this post was submitted on 05 Oct 2023
287 points (98.0% liked)
Firefox
20363 readers
22 users here now
/c/firefox
A place to discuss the news and latest developments on the open-source browser Firefox.
Rules
1. Adhere to the instance rules
2. Be kind to one another
3. Communicate in a civil manner
Reporting
If you would like to bring an issue to the moderators attention, please use the "Create Report" feature on the offending comment or post and it will be reviewed as time allows.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yes I had missed the part of the article where they described their opt-out behavior.
There is no technical reason for them to do it that way and it is a poor way of automatically determining an opt-out for the sake of not pissing off enterprise users (who rely on SNI for filtering). It is needlessly hostile to tie this privacy future to a different one instead of just using a separate toggle and corporate policy setting. ECH isn't DNS and shouldn't be tied to the DNS server setting.
For a local annoying example, NextDNS automatically blocks DoH via the canary domain use-application-dns.net. If I set my router up to use NextDNS over DoH, Firefox automatically disables DoH and ECH internally. I want it to use my router's DNS, because everything is centrally logged, automatically organized by hostname, and it does local caching. I'd still rather my ISP can't view SNI information. If I want ECH I have to manually enable DoH on every machine, and do more hoops if I want central logging to work correctly.
Regarding no technical reason, you can return these public keys from any normal DNS: