DaemonForums  

  #1
4 Days Ago
fvgit
Spikes in tights
 
Join Date: May 2016
Location: perl -MMIME::Base64 -le 'print decode_base64("U2hlcndvb2QgRm9yZXN0")'
Posts: 178
OpenBSD will disable DoH in Firefox by default

The new DNS over HTTPS setting which Mozilla will roll out on Firefox will be disabled by default on OpenBSD:

https://marc.info/?l=openbsd-ports&m...5437630591&w=2

Code:
#OpenBSD has disabled #DoH by default in our #Firefox packages.  This is active in -current, and will be in our 6.6 -release.

From @otto 's commit message:

"""Disable DoH by default.  While encrypting DNS might be a good thing, sending all DNS traffic to Cloudflare by default is not a good idea.
Applications should respect OS configured settings."""
https://bsd.network/interact/102767562311572315
  #2
4 Days Ago
ripe
Fdisk Soldier
 
Join Date: Feb 2013
Location: Haute-Garonne, France
Posts: 79

What are the consequences for us, users of Firefox and OpenBSD? And I found this on Wikipedia:
Quote:
Criticism

The Internet Watch Foundation and the Internet Service Providers Association (ISPA)—a trade association representing UK ISPs, criticised Google and Mozilla for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. Mozilla responded to allegations by the latter (who nominated Mozilla as an "internet villain"), arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure".[23][24] On 9 July 2019, the ISPA withdrew Mozilla's "Internet Villain Nomination and Category."[25]
  #3
1 Day Ago
ibara
Real-life IT professor
 
Join Date: Jan 2014
Posts: 712

You will enjoy a safer Internet this way.
Paul Vixie gave a nice talk about DNS (including DoH) at vBSDcon this year; worth watching when the video emerges.
  #4
1 Day Ago
ripe
Fdisk Soldier
 
Join Date: Feb 2013
Location: Haute-Garonne, France
Posts: 79

Ok thanks
  #5
23 Hours Ago
e1-531g
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 494

Quote:
Originally Posted by ibara
You will enjoy a safer Internet this way.
Paul Vixie gave a nice talk about DNS (including DoH) at vBSDcon this year; worth watching when the video emerges.
I have found that tweet: https://twitter.com/paulvixie/status...86628832382977
Does it mean DoT is easier to intercept/attack using MitM than DoH? What about DoT with pinset (Stubby)?

Firefox exposes two ways of controlling DoH for IT departments, so they can turn it off for their users:
1. policies.json file
2. using Group Policy (Windows only)

Regular users on their private devices can, as always, disable it via about:config.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
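
An added example, not part of the original post and not Firefox's or OpenBSD's own code: a Python check that reads a `policies.json` and a profile's `prefs.js` and reports which of the controls listed above decides whether DoH is used. It assumes the `DNSOverHTTPS` policy keys (`Enabled`, `Locked`) and the `network.trr.mode` preference as documented by Mozilla; the precedence rule and the sample inputs are constructed for illustration.

```python
import json
import re

# Constructed sample inputs (not taken from the thread).
SAMPLE_POLICY = '{"policies": {"DNSOverHTTPS": {"Enabled": false, "Locked": true}}}'
SAMPLE_PREFS = 'user_pref("browser.startup.page", 3);\nuser_pref("network.trr.mode", 2);\n'

# network.trr.mode: 2 = DoH with fallback, 3 = DoH only, 5 = off by choice, 0 = default.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("network\.trr\.mode",\s*(\d+)\);', re.M)


def doh_from_policy(policy_text):
    """Return (enabled, locked) from policies.json text, or None if the policy is unset."""
    section = json.loads(policy_text).get("policies", {}).get("DNSOverHTTPS")
    if section is None or "Enabled" not in section:
        return None
    return bool(section["Enabled"]), bool(section.get("Locked", False))


def doh_from_prefs(prefs_text):
    """Return the last network.trr.mode written in prefs.js/user.js text, or None."""
    found = PREF_RE.findall(prefs_text)
    return int(found[-1]) if found else None


def effective_doh(policy_text, prefs_text):
    """Return (trr_mode, deciding_source).

    Assumed precedence: a locked policy wins, then the user's own pref,
    then an unlocked policy (which only sets the default), then the browser default.
    """
    policy = doh_from_policy(policy_text)
    mode = doh_from_prefs(prefs_text)
    if policy is not None and policy[1]:
        return (2 if policy[0] else 5), "policy-locked"
    if mode is not None:
        return mode, "user-pref"
    if policy is not None:
        return (2 if policy[0] else 5), "policy-default"
    return 0, "browser-default"


def doh_active(mode):
    """True when the resolver mode sends lookups over DoH."""
    return mode in (2, 3)


if __name__ == "__main__":
    mode, source = effective_doh(SAMPLE_POLICY, SAMPLE_PREFS)
    print(f"network.trr.mode={mode} decided by {source}; DoH active: {doh_active(mode)}")
```
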
  #6
12 Hours Ago
e1-531g
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 494

I forgot some things about these DoT/DoH/DNS things and did some recollection of them. My thought is that silent opportunistic DoT is useless. There should be an alert or at least some indicator for GUI users that DoT might be intercepted when the certificate is not validated against a pinset.
I understand that IT departments running corporate networks should be able to log or even sometimes block DNS requests, but it must not undermine the privacy of users who use the Internet in their home.

I don't like some decisions Mozilla has made over the last few years, but experimenting with DoH isn't one of them.

Last edited by e1-531g; 11 Hours Ago at 07:55 PM. Reason: Added last sentence