1. 38
  1.  

  2. 10

    It’s all about the threat model, right?

    If you’re worried about the NSA intercepting your DNS traffic, we don’t have any good solution today - I’m guessing that the only real difference between ISP DNS and DNS over Tor (if you’d be crazy enough to use it) is hiding in a big crowd and hiding in a very tiny, heavily watched crowd… your traffic will be monitored either way. I’m really hoping for this “Russian alternate DNS” that’s heavily be-FUDded to launch and allow some level of encrypted access for non-Russian citizens, as I think NickP’s antagonistic jurisdiction model is the only real chance we have.

    If you’re worried about leaking data to big businesses, Cloudflare has a ton of it anyway as they host so many endpoints. But being able to pull them out of the loop sure would be an improvement.

    This definitely solves the script kiddie in the coffee shop attack though, which seems to be the only traffic interception risk we can seem to get meaningful traction against, so hey - that’s a win.

    1. 15

      I dislike CloudFlare because they’re making the internet more centralized (the more small websites use them as a proxy, the less direct connections to small websites are made) and because of some infamous abuse handling incidents, but I would trust them 100000% more than my local ISP.

      The local ISP knows where I live, the local ISP has to comply with local laws, the local ISP has monitoring installed by the local equivalent of the NSA. The local ISP didn’t even promise any privacy at all, which is worse than CloudFlare’s privacy policy for this resolver.

      1. 25

        “the local ISP has monitoring installed by the local equivalent of the NSA”

        You should assume Cloudflare does, too. They are a venture-funded, for-profit company operating in a surveillance state in ideal position to do surveillance. The NSA/FBI also pays or coerces compliance per Core Secrets leaks. The real question to determine if they won’t cooperate with the NSA is: “Will they turn down $30-$100+ million, go bankrupt, and/or go to prison for me?” If not, then they’ll likely cooperate. The cooperation also always mandates they lie about cooperating. They can promise government-proof anything while relaying data to the government.

        1. 10

          Key word being local. If you live in a country that’s not very friendly to the US, it’s better to have NSA surveillance than local surveillance :)

          1. 5

            Excellent point! I argued something similar in an essay on using multiple, non-cooperative jurisdictions for security. :)

            1. 2

              Couldn’t the opposite be just as true? If you live in a country that’s not friendly enough to the US, it may also be better to have local surveillance than NSA surveillance. If I know my government is out for my data, can’t easily access the stuff the US has, and isn’t sophisticated enough to upstream crypto algorithms into the Linux kernel or tap into underwater fibre cables, I’d pick local any day.

              edit: plural

          2. 5

            That’s true. However, your local ISP will still know where you connect. It will still see how much and if it’s unencrypted what you send/receive.

            CloudFlare being a big target has to comply with some other country’s laws; as a US company it has to comply with NSLs, which might or might not exist in your local country. CloudFlare being a big company might also comply with other countries’ laws - maybe not small ones, but look at the list of companies that comply with China, etc.

            Also this is actually not about your ISP vs CloudFlare. It’s about whatever you have configured vs CloudFlare. If Firefox starts making HTTPS requests to CF, then as a system administrator expecting DNS requests you might even miss them.

            I think the problem is not that Firefox allows this, but that it’s skipping your system-wide configuration, without asking. After all I can already use CloudFlare’s DNS servers if I want to do so.

            And then: CloudFlare makes its money by selling CDN features (including analytics, etc.) to companies, while my ISP makes money by selling internet to me. If your ISP doesn’t promise any privacy (or has no privacy policy, as you make it sound like) maybe consider switching your ISP.

            The main point however is: I don’t think “overwriting” things like resolving hostnames is something an application should do, unless it’s asking or by design made to do so. In this case it’s not.

            It will by default skip what you, your system administrator, etc. might have done to secure you.

            It’s totally fine you trust CloudFlare more than your ISP/your local setup, but I don’t think it’s fine if a piece of software dictates and overwrites whom you trust silently, when you might already have consciously chosen someone else you trust.

            1. 2

              “If your ISP doesn’t promise any privacy (or has no privacy policy, as you make it sound like) maybe consider switching your ISP.”

              In most of the US, that isn’t feasible. Most places have at most two residential broadband providers: the phone company (typically AT&T), and the cable company (either Comcast or Spectrum, depending on location). And not counting MVNOs, there are, what, four mobile broadband providers?

              I do basically agree with you that this may skip what your local sysadmin has done to secure you. But it’s making the trade-off that most people do not have a local sysadmin doing anything to secure you, and will never opt-in to anything to secure themselves.

          3. 18

            Didn’t systemd hard code 8.8.8.8 as well at some point?

            It’s such a good thing that people are watching out for violations in free software.

            1. 19

              They use it as the default for the fallback if no DNS is configured. https://github.com/systemd/systemd/blob/master/meson_options.txt#L200

              1. 2

                Which is quite reasonable.

                1. 9

                  That depends on your individual situation. Some users might appreciate that the system ‘just works’ even if not configured properly. Others wouldn’t, for 2 reasons:

                  1. Sending data to a third party, especially one like google, without telling the user, is not ok in terms of privacy.
                  2. If something is misconfigured but silently falls back to a default which appears to work (while actually behaving in a different manner to how the user intended), then it’s much more difficult for the user to know that it needs fixing, and often much more difficult for the user to fix.

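The silent-fallback concern in the two points above can be checked on a host rather than argued about. The script below is an added example for this thread (not systemd’s code): it parses the `[Resolve]` section of a resolved.conf-style file and reports the situation the thread describes, where no `DNS=` is configured and `FallbackDNS=` is left unset, so that the compiled-in public resolvers (the thread names 8.8.8.8) are used without the user ever choosing them. It relies on the documented resolved.conf(5) semantics: `FallbackDNS=` absent means the compiled-in list applies, `FallbackDNS=` set to an empty value disables the fallback, and fallback servers are only consulted when no other DNS server is known. The list of public resolver addresses beyond 8.8.8.8 and the sample configurations are constructed for the example; the script only audits the global file, not per-link servers learned from DHCP or networkd.

```python
"""Audit a systemd-resolved configuration for silent fallback to third-party DNS.

Added example, not systemd's own code. Parses the [Resolve] section of a
resolved.conf(5)-style file and flags the case where queries would quietly go
to the compiled-in public fallback resolvers.
"""
import configparser
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known public resolvers. 8.8.8.8 is the one named in the thread; the
# others are assumed here for illustration, not taken from systemd's source.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


@dataclass
class ResolvedSettings:
    dns: List[str] = field(default_factory=list)
    # None means FallbackDNS= never appeared, so the compiled-in list applies.
    # An empty list means FallbackDNS= was set to nothing, which disables fallback.
    fallback_dns: Optional[List[str]] = None


def parse_resolved_conf(text: str) -> ResolvedSettings:
    """Parse DNS= and FallbackDNS= from the [Resolve] section."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # systemd keys are case-sensitive (DNS, FallbackDNS)
    parser.read_string(text)
    settings = ResolvedSettings()
    if not parser.has_section("Resolve"):
        return settings
    section = parser["Resolve"]
    if "DNS" in section:
        settings.dns = section["DNS"].split()
    if "FallbackDNS" in section:
        settings.fallback_dns = section["FallbackDNS"].split()
    return settings


def _bare_address(entry: str) -> str:
    """Strip the optional '#tls-name' suffix and ':port' from a server entry."""
    addr = entry.split("#", 1)[0]
    if addr.startswith("["):            # [IPv6]:port form
        addr = addr[1:addr.index("]")]
    elif addr.count(":") == 1:          # IPv4:port form
        addr = addr.split(":", 1)[0]
    return addr


def audit(text: str) -> List[str]:
    """Return findings about silent third-party fallback; empty list means none."""
    s = parse_resolved_conf(text)
    findings: List[str] = []
    if s.fallback_dns is None:
        if s.dns:
            findings.append("FallbackDNS= unset: compiled-in public resolvers "
                            "apply if the DNS= servers are ever removed")
        else:
            findings.append("no DNS= and FallbackDNS= unset: lookups silently "
                            "go to the compiled-in public resolvers (e.g. 8.8.8.8)")
    else:
        public = [e for e in s.fallback_dns
                  if _bare_address(e) in KNOWN_PUBLIC_RESOLVERS]
        if public:
            findings.append("FallbackDNS= names third-party resolvers: "
                            + " ".join(public))
    return findings


# Constructed sample configurations (not from any real host).
WEAK_CONF = """
[Resolve]
#DNS=
#FallbackDNS=
"""

DNS_ONLY_CONF = """
[Resolve]
DNS=192.0.2.53
"""

HARDENED_CONF = """
[Resolve]
DNS=192.0.2.53
FallbackDNS=
"""

if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("dns-only", DNS_ONLY_CONF),
                       ("hardened", HARDENED_CONF)]:
        print(name, audit(conf) or ["ok: no silent fallback"])
```

On a live system the same check applies to `/etc/systemd/resolved.conf` and any drop-in under `/etc/systemd/resolved.conf.d/`; `resolvectl status` shows the effective global and fallback servers, which is the quickest way to confirm what the audit predicts.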
              2. 7

                2 people marked this as incorrect but the source code proving it is linked right there!

                1. 5

                  You cannot imagine how many people mark comments they do not like as incorrect without even checking the sources, commenting or noticing that they are opinions!

                  You shouldn’t care much: others might learn something from your comment anyway. At least an incorrect downvote makes you double check the sources!

                  1. 3

                    Is it hard coded or is it a fallback default?

                2. 5

                  Let’s stop here for the moment and repeat: With Mozilla’s change, any (US) government agency can basically trace you down.

                  Apparently, the issue is not only US government agencies, but I’m starting to think that the introduction of a single point of failure is intentional.

                  1. 1

                    Will the new DNS over HTTPS lose the hosts file records? I also use a feature of systemd which makes any subdomain of localhost point to localhost.

                    1. 3

                      I assume that Firefox will ignore the local system resolver entirely, so this feature would no longer work for you unless you turn this off in Firefox.