On Sun, Sep 08, 2019 at 11:17:13PM +0200, Marco d'Itri wrote: > On Sep 08, Ondřej Surý <ond...@sury.org> wrote: > > > I would rather see an explicit statement. I would be very surprised > > with Debian’s usual stance regarding the users’ privacy that we would > > not consider this as a privacy violation, but again I am not Firefox > > maintainer in Debian and I would rather hear from them than speculate > > on my own. > I think that this is a privacy enhancement, since it prevents some major > ISPs from spying on users DNS queries.
Except all they need to do is return NXDOMAIN on the "use-application-dns.net" domain, and Presto! they can spy on their users again. https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https So no, DoH defeats people who run wireshark, but it does not "prevent some major ISPs from spying". If a "major ISP" wants to spy, it just needs to tell Firefox "hey, that DoH feature? Please just disable it," and it's back in business. Meanwhile, Firefox' default sends everything to the other side of the Internet without the user's consent. How does that improve privacy? > When it will be enabled in other countries it will prevent > government-mandated (or "encouraged") censorship. Nope. See above. > It would be a terrible signal if Debian decided to disable an > anti-censoship feature provided by an upstream vendor. Except DoH is *not* an anti-censorship feature. It is a feature that provides a net reduction in privacy. CloudFlare says that it won't read your DNS requests -- scout's honour! -- but even if that's true and we can believe it, there's no reason to assume it will continue to do so forever, past any potential future acquisitions or CEO changes. Mozilla really missed the ball on this one. OpenBSD already made the necessary changes to Firefox. I think we should, too. -- To the thief who stole my anti-depressants: I hope you're happy -- seen somewhere on the Internet on a photo of a billboard
signature.asc
Description: PGP signature
