
Wait, Firefox. Didn't they push DNS over HTTPS? Doesn't that allow you to track all the requests a user makes on the server side?

I mean the server operators could sell that data, subtract their operating costs, divide by two and then push huge donations to Firefox.

Firefox wouldn't track you or sell your data. Right?



> Didn't they push DNS over HTTPS? Doesn't that allow you to track all the requests a user makes on the server side?

Making DNS requests usually involves sending the query to a server that could track you; this has been true since long before DNS over HTTPS was even imagined. It's just a question of who is tracking you; the way Firefox migrated means that requests were concentrated on Cloudflare but nobody else can see the queries. Whether this is good or bad depends on your threat model.


This has nothing to do with my threat model.

First of all, not every country allows the ISP to spy on its users.

Then, by using the ISP's DNS resolver, there's a high chance when browsing a well-known site, like ycombinator, I hit the ISP's cache, so the information that I want to access that site doesn't go past the ISP's DNS resolver.

Also the ISP's resolver may hit a cache higher up in the hierarchy before talking to root servers and requesting the information directly from the source. But even if I do NOT hit the ISP's cache, and the DNS resolver has to look it up, my single request drowns in the sea of all kinds of requests from the ISP's resolver and only the ISP is able to tell that I made that request. Again, in a country where the ISP is not allowed to spy on you, that's a rather safe thing.

DNSSEC doesn't play a role here as it only signs stuff and doesn't encrypt it. So the DoH resolver, that uses the DNS protocol to resolve unknown requests, will rely on the same information that my ISP's resolver will. In the end they'll always query the root servers and go straight to the authoritative source.

Also, DNS is like a public phone book, so no problem if I look something up while that lookup drowns in a sea of requests. The only identifiable part here is my UDP "connection" to the ISP's resolver and my IP-Address. This information isn't forwarded past the resolver I contact even if the resolver has to request anything on my behalf.

Fast forward to Firefox' DNS over HTTPS approach:

- Now all requests go to a single resolver and are bundled there.

- The requests are encapsulated in HTTP.

- HTTP contains much more information in the headers than any direct DNS request ever could.

- I'm not just identifiable by my IP-Address, but also by the information in the HTTP-Headers and the fingerprinting of the browser that can be done.

Also Firefox made it OPT-OUT and not OPT-IN. Which is a problem in and of itself.


Great job on finding the one thing (perhaps 2 including Pocket) compared to the extensive list of past transgressions by Google's Chrome team.

I greatly disagree with this kind of whataboutism brought up to whitewash the biggest offenders.


You know, the issue at hand is that they _ALL_ do it.

But some tell you they don't and do it anyway in ways that make it not as easy to detect.

And it's those sneaky ones that are really, REALLY bad, no matter what others have or haven't done.


Mozilla is a non-profit that made a couple of poor decisions. Meanwhile Google's whole business model is based around it. It is not the same thing at all.


Mozilla Foundation is a non-profit. Mozilla Corporation, a for-profit corporation which develops Firefox, made those bad decisions.



