Just about every part of this is incorrect

The overwhelming majority of people don't even know what DNS is, let alone "run" it. If you "run" your own DNS server then it's trivial to disable Firefox's use of DoH

Your American ISP can't be trusted: several have been caught abusing it. Up to now we've only enabled DoH for users in America. We've now added Canada. People in Europe seem to trust their ISPs a lot more and I haven't heard of any plans to enable it by default there.

I have no idea what the network printer and ESP32 chips thing means

Mozilla does NOT snoop your DNS queries. DOH uses partner resolvers with strong privacy policies and they don't share any of that data back

By default Firefox only knows a set of certificate authorities who agree to abide by certain requirements and are audited. When it encounters an unknown one it has no way to distinguish yours from an attacker's, but if you tell Firefox to trust yours it absolutely will. This is no stricter than any other modern program on your computer which aren't going to trust your home-rolled CA unless you tell them to. If you've installed your own CA into your Mac or Windows OS Firefox should now be able to find it and trust it without you doing anything specifically for Firefox.

You can totally disable any builti-in CA. you can't "remove" them because the default set is compiled in, but you can definitely change them from trusted to untrusted. I've done that myself with all but the biggest CAs.

Businesses can turn off DoH for everyone on their network through a Group Policy setting, or by blocking the canary domain.

Good news! your DNS data will stay in Canada and be sent to CIRA, the Canadian non-profit that manages the .ca TLD. They've got a strong privacy policy.

Mozilla is small tech: fewer than 800 employees, compared to Google's 100,000 employees and 120,000 contractors (per a 2019 NYT article, probably more now) and similar sizes for other tech giants. And although our HQ is in America, 1/4 to 1/3 of our employees are based in Canada, including the executive director of the non-profit Mozilla Foundation that owns us.

I do. I don't think its a perfect solution, but it's a good one that adds privacy and security improvements that will prevent real, documented abuses, and can be made functional on today's internet with reasonable tradeoffs.

PKI problems are a separate mess, which obviously impact DoH but more importantly everything else. There have been a lot of improvements there, too, over the past few years in policy and enforcement. For example, CAs are now required to publish certs in auditable CT logs, and errors are getting caught and fixed. But that's off-topic for this thread. If you'd like you can see the conversations between browser vendors, Certificate Authorities, and other interested folks about these issues and problems at https://groups.google.com/a/mo...

Did they make that promise in a legal agreement with another company?

Ultimately for a free market to work someone has to hold companies to account for the claims and promises they make. We have a long history that shows a fair number of people are happy to rip customers off with whatever false promises they can get away with. If you're unhappy that companies are getting away with fraud you should demand that your representatives fix that.

An ISP can disable Firefox DoH by simply blocking the canary domain we created for that purpose. That's discoverable though. An ISP going that route had better be sure that's what their paying customers want. DoH as implemented prevents passive undetectable surveillance by your ISP and forces them to make DNS tracking explicit. You could also turn on a strict mode that will "fail safe" in that case, but that's not the default.

You lost me here.

That's not the "only" protection, no. It was the one relevant to the comment I was responding to, about how the Mozilla-chosen resolver differed from their default DNS provider. The HTTPS part protects against passive surveillance on the wire and active redirection attempts, and that protection comes from from math, not lawyers.

If such laws are passed they will affect all DNS providers in that jurisdiction, including the default ones run by your ISP. That's why we are only enabling DOH when we have a partner resolver in the same jurisdiction -- thus this announcement that we're extending this to Canada now that CIRA has agreed to our policy requirements. At the very least the policy includes requirements for transparency about what is being blocked, which you may or may not get from your ISP. And of course you're free to manually choose a resolver in a different jurisdiction that doesn't fall under your local laws.

So far four resolvers have agreed to meet the Mozilla policy requirements for trusted resolvers. Privacy requirements are the main part of that policy, so no, CloudFlare and the others can't share or sell your data without breaching that agreement. Our lawyers are not afraid to defend privacy when necessary.

A few hours ago Mozilla released Firefox 36.0.3 for Windows, OS X, Linux, and Android to patch the exploits revealed at the Pwn2Own contest.

No modern browser allows javascript URLs in CSS. None. Completely non-standard and dangerous. Old IE and Netscape? Yeah, they were dumb back then, but that was over a decade ago.

That misses the point of this vuln entirely which requires NO JavaScript whatsoever on the user's part. The site is written to use JavaScript and set up a JSONP service. This trick fools the JSONP service into returning a "callback name" that just so happens to be valid .swf data. The attacker then uses the URL that triggers that response in a context that expects flash (e.g. an or tag). As far as Flash is concerned the .swf came from that site so it's allowed to make any further requests to that site it wants. [I, too, am sad the UI for disabling JS is gone, but honestly for myself I've always used the Web Developer Toolbar when I wanted to disable JS because it's faster to get to that option.]

Why was ping a "Mozilla" fiasco? It was a WHATWG specification, never shipped enabled in a Firefox final release, but is currently supported by Chrome.

As the Firefox Security Manager I completely and vehemently disagree. I employ a team that spends 100% of their time "going on bug-hunts" looking for security bugs in Firefox, and I know my counter-part at Google is doing the same for Chrome. Our Bug Bounty programs (VRP? ugh, so very corporate) are an incentive for people who stumble on neat stuff to pass it on, not a substitute for doing the work ourselves.