Disappointed that Firefox is giving Cloudflare user DNS resolution data by default via DoH. I trust my ISP but if I didn't, I'd use a trusted VPN to protect *all* my traffic. DoH is just a DNS-only VPN. What's worse, if you do use a VPN, FF will still leak your DNS data to Cloudflare by default.

Ask yourself why all these companies are fighting each other to be your default DNS provider. Why do their "privacy" solutions always give them your data instead? It's valuable data and it's easy to control it yourself.

Why is it that the best minds in our industry seem unable to improve security without creating products that coincidentally give their employer more control over people and their data? Vendor lock-in is preventing real innovation in infosec.

@kyle Generally agree, but the problem is bigger than vendor lock-in, monopoly or any form of the "crooked capitalism" illusion. "The industry" is not trying to improve security, they're trying to increase profit. Everything takes a back seat to profit, under any form of capitalism. That probably ignites your pattern recognition neurons.

@zeh This is why Purism incorporated as a Social Purpose Corporation, specifically so we could put our social purpose ahead of profits.

@kyle That's nice, it signals your intention, provides some reassurance, and I guess it makes you a harder target for buying and changing your direction and goals. But, ultimately, you still operate under market rules and pressure. Ultimately, you don't get to make the rules, you can't just declare your way out of an economic system.

@kyle Is it valuable data? Neither Mozilla nor Cloudflare seem to have an economic incentive to monetize this data. Also, Cloudflare’s privacy policy states:

@jeremiahlee it's your entire browsing history. Every site you visit. Very valuable data and their privacy policy is vague about which data they keep indefinitely, so you focus on the "24hrs" part.

@kyle I understand your general concern, but in this case, Cloudflare seems aligned with Mozilla's stance against surveillance capitalism.

Cloudflare explicitly states the data collected in the link and which are deleted after 24 hours and the 3 pieces that are retained:

Cloudflare also explicitly states in the other link that the data is not sold or used to target ads:

@kyle Most people are not going to run their own DNS servers, but Mozilla isn't stopping them from using them if they do, so the immediate benefit is an increase in default privacy. “Better is good.”

@kyle I agree the data is sensitive. There has to be a buyer to make it valuable. Outside of ad targeting, I am not sure who would be interested in buying Cloudflare's DNS access data if the information necessary to target an individual is removed.

@jeremiahlee Cloudflare says they don't sell it for ads, but to answer your question in general, the value is the association of a series of websites with an individual, even if you don't know *who* the individual is.

Advertisers find a lot of value in "someone who likes X also likes Y but doesn't like Z" so that when they do have a target in mind that likes X, they know to market Y to them but not Z. This is why social graphs are valuable--friends/colleagues often share preferences.

@kyle This article seems to argue to set up a recursive resolver that sends plaintext via your ISP anyway. If your goal was to have privacy from your ISP, you failed.

@irl @kyle My understanding is that article is about owning DNS logs instead of *legally* handing them over to third parties. I don’t recall any stronger claims.

@irl The goal is to have control over the DNS logs instead of giving them to Google or other big data firms. If you do not trust your ISP and think they sniff and capture all DNS traffic that goes over their wires, then the solution is to use a trusted VPN as they would probably also sniff all initial SNI requests too.

@kyle sniffing and capturing DNS traffic is probably allowed under your TOS. At the very least they are allowed to do it for technical reasons, which might include looking at where their customers are going to so they can work out what peering arrangements they need, etc.

You're right on SNI. Even if you're not using SNI it's probably the case then that the IP address is going to give away where you're going.

I think that destination IP addresses are collected by all UK ISPs by law, and retained for some specified time period.

I lost track on what was happening there in the end. Maybe that didn't happen, maybe it got worse.

@kyle Here is a question for you. How could you make this act similar to Pi-hole with its blocklists as well as caching your DNS data? Pi-hole seems to go out to one of the big ones if it doesn't have it.

@n0btc Sounds like it would be possible if you set up a DNS server on the Pi-hole server and pointed it to localhost.

Giving your DNS requests a secure tunnel to Cloudflare is like giving you a safe ride in an armored vehicle to a dark alley at midnight.

@kyle Has Librem considered, or will it consider, running a DoH resolver with adblock? Similar to

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.
