Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch) 301
With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPs" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.
From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true when you are somewhere in a network you don't know, i.e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.
But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.
I'd want to know how to disable the behavior (Score:5, Insightful)
Re: (Score:2, Informative)
about:config
network.trr.mode=5
Re: I'd want to know how to disable the behavior (Score:2)
Will this enable or disable the behavior?
Re: I'd want to know how to disable the behavior (Score:5, Funny)
Will this enable or disable the behavior?
Yes
Re: I'd want to know how to disable the behavior (Score:2)
It's boolean. Doh!
Re: I'd want to know how to disable the behavior (Score:5, Informative)
https://blog.nightly.mozilla.o... [mozilla.org]
https://wiki.mozilla.org/Trust... [mozilla.org]
I imagine the setting we're all looking for is: user_pref("network.trr.mode", 5);
Re: (Score:2)
Maybe.
Re:I'd want to know how to disable the behavior (Score:5, Informative)
They did. Well someone did. I believe this came from documentation on the feature when it was in beta:
https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ [ghacks.net]
Re: (Score:2, Interesting)
UK spook team would say 'This is bad'
How will we block British Users from using our censored lists or logging persons of interest who reference very bad extreme religious sites?
China: Eeek - our firewall will need fixing again. We just block and force it to fallback - no probs.
Me: I use a VPN and it will get over this, only I don't trust my AV software from poking
its beak in - such as dangerous sites.
The winners will be PirateBay and banned chat apps in oppressed countries - and cloudflare, Microsoft, Bing
Re: I'd want to know how to disable the behavior (Score:3)
It depends on how it's implemented, and what the selected DNS provider does. But it seems like putting all eggs in one basket and something that may slow down the internet experience as well.
Re: (Score:3)
Re:I'd want to know how to disable the behavior (Score:5, Interesting)
I'm done with Firefox (Score:5, Insightful)
Sorry, I'll have to pass on Firefox these days. They are making too many decisions that really should be mine, not theirs. This should be an opt-in if it happens at all. A lot of us use chosen DNS servers, thank you very much Mozilla, but no thanks.
Agreed, but 99% of users are clueless. Turn it off (Score:5, Insightful)
> They are making to many decisions that really should be mine not there's. A lot of us use chosen DNS servers
Like you, I would turn it off. I also recognize that 99.9% of users don't know what DNS is. So that goes to the question of "they [Firefox] are making too many decisions that should be mine, not theirs". I would say the *defaults* should be selected based on what is best for the 99% of users who can't and won't make a choice. Settings should be available for the 0.1% who will use them.
That said, I'm not convinced that this particular choice is best for the 99% who don't know what we're talking about. That's an entirely separate question.
Re: Agreed, but 99% of users are clueless. Turn it (Score:3)
Re:Agreed, but 99% of users are clueless. Turn it (Score:5, Insightful)
Agreed (Score:2)
Yep
Re:Agreed, but 99% of users are clueless. Turn it (Score:4, Interesting)
That just trains users to blindly click "use recommended settings" all the time. Within about a week of Microsoft rolling that screen out you started seeing malware requesting permissions from the user with "use recommended settings" or "accept (recommended)". Worst of all, having gone with the recommendation the next pop-up from Windows asking them to confirm if they are really really sure also becomes a blind click-through.
Besides which, I don't see any value in such a screen when the settings menu is two clicks away and power users are going in there anyway.
Re: (Score:2)
This would be a neat feature for the .1% as well, if you could explicitly define what service back-end provides the TRR. Then it is just a redundant failsafe DNS alternative that you can still control.
The issue is not that there is an alternative resolver that can work even when DNS is down; the issue is that it makes a decision for you that you don't like-- specifically, the choice of who is providing the resolution services. If they give you that control too, then this "issue" disappears completely.
They still use Internet Explorer & probablyAOL (Score:2)
> What about the remaining 0.9% of people?
Those are the ones still using Internet Explorer. Probably also using AOL's DNS servers, to find Geocities.
Re:I'm done with Firefox (Score:4, Interesting)
I suppose you prefer to do your forwarding requests to your ISP DNS who sells your browsing information instead, huh?
FYI cloudflare's business model is to help business customers secure their connections. You can read it here [1.1.1.1] which is a plus for grandma. But if you're technical like most of us then I am sure you can disable it.
Re: (Score:2)
Don't "be done" with software freedom. (Score:5, Insightful)
It's a shame you're reaching such a radical decision with no clear indication of how you'll achieve this desired end. The other popular browsers (Edge, Safari, Chrome, or Opera) are proprietary (nonfree software, user-subjugating software). So without more information it seems like you're likely going to choose a browser that will, ironically, give you considerably less control over your browser and you'll end up making a choice to have fewer "decisions that really should be mine not [theirs]". You're overreacting in response to something that is literally a preference change away (as far as we know now). Encrypted DNS lookups could be a very good thing, but pushing users into using a particular DNS server is bad and choosing an organization with a track record for going back on their promises (as Cloudflare is famous for doing [torrentfreak.com]) makes this decision worse.
But regardless of the change or how easy it is to switch the behavior back to using only your preferred DNS server and never informing an unwanted third-party about your browsing, the saving grace of Firefox remains the same: Firefox is licensed such that one can make a free derivative browser (as others have done). We're all allowed to inspect the code, make changes, run the now-trusted version, and help others by distributing a derivative browser. You can't legally do any of that with other popular browsers.
We make free software better by improving it and using the improved versions, not abandoning free software when it becomes inconvenient or undesirable. The privacy you obviously, and rightly, want to keep depends on software freedom.
Re: (Score:3)
The other popular browsers (Edge, Safari, Chrome, or Opera) are proprietary (nonfree software, user-subjugating software).
Chromium is free software. Or do proprietary Google Chrome and free Chromium differ specifically in a way relevant to this article? That is, do they differ in how they send DNS requests?
Re: (Score:2)
What about this feature protects 90% people? (Score:2)
Re: (Score:2)
Problem is Firefox is eager to give Cloudflare *all* the DNS traffic, and Chrome is also talking about doing the same, but to 8.8.8.8 (Google's).
So... now what?
Re: (Score:2)
Re: (Score:2)
There are variations like Waterfox. The problem is that there are a thousand different options. What someone considers tight security such as blocking the use of Javascript, or the automatic installation of plugins and scripts, someone else considers a restrictive feature that stops them from using ad-blockers or other security utilities.
Re:I'm done with Firefox (Score:4, Insightful)
Have you ever actually tried to help Mozilla / Firefox? Have you ever filed a bug report or commented on one?
Every time I have, Mozilla's goons either:
1 - Report it as a dupe of a related issue that was closed (closed as fixed, closed as won't fix / feature request, or closed as being a dupe of yet some other one).
2 - Close it as fixed without fixing it. Often, the issues marked as fixed are not actually fixed, or were fixed but have reappeared (what you're trying to report before getting marked as a dupe, see above).
3 - Close it as won't fix / feature request and lock the comments (see above). These are often issues where people are complaining that FF's latest change or injection of some bullshit no one wants has broken basic functionality and the mods on their bug tracker just stick their fingers in their ears and scream "LALALALALALALALA I CAN'T HEAR YOU" before locking the comments and marking everything as dupes that ultimately trace back to some completely unrelated issue.
4 - Report it as a dupe of a completely unrelated issue and chastise you for not using the broken and unwieldy search to find issues unrelated to what you're trying to report.
Hipster using wifi in fashion coffee shops... (Score:5, Insightful)
... need this feature a lot.
And since the Firefox developer team has a big subset of that demographic, is quite clear why this was included.
All the rest of us, who carefully configured our DNS resolvers (or set up our own DNS servers), get screwed by default. Please tell me how to turn this off in Firefox for Mac/Android...
All the hipster developers using wifi in starbucks and other hipster coffee shops should be thanking Mozilla right now. All the rest of us, not so much.
PS: How does this work when one needs to go to a captive web portal in order to authenticate on the Wifi?
Re:Hipster using wifi in fashion coffee shops... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Then use the search bar not the URL bar.
Re: (Score:2)
Again, bad idea, this only helps the browser and will add a common well known attack vector, it will not help any installed applications or services making internet calls.
Keep it separate, if you want to avoid resolving DNS over your network connection get a service/application that will curate your hosts file or act as a local personal DNS server/service itself. This way more than just your browser gets the benefits.
keep it separate
Re: (Score:2)
If you're grandma or a hipster yes this is a good thing and it offers better performance too. Cloudflare is a company that offers protection from DDOS attacks, CDN, as well as networking security. Cloudflare's DNS guarantees privacy as well [1.1.1.1].
If you are the slashdotter nerd then you will go into about:config and turn it off so what is the big deal.
Re: (Score:2)
This should not be done without a popup saying "Do you want me to fuck with your settings without asking?" then the person who codes it will understan
Re: (Score:2)
... need this feature a lot.
And since the Firefox developer team has a big subset of that demographic, is quite clear why this was included.
This is of course complete bullshit.
As if anyone with something better to do than snoop on the wire at Starbucks won't see destination IP, SNI or servers public key identity and have access to the exact same data DNS provides.
What they really need is 802.1x.
Re: (Score:2)
Where do you get your DNS information for your resolvers? From your ISP? From Google? Why do you trust those people more than Cloudflare? Why do you think this ONLY works with Cloudflare?
The DNS over HTTPs allows you to connect to any server capable of DNS relay through HTTPs. That means you can setup your mobile browser to use YOUR OWN DNS RESOLVERS in your house and it cannot be intercepted (because it's being encrypted) nor will those reading the traffic KNOW you are getting DNS over the HTTPS (because i
Re:Hipster using wifi in fashion coffee shops... (Score:5, Interesting)
As I stated on my original post, I use Firefox ESR 60 on a mac. And Firefox on my android (KeyOne).
At home I use 9.9.9.9, 8.8.8.8 and 208.67.222.222 since I have better things to do than to set up my Synology to be my DNS server.
But when I travel, I use public wifi whenever I can get it, be that my hotel, the training centers where I teach, or, god forbid, a hipster coffee shop. And many of those need a captive portal to authenticate to the Wifi, and that depends on using the Network's DNS servers. So, I configured an "Automatic" setting on the network locales of my mac to handle those cases.
So, as a user of Firefox, I am not happy with this. I am capable enough to configure my DNS settings (or, if push comes to shove, set up a DNS from scratch, not even touching my nas).
So thank you for the inconvenience mozilla. I hope you guys enjoy the backlash when hipsters start to realize that they can not connect to the net in their favourite hipster watering spot because they can not get to the captive portals...
At least, the guys who use Mozilla in corporate networks will get this asinine setting turned off in group policies... as for the rest of us, a quick google and a trip to about::settings shall suffice
Re:Hipster using wifi in fashion coffee shops... (Score:5, Informative)
You might consider switching to DNS Watch [dns.watch]. Instead of providing Google or Cloudflare all your DNS query data (they have fingers in plenty enough other places in my opinion), DNS Watch favors privacy, security, and anonymity.
Preferred DNS server: 84.200.69.80
Alternate DNS server: 84.200.70.40
Re:Hipster using wifi in fashion coffee shops... (Score:5, Interesting)
Why trust them? A lot of dead links on their website, GitHub, Facebook, their "network", even their other website ideal-hosting.com isn't resolving.
All I can find is that they are some IT/Media company from Munich, Germany.
Re:Hipster using wifi in fashion coffee shops... (Score:5, Interesting)
Mozilla employee here, though not involved with this project.
The hipsters will be fine, as the most likely setting falls back to the system DNS when TRR fails. For a little more detail see: https://wiki.mozilla.org/Trust... [mozilla.org]
Re:Hipster using wifi in fashion coffee shops... (Score:5, Insightful)
The hipsters will be fine, as the most likely setting falls back to the system DNS when TRR fails.
... which negates any purported security benefit from this "feature". All a malicious access point wanting to send you to phishing sites would need to do would be to block TRR.
Re:Hipster using wifi in fashion coffee shops... (Score:5, Interesting)
Mozilla employee here, though not involved with this project.
Will Mozilla be disclosing its financial relationship with cloudflare and provide a full accounting of funds it receives as a result of this insanity?
Re:Hipster using wifi in fashion coffee shops... (Score:4, Interesting)
I hope you guys enjoy the backlash when hipsters start to realize that they can not connect to the net in their favourite hipster watering spot because they can not get to the captive portals...
I take it you don't realise that Firefox detects captive portals and brings up a bar across the top asking you to sign in, and that since Firefox is in control of when and how it makes requests this functionality is not affected?
May I recommend another slashdot story, the one suggesting we need more people studying liberal arts because the concept of "critical thinking" seems to be lost.
Re:Hipster using wifi in fashion coffee shops... (Score:5, Informative)
This is what is currently on the 1.1.1.1 site (which I'm assuming that's what Firefox is using since it's owned by Cloudflare)
Privacy First: Guaranteed.
We will never sell your data or use it to target ads. Period.
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.
Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t
Of course, like any other DNS Resolver, you have to trust what they're saying is true, but vs. your ISP DNS (which most firefox users are using by default) or Google Public DNS, Cloudflare would be a privacy improvement. Not sure if it's better than Quad9 security wise though.
The biggest issue I have is that the settings aren't exposed by the settings menu and has to be configured using about:config. I would like to see better controls for it and possibly a list of supported DNS providers to choose like how I can choose Search engines.
Re: (Score:3)
But by law, your ISP is required to maintain a log of all Internet meta-data going back three years as part of the strategy against cybercrime. In turn these companies outsource this work to centralised providers.
Re: (Score:2)
Thre truth is in the middle, as usual.
Keep it seperate (Score:3)
once again, this is a bad idea!
browsers are not the only things using DNS, additionally, it is just one more attack vector on an already sizable surface area.
And if FF enforces this feature... they will only risk losing market share in the browser space every time their "vision" is used to attack systems.
Re: (Score:2)
I don't understand why Mozilla thinks the browser has any business directing DNS to whoever they think it should go to. So, once this update happens, as a Firefox user, all my DNS-related browsing info goes to Cloudflare? At the moment, I'm just using my ISP's default DNS. They already know where I'm browsing. Now, both my ISP and Cloudflare know where I'm browsing. How is this better? At the moment, we can disable it, of course, but no one but Slashdot denizens might do this.
Re: (Score:2)
How is this better?
It is not "better" for me, but this behaviour should have an interesting, unintended effect for Australian users of Firefox. Australian ISPs are, for the most part, subject to a series of court orders requiring them to serve fake IP addresses when asked for The Pirate Bay, Rarbg etc. That fake address leads a browser to an information/warning page. It is trivially circumvented for tech savvy users by not using the ISP DNS. It strikes me that this change will, at least in the short term, make Firefox au
Re: (Score:2)
For about 5 seconds, until Cloudflare configure their resolver to appear to be local to where the request originated (if they haven't already done so).
This is just like the behaviour of Google's 8.8.8.8 resolver.
Re: (Score:2)
Might take more than 5 seconds but it will happen given the small number of targets. The existing court orders would need to be extended to cover non-parties to the original law suits, or new suits raised with handy precedent, and the Copyright Act might need to change to cover entities other than "carriage service providers" (which may not cover Cloudflare at the moment). Nothing that money cannot buy.
Re: (Score:2)
They'll have to do that anyway, as CDNs sometimes use DNS to direct users to a content server local to the user.
Re: (Score:2)
Because they can tap the requests on the DNS resolvers and resell it. Verisign did something commercially similar by putting a wildcard at *.com instead of returning an "invalid address" response.
Re: (Score:2)
Coding for the sake of coding. The same reason Gnome is a mess along with systemd. One could also argue design by committee.
Re: (Score:2)
I don't understand how anyone (including Firefox's design team) can think this is different from any other malware doing the same thing. Surely it is a criminal act?
Re: (Score:2)
Security issues aside this would result in some very strange behaviour on a misconfigured network:
- Different content being served to different applications.
- An apparent network outage for one application is transparent to the other.
Will it help route around censorship? (Score:2)
Re: (Score:2)
Re: (Score:2)
only as long as the thing you looking for is not censored by cloudflare
... or Mozilla.
Re: (Score:2)
What we really need anyway is Distributed DNS so it can't be bogarted.
Yes, I know that's not an easy thing to ask for. But sooner or later, it will be figured out.
In the meantime, Cloudflare's guaranteed secure and private DNS servers are the best we have, other than OpenDNS.
Granted, it's all based on a privacy guarantee in their Terms of Service, but it's worded correctly and I trust that a lot more than I trust Google.
Re: (Score:2)
What we really need anyway is Distributed DNS so it can't be bogarted.
Facepalm.
the meantime, Cloudflare's guaranteed secure and private DNS servers are the best we have, other than OpenDNS.
When cloudflare uses system to resolve names guess what ... that process itself uses insecure protocol to query root resolvers up to whoever owns the zone so claiming that cloudflare is secure is rather comical. It's actually no more secure than running your own server using default root list without a forwarder.
Why is it even relevant whether name resolution is secure? The underlying network isn't secure. Anyone in the network path can fuck you. Heck there is a long history of those normally o
If people want to use an alternate resolver (Score:5, Insightful)
They should be allowed to do so, at the OS level.
The summary didn't mention if this "feature" was possible to disable.
I DO NOT want every freaking app to use a different DNS to resolve my queries.
Re:If people want to use an alternate resolver (Score:5, Informative)
>"The summary didn't mention if this "feature" was possible to disable."
about:config
network.trr.mode = 5 to completely disable it
0 Off. To use operating system resolver.
1 Race native against TRR. Do both in parallel and go with the one that returns a result first. Most likely the native one will win.
2 First. Use TRR first, and only if the secure resolution fails use the operating system resolver.
3 Only. Only use TRR. Never use the native (after the initial setup).
4 Shadow. Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
5 Off by choice This is the same as 0 but marks it as done by choice and not done by default.
https://blog.usejournal.com/ge... [usejournal.com]
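The following added example (not Mozilla's code) models the six network.trr.mode values listed above as a small resolver policy, so the difference between them can be checked on constructed input. It is built to show the objection raised elsewhere in this thread: any mode that falls back to the operating system resolver can be downgraded by a hostile network that simply blocks the DoH endpoint. Host names, addresses and the resolver callables are constructed for the demo.

```python
# Added example (not Mozilla's code): a model of the network.trr.mode values listed
# above, used to show why any mode that falls back to the OS resolver lets a hostile
# network force plain DNS simply by blocking the DoH endpoint. Resolver behaviour,
# host names and addresses are constructed for the demo.

TRR_OFF, TRR_RACE, TRR_FIRST, TRR_ONLY, TRR_SHADOW, TRR_OFF_BY_CHOICE = range(6)


class TrrBlocked(Exception):
    """Raised by the TRR callable when the DoH endpoint cannot be reached."""


def resolve(mode, name, trr, native, trr_faster=False):
    """Resolve `name` under a given trr mode.

    `trr` and `native` are callables name -> ip; `trr` may raise TrrBlocked.
    Returns (ip, source) where source is "trr" or "native". In mode 3 a blocked
    TRR propagates as TrrBlocked: the lookup fails instead of falling back.
    """
    if mode in (TRR_OFF, TRR_OFF_BY_CHOICE):
        return native(name), "native"
    if mode == TRR_SHADOW:
        # TRR is queried for measurement only; its answer is never used.
        try:
            trr(name)
        except TrrBlocked:
            pass
        return native(name), "native"
    if mode == TRR_ONLY:
        return trr(name), "trr"
    if mode == TRR_RACE:
        # Both run in parallel and the first answer wins; a blocked TRR never answers,
        # and even an unblocked one usually loses the race to the local resolver.
        try:
            trr_ip = trr(name)
        except TrrBlocked:
            return native(name), "native"
        return (trr_ip, "trr") if trr_faster else (native(name), "native")
    if mode == TRR_FIRST:
        try:
            return trr(name), "trr"
        except TrrBlocked:
            return native(name), "native"
    raise ValueError("unknown trr mode %r" % mode)


# Constructed answers: the DoH resolver knows the real address, the network's own
# resolver (a rogue access point) hands out the attacker's host for the same name.
GENUINE = {"bank.example": "198.51.100.10"}
PHISHING_IP = "203.0.113.66"


def honest_trr(name):
    return GENUINE[name]


def blocked_trr(name):
    raise TrrBlocked("DoH endpoint unreachable (dropped by the access point)")


def rogue_native(name):
    return PHISHING_IP


def downgrade_outcome(mode):
    """What the browser ends up with for bank.example when the attacker blocks DoH."""
    try:
        return resolve(mode, "bank.example", blocked_trr, rogue_native)
    except TrrBlocked:
        return None, "failed"


if __name__ == "__main__":
    for mode in range(6):
        print(mode, downgrade_outcome(mode))
```

Run stand-alone it prints one line per mode. Modes 0, 1, 2, 4 and 5 all hand back the rogue resolver's address once the DoH endpoint is blocked; only mode 3 refuses to answer rather than downgrade, at the price of failing on any network that blocks the resolver, captive portals included. That trade-off is the whole design question, and it is not solved by choosing a resolver.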
Internal hosts? (Score:2)
Hmmm. I haven't looked at this... but it sounds like it'll break any host names I've set up locally (for development) and not published to global DNS...
Killing bad internal DNS (Score:2)
Please tell me that this will break internal DNS for non-existent top level domains. I've recently encountered several business partners who insisted on inventing their own internal top level domains, and simply accepting that there is no HTTPS signatory for those top level domains.
Already broke it (Score:2)
Good Job, Mozilla, in making an inexcusable privacy-raping tool..
Fuck off,
Signed,
The majority of reality, faggots.
And I'm gay, so I can call you faggots all day long without repercussion, dick-suckers.
Re: (Score:2)
Uh... the "researchers" are missing something big. (Score:2)
AND -- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers.
Frankly, I trust that a whole lot more than any promise from Google.
And yes... as long as cloudflare continues the same policy, and live up to it, it is a heck of a lot more secure than going through some random DNS resolver you don't eve
Re: (Score:2)
https://developers.cloudflare.... [cloudflare.com]
Eh I'll just post this link here and you can draw your own conclusions.
Re: (Score:2)
-- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers.
LOL...
Cloudflare will collect only the following information from Firefox users:
- Timestamp
- IP Version (IPv4 vs IPv6)
- Resolver IP address + Port the Query Originated From
- Protocol (TCP, UDP, TLS or HTTPS)
- Query Name
- Query Type
- Query Class
- Query Rd bit set
- Query Do bit set
- Query Size Query EDNS
- EDNS Version
- EDNS Payload
- EDNS Nsid
- Response Type (normal, timeout, blocked)
- Response Code
- Response Size
- Response Count
- Response
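To make the list above concrete, here is an added example (not Firefox's or Cloudflare's code) that builds the DNS wire-format message an RFC 8484 DoH client sends, encodes it for the GET form of the protocol, and parses back the fields a resolver can see and log: query name, type and class, the RD bit, and the EDNS version, payload size and DO bit from the OPT record. The resolver URL is a placeholder and the query is constructed locally, so nothing is sent.

```python
import base64
import struct

# Added example (not Firefox's or Cloudflare's code): build the DNS wire-format
# message an RFC 8484 DoH client sends, encode it for the GET form of the protocol,
# and parse back the fields from the list above (query name/type/class, RD and DO
# bits, EDNS version and payload size). The resolver URL is a placeholder.
DOH_RESOLVER = "https://doh.example.net/dns-query"  # hypothetical endpoint

TYPE_A, TYPE_OPT = 1, 41
FLAG_RD = 0x0100      # header flags: recursion desired
EDNS_DO = 0x8000      # OPT "TTL" field: DNSSEC OK bit


def encode_name(name):
    """Encode "www.example.com" as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, rd=True, do=True, payload=4096):
    """DNS query with one question and an EDNS0 OPT record in the additional section.
    RFC 8484 says the client SHOULD use ID 0 over DoH (HTTP pairs request and reply)."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD if rd else 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, EDNS_DO if do else 0, 0)
    return header + question + opt


def doh_get_url(msg, resolver=DOH_RESOLVER):
    """GET form: base64url without padding in the `dns` query parameter."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def parse_query(msg):
    """Extract what the resolver can see and log from a raw query message."""
    qid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    info = {"id": qid, "name": ".".join(labels), "type": qtype, "class": qclass,
            "rd": bool(flags & FLAG_RD), "size": len(msg), "edns": None}
    if arcount and msg[off] == 0:  # OPT record uses the root name
        rtype, payload, ttl, _rdlen = struct.unpack("!HHIH", msg[off + 1:off + 11])
        if rtype == TYPE_OPT:
            info["edns"] = {"version": (ttl >> 16) & 0xFF,
                            "payload": payload,
                            "do": bool(ttl & EDNS_DO)}
    return info


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(parse_query(q))
```

The point of the exercise: everything TLS hides from the coffee-shop network, the query name above all, arrives in the clear at the resolver and is exactly what the list says gets collected. DoH moves the party you trust with your lookups; it does not remove one.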
Re: (Score:2)
And Cloudflare answers to US law enforcement. See any problem with sovereignty issues? I do.
They all answer to US authorities. I thought Cloudflare was European but I could be wrong. Your American service provider is no exception.
Re: (Score:2)
Whoops meant to post this here.
https://developers.cloudflare.... [cloudflare.com]
You can draw your own conclusions.
A load of crap. Cloudflare is secure (Score:5, Insightful)
First off your ISP guarantees they sell your browser history to advertisers and some EVEN INSERT ads into your browsing experience. Cloudflare who is behind 1.1.1.1 guarantees your privacy as well as gives you the lowest latency if you read the agreement at www.1111.com. [1.1.1.1]
Cloudflare is used for companies that have been hacked for security as well as CDN services. Experia consulted with them after the scandal.
Re: (Score:2)
I already set my DNS servers to cloudflare (1.1.1.1) when they launched their service. Now I can use it over https so no one along the network path can snoop my dns queries. If there is a faster or more private dns service, I'd like to know about it so I can switch to it.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
I'm also using cloudflare but only because the I.P. address for their primary DNS is the same as Pocky Day [wikipedia.org].
Re: (Score:2)
Cloudflare is an adversary and is doing its utmost to break the world wide web [notabug.org]. You can have no reasonable expectation of privacy from them, either [device5.co.uk]. Cloudflare is a MiTM attack on the web and should be treated as such. They have a track record of spreading disinformation and even messing with bug tickets of privacy projects like tor to try to make themselves look better without fixing anything.
Your ISP should not *have* your browser history. You should be using tor [eff.org]. If your ISP can see your browsing
Not to mention Cloudflare has exactly (Score:3)
zero visibility to internal DNS resolution for corporate networks
Ham handed is the kindest thing I can say about this.
Re: (Score:2)
Obviously you don't work for a living. I've worked IT for over 30 years, for companies, very large and very small. Often IT does suck, especially when ideas are done thoughtlessly, just as this knee jerk initiative from Mozilla is.
Re: (Score:2)
IT doesn't control my firefox. I install it myself. IT provides me DHCP specified DNS resolver that understands our internal network. They provide the certificate I can install.
This path ultimately leads to firefox resolution acting *differently* than chrome and neither resolving like the rest of the system.
The browser projects need to not internalize name resolution and instead work toward whatever they need out of the OS resolver.
Isn't this disabled by default ? (Score:2)
Re: (Score:2)
This is from "we know better than you" Mozilla. I bet it's enabled by default.
And I verified (Score:2)
I am sorry, AGAIN, what is the problem ? People are simply throwing mud and getting angry because they want to.
Fuck mozilla (Score:2)
DNS is one of the few remaining services yet to be totally centralized. Assertions centralized systems (Mozilla) are more trustworthy and privacy preserving than federated ones is doublespeak.
Mozilla is basically asserting without evidence everyone's DNS servers are untrustworthy and therefore for users own good only theirs can be trusted.
It is not even clear what even practical theoretical benefit to the end user would be given anyone in data path can see destination address, SNI, PKI Identity and TLS ses
Mozilla hijacks DNS? (Score:2)
In security world, changing DNS servers being used without notifying the owner of the machine is known as "hijacking DNS".
How on earth is Mozilla getting away with hijacking DNS?
Thats. Not. How. It. Works. (Score:2)
Exposing data to a particular party is an issue iff the security model treats that data as confidential and not intended for that party. In the current model of things, DNS queries are sent in the clear and so there is no confidentiality with respect to any party that happens to be eavesdropping.
So then thinking for a bit, we could have some transport layer security for DNS, this would prov
Re:Firefox updates, more stuff to disable (Score:5, Informative)
Stop updating.
Block javascript by default.(noscript)
Block cross-site scripting by default. (uMatrix)
Block tracking cookies. (Privacy Badger)
Block advertising. (uBlock Origin)
Feature thrash does not solve security problems. If you can't get updates that are separate from new features, you can't trust them to reduce the attack surface.
Re: (Score:3)
Re: (Score:2)
This gives a blank page which is not truly a blank page. The blank page shows some icons for frequently visited pages. That's why I also use an add-on to get a real blank tab.
Netscape (Score:2)
Ah! Hark the days of Netscape Navigator 2.0, and the little Lizard Throbber on the corner!
(can you install the old lizard throbber back? Firefox 61/Linux here.)
Re: (Score:2)
Re: (Score:2)
Yep so the answer is to use your ISP who tells you in the agreement they will sell your information and history to advertisers instead
Re: (Score:2)
The trustworthiness of an ISP's DNS is not really significant, if you can't trust their DNS server you can't trust their routers either, and if that's true no IP address you use is safe from redirection. Only an external authenticated connection is safe and DNS doesn't work like that. If Mozilla is using a public key encryption mechanism between the browser and their name resolution server it will be far more secure than current DNS servers, whether you use your own, a known external, or your ISP's.
A lot of websites now are going HTTPS with Google banning HTTP already in canary releases in Chrome. This will make it harder with transport layer security. For example your ISP will know you went to Amazon but not much else.
However, true pornhub will still be a record if they track each ISP unless you do a proxy with a secure connection.
Re: (Score:2)
Cloudflare doesn't log your requests, so using Cloudflare DNS is not a privacy problem (even if law-enforcement requests your DNS lookups from them, they have no log to provide).
Their own site explicitly says otherwise.
Cloudflare will collect only the following information from Firefox users:
- Timestamp
- IP Version (IPv4 vs IPv6)
- Resolver IP address + Port the Query Originated From
- Protocol (TCP, UDP, TLS or HTTPS)
- Query Name
- Query Type
- Query Class
- Query Rd bit set
- Query Do bit set
- Query Size Query EDNS
- EDNS Version
- EDNS Payload
- EDNS Nsid
- Response Type (normal, timeout, blocked)
- Response Code
- Response Siz
Re: (Score:2)
I use Cloudflare's 1.1.1.1 DNS server because it saves me up to 8 digits on each lookup request!
Re: (Score:2)
Dude, DO NOT write their name as "Mozi//a", that's SJW and/or hipster crap. Mozi//a reads as "Mozi slash slash A". They're called Mozilla, in all letters.
Re: (Score:2)
It gives us extra overhead. Maybe Mozilla thinks the Web is not slow enough with all the current crap, maybe they want to make it even slower.
Re: (Score:2)
Oh, sure thing guy. This is, after all, the official way to send us queries and since you've clearly given us a way to contact you, you'll be hearing an official reply soon.