Changes

Jump to: navigation, search

Security/DNS Over HTTPS

21 bytes added, 23:47, 15 July 2020
improve reading flow
* Prefs are set to true via Normandy Rollouts, which allows us to target specific regions and control population size and growth so we can manage risk.
== Heuristics == * We run various heuristics to determine whether the network is (un)suitable to enable DoH.* The heuristics are run at startup and upon network changes.* DoH is enabled on the network if all heuristics pass. == Respecting User-choice ==
* User-choice is respected throughout the frontend code.
* If we detect that the user changed their DoH settings in about:preferences, we permanently turn off our heuristics and other mechanisms. The user-set values are obeyed.
* This holds for prefs that were set prior to enrollment in the rollout.
== Enterprise Policy ==
* This is true whether the policy is configured on the local machine or propagated by the network e.g. via Group Policy.
* If a DNSOverHTTPS policy to turn on DoH is in effect, this is respected and heuristics and other mechanisms will be enabled.
 
== Heuristics ==
 
* We run various heuristics to determine whether the network is (un)suitable to enable DoH.
* The heuristics are run at startup and upon network changes.
* If all of the heuristics pass, DoH is enabled by setting the pref `doh-rollout.mode=2`.
* If any heuristic fails, DoH is disabled by setting the pref `doh-rollout.mode=0`.
== Default Provider Selection ==
* This feature is controlled by the prefs `doh-rollout.trr-selection.enabled`.
* Before running heuristics for the first time, we attempt to choose one of the available providers as the default for the profile.
* The chosen default is used whenever DoH is enabled, via the pref `doh-rollout.uri`.
* A network-provided endpoint, if detected, will take precedence over the default provider when on that network. (See Provider Steering below)
* This feature is controlled by the prefs `doh-rollout.trr-selection.enabled`.
== Provider Steering ==
* This feature is controlled by the pref `doh-rollout.provider-steering.enabled`.
* Some providers supply their own DoH endpoints which we want to use if indicated.
* This capability is discovered via the CNAME response when looking up the domain `doh.test`.
* Discovery is only attempted if all heuristics are passing on the network.
* A DoH endpoint discovered in this manner takes precedence over the automatically chosen default provider (see Default Provider Selection above).
* A provider (endpoint + expected CNAME for discovery) must be explicitly supported for this mechanism to work.
* Currently, Comcast is the only supported provider.
* This feature is controlled by the pref `doh-rollout.provider-steering.enabled`.
== Opt-out Doorhanger ==
Nhnt11
63
edits
Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1229126"

Navigation menu