[conspire] More about Firefox: upcoming default to DNS-over-HTTPS

Rick Moen rick at linuxmafia.com
Sun Sep 15 16:30:25 PDT 2019


There's a classic Far Side cartoon
(https://beforenine.blogspot.com/2011/01/vocabulary-of-dog.html):

  Panel 1: 'What we say to dogs'.  Human speech-bubble says:
  'Okay, Ginger.  I've had it!  You stay out of the garbage.
  Understand, Ginger?  Stay out of the garbage, or else.'

  Panel 2: 'What they hear' (same image, speech bubble has different text):
  'blah blah GINGER blah blah blah blah blah blah blah GINGER blah blah
  blah blah blah.'


A lot of the time when I discuss security with Linux users, I'm pretty
sure all they hear is 'blah blah LINUX blah blah SECURITY blah blah
YOU blah blah SECURITY blah blah' -- because (only) either nothing or
non-sequitur responses tend to follow.

And that's just the _users_:  Thing is, when you work in IT, you learn
that professional coders tend to be Dunning-Kruger Syndrome[1] poster
children, any time they bloviate on the subject of security:  They tend
to make ghastly errors in total confidence that they're doing the right
thing.  Because they're _experts_, and God forbid they'd consult people
who actually live and breathe the subject, like sysadmins.

As if the two recent Firefox apocalypses I've posted about weren't bad
enough, late this month, Firefox is rolling out another (minor) example:
New browser releases will default to re-routing all outbound DNS queries
over HTTPS to USA Internet-capacity firm Cloudflare.

Say what?

You read that right:  Web users from all over the world including users
making a concerted effort to stay out of the grasping hands of USA
official spooks, will be able to be subjected to comprehensive traffic
analysis by any US spy agency that has hooks into Cloudflare -- and by
Cloudflare itself, by any non-state interests that have hooks into
Cloudflare, etc.  Because shipping all your query data to some remote
bunch of strangers in a single juicy basket is such a great idea.  What
could possibly go wrong?

Blog post (from a friend in Switzerland) explaining in detail why this
is an extremely dumb move:
https://ungleich.ch/en-us/cms/blog/2019/09/11/turn-off-doh-firefox/
(It includes how a user can overcome this stupid default.)

When that blog post was mentioned on IRC, one reader's comment was 'the
DNSCrypt thingy is a better approach'.

Well, sort of -- in much the same way that putting lemon juice into a
finger cut is a better approach than pouring it into a limb amputation.


What's DNSCrypt?

The OpenDNS people with all good intentions framed the problem to be
solved thus:  'Problem:  People need to resolve their recursive DNS
against ISP nameservers, but have insecure connections to them.
Solution:  a piece of lightweight software that wraps all DNS traffic
between the user and a remote endpoint through a cryptographic tunnel.'

As my idol Jamie Zawinski said in a slightly different context[2]: 'Very
usability much crypto wow.'

OK, well done -- except, where is it written that people have no choice
but to outsource recursive DNS to their ISPs?

There are a number of good, simple, highly reliable recursive nameserver
packages that can run on any *ix machine and even in many cases on
MS-Windows.  My personal favourite is Unbound.  Thus, a novel solution
to problems of outsourcing that apparently never occurred to the OpenDNS
people:  'Hey, here's an idea:  How about just not outsourcing?'

Meanwhile, evidently we can expect Mozilla, Inc. to keep coming up with
dazzlingly stupid solutions to wrong problems, and falling flat on its
figurative face.



[1] https://en.m.wikipedia.org/wiki/Dunning–Kruger_effect
[2] https://www.jwz.org/blog/2018/07/two-factor-auth-and-sms-hijacking/
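Added example (not from the post, the linked blog, or Mozilla): a small audit script that reads a Firefox prefs.js or user.js, reports whether the browser is set to send DNS queries over HTTPS to a remote resolver, and emits the user.js lines that pin it off. The pref names network.trr.mode and network.trr.uri are Firefox's real "Trusted Recursive Resolver" (DoH) settings; the sample prefs file and resolver URI below are constructed for the demonstration.

```python
import re

# Meaning of Firefox's network.trr.mode values. Values 1 and 4 were
# legacy/experimental modes and are reported as "unknown/legacy" here.
TRR_MODES = {
    0: "off (use the OS resolver)",
    2: "DoH first, fall back to the OS resolver on failure",
    3: "DoH only, no fallback",
    5: "off by explicit user choice",
}

# Matches one user_pref("name", value); line from prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse user_pref() lines into a dict of name -> str | bool | int."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything exotic as-is
    return prefs


def doh_status(prefs: dict) -> dict:
    """Classify the DoH configuration; mode 2 or 3 sends queries off-box."""
    mode = prefs.get("network.trr.mode", 0)
    return {
        "mode": mode,
        "meaning": TRR_MODES.get(mode, "unknown/legacy mode"),
        "resolver": prefs.get("network.trr.uri", ""),
        "queries_go_to_remote_resolver": mode in (2, 3),
    }


def disable_doh_lines() -> str:
    """user.js lines that turn DoH off by user choice (mode 5)."""
    return 'user_pref("network.trr.mode", 5);\nuser_pref("network.trr.uri", "");'


# Constructed sample profile reflecting the default the post describes.
SAMPLE_PREFS = """
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("browser.startup.homepage", "about:blank");
"""
```

Run it against your own profile's prefs.js (or the user.js you ship to managed machines) to confirm the mode really is 5 after you apply the blog post's fix.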
