Consider me a somewhat informed EU-based internet user.
I support Mozilla pushing forward with DNS integrity and privacy. I hope the study can shed more insight into how widespread the problems are, without causing overreactions, panic and loss of perspectives. I have no objection to the details of how the study is being performed. It seems to me that users who have opted to run Nightlies has in part already given consent to be guinea pigs - though I don't know how far this covers their data integrity and privacy.
I'm more concerned about agreeing on a good goal state of future possible integration of this feature into the browser (and possibly setting standard for other browsers).
1. Consent - specifically in the EU, full compliance with EU GDPR requires users' being able to opt-in on extra data processing and sharing with 3rd parties. (I.e. if X is some bonus feature, by default X must be opted in to by users. Services must be possible to use with a minimal set of privacy exposure in terms of what data processing organisations are involved. IMO these are truly good standards, and I don't buy the "users are stupid" argument - "that's a UX issue" (have seen lots of good GDPR consent UI improvements recently))
2. Going forward, I assume the intent of Mozilla is to use future DoH server selection methods including automatic ones, for example OS-managed ones where a DHCP option or equivalent has provided the DoH servers from the users' ISPs?
3. Would Mozilla consider moving forward with the feature prior to automated OS-managed server selection methods, i.e. relying on what I assume has to be manual application-based configuration?
4. How would said application-based configuration promote diversity of providers and counter-act the centralization of user data and DNS history?
5. Specifically, a future scenario with a default on & opt-out where a specific single provider such as CF is responsible for all Mozilla browser DoH DNS, would actually be a very bad one from a privacy perspective, generally due to the overly centralization of user data, and specifically due to CF being a US based company which adheres to US laws which provides essentially zero protection of non-US citizens privacy in terms of mass surveillance (EU Court of Justice). This scenario simply doesn't fly. Opt-in based on informed consent would be absolutely necessary, I believe.
There be dragons and there are several variables to consider in total user privacy.
This said, I'm definitely looking forward to interesting results from this study and future improved total user privacy.
On Saturday, March 17, 2018 at 11:51:02 AM UTC+1, Patrick McManus wrote:
> Hi All, FYI:
> Soon we'll be launching a nightly based pref-flip shield study to confirm
> the feasibility of doing DNS over HTTPs (DoH). If all goes well the study
> will launch Monday (and if not, probably the following Monday). It will run
> <= 1 week. If you're running nightly and you want to see if you're in the
> study check about:studies
> Access to global DNS data is commonly manipulated and can easily be blocked
> and/or collected. DNS services are also sometimes poorly provisioned
> creating performance problems. We posit that integrity and confidentiality
> protected access to well provisioned larger caches will help our users. In
> a nutshell, that's what DoH does.
> This work relies on a IETF specification that I hope will go into Last Call
> this coming week: https://datatracker.ietf.org/doc/draft-ietf-doh-
> This initial test is focused on performance feasibility assessment and we
> won't actually be using the DNS data returned from the DoH server (i.e. the
> traditional DNS service is used in parallel and only those answers are used
> - the code calls this shadow mode.) This is obviously not the optimal
> arrangement of things - the anticipated end state will involve running in
> "first mode" where DoH is normally used and soft fails (either based on DNS
> or TCP errors) to traditional DNS. There are also modes where DoH is used
> and hard fails (known as "only mode" - it requires some bootstrap info),
> and a mode where DoH and traditional race against each other using
> whichever is faster. Their are acomodations in place to deal with
> split-horizon DNS issues.
> DoH is an open standard and for this test we'll be using the DoH server
> implementation at Cloudflare. As is typical for Mozilla, when we
> default-interact with a third party service we have a legal agreement in
> place to look out for the data retention/use/redistribution/etc interests
> of both our users and Mozilla itself.
> The study launch bug is https://bugzilla.mozilla.org/show_bug.cgi?id=1446404
> Daniel Stenberg has written much of the code for this - he, I, and Valentin
> Gosu are the team that will chase down any issues. Feel free to reach out
> to us (or #necko on slack). There is currently one open issue related to
> captive portals and "only mode" but that should not be triggered by the
> study as "only mode" is not used.