Re: [Doh] [Ext] panel discussion on DoH/DoC

Adam Roach <> Thu, 07 February 2019 16:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4770A124BF6 for <>; Thu, 7 Feb 2019 08:41:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.078
X-Spam-Status: No, score=-0.078 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id V-JsEOW5U0FX for <>; Thu, 7 Feb 2019 08:41:36 -0800 (PST)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 95F941271FF for <>; Thu, 7 Feb 2019 08:41:36 -0800 (PST)
Received: from ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id x17GfCPT060382 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 7 Feb 2019 10:41:14 -0600 (CST) (envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1549557674; bh=8by/jpjCWw12XKmaBkKKPf4fhx49otdE2upy40gTrPA=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=SN29nG69lMJn+hm9PCUEQXwkUSNN2VHxqltLlza9Ld3m237CxKCbhhIzWkvjHwwzG XcRn6023HHOuPOSwfxB3RQNao1RjKfk/pAenmOrj7rE0fcNuoObMDI/X2aYmZXdP2E 5xcoB8TdL/0W8jZr9ftkFHrioM78+As4ND4AWAmg=
X-Authentication-Warning: Host [] claimed to be
To: Paul Hoffman <>
Cc: DoH WG <>
References: <> <> <> <> <> <> <>
From: Adam Roach <>
Message-ID: <>
Date: Thu, 07 Feb 2019 10:41:07 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------5DE247B9F9C09A21786BD2F4"
Content-Language: en-US
Archived-At: <>
Subject: Re: [Doh] [Ext] panel discussion on DoH/DoC
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Feb 2019 16:41:38 -0000

On 2/7/19 10:06 AM, Paul Hoffman wrote:
> On Feb 7, 2019, at 7:46 AM, Adam Roach <> wrote:
>> On 2/7/19 9:36 AM, Paul Hoffman wrote:
>>>> although not the use case that subsequently emerged, where browsers do it instead of using the local resolver.
>>> A browser vendor (Mozilla) does use a cloud provider as their default DoH server. That browser vendor has not explained why.
>> The claim that Firefox has a cloud provider as its default DoH server isn't wrong on its face, but the implication that Firefox uses DoH by default is.
> Sorry, I certainly didn't mean to imply that. The dialog where you can turn on DoH is completely clear that it is off by default.
>> The claim that Mozilla has not explained why, however, is flatly false. There's been a lot of electronic ink spilled on the topic; including, notably:
> We disagree that that article from six months ago explains why Cloudflare is still the default provider.

I thought the following text in the article I cited was pretty clear: 
"We’ve chosen Cloudflare because they agreed to a very strong privacy 
that protects your data."

If you want a little more meat on that statement, I'll clarify that the 
agreement here isn't just some informal "put these words up on a 
webpage" kid of thing. There's a formal legal agreement in place between 
Mozilla and Cloudflare that ensures that Cloudflare is handling DoH 
queries with the standards of privacy that Mozilla demands as part of 
its core mission.