Cloudflare DoH is not just a privacy problem.
- Consumer protection and choice
- Cloudflare Blocklists
- Loss of jurisdiction
- User confusion
- A bad precedent... think Superfish
What should Mozilla do to help?
Operating systems need better tooling, not just browsers, so make an unbiased DNS tool for the operating system and make it easy to install from Firefox.
dnsmasq demonstrates where this could technically sit in the DNS stack.
Firewall and antivirus apps demonstrate the nature of app we need.
The app would need to check, notify, offer config options and recommendations: triggered by network changes.
- Visibility: To see how bad their current DNS is
- Control: to learn and change their DNS config with a UI
- Choice: A marketplace of providers with pros and cons listed, sure Cloudflare should be listed
- Plugins: Cache control, local overrides, Bonjour/Avahi, Gnunet, Namecoin, IPNS, etc might enjoy a common name resolver interface and users might trust Mozilla to install them
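As an added illustration (not from the post, and not a Mozilla or dnsmasq project file), here is the kind of dnsmasq configuration the dnsmasq reference points at: a resolver that sits between every application and the upstream, carrying the local overrides, conditional forwarding and blocklist entries that an application-level DoH client silently walks past. All domain names, addresses and paths are constructed placeholders.

```conf
# Constructed example: a host-level resolver that every app on the machine
# uses (the OS points /etc/resolv.conf at 127.0.0.1). Names and addresses
# below are placeholders, not real infrastructure.
listen-address=127.0.0.1
bind-interfaces
no-resolv                      # ignore /etc/resolv.conf; use only the servers below

# Upstream for the open internet: whichever provider the user chose.
# A "marketplace" style tool would swap these lines, not the browser.
server=9.9.9.9                 # placeholder public resolver
server=1.1.1.1                 # placeholder public resolver

# Conditional forwarding: intranet names go to the office resolver that is
# only reachable on the VPN or office network. Applies to every app equally,
# so webmail resolves the same way in Firefox and in Chrome.
server=/corp.example/10.0.0.53
rev-server=10.0.0.0/8,10.0.0.53

# Local override: a developer pointing a production hostname at a staging box
# so that testing never hits the real servers.
address=/www.shop.example/192.0.2.10

# Blocklist: names that must not resolve on this network, whatever the
# upstream would answer.
address=/blocked.example/0.0.0.0
address=/tracker.example/0.0.0.0

# Never forward .local upstream; leave it to mDNS (Bonjour/Avahi).
local=/local/

# Cache control and visibility: every query is logged, so the user can see
# what their DNS is actually doing.
cache-size=10000
log-queries
log-facility=/var/log/dnsmasq.log
```

With this in place, a browser that ships its own DoH resolver would bypass every line above, which is the practical version of the scenarios described later in the post.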
What is Firefox doing?
Firefox is starting the rollout of Cloudflare being the DNS provider for Firefox installs by default.
Mozilla believes it knows better than the choices you made or the local network defaults.
Some opinions already expressed:
I live in the EU, so Cloudflare appears to be a higher privacy risk.
I know I am a low privacy risk as I'm not a: soldier, doctor, journalist, politician, cancer sufferer, member of a demographic typically at risk of discrimination, ...
If I had a reason not to trust my network, I'd need a VPN, not a better DNS resolver.
Consumer protection and choice
My DNS is provided by an ISP that I pay for and because of this it has to be of merchantable quality under UK law.
If my ISP fails it has to answer to my wallet, my demands for a refund and potentially multiple regulators here.
Should Cloudflare fail for my local network or devices what action can I take or the UK regulators?
Will I be able to change if Cloudflare becomes mainstream? Why would my ISP provide DNS services? Like email it may disappear and I'm stuck with whatever Cloudflare offers.
Loss of jurisdiction
In the UK there are websites that have been banned.
Whether you agree with the Pirate Bay being blocked or not, you might agree that it's a good idea that UK users cannot resolve child pornography sites.
Users who wish to circumvent local jurisdiction should be looking at VPNs, not DNS. In some countries I might support their efforts if well intended.
As an account holder, on a home wifi I share with friends and family, I'm not just thinking about my own browsing when I want resolution to fail if they visit illegal sites.
The USA has different laws that mean it may force US companies to block content that may be okay abroad. Maybe Wikileaks, maybe SciHub or maybe The Guardian when the next Snowden style leaks happen.
Cloudflare has repeatedly been known to refuse to withdraw hosting from controversial content.
However, it also has abided by some, notably removing hosting to 8chan.
Whilst I agree that 8chan should have been removed by Cloudflare, if Cloudflare has a marketplace control, like over most users of Firefox, then the only blocking it should do is that necessary by law.
It might make my day to see them block DNS resolution of a company like Google, on the grounds that Google is breaching privacy laws and therefore unethical to resolve, but that shouldn't be an option Cloudflare can take.
Think about the following scenarios:
I can view my workplace email in Chrome, but not Firefox? Why? How will Firefox keep up with intranet resolvers that come and go according to the user's context and may answer differently on the open web than in the office?
Developers often play with DNS to investigate problems or avoid hitting production servers. This risks blacklists and overrides set in infrastructure or local settings no longer working, which may cause confusion or, worse, security hardening techniques silently failing.
A privacy invading hotel gets annoyed at 220.127.116.11 not being visible so blocks it on their wifi: what happens? I'm guessing Firefox gives up Cloudflare or the user gives up on Firefox.
A bad precedent
Firefox is an application like any other, and deciding that apps should be managing encrypted DNS is worrying.
With the privacy problems we've seen with period apps, Facebook SDK tracking and similar, users desperately need control and visibility of what apps can do on the network. DNS control and similar should be in the hands of the OS and global settings users can control.
Firefox is now going to be another app doing encrypted things on the network that you cannot see. Maybe Firefox will have audit logs and network logs to show what Cloudflare gets, but will your period app or the Facebook SDK when they start using DoH too?
And why just your apps playing directly with DoH? If apps should be taking DNS control away from your network, why not your laptop manufacturer: why not Lenovo? Some manufacturers may love to take control of your network for their own purposes for ad distribution and if Firefox supports DoH controls over the network, then perhaps Lenovo should fork it and distribute it with new laptops set to use their DoH resolver?