I'm so sad to see Mozilla move forward with this massive attack on user privacy.
Firefox DoH is snake oil, plain and simple. It sends all the user's DNS queries to Cloudflare, adding a new party which can surveil the user's traffic (and can be legally compelled to do so and not disclose this fact) -- providing a convenient choke point to save spies and hackers the trouble and exposure of extracting the data from tens of thousands of individual ISPs.
Simultaneously, it does not protect the user from monitoring by their ISP or parties situated there because the user's destination IPs remain unencrypted, as well as the hostnames via SNI (for cases of shared hosting, e.g. on cloudflare, where the IP alone wouldn't be enough).
At the moment you can disable this across your whole LAN by blocking traffic to 104.16.248.249, 104.16.249.249, 2606:4700::6810:f8f9, and 2606:4700::6810:f9f9 and by DNS blackholing use-application-dns.net and cloudflare-dns.com.
# On the LAN gateway: drop packets to the DoH endpoint addresses listed above
# (raw/PREROUTING catches forwarded traffic from LAN hosts; add matching OUTPUT
# rules if the gateway itself runs Firefox).
iptables -t raw -A PREROUTING -d 104.16.248.249 -j DROP
iptables -t raw -A PREROUTING -d 104.16.249.249 -j DROP
ip6tables -t raw -A PREROUTING -d 2606:4700::6810:f8f9 -j DROP
ip6tables -t raw -A PREROUTING -d 2606:4700::6810:f9f9 -j DROP
And if you're using bind:
// Serve both names from the empty zone file so lookups get no address records.
zone "use-application-dns.net" {
    type master;
    file "/etc/bind/db.empty";
};
zone "cloudflare-dns.com" {
    type master;
    file "/etc/bind/db.empty";
};
Or unbound:
# static zones answer NXDOMAIN for any name that has no local-data entry
local-zone: "use-application-dns.net" static
local-zone: "cloudflare-dns.com" static
But there is no guarantee that these mitigations will continue to work.
[Edit: Aside, this comment and many/most(?) comments on this thread were moved from a more recent thread with the headline "Firefox turns on DoH as default for US users". The new title, which omits the on-as-default, is kinda burying the lede.]
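The comment above relies on two things: Firefox's canary lookup of use-application-dns.net through the system resolver, and the shape of the DoH request that the firewall rules drop. The following is an added example, not code from the commenter; it builds the RFC 8484 GET request Firefox would send and checks whether a resolver's answer for the canary satisfies Mozilla's documented rule (DoH is turned off when the canary returns NXDOMAIN, SERVFAIL, or NOERROR with no A/AAAA records). The DoH URL is an assumption (Firefox's default resolver endpoint, not stated in the comment), and the responses fed to the checker are constructed inline rather than captured from a real resolver.

```python
"""Check whether a resolver's answer for the DoH canary domain would make
Firefox fall back to system DNS, and build the matching RFC 8484 request.
Added example; not the commenter's code."""
import base64
import struct

CANARY = "use-application-dns.net"
# Assumption: Firefox's default DoH resolver URL (not given in the comment).
DOH_URL = "https://mozilla.cloudflare-dns.com/dns-query"

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0) -> bytes:
    """Wire-format query with RD set. txid 0 is what RFC 8484 recommends
    for DoH so that identical queries are cacheable at the HTTP layer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes) -> str:
    """RFC 8484 GET form: base64url of the query, padding stripped, in ?dns=."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={b64}"


def build_response(query: bytes, rcode: int, rdatas) -> bytes:
    """Constructed answer to `query` (stand-in for a LAN resolver): copies
    the question, sets QR/RA plus rcode, appends one A or AAAA record per
    rdata using a compression pointer back to the question name."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(rdatas), 0, 0)
    body = b""
    for rdata in rdatas:
        qtype = QTYPE_A if len(rdata) == 4 else QTYPE_AAAA
        body += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + body


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles 0xC0 pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Return the rcode and the list of (rtype, rdata) answers."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip qtype/qclass
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        answers.append((rtype, data[off:off + rdlen]))
        off += rdlen
    return {"rcode": flags & 0x0F, "answers": answers}


def canary_disables_doh(response: bytes) -> bool:
    """Mozilla's documented canary rule: NXDOMAIN, SERVFAIL, or NOERROR with
    no A/AAAA records disables DoH. A sinkhole that answers with an address
    (0.0.0.0, or an ISP NXDOMAIN-redirect page) does NOT satisfy the rule."""
    parsed = parse_response(response)
    if parsed["rcode"] in (RCODE_NXDOMAIN, RCODE_SERVFAIL):
        return True
    has_addr = any(t in (QTYPE_A, QTYPE_AAAA) for t, _ in parsed["answers"])
    return parsed["rcode"] == RCODE_NOERROR and not has_addr


if __name__ == "__main__":
    q = build_query(CANARY, QTYPE_A)
    print(doh_get_url(q))  # the request the firewall rules above would drop
    # Constructed responses: bind's empty zone gives NOERROR with no records,
    # unbound's static zone gives NXDOMAIN, a 0.0.0.0 sinkhole gives an A record.
    print(canary_disables_doh(build_response(q, RCODE_NOERROR, [])))          # True
    print(canary_disables_doh(build_response(q, RCODE_NXDOMAIN, [])))         # True
    print(canary_disables_doh(build_response(q, RCODE_NOERROR, [bytes(4)])))  # False
```

The last case is the one to check on your own network: a blocklist resolver that maps blocked names to 0.0.0.0 returns an A record, so Firefox treats the canary as resolvable and keeps DoH on; an empty zone or NXDOMAIN, as in the bind and unbound snippets above, is what the rule actually keys on.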
What you do if you're the one trying to manipulate the company from the outside and on the short side:
A company might have a shareholder that needs a new certificate of stock issued because they "lost" their old one. Or it got eaten by sharks or something while you were at the beach, somebody's house burned down, they moved, it got lost, cancer. Whatever the case, this happens every day in the market; people lose certs for all kinds of reasons. If you own a public co, you'll have to work with your current stock transfer agent to get the certs reissued, and this is a pain in the ass as affidavits and sometimes insurance bonds need to be issued along with them. These certs might represent e.g. 1 million shares of stock, 50k, 100k, but it all accumulates if not taken care of and tracked like a hawk immediately. This might happen 1-3 times per year.
Each time this happens, the DTCC needs to finally validate the certs and "put them on deposit", officially approved for trading. Once this is done, if you have worked with your SEC attorney, stock transfer agent (to get the ledger updated) and the DTCC to make sure there are no hold-ups, you then make sure CapitalIQ/S&P are holding accurately reflected updates in their DB, as most institutions and market makers and some traders just rely on this data to adjust or predict your price in their models. Remember, a price adjustment must come if there is any change in the float. And, as the CEO properly overseeing the process, you've just witnessed a change in the float, if you're on top of it, so you then expect to see a corresponding change, more or less, in the price in some reasonable amount of time, say a day or two, or immediately if you have some good connections.
Now multiply the above by several accumulated share cert reissuances, which is more real-world, then add the fact that not many small-cap CEOs are hawkish about that (half of them just let the stock transfer agent take care of everything and call it a day, wake up the next day, grab a bag of popcorn and watch their stock trade <- keep this in mind). Now add, the critical part, guys on the inside that know this process like the back of their hand. They in fact make money by making sure all this happens "smoothly"; they are usually working closely with the stock transfer agents.
Next, factor in shrewd but unscrupulous friends in this guy's little network, who might be big shorts of this stock. They call their friend at the transfer agent and throw a monkey wrench into the process, knowing that inaccurate float data will then be distributed to OR within CapitalIQ. Prices then will not be accurately reflected, and they are now in the money for building a short position in the stock while everyone else, including the public, thinks it should be valued differently. Unethical information arbitrage is happening.
They then call their buddy up at the stock transfer agent and correct a synthetic mistake. Once corrected, the price of the stock must come down, making the short a load of $$$ on the way down because e.g. 20M shares have just been added to the float. This means more supply, right? BTW: you want nowhere near that amount in your float as a small cap.
Unless the CEO can correct this or even knows about it, a form of fraud can continue to exist on that company stock.
This is just 1 of many examples of how fraud can be structured on the short side. The long side is a bit different but with the same principles of screwing with a public company's cap table based on inside manipulation of the float, by deep insiders, not company insiders. I know this because I had to fight this exact scenario and a few others from happening to my company. Being a software engineer also helps quite a bit. I built all kinds of automated monitoring systems for this, in particular to monitor the NOBO list and true "short interest", for example.
I also used to have bots send certain small market maker guys updated news on our company. They hated that because it then bound them to a piece of knowledge that could be traced back to them. I thought it was funny. I eventually stopped that as I thought it was also too aggressive in terms of taking a bite out of fraud that ran against my company.
Keep in mind, some CEOs are in collusion here, shorting their own stock after going long and just riding the waves of what they consider giant ATMs. You can tell who they are because 99% of the time they have super high floats and know that the public is clueless about the bad "financial engineering" specific to float structures.
Other examples of the above include someone disagreeing with the NAV (Net Asset Value) of the assets within your company. If you legitimately change the NAV of one of your assets, such as an LLC that has a JV with a new partner based on some IP or the acquisition of something valuable, then you can negotiate with CapitalIQ/S&P to have them change your float based on shares being issued to the JV or LLC and no longer being part of the public company. This is a bit more complex strategy for the CEO to control the float. This process can also be manipulated by being held up by a firm being used by some outsider. I had to deal with this scenario too. I had some outside shareholders saying one of our NAVs was too low and another saying it was too high and he would not stand for a change in the float, so he wanted to get personally involved with communicating with the outside data vendors.
Another example relates to "Donkey Kong" but that's different kind of volume manipulation that can help chip away a bloated float altogether.
And then there are those that will offer to manipulate the option pool, which of course entails them cashing out very soon or immediately, buying all the way up and then shorting all the way down when your float becomes bloated from all the options being converted to actual tradeable stock and then just sitting out there waterlogging everything for investors and traders that are trying to figure out why your stock does not move up like the others but moves down much more than the others... Messing with options for the CEO while the deal includes the same options for the outside partner is still outright illegal and can land you in jail. But I'm pretty sure it's still being done.
And there's always the good nuclear option of cleaning up the cap table: buying back shares, finding ones no one is using (believe it or not, yes, unclaimed, or those someone may want to give back to the company based on first right of refusal or for tax reasons) and then, once all rounded up, outright "canceling" a large lot, which can burn a lot of people real quick on the short side and make tons for others on the long side overnight. This is actually perfectly legal with the right intent. This also takes lots of phone calls and negotiation.
The bad nuke option is a reverse split; this leads to a different kind of death spiral for the stock and is encouraged by dealers and brokers, some of which know that you won't be able to sustain it. You cut the float in half, e.g., and then the price doubles correspondingly overnight. However, most companies are unaware that they are being manipulated such that naked shorts keep piling on, leaving you worse off than where you started. Naked shorting and other kinds can almost endlessly add to an inaccurate float number.
Lots of details left out but in principle that's how the above works.