Disable DNS over HTTPS
2020-02-26 23:39 by zlg

Mozilla recently changed Firefox so that DNS-over-HTTPS[1] is being rolled out as the default for all United States users. DoH stuffs your DNS queries into an HTTPS request to a resolver, which then spits back the IP to connect to. On its surface it's supposed to be "more secure" (it does hide the queries from anyone sitting on the path between you and the resolver), but the default DoH provider is Cloudflare. [2] This should be alarming to anyone who considers centralization a threat. The effect of this is that every hostname Firefox looks up, which is a record of every site you visit, gets sent to Cloudflare. Cloudflare uses Google captchas and other analytics.

Mozilla has also been gathering "anonymous browsing data" through their Studies platform. [3] The only reason to gather this data is to sell it. As such, I do not recommend using any of Mozilla's products. If you're intent on staying with Firefox, you can disable DoH:

1. Open 'about:config';
2. Search for 'network.trr.mode', and set it to 5. If it doesn't exist, create it, so when you update Firefox the key will already be made. See [4] for a description of the magic numbers used here: 5 means "off by choice", so a later rollout will not switch DoH back on, which the default value 0 does not guarantee.
3. Restart your browser.

Be sure to do this for *all* Firefox installations. Who knows how long they'll allow it.

At present I cannot recommend any HTTP browsers. The whole protocol is a mess, as are the attempts to secure it. If you've been paying attention, it's become harder and harder to run your own website, because corporations and browser vendors (one and the same here) keep changing the requirements to be considered "secure". This is a repeat of what's happened to the e-mail protocol, and apparently we'll need to fuck up HTTP to relearn that lesson.

We need to have a serious conversation about trust and networking. Large, powerful organizations are trying to steer what the public does online and we're expected to just trust them. What have they done to deserve our trust? We read about leak after leak of data; data that wouldn't leak if it wasn't gathered in the first place. And their answer is to trust yet another entity, one that we *don't* have legal agreements with, with our most personal browsing information. That's a trap, folks.

None of this makes me trust the Web. It highlights how broken TCP/IP itself is. We need a networking stack that puts security and privacy first, not as a half-baked, cat's-out-of-the-bag "solution" through corporate partnerships and continuously changing the requirements for Web authorship.

There are solutions out there to sandbox your browser: Firejail, a chroot, whatever "universal packaging solution" is hip on Linux these days, or just a regular ol' VM. If you have to use all of these things dressed up to the nines to browse the Web, then it's time to realize that HTTP(S) Is Harmful.

-z

[1]: https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/
[2]: https://wiki.mozilla.org/Trusted_Recursive_Resolver#network.trr.resolvers (check this key in your browser and it will say Cloudflare unless you've changed it.)
[3]: https://groups.google.com/forum/#!topic/mozilla.governance/81gMQeMEL0w
[4]: https://wiki.mozilla.org/Trusted_Recursive_Resolver#network.trr.mode
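Added example for the about:config procedure above; this is not part of the original post and not Mozilla's code. It is a POSIX shell script that writes the same setting (network.trr.mode = 5) into user.js for every profile listed in profiles.ini, so that it covers all profiles under one home directory and is re-applied on every start instead of living only in prefs.js, and it reports what prefs.js currently records for network.trr.mode and network.trr.uri. The Linux profile layout ($HOME/.mozilla/firefox), the file names, and the claim that user.js overrides prefs.js at startup are assumptions stated in the comments; the script only touches real profiles when run with --apply.

```shell
#!/bin/sh
# Added example, not from the original post: pin network.trr.mode=5 ("off by
# choice") in user.js for every Firefox profile listed in profiles.ini, and show
# what prefs.js currently records. Assumptions: POSIX sh with sed/grep, the Linux
# profile layout ($HOME/.mozilla/firefox), and Firefox's documented behaviour that
# user.js is re-applied on every start and overrides prefs.js.

FF_BASE="${FF_BASE:-$HOME/.mozilla/firefox}"

# pref_value FILE KEY: print the value of a user_pref() line (e.g. 5 or
# "https://..."), or "unset" if the key is absent, meaning the built-in default
# applies. Uses the last occurrence, which is the one Firefox keeps.
pref_value() {
    f="$1" key="$2"
    [ -f "$f" ] || { echo unset; return 0; }
    v=$(sed -n "s/^user_pref(\"$key\", *\(.*\));\$/\1/p" "$f" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# firefox_profiles BASE: print one profile directory per line from profiles.ini.
# Path= entries are relative to BASE unless absolute (IsRelative=0).
firefox_profiles() {
    base="$1"
    [ -f "$base/profiles.ini" ] || return 0
    sed -n 's/^Path=//p' "$base/profiles.ini" | while IFS= read -r rel; do
        case "$rel" in
            /*) echo "$rel" ;;
            *)  echo "$base/$rel" ;;
        esac
    done
}

# disable_doh_in_profile DIR: rewrite DIR/user.js so it contains exactly one
# network.trr.mode line, set to 5. Mode 0 is the default and leaves a later
# rollout free to turn DoH on; mode 5 records that the user turned it off.
disable_doh_in_profile() {
    js="$1/user.js"
    if [ -f "$js" ]; then
        # grep -v exits 1 when nothing is left, which is fine (file becomes empty).
        grep -v '^user_pref("network.trr.mode"' "$js" > "$js.tmp" || true
        mv "$js.tmp" "$js"
    fi
    printf 'user_pref("network.trr.mode", 5);\n' >> "$js"
}

# disable_doh_all [BASE]: apply to every profile and report the before state.
disable_doh_all() {
    base="${1:-$FF_BASE}"
    firefox_profiles "$base" | while IFS= read -r p; do
        [ -d "$p" ] || continue
        mode=$(pref_value "$p/prefs.js" network.trr.mode)
        uri=$(pref_value "$p/prefs.js" network.trr.uri)
        disable_doh_in_profile "$p"
        echo "$p: prefs.js had mode=$mode uri=$uri; user.js now pins mode=5"
    done
}

# Only touch real profiles when invoked explicitly:  sh disable-doh.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_doh_all
fi
```

Run it as `sh disable-doh.sh --apply` (or with FF_BASE pointing at another installation's profile directory), then open about:config in each profile and confirm network.trr.mode reads 5. A value of "unset" in the report means that profile was still on Mozilla's default and would have been switched on by the rollout.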