# No DoH
ISP sees: DNS query for weirdporn.xx, TLS to 1.2.3.4:443 (Servername: weirdporn.xx)
Cloudflare: nothing
Knows what you did: ISP

# With DoH
ISP sees: TLS to 1.2.3.4:443 (Servername: weirdporn.xx)
Cloudflare: DNS query for weirdporn.xx
Knows what you did: ISP & Cloudflare
We know for sure that ISPs are abusing access to DNS, and TRRs legally cannot. If you believe your ISP is better than a TRR, fine, disable it, but this is the better default. It's true that ISPs may abuse SNI in future, but that's not a good reason to block DoH.
Replying to @taviso @matthegap and
TRR is Trusted Recursive Resolver, it's not accurate to say "Cloudflare", because other providers have also joined the program and I imagine others will in future. https://wiki.mozilla.org/Security/DOH-resolver-policy
As I understand it, you can only choose one at the moment. Having a list of trustworthy ones (like @applied_privacy) and alternating through them would make the situation a lot better. Do you know if @mozilla plans something like this?
Replying to @matthegap @tqbf and
The page I just linked to explains how more providers can join, the bar is *very* high, @nextdnsio have also joined. There's no reason you can't just use any provider you want though?
I know I can change it, but hardly anyone will ever do that. As long as there is a single default setting that is used by anyone all the time, all the metadata eggs will end up in one basket, and that's problem, no matter if it is Cloudflare or someone else.
Replying to @matthegap @tqbf and
You're saying it's a safer default to use an entity known to behave badly, than to use an entity that has qualified for TRR and is legally bound to good behaviour....?
I mean, nobody is arguing you shouldn't be allowed to shoot yourself in the foot, but default... ?
I'm saying it is safer to not centralise everyone's browsing metadata at a single company, no matter which. BTW: Does that "legally bound" claim you mention include non-US citizens?
Replying to @matthegap @tqbf and
Is using lots of badly behaving providers better than using a few trusted and vetted providers? Your citizenship status is not relevant....(wut??!?!?!). This does not seem like a rational question.
US-based privacy are not exactly known to care a lot about foreigners, and Cloudflare is a company under US jurisdiction. So yes, that question does matter to non-US people.
I think you're confused, Mozilla are only proposing to enable this in the US. https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_about-the-us-rollout-of-dns-over-https