* to use DoH is maybe a good idea, but making it the default is not.

--
Ciao...          //        http://blog.windfluechter.net
      Ingo     \X/     XMPP: [hidden email]
       
gpg pubkey:  http://www.juergensmann.de/ij_public_key.asc




Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Andy Simpkins-5


On 11/09/2019 06:16, Ingo Jürgensmann wrote:

> Am 10.09.2019 um 07:50 schrieb Florian Lohoff <[hidden email]>:
>
>> On Mon, Sep 09, 2019 at 03:31:37PM +0200, Bjørn Mork wrote:
>>> I for one, do trust my ISPs a lot more than I trust Cloudflare or
>>> Google, simply based on the jurisdiction.
>> There are tons of setups which are fine tuned for latency because they
>> are behind sat links etc or low bandwidth landlines. They have dns
>> caches with prefetching to reduce typical resolve latency down to sub
>> milliseconds although your RTT to google/cloudflare is >1000ms.
>>
>> Switching from your systems resolver fed by DHCP to DoH in Firefox will
>> make the resolve latency go from sub ms to multiple seconds as the
>> HTTP/TLS handshake will take multiple RTT. This will effectively break
>> ANY setup behind Sat links e.g. for example all cruise ships at
>> sea.
>
> I can confirm (based on experience in my day job) that this can be a real problem, affecting thousands or hundreds of thousands of users.
>
> Having the *option* to use DoH is maybe a good idea, but making it the default is not.
>


I appreciate that Mozilla are trying to enhance privacy by introducing
DoH as an option (but clearly not for children! [0][1]), but are we not
missing the major point here?  DNS does not belong in the browser....

If we wish to deploy DoH (I think it would get my vote) then it should
be system wide and transparent to applications, using the same methods
already available.  If every application were to deploy its own resolver
service then total chaos will ensue.

Yes, I know browsers offer alternative resolver and proxy methods
already; unfortunately that ship has already sailed. Provided that they
are turned OFF by default, that is acceptable.  With in-browser DoH
again, as long as it is OFF by default I don't see an issue.

/Andy

[0] "Respect user choice for opt-in parental controls and disable DoH if
we detect them"
https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

[1] In-browser DoH will break a lot of 'parental control / supervisor'
applications that block traffic based on black & white lists.  IMO this
is another reason why DoH shouldn't be inside the browser - already
Mozilla are deploying workarounds for certain use cases...
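
An added example, not from the thread and not Mozilla's code, serving both the "OFF by default" position above and the earlier recommendation not to enable DoH in the packages: a small audit that reports what Firefox will actually do with DNS on a given machine, from the enterprise policies.json and a profile's prefs.js/user.js. The pref names and `network.trr.mode` values are Mozilla's documented ones; the mapping of the policy's `Enabled` flag onto modes 2 and 5 is an assumption stated in the code, and the sample inputs (including the provider URL) are constructed placeholders.

```python
import json
import re

# Meanings of the network.trr.mode pref as documented by Mozilla.
TRR_MODES = {
    0: "off (browser default, no DoH)",
    1: "race DoH against the OS resolver (deprecated)",
    2: "DoH first, fall back to the OS resolver",
    3: "DoH only, no fallback",
    4: "shadow mode, results unused (deprecated)",
    5: "off by explicit choice",
}

# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample inputs; the provider URL is a placeholder, not a real endpoint.
SAMPLE_PREFS_ON = """\
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("browser.startup.homepage", "about:blank");
"""
SAMPLE_POLICY_OFF = json.dumps(
    {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": False}}})

def parse_prefs(text):
    """Parse prefs.js / user.js into a dict of pref name -> bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def doh_state(policies_json=None, prefs_js=None):
    """Return the effective DoH setting: source, enabled, mode, provider, locked.

    A DNSOverHTTPS enterprise policy, when present, is applied by Firefox at
    startup and so is reported in preference to the profile prefs; Enabled is
    assumed here to map onto mode 2 (on) or 5 (off by choice). Without a
    policy the profile prefs decide, and an absent pref means the browser
    default (mode 0).
    """
    if policies_json:
        policy = json.loads(policies_json).get("policies", {}).get("DNSOverHTTPS")
        if policy is not None:
            enabled = bool(policy.get("Enabled", False))
            return {"source": "policy", "enabled": enabled, "mode": 2 if enabled else 5,
                    "provider": policy.get("ProviderURL") if enabled else None,
                    "locked": bool(policy.get("Locked", False))}
    prefs = parse_prefs(prefs_js) if prefs_js else {}
    mode = prefs.get("network.trr.mode", 0)
    enabled = mode in (2, 3)
    return {"source": "prefs" if "network.trr.mode" in prefs else "default",
            "enabled": enabled, "mode": mode,
            "provider": prefs.get("network.trr.uri") if enabled else None,
            "locked": False}

def describe(state):
    """One-line human-readable summary for an audit report."""
    text = (f"DoH {'ENABLED' if state['enabled'] else 'disabled'} via {state['source']}: "
            f"mode {state['mode']} ({TRR_MODES.get(state['mode'], 'unknown')})")
    if state["provider"]:
        text += f", queries go to {state['provider']}"
    if state["locked"]:
        text += " [locked by policy]"
    return text

if __name__ == "__main__":
    print(describe(doh_state(SAMPLE_POLICY_OFF, SAMPLE_PREFS_ON)))
    print(describe(doh_state(None, SAMPLE_PREFS_ON)))
```

Pointing the functions at a real profile directory and the distribution's policies.json (paths differ per distribution, so none are hard-coded here) gives a fleet-wide check that no package default has quietly turned third-party DNS on.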


Re: Mozilla Firefox DoH to CloudFlare by default (for US users)?

Ulrike Uhlig
In reply to this post by Ondřej Surý-4
Hi!

Thank you for raising this topic!

On 09.09.19 07:56, Ondřej Surý wrote:

> We can discuss (and it has been discussed) ad nauseam, but the point is that nobody (certainly I am not) is asking for crippling DoH, but I just strongly believe it’s in line with other Debian work that we should not send data to a 3rd-party DNS service without explicit user consent.

I have a question besides the DoH discussion: how is this technically
done to target "only" US users?

Note: I have not looked up any documentation provided by Mozilla, I was
just wondering.

Cheers!
Ulrike
