Disappointed that Firefox is giving Cloudflare user DNS resolution data by default via DoH. I trust my ISP but if I didn't, I'd use a trusted VPN to protect *all* my traffic. DoH is just a DNS-only VPN. What's worse, if you do use a VPN for #privacy FF will still leak your DNS data to Cloudflare by default. https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
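The complaint above is that Firefox's DoH setting lives inside the browser, so a VPN that captures the system resolver never sees those queries. The following checker is an added example, not code from the thread or from Mozilla: it parses the `user_pref(...)` lines of a profile's prefs.js or user.js, reports the `network.trr.mode` value (Mozilla's documented modes: 0 off, 2 DoH first, 3 DoH only, 5 off by user choice), and emits the user.js line that switches TRR off. The sample prefs are constructed; the endpoint name in them is Mozilla's Cloudflare DoH URL as the thread describes the default.

```python
# Added example (not from the thread): audit Firefox prefs.js / user.js for
# DNS-over-HTTPS ("TRR") settings and emit the pref that turns it off.
import re
from typing import Dict, Union

PrefValue = Union[str, int, bool]

# prefs.js / user.js lines look like: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# network.trr.mode values as documented by Mozilla.
TRR_MODE_MEANING = {
    0: "off (Firefox built-in default)",
    1: "reserved (treated as off)",
    2: "DoH first, system resolver as fallback",
    3: "DoH only, no fallback",
    4: "reserved (treated as off)",
    5: "off by explicit user choice",
}
DOH_ACTIVE_MODES = {2, 3}

def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref(...) lines; strings lose their quotes, ints and bools are typed."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue                      # comments, blank lines, unrelated content
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw         # leave anything unexpected untouched
    return prefs

def doh_status(prefs: Dict[str, PrefValue]) -> Dict[str, object]:
    """Say whether Firefox will send DNS to its DoH endpoint instead of the system (or VPN) resolver.

    prefs.js only records values that differ from the build's default, so a missing
    network.trr.mode means "whatever this build ships with", not "off".
    """
    mode = prefs.get("network.trr.mode")
    uri = prefs.get("network.trr.uri", "")
    if mode is None:
        return {"mode": None, "meaning": "not set: build default applies",
                "uri": uri, "bypasses_system_resolver": None}
    meaning = TRR_MODE_MEANING.get(mode, "unknown value")
    return {"mode": mode, "meaning": meaning, "uri": uri,
            "bypasses_system_resolver": mode in DOH_ACTIVE_MODES}

def disable_doh_prefs() -> str:
    """user.js line that turns TRR off as an explicit user choice (mode 5)."""
    return 'user_pref("network.trr.mode", 5);\n'

# Constructed sample resembling a prefs.js where DoH is on (not a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''

def audit(text: str = SAMPLE_PREFS) -> Dict[str, object]:
    """Convenience wrapper: parse then report."""
    return doh_status(parse_prefs(text))

if __name__ == "__main__":
    status = audit()
    print(status)
    if status["bypasses_system_resolver"]:
        print("Add to user.js:\n" + disable_doh_prefs(), end="")
```

Run it against the prefs.js of each Firefox profile on a machine that is supposed to route DNS through the VPN; a result of mode 2 or 3 means the browser's queries go to the configured DoH endpoint regardless of the VPN's resolver, and a missing pref means the build default decides, so the check is inconclusive rather than clean.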
Ask yourself why all these companies are fighting each other to be your default DNS provider. Why do their "privacy" solutions always give them your data instead? It's valuable data and it's easy to control it yourself. #privacy https://www.linuxjournal.com/content/own-your-dns-data
Why is it that the best minds in our industry seem unable to improve security without creating products that coincidentally give their employer more control over people and their data? Vendor lock-in is preventing real innovation in infosec.
@kyle Generally agree, but the problem is bigger than vendor lock-in, monopoly or any form of the "crooked capitalism" illusion. "The industry" is not trying to improve security, they're trying to increase profit. Everything takes a back seat to profit, under any form of capitalism. That probably ignites your pattern recognition neurons.
@zeh This is why Purism incorporated as a Social Purpose Corporation, specifically so we could put our social purpose ahead of profits.
@kyle That's nice, it signals your intention, provides some reassurance, and I guess it makes you a harder target for buying and changing your direction and goals. But, ultimately, you still operate under market rules and pressure. Ultimately, you don't get to make the rules, you can't just declare your way out of an economic system.
@kyle I understand your general concern, but in this case, Cloudflare seems aligned with Mozilla's stance against surveillance capitalism.
Cloudflare explicitly states the data collected in the link and which are deleted after 24 hours and the 3 pieces that are retained: https://developers.cloudflare.com/184.108.40.206/commitment-to-privacy/privacy-policy/privacy-policy/
Cloudflare also explicitly states in the other link that the data is not sold or used to target ads: https://developers.cloudflare.com/220.127.116.11/commitment-to-privacy/
@kyle Most people are not going to run their own DNS servers, but Mozilla isn't stopping them from using them if they do, so the immediate benefit is an increase in default privacy. “Better is good.”
@kyle I agree the data is sensitive. There has to be a buyer to make it valuable. Outside of ad targeting, I am not sure who would be interested in buying Cloudflare's DNS access data if the information necessary to target an individual is removed.
@jeremiahlee Cloudflare says they don't sell it for ads, but to answer your question in general, the value is the association of a series of websites with an individual, even if you don't know *who* the individual is.
Advertisers find a lot of value in "someone who likes X also likes Y but doesn't like Z" so that when they do have a target in mind that likes X, they know to market Y to them but not Z. This is why social graphs are valuable: friends/colleagues often share preferences.
@irl The goal is to have control over the DNS logs instead of giving them to Google or other big data firms. If you do not trust your ISP and think they sniff and capture all DNS traffic that goes over their wires, then the solution is to use a trusted VPN as they would probably also sniff all initial SNI requests too.
@kyle here is a question for you. How could you make this act similar to pihole with its blocklists as well as caching your DNS data? Pihole seems to go out to one of the big ones if it doesn't have it.
@n0btc Sounds like it would be possible if you set up a DNS server in the pihole server and pointed it to localhost.
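Running the resolver yourself, as the replies above suggest, also means the query log is yours to keep or discard. The script below is an added example, not code from the thread, Pi-hole or any resolver project: it applies a local retention window (24 hours here, mirroring the window mentioned earlier in the thread) to a resolver query log and reduces what is kept to per-name counts with no client column. The log format (ISO timestamp, record type, name, client address) is constructed for the example; the regular expression would need adjusting for a real resolver's log lines.

```python
# Added example (not from the thread): apply your own retention and minimisation
# policy to a local resolver's query log. The line format is constructed here.
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

class Query(NamedTuple):
    ts: datetime
    qtype: str
    name: str
    client: str

# Constructed format: "<ISO timestamp> query[<type>] <name> from <client>"
LINE_RE = re.compile(r'^(\S+) query\[(\w+)\] (\S+) from (\S+)$')

def parse_log(text: str) -> List[Query]:
    """Turn log lines into Query records; lines that do not match are skipped."""
    out: List[Query] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, qtype, name, client = m.groups()
        out.append(Query(datetime.fromisoformat(ts), qtype,
                         name.lower().rstrip("."), client))
    return out

def retain_recent(queries: List[Query], now: datetime,
                  max_age: timedelta = timedelta(hours=24)) -> List[Query]:
    """Keep only entries younger than max_age; everything older is dropped."""
    cutoff = now - max_age
    return [q for q in queries if q.ts >= cutoff]

def minimize(queries: List[Query]) -> Dict[str, int]:
    """Collapse retained entries to name -> count, discarding client and time.

    Without the client column the log no longer links a series of names to one
    device, which is the association the thread identifies as the valuable part.
    """
    return dict(Counter(q.name for q in queries))

def rotate(text: str, now: datetime,
           max_age: timedelta = timedelta(hours=24)) -> Tuple[List[Query], Dict[str, int]]:
    """One rotation step: parse, age out old entries, summarise what remains."""
    kept = retain_recent(parse_log(text), now, max_age)
    return kept, minimize(kept)

# Constructed sample log (reserved .example names, private addresses, one noise line).
SAMPLE_LOG = """\
2019-09-05T08:15:02 query[A] news.example from 192.168.1.10
2019-09-05T08:15:03 query[AAAA] news.example from 192.168.1.10
2019-09-06T09:30:10 query[A] mail.example from 192.168.1.20
2019-09-06T10:02:44 query[A] news.example from 192.168.1.20
2019-09-06T11:45:00 query[A] shop.example from 192.168.1.10
2019-09-06T11:50:00 query[A] news.example from 192.168.1.10
this line is noise and is skipped
"""
NOW = datetime(2019, 9, 6, 12, 0, 0)   # constructed "current time" for the sample

if __name__ == "__main__":
    kept, summary = rotate(SAMPLE_LOG, NOW)
    print(f"{len(kept)} entries within the retention window")
    for name, count in sorted(summary.items()):
        print(f"{count:3d}  {name}")
```

The two knobs a practitioner would tune are `max_age` (how long raw entries with client addresses survive) and what `minimize` keeps; a blocklist-oriented setup like the one asked about above might keep per-name counts for tuning the lists while letting the client-linked rows expire.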
Giving your DNS requests a secure tunnel to Cloudflare is like giving you a safe ride in an armored vehicle to a dark alley at midnight.
@kyle has Librem considered / will Librem consider running a DoH resolver with adblock? Similar to nextdns.io.