Yep. The entire point is to make it impossible to block ads at the network level. And since ad companies control the application level too, they then have a complete end-to-end ad delivery stack that you can't tamper with.
Yep. Everything's going to be locked from the bootloader to the screen and you WILL watch the ads.
What I think will really happen is the same thing as everything else. They'll use tech to take away features / abilities we have right now and then rent it back to us as a subscription.
We are talking about Firefox, a web browser that allows you the most control over your computer, has the best adblock technology (the author of uBlock Origin has said his software runs best on it), comes with built-in anti-tracking, and now comes with technology making it harder for public wifi to trick your computer into going to captive portals, often with ads.
And somehow you add this up to making it impossible not to see ads and locked-down computers.
Firefox's primary sponsor is still Google. And whether they are pushing it because of malice or just incompetence, DoH was designed and built by Google to protect ad companies from network security. Implementing it by default is a hostile act, and one Mozilla should reconsider.
I have a Pi-hole and have been worried that DoH would break it. I checked the network settings in Firefox and the DoH setting is there, but it is disabled.
I doubt that Chrome will allow one to disable DoH, but at least Firefox does for now.
I believe Pi-hole automatically puts in the NXDOMAIN entry needed to disable DoH in Firefox for you. But who knows how long Firefox will respect that, since there's nothing stopping ISPs from employing the same strategy to disable DoH.
>the entire point is to make it impossible to block ads
The entire point is to make it impossible to modify DNS requests at the network level. This has a lot more serious consequences than just blocking ads, especially for the parties involved with this, none of whom are advertising companies. Phishing and data security are actual big issues with financial implications that companies want to prevent. Just because blocking ads is the consequence that will most immediately impact you personally doesn't make it the whole point.
This accusation is especially rich on an article about Mozilla, one of the few companies fighting to make sure that advertisers don't control the application level.
> phishing and data security are actual big issues with financial implications that companies want to prevent
These are issues exacerbated by DoH, not fixed by it. DoH assists in the circumvention of security and monitoring. We block ads because they're security problems.
>DoH assists in the circumvention of ... monitoring
Yes, that's the point. I understand you want to monitor traffic within your network, but forcing clients to use insecure protocols to enable network-wide monitoring means you're enabling network-wide monitoring, and that's the opposite of security.
Remember that your browser traffic crosses multiple networks before it hits the website you're trying to connect to. Forcing that traffic to be observable and modifiable in your own network means it will also be observable and modifiable by your ISP.
> forcing that traffic to be observable and modifiable in your own network means it will also be observable and modifiable by your ISP
This is factually false. And represents a key part of the problem in the rollout browser vendors have designed: Browsers should not be implementing their own network stacks. It's the wrong place to begin encrypting network requests, but for the "if you're a hammer" crowd, everything looks like a nail.
If the browser respected the OS stack, the OS could decide to encrypt requests, but it isn't given the choice. If the browser respected the network it's in, the network could decide to encrypt requests at the border, but it isn't given the choice.
Browser vendors decided the right choice was to build a product purpose-built to bypass nearly every good method of restricting malware, phishing, and, oh of course, ads. Google and their ilk would happily install ransomware on every PC on the planet if it would guarantee Google Ads couldn't be blocked, and that ISPs couldn't compete with their well-established surveillance tools.
The latter is why any suggestion DoH is to protect user privacy is silly... the user's privacy was compromised by the browser application pre-encryption. They just need you to believe the ISPs are somehow a bad actor for tracking you, so that only they can track you.
It's not sufficient in itself, but it bears most of the load of network-wide management of harmful traffic. It's the 99% effective method.
Endpoint-level control is no longer possible, since ad companies are skipping the OS network stack and bringing their own. Application-level control is less efficient, and more difficult, particularly when the applications are designed by the same ad companies trying to circumvent DNS control as well. (See Manifest V3.)
Yes, unfortunately this seems to be the reason. Earlier you could tell the resolver to look at files first and filter the ad and other sites with your hosts file. Now you have to do packet inspection. We are living on a planet that's revolving and evolving ...
Blocking ads at the network level is very easy to circumvent: just serve ads from your own domain. It's impossible to block YouTube video ads using DNS, for example; you must intercept their API queries and modify them on the fly, which requires browser extensions or custom apps.
It's easy to circumvent if your ads are first party, as in YouTube's case. Most ads are not. Even most Google websites serve ads from ad-specific endpoints, as opposed to their own domain.
I think that's because those who care about blocking ads, will block them anywhere. And percentage of those who're using pihole or similar methods to block ads is negligible, so they don't really care about that.
You can't do that with a Chromecast. The goal here is to sell devices which can ensure they always talk to their own DoH endpoint with no ability to secure it.
Chromecast was already bypassing local DNS for years before DoH was even conceived.
Blocking people from using DoH isn't going to solve the problem you are describing, it will just weaken users' privacy. Big vendors like Google will just create their own workarounds.
> Chromecast was already bypassing local DNS for years before DoH was even conceived.
Before DoH though, my understanding is a good gateway appliance could just overwrite those DNS requests as it sees them. Now they'll be encrypted, and you'll have no way to tell the Chromecast where to connect (or even to where it is connecting).
If the possibility of having the DNS packets rewritten was a concern for them, any junior developer could have easily implemented a proprietary REST web service to get the IPs over HTTPS just like DoH. Standardization of DoH in browsers isn't really furthering that issue.
That problem isn't solved by DoH, you still need to hardcode the DoH server IP there too if you intend to bypass the network level settings. So a proprietary system would be no different.
All the major appliance vendors (Google, Amazon) already have huge fixed IP ranges to devote to this purpose, which are effectively unblockable because they might be shared with important cloud services.
> The entire point is to make it impossible to block ads at the network level.
The entire point is to make DNS secure. For every 1 person who uses DNS to block ads, there are many thousands who just use their ISP's DNS servers, and thus remain subject to surveillance, ads, redirects, and other malice. You can't possibly believe in good faith that the entire point or even the primary point of DoH is to hurt the small fraction of people who use DNS to block ads, rather than to protect the much larger set of people who are subject to the whims and financial interests of their ISP.
ISPs do not inject malware and phishing scams, Google Ads does. The benefit of blocking ISP tampering is vastly outweighed by protecting the bad behavior of a far more malevolent party.
Google ads (like most ads) are hosted by websites that intentionally put them there; install an adblocker. Google doesn't MITM sites; ISPs and malicious networks do. ISPs are also known to surveil traffic on their networks.
I'm not disputing that Google ads and tracking, like all other ads and tracking, should be blocked. Run a browser you trust, and run an adblocker. But the widespread use of unencrypted DNS is a problem that needs fixing. And DoH provides the most viable solution for that problem, by running DNS over an ordinary HTTPS connection.
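Added example, not code from this thread and not Firefox's or Pi-hole's own code: a minimal DNS wire-format builder and parser in Python that shows two things discussed above. First, what "running DNS over an ordinary HTTPS connection" concretely means: a DoH request (RFC 8484) is an unmodified DNS message carried either in a GET query parameter (base64url, no padding, transaction ID 0 so the URL is cache-friendly) or as a POST body with Content-Type application/dns-message. Second, the Pi-hole canary trick mentioned earlier: Firefox looks up use-application-dns.net before enabling DoH in its default mode, and a resolver that answers NXDOMAIN (or NOERROR with no A/AAAA records) keeps DoH off. The resolver URL is a placeholder, and fake_response is a constructed stand-in for a real resolver so the block runs offline; the canary logic is a simplified version of Firefox's check and only covers those two answer shapes.

```python
"""DNS wire format, RFC 8484 DoH framing, and the Firefox canary check.

Added example: not from the thread, Firefox or Pi-hole. Runs offline;
fake_response() stands in for a resolver.
"""
import base64
import struct

CANARY = "use-application-dns.net"  # Firefox's DoH canary domain
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """'a.example' -> b'\\x01a\\x07example\\x00' (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Standard query: header (RD=1) + one question. RFC 8484 recommends txid 0 for DoH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: ?dns=<base64url of the DNS message, padding stripped>."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def doh_post_request(resolver_url: str, query: bytes):
    """POST form: raw DNS message as the body with the DoH media type."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return resolver_url, headers, query


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`, following 0xC0 compression pointers. Returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            off += 2
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question section, collect answer RRs as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


def canary_disables_doh(response: bytes) -> bool:
    """True when the canary answer is one Firefox treats as 'do not enable DoH':
    NXDOMAIN, or NOERROR with no A/AAAA records (simplified model of the check)."""
    r = parse_response(response)
    if r["rcode"] == RCODE_NXDOMAIN:
        return True
    has_address = any(t in (TYPE_A, TYPE_AAAA) for _, t, _, _ in r["answers"])
    return r["rcode"] == RCODE_NOERROR and not has_address


def fake_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Constructed resolver reply for `query` (stand-in for a real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = b""
    for ip in a_records:  # name as pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + body


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.invalid/dns-query", q))  # placeholder resolver
    cq = build_query(CANARY, txid=7)
    print("NXDOMAIN canary keeps DoH off:", canary_disables_doh(fake_response(cq, RCODE_NXDOMAIN)))
    print("Resolved canary allows DoH:", not canary_disables_doh(fake_response(cq, RCODE_NOERROR, ["192.0.2.1"])))
```

The practical point for a Pi-hole operator is that the canary only works because the first lookup still goes to the network's resolver over plain port 53; a client that ships with a hard-coded DoH endpoint never asks, which is exactly the Chromecast-style concern raised elsewhere in the thread.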
> including weather, emergency broadcast, and police stations
These seem like reasonable uses of this technology. My ISP has tried to inject a copyright violation notice before. (This was hilarious, actually, because it went to a guest in my house's browser, not one of mine, and I almost didn't hear about it at all, because they only sent it that way once... and I had to ask them to send me an actual letter about it with the details, which would've been the straightforward way to tell me in the first place...) Irritations with copyright holders aside, that was a notification of a mark against my account, which is arguably information that needed to be delivered to me.
Meanwhile, Google is preserving their ability to send phishing sites unimpeded.