Firefox Installs non-free binaries from Cisco and Google again (2018)(bugs.debian.org)
bugs.debian.org
Firefox Installs non-free binaries from Cisco and Google again (2018)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915582
87 comments
It's worse than that. Firefox will download non-free javascript and html from pretty much every website you visit. Debian team needs to get on it, fast!
I do not think the sarcasm is deserved here. Debian is committed to free software. You can find a set of guidelines they implement in their social contract website under the heading "The Debian Free Software Guidelines (DFSG)" at https://www.debian.org/social_contract#guidelines
A substantial user and developer base prefers Debian precisely because of these Guidelines. Inclusion of free software (as-is) that automatically installs non-free binaries would violate almost all of these guidelines.
A substantial user and developer base prefers Debian precisely because of these Guidelines. Inclusion of free software (as-is) that automatically installs non-free binaries would violate almost all of these guidelines.
I'm not sure that these guidelines make a distinction between a call to install a codec on-demand versus a call to download and run (and even cache) a minified Javascript library.
The difference is whether the user has explicitly asked for it. If I point my web browser at a url, I am instructing it to download and execute whatever it finds there. However, if the browser decides to download a codec on-demand, it is making an executive decision as to what code should run on the machine - and to select non-free code without user interaction is a violation of trust.
An analogous situation would be the non-free NVidia blob. Debian fully supports installing it, but it would be very much verboten to do so by default, automatically.
An analogous situation would be the non-free NVidia blob. Debian fully supports installing it, but it would be very much verboten to do so by default, automatically.
> If I point my web browser at a url, I am instructing it to download and execute whatever it finds there.
And your browser will download linked javascript from third party websites to make it run. As firefox downloads a codec from a third party to make the media you've requested run.
I actually agree about the conflict between this codec behavior and the Debian philosophy. But they need to come to terms with the much greater conflict with their philosophy that the modern internet experience presents.
Stallman, for all his faults, was right about a lot of things. We live in a world where people don't own their own books, and buy software on a subscription model. For a few years back in the late 90s and early 2000s it looked like free software was the answer. But the internet made an end run around it, and Debian, etc., hasn't caught up. We're all digital renters instead of owners.
And your browser will download linked javascript from third party websites to make it run. As firefox downloads a codec from a third party to make the media you've requested run.
I actually agree about the conflict between this codec behavior and the Debian philosophy. But they need to come to terms with the much greater conflict with their philosophy that the modern internet experience presents.
Stallman, for all his faults, was right about a lot of things. We live in a world where people don't own their own books, and buy software on a subscription model. For a few years back in the late 90s and early 2000s it looked like free software was the answer. But the internet made an end run around it, and Debian, etc., hasn't caught up. We're all digital renters instead of owners.
Actually there is an extension for that:
https://www.gnu.org/software/librejs
https://www.gnu.org/software/librejs
Can someone here please explain to me what the issue is?
Firefox downloads non-free binaries in order to read some codecs by default, and this issue states that firefox should not download the codec by default because it is non-free, which is against debian's philosophy, is that correct?
Yes, although notably this is about black-box DRM systems, not just your run-of-the-mill video codecs.
Standard versions of Firefox include non-free components by default because most users expect Netflix to work. ("Free" means "open source" in this context.)
Debian repositories (that aren't named "non-free") are supposed to contain only free software, so the Debian-packaged version of Firefox needs to be stripped of any non-free components. Should any slip through, that's a critical bug as far as Debian is concerned.
I don't think there's an issue here, it's just two projects with different goals proceeding as they're supposed to. We can have a discussion about all the things wrong with Encrypted Media Extensions and the like, but it's somewhat beside the point unless Firefox gains way more marketshare.
Standard versions of Firefox include non-free components by default because most users expect Netflix to work. ("Free" means "open source" in this context.)
Debian repositories (that aren't named "non-free") are supposed to contain only free software, so the Debian-packaged version of Firefox needs to be stripped of any non-free components. Should any slip through, that's a critical bug as far as Debian is concerned.
I don't think there's an issue here, it's just two projects with different goals proceeding as they're supposed to. We can have a discussion about all the things wrong with Encrypted Media Extensions and the like, but it's somewhat beside the point unless Firefox gains way more marketshare.
[deleted]
What technical reason is there for Firefox to dynamically download these libraries instead of bundling them at built time? It leads to bugs such as this one.
Licensing. Cisco has an all you can eat distribution license for the codec, so Firefox downloads from Cisco to piggyback on the Cisco license. If Firefox bundled it Mozilla would need a distribution license, and that's expensive.
Pretty sure its up to Debian to repackage and modify software to meet their standards. Not for app developers to somehow comply with every bizarre packaging policy each Linux distribution cooks up.
That as it may be, "why is this component downloaded separately" is a fair question to ask. (Sibling comments have proposed some answers.)
Because if the user doesn't use netflix, you don't have to bother them with widevine or EME, it's not even installed. It only gets installed if necessary and Mozilla can ship the occassional update without having to wait for distro maintainers, preventing Netflix from not working.
[deleted]
Note the two binaries are downloaded for two different reasons. OpenH264 is actually free and open source software in terms of copyright, the binary is simply downloaded from Cisco's servers rather than Mozilla's to comply with the H.264 patent license. It's worth noting that in general, Debian disregards patent licenses - they ship ffmpeg with many patent encumbered formats enabled, for example.
On the other hand, Widevine is actually proprietary DRM.
On the other hand, Widevine is actually proprietary DRM.
see also this cluster-fudge: "firefox: Safe Browsing updates fail due to insufficient quota on the Google API key" https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895147
both issues are still open after more than 1 year! There seems to be a disconnect in how FF security is perceived by tech savvy users and how security/privacy critical bugs get prioritized by Mozilla.
edit:
Just recently I discovered DoH was activated by default now and bypassing my /etc/hosts block list without any warning. This opened me up to tracking from sites I thought I had blocked (discovered it only by accident and after several months when I actively looked into DoH and the network.trr.mode setting).
In all above cases the failure-modes are insecure. It's like a firewall that suddenly switches its enforcement policy from a deny-all+whitelisting to allow-all+blacklisting without properly informing users.
Totally unacceptable!
both issues are still open after more than 1 year! There seems to be a disconnect in how FF security is perceived by tech savvy users and how security/privacy critical bugs get prioritized by Mozilla.
edit:
Just recently I discovered DoH was activated by default now and bypassing my /etc/hosts block list without any warning. This opened me up to tracking from sites I thought I had blocked (discovered it only by accident and after several months when I actively looked into DoH and the network.trr.mode setting).
In all above cases the failure-modes are insecure. It's like a firewall that suddenly switches its enforcement policy from a deny-all+whitelisting to allow-all+blacklisting without properly informing users.
Totally unacceptable!
> Just recently I discovered DoH was activated by default now and bypassing my /etc/hosts block list without any warning
It reads your /etc/hosts before going to DoH I believe.
It reads your /etc/hosts before going to DoH I believe.
Thanks for this. What should I do to disable this? Set network.trr.mode in about:config to 0?
set network.trr.mode to 5: https://wiki.mozilla.org/Trusted_Recursive_Resolver
also if you have unbound or local dnsmasq caching you could set a canary domain (https://support.mozilla.org/en-US/kb/canary-domain-use-appli... ). To set it up with dnsmasq just add the line for the canary to /etc/dnsmasq.conf:
also if you have unbound or local dnsmasq caching you could set a canary domain (https://support.mozilla.org/en-US/kb/canary-domain-use-appli... ). To set it up with dnsmasq just add the line for the canary to /etc/dnsmasq.conf:
address=/use-application-dns.net/For those running a PiHole, I thought for sure that the pihole was already doing this for me. Turns out the implementations (#2915 & #2916) are still sitting in the development branch waiting for a release - they were merged to development on Sep 07, 2019.
* https://github.com/pi-hole/pi-hole/pull/2915
* https://github.com/pi-hole/pi-hole/pull/2916
* https://github.com/pi-hole/pi-hole/compare/master...developm...
* https://github.com/pi-hole/pi-hole/pull/2915
* https://github.com/pi-hole/pi-hole/pull/2916
* https://github.com/pi-hole/pi-hole/compare/master...developm...
The linked bug appears to be waiting on action from the Debian maintainers. The Mozilla devs in that thread seem very responsive.
Yes, the linked bug (from the comment) appears to be entirely between Debian and Google (Chromium is affected too) with Mozilla offering to facilitate, with no (public at least) response from debian?
[deleted]
Thank you for that note on DNS-over-HTTP .. it might explain a weird event for me recently where a blacklisted site wasn't blocked (opendns + pihole).
Are FF sending all my DNS data to a private third party now then? Doesn't sound a very FOSS thing to do?
Are FF sending all my DNS data to a private third party now then? Doesn't sound a very FOSS thing to do?
If you have an up-to-date PiHole, firefox should automatically disable DoH since PiHole now ships the necessary canary.
Still unacceptable if I'm not at home or on a VPN.
If you're not at home or on a VPN you trust, how can you trust the network you are in delivers a safe DNS server? Besides, you can always disable DoH or point it to your own DoH server.
Yes, they are sending all of your DNS requests to Cloudflare.
You can of course change it, but it's opt-out and not communicated to users that this is happening.
You can of course change it, but it's opt-out and not communicated to users that this is happening.
In the name of privacy.
https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs
https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs
You may trust Cloudflare, but I do not. I trust my DNS provider. It's fine for me, I keep up on these things and I have disabled DoH already (I don't care for any current DoH provider, and I also rely on /etc/hosts entries.) In any case, my post was only meant to inform. To each their own, use them if you like or if you trust their privacy promises more than I do. But people should be aware that Mozilla silently changed where all your DNS requests are routed to.
> You may trust Cloudflare, but I do not. I trust my DNS provider.
For many, maybe even most, the situation is reversed. ISP-provided DNS (the default for 99% of web users) is very often intentionally mis-configured to return ad-laden "search results" instead of NXDOMAIN. The situation is more authoritarian administrative districts is even worse. You're right that trusting Cloudflare isn't ideal either, but they are at least better behaved than most ISPs, so it's the lesser of two evils, I think. Non-technical users shouldn't be expected to know how these things function, they should just get the least-bad option by default.
For many, maybe even most, the situation is reversed. ISP-provided DNS (the default for 99% of web users) is very often intentionally mis-configured to return ad-laden "search results" instead of NXDOMAIN. The situation is more authoritarian administrative districts is even worse. You're right that trusting Cloudflare isn't ideal either, but they are at least better behaved than most ISPs, so it's the lesser of two evils, I think. Non-technical users shouldn't be expected to know how these things function, they should just get the least-bad option by default.
Completely agree with both sides here.
It's a tradeoff and people should weigh the pros/cons seriously. Firefox claims it shows a notification popup, but it may be too easy to click away. (I didn't see it.)
It should be front-and-center.
It's a tradeoff and people should weigh the pros/cons seriously. Firefox claims it shows a notification popup, but it may be too easy to click away. (I didn't see it.)
It should be front-and-center.
It should not. Firefox is not designed for the tech-savvy, it is a general public product. The average user has no idea what DNS is, couldn't care less. In the best case he is only bothered by the question, in the worst will call me for instructions on cleaning up a "virus".
I think this a mostly US issue.
> For many, maybe even most, the situation is reversed.
Big claim, with no evidence what so ever. Consider this a "Citation needed".
Big claim, with no evidence what so ever. Consider this a "Citation needed".
This phenomenon is so popular it has its own section on the "DNS Hijacking" wikipedia page.
https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...
Unless they explicitly say so, your ISP is not spending a boat-load of money running a DNS server for you to use because they're nice. They're not even doing it because you're paying them for a service. They're doing it because they can monetize the data and serve you ads.
https://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_...
Unless they explicitly say so, your ISP is not spending a boat-load of money running a DNS server for you to use because they're nice. They're not even doing it because you're paying them for a service. They're doing it because they can monetize the data and serve you ads.
They're doing it because it's been a standard ISP practice for years because most people don't run their own recursive resolver and have no skills to do so. End result is that to provide an internet connection, you have to also provide a DNS resolver, full stop. Monetizing and ads came later when business stopped caring about the RFCs.
> End result is that to provide an internet connection, you have to also provide a DNS resolver, full stop
Nope. You have to provide the address of a resolver, but that doesn't mean you have to run one yourself. There's nothing stopping the ISPs shipping a standard DHCP config that points their customers at (for example) 8.8.8.8, or 1.1.1.1, or whoever.
Nope. You have to provide the address of a resolver, but that doesn't mean you have to run one yourself. There's nothing stopping the ISPs shipping a standard DHCP config that points their customers at (for example) 8.8.8.8, or 1.1.1.1, or whoever.
