Genuine question, what is Mozilla doing that's so bad? I know stuff like Pocket etc. but can't you turn this stuff off? Interested so I know what I'm missing and can make an informed decision.
Automatically enabling Cloudflare to monitor DNS queries is my biggest current pet peeve. The whole reason I used to use Firefox was that it wasn't a corporate product. Allowing a corporation to monitor DNS resolutions is undesirable, as is having to trust their privacy policy, or that they will abide by Mozilla's policy (I don't, and more importantly, shouldn't have to trust Cloudflare). And yes, you can opt out, but the fact that it is enabled by default in some regions is offensive.
I would a thousand times over rather have my local ISP monitor DNS than Cloudflare. But the choice isn't ISP or Cloudflare. There are many options for secure DNS resolvers [1].
I had a user of my email server complain about not being able to receive emails from "cock.li". Turns out that this happened because I was using dnscrypt-proxy with Cloudflare's DNS (as it is the default in my distro) and thus the DKIM check was failing because it was not able to resolve the domain as it is being filtered by Cloudflare. I changed to NextDNS after that.
Are you sure? It does not for me. Although I am using my distro's release of Firefox. I will be trying it on my Windows PC with the official FF release later.
It's not like ISPs aren't shady af when it comes to this. I can appreciate your concern w.r.t. Cloudflare but, at least in the US, ISPs are often more ostensibly dangerous than Cloudflare.
To suggest that Cloudflare is "thousand times" worse is a bit of a stretch, I guess.
Forgive me if you will, but I don't really understand the idea behind privacy on DNS. If you're not using a VPN, even if the DNS resolution is private, the ISP can still see what IP you're connecting to. It's trivial to do a reverse lookup on that. And if I'm not mistaken, even on HTTPS sites, the domain is visible in the request in plaintext too. So why is there so much focus on proxying DNS?
While encrypted DNS does conceal the domain name from the ISP, it also prevents the ISP from intentionally returning an incorrect IP address in response to a DNS request. This behavior is known as DNS cache poisoning[1] (or DNS spoofing) and has been used by governments to censor websites and perform DDoS attacks on other websites.[2]
> And if I'm not mistaken, even on HTTPS sites, the domain is visible in the request in plaintext too.
I originally misread this sentence. Yes, HTTPS requests expose the domain/subdomain name in plaintext to support Server Name Indication, which allows a server to host multiple HTTPS sites.[1] The domain/subdomain name can be concealed from the ISP with Encrypted SNI,[2] which Cloudflare's 1.1.1.1 DNS resolver supports.
Firefox used to support ESNI as an about:config option, but in version 85, Firefox replaced it with support for an improved mechanism called Encrypted Client Hello.[3][4] ECH is not widely used yet, though Cloudflare is testing it on some of its servers.[5]
With DNS over HTTPS/TLS and ECH, the entire process of connecting to an HTTPS site can be done without leaking the domain/subdomain name to the ISP. The only remaining parts exposed in plaintext are the remote IP address and port.
Some people, perhaps correctly, see them as a centralizing entity for the internet with a profit motive. That they are also currently kind of "eating the world" gives cause for concern. They currently haven't yet betrayed their users but many see it as a matter of time before they begin selling user data.
Happy to be corrected on that last bit by the way if they have done anything egregious.
The alternative is that all of your DNS queries are monitorable by anyone who happens to share a network path or segment with you, because the default behavior of DNS is that it is unencrypted.
DoH is a massive security and privacy improvement as a default, and you have many other options besides Cloudflare if you don’t want to use them. Personally I use NextDNS.
The browser now includes ads based on your bookmarks and browsing history through Mozilla's "trusted" partners:
> “When contextual suggestions are enabled, Firefox Suggest uses your city location and search keywords to make contextual suggestions from Firefox and our partners, while keeping your privacy in mind,” the support post reads. The “relevant suggestions” from “trusted partners” appear at the bottom of the usual search suggestions pulled from your bookmarks, browser history, and open tabs — a less intrusive version of a search ad, but technically still an ad.
(It's annoying that the mods unnecessarily removed my parent post that said Firefox is now adware / spyware - I stand by it. Including ads and using and sharing users' data is the definition of adware / spyware.)
For those who ask, why not just turn it off - remember that corporations only have to follow the law. They have no obligation to be ethically good. If your country has lax privacy laws, companies will exploit it because it is legal. Then there is the trust factor - Mozilla has lost a lot of goodwill in selfishly only focusing on making more money from its browser than listening to their users and creating a good browser. That's why it has been losing ground to Chrome, and will continue to do so as long as greed guides all its decisions and makes Firefox worse. You'd think uBlock Origin's popularity would already have given some insight to Firefox on how much people hate unwanted and intrusive ads, especially those that try to mine our personal data.