[conspire] More about Firefox: upcoming default to DNS-over-HTTPS
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Tue Sep 17 05:08:57 PDT 2019
Yes, I'm quite inclined to agree - for both different - and overlapping -
reasons. DNS over https? 8-O Perhaps quite well intentioned,
but a *bad* idea. Well, at least they let you disable that nastiness,
but egad, it's enabled by default (and yes, defaults matter - as most
users won't bother to change from defaults).
Some (mostly additional) reasons I think DNS over https is a
bad/stupid idea:
o Solves the "problem"/issue at the wrong place. What next, have every
single bloody application/thing/whatever that uses DNS switch to
having its very own special snowflake implementation of DNS over https
to use - or let's do DNS some other way or over some other transport?
What could *possibly go wrong*? Egad!
o WTF, how will one reliably diagnose, isolate, and fix any DNS or even
*potential* DNS issues with, e.g. browser, if now it's doing its own
internal DNS over https? Egad. How will one be able to check/verify
it's not been subverted?
o Does it even know about and properly implement DNSSEC, or will it ignore
that and make DNS even *less* secure where it's already been
rather well secured?
o What could possibly go wrong with outsourcing all one's DNS (or even just
all one's browser DNS) to some specific 3rd party? Do I smell a nice
big fat juicy target for a potential major exploit perpetrated by
external party(/ies)/agent(s) ... or even a nasty inside (or infiltrated)
job?
o WTF ... latency! Egad, okay, so sometimes the communication channels may
be congested and have significant latency (DSL anyone?). Now you're gonna
bypass all my lovely DNS - which often very well and efficiently caches,
and is even often very well secured by DNSSEC, and instead and often
redundantly run those queries over high-latency HTTPS connections to some
remote 3rd party? What were you smoking?
So, yes, DNS over https - bad idea. Sure, it might (marginally) add some
protection for some, but at a really bad high cost - and false sense of
security while adding additional risks. Not to mention it's not
fixing/addressing the issue - at least in any reasonably proper way.
Geez.
I tend to think I could come up with apt analogies as to how poor an idea
this is, but I'm just too gobsmacked at what a poor idea it is to give
suitable analogy.
> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: [conspire] More about Firefox: upcoming default to DNS-over-HTTPS
> Date: Sun, 15 Sep 2019 16:30:25 -0700
> There's a classic Far Side cartoon
> (https://beforenine.blogspot.com/2011/01/vocabulary-of-dog.html):
>
> Panel 1: 'What we say to dogs'. Human speech-bubble says:
> 'Okay, Ginger. I've had it! You stay out of the garbage.
> Understand, Ginger? Stay out of the garbage, or else.'
>
> Panel 2: 'What they hear' (same image, speech bubble has different text):
> 'blah blah GINGER blah blah blah blah blah blah blah GINGER blah blah
> blah blah blah.'
>
>
> A lot of the time when I discuss security with Linux users, I'm pretty
> sure all they hear is 'blah blah LINUX blah blah SECURITY blah blah
> YOU blah blah SECURITY blah blah' -- because (only) either nothing or
> non-sequitur responses tend to follow.
>
> And that's just the _users_: Thing is, when you work in IT, you learn
> that professional coders tend to be Dunning-Kruger Syndrome[1] poster
> children, any time they bloviate on the subject of security: They tend
> to make ghastly errors in total confidence that they're doing the right
> thing. Because they're _experts_, and God forbid they'd consult people
> who actually live and breathe the subject, like sysadmins.
>
> As if the two recent Firefox apocalypses I've posted about weren't bad
> enough, late this month, Firefox is rolling out another (minor) example:
> New browser releases will default to re-routing all outbound DNS queries
> over HTTPS to USA Internet-capacity firm Cloudflare.
>
> Say what?
>
> You read that right: Web users from all over the world including users
> making a concerted effort to stay out of the grasping hands of USA
> official spooks, will be able to be subjected to comprehensive traffic
> analysis by any US spy agency that has hooks into Cloudflare -- and by
> Cloudflare itself, by any non-state interests that have hooks into
> Cloudflare, etc. Because shipping all your query data to some remote
> bunch of strangers in a single juicy basket is such a great idea. What
> could possibly go wrong?
>
> Blog post (from a friend in Switzerland) explaining in detail why this
> is an extremely dumb move:
> https://ungleich.ch/en-us/cms/blog/2019/09/11/turn-off-doh-firefox/
> (It includes how a user can overcome this stupid default.)
>
> When that blog post was mentioned on IRC, one reader's comment was 'the
> DNSCrypt thingy is a better approach'.
>
> Well, sort of -- in much the same way that putting lemon juice into a
> finger cut is a better approach than pouring it into a limb amputation.
>
>
> What's DNSCrypt?
>
> The OpenDNS people with all good intentions framed the problem to be
> solved thus: 'Problem: People need to resolve their recursive DNS
> against ISP nameservers, but have insecure connections to them.
> Solution: a piece of lightweight software that wraps all DNS traffic
> between the user and a remote endpoint through a cryptographic tunnel.'
>
> As my idol Jamie Zawinski said in a slightly different context[2]: 'Very
> usability much crypto wow.'
>
> OK, well done -- except, where is it written that people have no choice
> but to outsource recursive DNS to their ISPs?
>
> There are a number of good, simple, highly reliable recursive nameserver
> packages that can run on any *ix machine and even in many cases on
> MS-Windows. My personal favourite is Unbound. Thus, a novel solution
> to problems of outsourcing that apparently never occurred to the OpenDNS
> people: 'Hey, here's an idea: How about just not outsourcing?'
>
> Meanwhile, evidently we can expect Mozilla, Inc. to keep coming up with
> dazzlingly stupid solutions to wrong problems, and falling flat on its
> figurative face.
>
> [1] https://en.m.wikipedia.org/wiki/Dunning–Kruger_effect
> [2] https://www.jwz.org/blog/2018/07/two-factor-auth-and-sms-hijacking/
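As an added example (not code from either poster or from the blog post Rick links), here is a small POSIX shell script for the two practical steps this thread argues for: checking and turning off Firefox's built-in DNS-over-HTTPS (Mozilla calls it the "Trusted Recursive Resolver", preference prefix network.trr.*) in a profile, and writing a minimal Unbound config that keeps resolution local, DNSSEC-validating and caching, which is the alternative Rick names and the properties Michael wants preserved. The Firefox preference names and values and the Unbound option names are real; the profile path, config path and trust-anchor location are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread (not from either poster): turn off Firefox's
# built-in DNS-over-HTTPS ("TRR") and generate a local validating, caching
# Unbound resolver config.  Firefox pref names/values and Unbound option
# names are real; file paths used here are illustrative assumptions.

# Report the network.trr.mode a profile will use.  Pass prefs.js then user.js
# (Firefox applies them in that order; user.js wins), last match counts.
# Mozilla's meaning of the values: 0 = browser default (DoH may be switched
# on by rollout), 2 = DoH first with fallback to the OS resolver,
# 3 = DoH only, 5 = DoH off by explicit user choice.
trr_mode() {
    mode=$(cat "$@" 2>/dev/null |
        sed -n 's/^user_pref("network\.trr\.mode", *\([0-9][0-9]*\)).*/\1/p' |
        tail -n 1)
    printf '%s\n' "${mode:-0}"
}

# Human-readable classification of trr_mode's result.
trr_status() {
    case "$(trr_mode "$@")" in
        0) echo default ;;
        2) echo doh-with-fallback ;;
        3) echo doh-only ;;
        5) echo off ;;
        *) echo unknown ;;
    esac
}

# Turn DoH off in a profile's user.js: drop any existing network.trr.* lines,
# then append mode 5.  user.js is re-read at every start, so this survives
# Firefox rewriting prefs.js.
disable_doh() {
    userjs="$1"
    tmp="${userjs}.tmp.$$"
    if [ -f "$userjs" ]; then
        grep -v '^user_pref("network\.trr\.' "$userjs" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'user_pref("network.trr.mode", 5);\n' >> "$tmp"
    mv "$tmp" "$userjs"
}

# Write a minimal Unbound config: loopback only, DNSSEC validation against the
# root trust anchor (bogus answers become SERVFAIL), caching with prefetch.
# The anchor path is an assumption; fetch/verify it once with
# `unbound-anchor -a <path>` before starting unbound.
write_unbound_conf() {
    conf="$1"
    anchor="${2:-/var/lib/unbound/root.key}"
    cat > "$conf" <<EOF
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # DNSSEC validation; do not fall back to unvalidated answers
    auto-trust-anchor-file: "$anchor"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-glue: yes
    # caching: refresh popular records and keys before they expire
    prefetch: yes
    prefetch-key: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
EOF
}

# Usage:  ./doh-off.sh --apply ~/.mozilla/firefox/<profile> [/etc/unbound/unbound.conf]
case "${1:-}" in
    --apply)
        profile="$2"
        echo "before: $(trr_status "$profile/prefs.js" "$profile/user.js")"
        disable_doh "$profile/user.js"
        echo "after:  $(trr_status "$profile/prefs.js" "$profile/user.js")"
        [ -n "${3:-}" ] && write_unbound_conf "$3"
        ;;
esac
```

With Unbound listening on 127.0.0.1 and /etc/resolv.conf pointing at it, the browser's own resolver path is simply off (mode 5) and every application on the host gets the same cached, validated answers, which also restores the single place to look when diagnosing a DNS problem. For a whole network rather than one profile, Mozilla additionally documents a canary domain, use-application-dns.net: if the local resolver answers it with NXDOMAIN, Firefox does not enable DoH by default (that detail is from Mozilla's documentation, not this thread).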