German Telekom does this, just get a german DSL link and you'll find out the joy of getting redirected to shitty search engines plastered with ads.
Has it been suggested by anyone yet that Google is pushing for DoH because those DNS-typo advertisers are a competitor to its ad/search hegemony and eliminating them as a business model helps Google's bottom line.
I am certain it's been suggested. But I can't see Google's motives I can only see its actions. If you do good things whatever the reasons the good things stay done while the reasons die with you.
A few minutes walk from me some people opened a gelato place. You go there, you buy some gelato. Nice. Warm summer evening, drop in, buy a cone, delicious. I am 100% certain that by selling me frozen desert they get money! Their plan may not specifically have focused on me enjoying this at all. And yet, since the effect is that I can enjoy desert that's exactly what I do, and I don't begrudge them their money.
A few minutes walk from me some people opened a gelato place. You go there, you buy some gelato. Nice. Warm summer evening, drop in, buy a cone, delicious. I am 100% certain that by selling me frozen desert they get money! Their plan may not specifically have focused on me enjoying this at all. And yet, since the effect is that I can enjoy desert that's exactly what I do, and I don't begrudge them their money.
I doubt it, from what I know, the money the ISPs make from typo-searching is barely noticable, mostly a leftover from when ads where valuable.
You can say anything Google does is because it ends up pushing its own ad model, but I don't think many users would actively want ad results to show up when you would regularly get a NXDOMAIN.
Most people use their ISP provided DNS should be the null hypothesis / status quo. I wouldnt expect someone to prove that claim. I would expect someone to prove the claim "most people change their DNS from the ISP default to google."
I thought they were questioning whether ISPs in general routinely hijack DNS. I've not heard of this happening in the UK, but haven't scoped around looking for it.
It was normal in the US for an ISP to return a "helpful" page when you entered a nonexistant domain. It sort of looked like a search results page. In reality it usually turned into a page of ads. Each ISP may have been different with the volume of actual search results they returned on the page.
I've seen things like that in the UK, too; it's certainly not a US-only practice.
Both of the major ISPs in my area do this.
AT&T and Cox Communications
I'm fairly certain Comcast and Verizon does this as well.
You seem like you may know what you're doing. Would you mind sharing who your DNS provider is? Do you pay for recursive service?
I don't trust my ISP, so I'd prefer not to use their DNS or to pass requests up to root servers over cleartext. I also had some performance issues with root server requests since they have to chase the authoritive servers.
Right now I'm sending TLS requests to cloudflare, but obviously since I'm not paying for them, I'm the product.
I don't trust my ISP, so I'd prefer not to use their DNS or to pass requests up to root servers over cleartext. I also had some performance issues with root server requests since they have to chase the authoritive servers.
Right now I'm sending TLS requests to cloudflare, but obviously since I'm not paying for them, I'm the product.
OpenDNS offers paid dns service (if paying for dns give you peace of mind). Alternatively, you can rent a vps and run your own recursive dns server there, but make sure your vps provider allows running recursive dns to avoid account suspension.
> I don't trust my ISP
Then switch to one you do trust.
Then switch to one you do trust.
I'm not sure where you call home, but at least in the US, that is impossible for many people. Or rather, impossible without physically moving your house.[0]
Especially if you do not count satellite, which I do not. My house has one crappy DSL 18Mbps provider and that's it. Their way or the highway.
https://arstechnica.com/information-technology/2016/08/us-br...
Especially if you do not count satellite, which I do not. My house has one crappy DSL 18Mbps provider and that's it. Their way or the highway.
https://arstechnica.com/information-technology/2016/08/us-br...
You can just point to other DNS servers instead of your ISP's. Some providers might intercept and redirect those queries, but I haven't ever run across any.
You could, but DoH exists to provide a crypto-based guarantee that they can't even passively monitor the DNS requests you're sending to the alt. resolver.
DoH only hides the domain name lookup. You still connect to the other server by IP. Even $2.50/mo VPS plans offer a unique IP these days, and building a database of IP:hostname is extremely trivial, especially for ISPs that already run DNS resolvers.
But let's be real: the internet is quickly becoming a walled garden, so having access to DNS requests is mostly only going to give you a billion facebook.com + twitter.com + youtube.com + google.com + google-analytics.com lookups anyway.
