A corp network should set up their own DoH resolver anyway. And/or simply install a cert on their workstations and MITM every TLS connection.
Even better, corps should only allow TLS that they can successfully MITM.
It's basic security. If the endpoint/host can do whatever due to lack of firewall/enforcement, then it doesn't really matter what the network operator wants.
> A corp network should set up their own DoH resolver anyway
What good is that if the browser uses its own list?
Literally that's what the article is saying. Firefox will force users to use ones that break the top-down approach on how software works. If I set a DHCP option for DoH, and set up my own DoH resolver, Firefox won't care, they will just use their list.
This also opens up possibilities for selling positions on the trusted list, because we've seen that happen before (Adblock, or the Firefox Mr. Robot extension).
Firefox itself, with plays like this, is trying to make a decision for the whole while completely forgetting the corporate side.
Are you going to change the settings manually after each connection in a different network? Most people won't. We already have an automation for that, called DHCP, setting up network-specific config system-wide... which Mozilla decided to ignore.
On your router, you can configure whatever you want to use for the DNS. You were able to do that for years.
But I want all the devices and apps to use whatever the local network tells them. I don't want to reconfigure the browser every time I connect at home/work/customer place/etc.
P.S. My ISP's DNS doesn't lie. Maybe you should vote with your money and choose better.
> On your router, you can configure whatever you want to use for the DNS. You were able to do that for years.
Sure, if you have a router and know how to configure it. The second requirement excludes the vast majority of non-tech-savvy users, even though they are also harmed by lying or data-collecting DNS resolvers and likely would not consent to them if asked. (The first requirement additionally excludes phones and other devices directly connected to a mobile network; of course, you can generally configure the devices themselves to use a different DNS server, but it may be annoying if you have a lot of them. More convenient if devices already default to the option that protects your privacy, i.e. DoH.)
> P.S. My ISP's DNS doesn't lie. Maybe you should vote with your money and choose better.
Even if it doesn’t lie, does it log requests and sell that data? Are you sure?
Anyway, in many locations including most of the US, there’s no meaningful choice available among wireline ISPs.
The point is that your router is a client of your ISP's network and you're overriding the servers provided by DHCP to your router.
In a crazy world where internally Firefox ran a small IP network for each tab and routed traffic between them for IPC would it suddenly be okay for Firefox to override DNS? Why or why not?
The difference is not in what is being done, but in who is in charge.
If you modify your router settings, it's you. You decided that you are not going to honor ISP suggested defaults, and it is up to you to assess costs/benefits and pick the right choice.
If Firefox overrides your settings, it means someone else makes the decision about your tools. If that someone else makes it difficult to automate changing the default (e.g. ignoring DHCP; if you want, you can ignore DHCP at the system level, but this is not a decision an app should take), it means that this someone else doesn't have good intentions towards you. Someone else decided what's "best" for you.
But right now, within epsilon, every computer will just blindly take what is given to it by DHCP, making the local network operator, who is for almost everyone an untrusted party, the person who decides what's best for you.
I agree that DNS should be a system level concern rather than an app-level concern but in the real world browsers want to protect their users' privacy and the OS they run on doesn't do that. If every app went out and started using app-level DNS then it might get annoying but browsers are particularly privacy and security sensitive.
With this change almost everyone (i.e. people who don't mess with their OS settings and don't know or care what DNS is) is markedly better off.
I am no sysadmin, but I work closely with some. I have never seen any case where HTTPS-MITM helps. Yes, theoretically it does allow us to scan for malicious content in a secured connection. Brilliant, but those are not the attack vectors they are concerned about.
So what is left is that breaking up TLS just infringes on privacy and allows for tighter control. The security aspect is laughable.
Users are angry that their internet got slower, and it creates an enormous administrative cost, because you need countless exceptions to the rules.
Some of your best friends, eh? The point of MITMing HTTPS in an enterprise setting is not inbound content scanning (though that's pretty useful too), it's to prevent outbound transfer of secrets/HIPAA or PII data/financial data, and it's a regulatory requirement for some industries.
Besides, the point of DoH is to move DNS into the browser, which Google also controls, to prevent pihole-like DNS-based ad blocking. Cloudflare supports it because it allows them to lock down one of the few remaining actual distributed systems powering the internet. These companies are not your friends, and you should think harder about their incentives.
> it's a regulatory requirement for some industries.
It won't be when it's functionally impossible, which seems to be the point.
You do see the light at the end of the tunnel, right? Browsers shipping their own unmodifiable CA stores and disrespecting 3rd-party CAs' signatures for public DNS names.
It seems you don't understand that there's Firefox ESR and other browsers too. The law very likely won't change just because consumer-friendly browsers by default are not enterprise-friendly. Big corps provision and manage their machines themselves; they modify the packages' built-in configuration (they either create a new install package, or do it after install with scripts, or, if the application supports some kind of "group policy", then they use that).
Cost of compliance is a real thing, and making the workstations secure and compliant with their own policy is their responsibility in those industries. It's not fun, but it's perfectly doable.