@jpmens Very poor article (as always with McCarthy, the form trumps the content). 1) It never mentions the possibility of other DoH resolvers, outside of Cloudflare 2) It never mentions that DoH to the ISP resolver is pointless since the problem is precisely the ISP's resolver behaviour.

@bortzmeyer @jpmens And your answer is very biased and somewhat dishonest:
* configuring an alternate resolver is something that will only be done by power users. Default config matters a lot.
* bypassing ISP resolvers was never the purpose of an encryption protocol. The goal is to protect data over the network from snooping and from alteration.

@x_cli @jpmens Yes, the default is very important (most users won't change it or wouldn't even dare to think about it). That's why the default must be towards security. If the ISP were to pledge solemnly to follow the principles of network neutrality and privacy, they would have a right to complain. But they don't. Quite the opposite.

Also, yes, the default choice is very important but most anti-DoH texts lie by claiming that Mozilla forces the use of Cloudflare. This is simply not true.

@bortzmeyer @jpmens I'll write during my winter holidays a piece on DoH and Mozilla's strategy that will illustrate, with some PoC, why Mozilla is putting us at risk, and why Cloudflare is also a very bad default choice. No politics. Tech-only.

@x_cli @jpmens Don't spend time convincing me that Cloudflare is bad, I know. (I use my own DoH resolver.) The question is about DoH, not about Cloudflare.

@bortzmeyer @jpmens Most sound people complain about the Mozilla-Cloudflare partnership. Not about DoH itself, although there is a bit to say about it as a protocol as well.
I, for one, have no problem with Chrome's strategy for DoH implementation and deployment. But I am a fierce opponent of Mozilla's strategy.

@x_cli @jpmens So, nothing to do with DoH?

And I criticize the Mozilla strategy as well. Allowing ISPs to disable security at will (via the canary domain) is a bad idea.

@bortzmeyer @jpmens DoH as a protocol is stupidly complicated from the network stack point of view (DNS over H1 over H2 over TLS over TCP (WTF?!!)), and stupidly ignorant because it leverages almost none of the features of the underlying transport protocols.
Apart from that, it's peachy.

@x_cli @jpmens Then use DoT. But I suspect that the people who criticize DoH because it protects the user won't like DoT either.

@bortzmeyer @jpmens I personally prefer DNScrypt. But my preferences are uninteresting. The problem lies in Mozilla's strategy.

I would oppose them even if they were to use DNScrypt to talk to Cloudflare by default.

@bortzmeyer @jpmens Regarding Mozilla's kill-switch, I concur. This is totally brain-dead.

"As a side-note: we already deny RFC1918-addresses from DNS-over-HTTPS responses so in that regard, using TRR will save you from these DNS attacks!"

So, I was wrong. DoH-to-Cloudflare-by-default is not an issue, as far as DNS rebinding is concerned. Sorry 😶😥
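
As an added illustration of the RFC 1918 filtering described in the quoted note (example code written here, not Mozilla's or Cloudflare's implementation): it takes a DoH response in the JSON API format, which is assumed to use the common {"Answer": [{"type": 1, "data": "..."}]} layout, and drops A records that point into private address space, which is what defeats a rebinding answer.

```python
import ipaddress
import json

# RFC 1918 private IPv4 ranges, the ones the quoted note refers to.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def filter_doh_answer(doh_json: str) -> dict:
    """Parse a DoH JSON-format response and drop A records into RFC 1918 space.

    Returns the surviving 'Answer' list plus a 'blocked' list of the dropped
    addresses, so a caller can log the rebinding attempt instead of using it.
    """
    resp = json.loads(doh_json)
    kept, blocked = [], []
    for rr in resp.get("Answer", []):
        # type 1 is an A record; other types (AAAA, CNAME, ...) pass through.
        if rr.get("type") == 1 and is_rfc1918(rr.get("data", "")):
            blocked.append(rr["data"])
        else:
            kept.append(rr)
    return {"Answer": kept, "blocked": blocked}


# Constructed sample (not captured traffic): a public name whose second answer
# "rebinds" to a LAN address, the pattern a DNS rebinding attack relies on.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0,
    "Question": [{"name": "rebind.example.", "type": 1}],
    "Answer": [
        {"name": "rebind.example.", "type": 1, "TTL": 1, "data": "203.0.113.10"},
        {"name": "rebind.example.", "type": 1, "TTL": 1, "data": "192.168.1.1"},
    ],
})

if __name__ == "__main__":
    result = filter_doh_answer(SAMPLE_RESPONSE)
    print("kept:", [rr["data"] for rr in result["Answer"]])  # ['203.0.113.10']
    print("blocked:", result["blocked"])                       # ['192.168.1.1']
```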

@x_cli @jpmens For the second point, it goes in the opposite direction: the goal is to bypass IAP resolver because of their practices. Despite what the anti-DoH propaganda says, this can be done without DoH or even without encryption. But this is dangerous (IP hijacking, for instance). So, to use a public resolver, DoE is really useful.

(On the other hand, DoE to the IAP resolver is not very interesting.)

@bortzmeyer @jpmens You are conflating your political ideas with the purpose of a protocol.

As you said yourself, bypassing ISP resolvers can be done in numerous ways and has been possible for ages. DoH was not created to be "one more way of doing it".

There is a bit of security behind DoH, but mostly there is a political and economic agenda for browsers and CDNs that has nothing to do with ISPs. ISPs are just a distraction used to hide the true agenda.

@x_cli @jpmens Please explain this theory. A browser can talk DoT or Do53 as well (Chrome did it a long time ago). Besides security (encryption and authentication), what is changed by DoH?

@bortzmeyer @jpmens DoH as a protocol changed nothing. You said it yourself: they could have implemented a secure transport before.

So why now? Why the sudden interest? Yes, it relies on a stack browsers already implemented, but browsers obviously don't care about attack surface.

The answer is: being (much) faster than the other CDNs. And Cloudflare, which does not support ECS "for privacy reasons", is actually doing it to be even faster than its competitors.