But let's be real: the internet is quickly becoming a walled garden, so having access to DNS requests is mostly only going to give you a billion facebook.com + twitter.com + youtube.com + google.com + google-analytics.com lookups anyway.
I live in Norway, Europe and around here ISPs compete for my business.
Kinda like a “free market”, except it’s “regulated“ to not allow scamming end-customers. I find it quite enjoyable.
Maybe you in the US should fix the root cause of your problem (legislation) instead of deploying rogue technology making life complex for everyone else?
Kinda like a “free market”, except it’s “regulated“ to not allow scamming end-customers. I find it quite enjoyable.
Maybe you in the US should fix the root cause of your problem (legislation) instead of deploying rogue technology making life complex for everyone else?
It would be interesting to see stats on this.
I would guess between monopolies and hostile governments, more people worldwide have no choice, and it's a good default, but I don't know.
In any case, both Firefox and Chrome should make it super clear to users that they are doing this.
I would guess between monopolies and hostile governments, more people worldwide have no choice, and it's a good default, but I don't know.
In any case, both Firefox and Chrome should make it super clear to users that they are doing this.
Here in the UK, I have a choice of many different ISPs, all of whom (in theory) compete for my business.
Guess what? The big ones are still awful: hijacking DNS, providing horribly congested service and laughable "support". All in the race to cut as much cost and increase profit in the name of being able to undercut the next guy by £1/pm. Competition isn't the pancea you seem to think it is.
> Maybe you in the US should fix the root cause of your problem (legislation) instead of deploying rogue technology making life complex for everyone else?
Maybe you should use a different browser. Or learn how the one you're using works at least.
Guess what? The big ones are still awful: hijacking DNS, providing horribly congested service and laughable "support". All in the race to cut as much cost and increase profit in the name of being able to undercut the next guy by £1/pm. Competition isn't the pancea you seem to think it is.
> Maybe you in the US should fix the root cause of your problem (legislation) instead of deploying rogue technology making life complex for everyone else?
Maybe you should use a different browser. Or learn how the one you're using works at least.
That kind of feels like answer the question "why is there cellophane on the counter" with "Why don't you go to apple and get them to change their packaging to reduce plastic waste?" I mean, yeah, that's a solution, but you're requiring a massive effort, when really that doesn't address your problem at the moment.
> Especially if you do not count satellite, which I do not.
Hopefully starlink will change this :)
Hopefully starlink will change this :)
> I trust my DNS provider.
Do you also trust everyone in the same Internet Cafe as you? And your ISP? And everyone else on the network path to your DNS provider? Because they all can see all of your DNS requests. Your ISP can even alter them. DoH ensures privacy and integrity of your DNS requests, so they are _only_ shared with your DoH provider.
Do you also trust everyone in the same Internet Cafe as you? And your ISP? And everyone else on the network path to your DNS provider? Because they all can see all of your DNS requests. Your ISP can even alter them. DoH ensures privacy and integrity of your DNS requests, so they are _only_ shared with your DoH provider.
What I don't trust is Cloudflare. When a DoH provider I trust pops up, I will move to that.
Mass surveillance is privacy. Freedom is slavery. Ignorance is strength.
I guess you want your money back?
no I want people who call themselves "devs" to actually care about security or stay away from production code. These are violations of very basic security principles.
[deleted]
My DoH in 71.0 and 72.0 is off by default, I haven't changed those settings.
Seems to be automatically enabled for users in the US [1] if I understand correctly.
[1] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
[1] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Mozilla likes to talk a good game about caring about privacy and user control, but it's mostly just marketing. These are the same people who integrated Pocket and did that stupid Mr. Robot thing.
DoH is only activated by default in the US and if you use PiHole or similar there is a DNS canary that prevents FF from using DoH. Additionally it shouldn't be ignoring your /etc/hosts block list as DoH simply replaces DNS not the host list.
Why is this relevant if it's from DEC 2018?
Next week will be entertaining when someone takes a baseball bat to the pinata and 50;security vulnerablities fall out. thanks Cisco for your continued dangerous and terrible software.
I wonder if the devs get a bonus for everyone they fix.
I wonder if the devs get a bonus for everyone they fix.
that's why I use chrome
This doesn't even make sense, Chrome is non-free to begin with.