Hi, On Thu, Sep 12, 2019 at 06:52:47PM +0200, Adam Borowski wrote:
> > I still believe that generic users are better served by deploying more > > censorship-resistant protocols than by worrying that Cloudflare (or > > whoever else) would violate the privacy requirements mandated by > > Mozilla. > Sure, but DoH is less censorship-resistant not more. The idea for resilience is "too big to block". When Domain Fronting still worked with Google, people used this to circumvent censorship because blocking it would have required blocking Google, so cooperation from Google was necessary to implement effective censorship. For the same reason, a lot of political activism is taking place on Github, who have a smaller target market than Google and have fewer staff exposed in hostile political environments, so they can manage threats by restricting employees' travel. The same will apply to services also hosted on a big CDN, and I believe that is the business model behind providing this service in the first place -- pull international activists onto CloudFlare. I expect this to bring a marked improvement for a short time, followed by the realization at CF that they exist by the kind permission of nation-state actors that are very interested in strategic Internet choke points. To put it bluntly: CloudFlare has, as a consequence of their business model, too many employees and assets bound in various jurisdictions. Their censorship resilience is going to be limited to countries where they do not have a local presence. They already need to be able to return different results depending on the client's IP address, otherwise they break anycast or split horizon based load balancing for everyone whose DNS they do not control themselves. This mechanism will be used to limit the scope of governmental censorship requests to the appropriate geographic area. To be honest, my feeling is that CloudFlare management are not believing this to be political at all -- it's a technical solution that improves service for their own customers and degrades service for non-customers (because it breaks traditional geo-based load balancing), so of course they are going to do this. They have a history of ignoring context, and the fallout will be interesting to watch. In the meantime, we have a responsibility towards our users to not expose them to unnecessary risks. I'm fairly sure that a plugin to control the DoH setting from the navigation bar will pop up shortly. I'd be in favour of installing it by default (keep in mind: we are also "too big to block", so we're in the position to give software that is useful for activists an install base that makes it hard to identify activists by having the software installed). Simon