Put the "user" back in "user agent"

Petition to change Chromium's User-Agent header to Google-Agent

@sir uhh what am I missing about Firefox and Cloudflare?

@anelki DNS over HTTPS (aka sending all of your DNS lookups to CloudFlare) is now the default behavior in Firefox

@sir @anelki
which would be great, if it weren't sending them to cloudflare of all people

and it's only the default in the US, you have to opt in from elsewhere.

@tn5421 @anelki honestly it's not great at all. We have DNSSEC. Let's not replace distributed, fault tolerant systems with centralized, failure-prone ones

@sir @tn5421 @anelki That's been exactly my observation. There are probably good edge case uses for dns over https, but generally speaking I don't see the advantage.

Cloudflare eats shit, I don't think many people here disagree, but you can find all sorts of alternatives and many of them seem to be reputable sources with privacy focuses..

@shebang @sir @tn5421 @anelki cloudflare's contract with Mozilla presumably prevents things like selling your DNS lookup history, which was made legal in 2017 after years of trying to lobby for it by AT&T and Comcast.

I figure your average person will get abused less by Cloudflare than by 99% of US ISPs, so I can't really complain that much, especially given it's only happening in the US.
@tn5421 @anelki @shebang @sir that's pretty much my point yeah; people who are technical enough to know what it is can change it pretty easily, and people who don't get an easy privacy 'win'

@kick @tn5421 @shebang @anelki I would much rather distribute DNS records among thousands of ISPs than centralize them with CloudFlare. Fuck CloudFlare seven ways to wednesday. There is no scenario under which this is an improvement.

@sir @tn5421 @shebang @anelki If looking at the largest US ISPs ( ) the top ones listed are pretty much entirely companies that have been known to sell as much data as possible (some of them even providing malware/ad-filled search engines when failed queries occur).

Given that Cloudflare's contract with Mozilla presumably prevents misuse of data like that, and Cloudflare's business model isn't literally "ad company," the threat model for these people goes from "ad companies, governments" to "governments," which is hard to see as a particular down/sidegrade.
@kick @sir @anelki @shebang and what magic forces them to comply with said contract, exactly. this isnt harry fucking potter where contracts are self reinforcing, they can just break the spirit and possibly the letter and so long as Mozilla doesn't find out they cant be held liable. so those ad companies still get to buy your data to misuse, and you're back to the old threat model again
@tn5421 @anelki @shebang @sir

>and what magic forces them to comply with said contract, exactly.

Threat of lawsuit, which is pretty serious, actually.

>this isnt harry fucking potter where contracts are self reinforcing, they can just break the spirit and possibly the letter and so long as Mozilla doesn't find out they cant be held liable.


>so those ad companies still get to buy your data to misuse, and you're back to the old threat model again

@tn5421 @anelki @shebang @sir It's not just Mozilla that uses their DNS; it's not just Mozilla that would be able to figure this out. It has like millions of users, if it was selling data, someone would have found out by now.
@anelki @shebang @sir @tn5421 (And given how many users use it, breaking their privacy policy would set them up for a big, damaging lawsuit. Which would be fun, given they're a public company now. Most companies have clauses that allow them to sell data, but that's notably absent in's.)

@kick @tn5421 @shebang @anelki don't @ me in this any more, I'm tired of hearing more of your ridiculous blind trust of CloudFlare

@kick @tn5421 @anelki @shebang @sir >Threat of lawsuit, which is pretty serious, actually.

It's not. Lawsuits are actively calculated into business decisions for most, if not all, large companies. There's some big money going on, and a lawsuit will not hurt them as much as you think it will. Besides, a lawsuit won't retroactively revert any wrongdoing.
@kick @sir @anelki @shebang @tn5421 "Presumably prevents" means it doesn't prevent. Any slightly vague idea will be horribly abused by USA based companies. Perhaps you should fix some legislation to fix the root issue, instead of applying a dirty bandaid to an infected wound.

@kick @sir @tn5421 @shebang @anelki

>misuse of data like that

They can still sniff on OCSP and SNI.

(Encrypted SNI isn't implemented by anyone else than Cloudflare at this moment)

@kick @anelki @shebang @sir dunno, Drew seems to regard it as a sidegrade at best and I think his opinion is probably not too far from the reality.
corporate will always do their best to make wins against them as worthless as possible while spinning it as positive PR for their "compliance"

@tn5421 @anelki
DoH is addressing a different problem. In corporate networks, and probably evil ISPs, DNS to other servers is simply blocked. You have no way to use DNSSEC. But they can't really block HTTPS traffic to cloudflare. Unfortunately, this also means a DoH server needs to be a big CDN to be effective.

@sir @tn5421 @anelki dnssec provides zero privacy. The more appropriate comparison would be a VPN. Everybody else is just leaking their dns traffic into some untrusted network, pick your poison.

@sn0int @tn5421 @anelki but can we fix this without sending all of your lookups to fucking cloudflare

@sn0int @tn5421 @anelki also, note that reverse IP lookups or SNI can be snooped out of the plaintext parts of SSL traffic, which reveals basically the same information

@sir @tn5421 @anelki Firefox already has ESNI support that's also enabled if you enable DoH. The IP is only meaningful metadata if only a single website is hosted on that website.

With a correctly configured Firefox you can connect to a malicious network and it's still fully hidden which cloudflare enabled website you're visiting.

@sn0int @sir @tn5421 @anelki Are you sure ESNI really plugs this flaw? Last time I looked at the (draft) RFC it had few known ones, including that monitoring with enough data could know which site is being accessed (like wikipedia vs youporn).

@lanodan @sn0int @tn5421 @anelki also note that the vast majority of IPs are linked to only one or two services, and definitely one service operator. You need to use Tor to keep this secret

@sir @lanodan @tn5421 @anelki

1) If I can force the attacker into traffic pattern analysis I'd consider that a success. The status quo you've been suggesting is just giving away that data for free to anybody who knows how to run sniffglue on a router.

2) Running services on their own dedicated ip is going to be considered bad opsec in the future. In real life a significant number of websites run on a very small set of ip addresses like cloudflare, whether you like it or not.

@sn0int @lanodan @tn5421 @anelki this is definitely not going to be bad opsec in the future, in fact the trend is the opposite with IPv6

@sn0int @sir @tn5421 @anelki 1: Not I mean if it's basically about as hard as an hash it's not that hard, just get one for Alexa Top 1000 and you'll be very good for normies.

@lanodan @sn0int @sir @tn5421 this is all really helpful, y'all. thanks!

guess it's time to just finally run everything through my VPN and DNS Crypt?

unless there's a better way?

@anelki @sn0int @sir @tn5421 VPN is only moving the problem to another location, would definitely recommend something like tor instead.

@sir @lanodan @tn5421 @anelki if you're suggesting we should stop trying to fix a privacy issue that's exploited by every scriptkiddy ever and everybody should just use tor all the time you're severely disconnected from reality.

@sn0int @lanodan @tn5421 @anelki was thinking someone was severely disconnected from reality in this thread, too

@sir @tn5421 @anelki dnssec isn't distributed; it's heavily-centralized, and not only that, but centralized by governments, which is kind of the opposite of what most people need.

@kick @tn5421 @anelki it's no less centralized than SSL itself. In any case, DNS over HTTPS is far from an improvement in this respect

@sir @anelki So "your ISP can't snoop on you", so now a USA based company with little to no regulation on said "snooping" is going to do it. Such a worthy trade-off!

@sir they opened a ticket somewhere lemme see if I can find it

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!