DNS over HTTPS in Firefox

Posted Jun 3, 2018 11:59 UTC (Sun) by tialaramex (subscriber, #21167)
In reply to: DNS over HTTPS in Firefox by oldtomas
Parent article: DNS over HTTPS in Firefox

But this is about a _default_ so the "almost all users" line seems appropriate.

I'm sure at least one person in the world finds "Bing" to be absolutely the best search engine, and is annoyed every time something defaults to Google. But if it's just a _default_, that's better than making all the millions of people who prefer Google reach in and change that setting.

This is also a security consideration, and Mozilla absolutely does make decisions about security on behalf of its users with only "Build your own browser instead from our source" left as an option for those who disagree. For example the upcoming distrust of CA roots controlled by Symantec (Verisign, Thawte, etcetera) won't be something you opt into, or even a default, it'll just happen automatically when you upgrade Firefox. Again I have no doubt that at least one person in the world would prefer to continue trusting these roots, and that person might not even work at Symantec, but Mozilla chose on behalf of its entire user population to distrust these CA roots.
DNS over HTTPS in Firefox

Posted Jun 3, 2018 21:52 UTC (Sun) by ballombe (subscriber, #9523) (1 response)

FWIW, it seems that Symantec has resold its CA business to DigiCert.

DNS over HTTPS in Firefox

Posted Jun 4, 2018 0:57 UTC (Mon) by tialaramex (subscriber, #21167)

Yes, the way that happened starts with Symantec being told the old roots have to go away. Symantec was to build completely new systems, fresh roots, re-train staff, and so on. Since that obviously could not be done (at least correctly) overnight, they were to bring in a third party, which would have to be a big existing public CA, to host infrastructure until they could cut over to their new systems after re-gaining our trust.

I don't know how far Symantec got into that plan exactly, but somewhere between asking DigiCert "Can you help us?" and actually executing the plan, it changed into DigiCert acquiring the CA roots, branding, goodwill etcetera from the Symantec business. There was plenty of scepticism on m.d.s.policy, but DigiCert seem to have been very diligent about this; I hope it's paying off for them profit-wise in proportion to the effort they must have spent.

One of the things that eased minds at m.d.s.policy is that DigiCert seems to understand the old roots had to go, and there was none of the foot-dragging, "mistakes" where old certificates have to be grandfathered in, and so on that we'd come to expect from Symantec.

The end result will be that cryptographically nothing inherited (at presumably considerable expense) from Thawte, Verisign, etcetera is left standing; that's all gone. In terms of infrastructure it's all DigiCert. In terms of staff, leadership is DigiCert; there may be particular personnel even on the crypto side who are Symantec, but leadership is where it all went wrong previously, so that's not a great worry. For customers, I suspect much of the branding and maybe sales teams are kept from Symantec. If you have a customer paying $5000 for Verisign, well, that customer probably doesn't care about some rotten ten-year-old 2048-bit RSA root from the actual Verisign; they just remember the brand name, and DigiCert have bought that.

From a trust perspective, what we (m.d.s.policy, anybody paying attention) didn't trust was Symantec executive-level management, and thus the roots which had been under the oversight of that management. Negligence, incompetence, malice, I don't know and I don't care. Personally, as a lay person, my suspicion is incompetence: I think the Symantec board hasn't the first idea what they're doing, and it was just more obvious to us, and we were better able to take action, than, say, a pension fund or other shareholder.

DNS over HTTPS in Firefox

Posted Jun 6, 2018 15:25 UTC (Wed) by buchanmilne (guest, #42315)

> I'm sure at least one person in the world finds "Bing" to be absolutely the best search engine, and is annoyed every time something defaults to Google.

There is another browser that often re-sets such defaults, e.g. from Google to Bing.

I refuse to use that browser (for anything other than downloading a better browser).

There is also an OS that keeps trying to change your default browser to use that browser.

I refuse to use that OS.

I hope I don't need to add Firefox to the list ...
Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds