Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch)
With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPS" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.
From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true when you are somewhere in a network you don't know, i.e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.
But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.
I run my own local recursive nameservers even on my portable devices. Totally not interested in using anyone's resolvers but my own. I hope they publish instructions on how to bypass the behavior.
Sorry, I'll have to pass on Firefox these days. They are making too many decisions that really should be mine, not theirs. This should be an opt-in if it happens at all. A lot of us use chosen DNS servers, thank you very much Mozilla, but no thanks.
... need this feature a lot.
And since the Firefox developer team has a big subset of that demographic, it is quite clear why this was included.
All the rest of us, who carefully configured our DNS resolvers (or set up our own DNS servers), get screwed by default. Please tell me how to turn this off in Firefox for Mac/Android...
All the hipster developers using wifi in starbucks and other hipster coffee shops should be thanking Mozilla right now. All the rest of us, not so much.
PS: How does this work when one needs to go to a captive web portal in order to authenticate on the Wifi?
*** Good luck to everyone and have a happy day!
once again, this is a bad idea!
browsers are not the only things using DNS, additionally, it is just one more attack vector on an already sizable surface area.
And if FF enforces this feature... they will only risk losing market share in the browser space every time their "vision" is used to attack systems.
Every time Firefox updates, I have to find a new way to disable the latest cruft. Even getting a totally blank new tab anymore requires an addon. And of course the totally undocumented cruft of about:config is another nightmare in itself.
After several noteworthy attempts, Firefox has finally jumped the shark. I've got to find a new browser. Messing with my DNS is totally unacceptable.
Mozilla went full retard. Time to block the auto-updating for a while and find a browser that allows overrides that's not Chrome-based.
And even if anyone thought Mozilla's idea is a good one, which it isn't, why so much trust in Cloudflare?
Did everyone completely forget "Cloudbleed" of early 2017?
When my work VPN is up, dnsmasq redirects some (not all) DNS queries to the resolvers at work. Sounds like FF is going to break my work VPN.
http://forums.dds6qkxpwdeubwuc...
https://bugzilla.mozilla.org/s...
https://trac.torproject.org/pr...
FYI
Because if it does, I think I can overall live with it.
Liberty - Security - Laziness - Pick any two.
They should be allowed to do so, at the OS level.
The summary didn't mention if this "feature" was possible to disable.
I DO NOT want every freaking app to use a different DNS to resolve my queries.
I don't trust third parties, why would I trust Cloudflare? So for most Firefox users there will now be a single point of failure if Cloudflare goes down or is compromised? One of the points of DNS is that it is decentralized just like most of the internet, why are they trying to break that? Why are they not listening to our network settings? Whose pocket is being lined to do this? Oh I get it, this is for wifi users that will connect to any network as long as they get their fix? Why are you screwing the rest of us?
this is arguably more of a privacy issue than a security issue. while cloudflare represents a large attack vector, they certainly have better security than your ISP. as to where all that DNS information goes, whether it be google or cloudflare, it is not hard to guess.
Personally I would trust most ISPs' resolvers only slightly more than a coffee shop's wifi. We've already seen them do plenty that's not in the best interests of users, like hijacking NXDOMAIN responses and redirecting them to the ISP's own search engines. ISPs have also been caught injecting ads.
The big concern here at this point for me is that this leads to more centralization. Privacy is still a concern, but it's one you should already have. Cloudflare's DNS seems to offer greater assurances of privacy than blindly accepting your ISP's default. Those that have actually checked out their ISP's privacy practices or who are running their own resolvers are probably safer sticking with those.
Hmmm. I haven't looked at this... but it sounds like it'll break any host names I've set up locally (for development) and not published to global DNS...
In Australia, all ISPs are supposed to override DNS for a government list of "undesirable" websites.
This will be great for Aussies who want to access pirate sites, but don't know how to override their router's default DNS settings.
It'll probably also work around corporate networks which have certain sites blacklisted.
Cloudflare is offering "free SSL certificates" that are actually a false front.
"The certificate that is issued belongs to CloudFlare and not the site you're trying to connect to, and traffic on the other side of CloudFlare between their network and the host site is not encrypted."
https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/
Mozilla seemingly operates more as a for-profit than a non-profit. In my view, Firefox up to 3.6.x was great. Since version 4, it's been downhill.
Ah! Hark the days of Netscape Navigator 2.0, and the little Lizard Throbber on the corner!
(can you install the old lizard throbber back? Firefox 61/Linux here.)
Mozilla and Cloudflare seem like a good match. One fired their CEO or whatever, because of his political views and Cloudflare shirked their responsibility as an impartial service facilitator by cutting off service to a group over their (admittedly fucking awful, to be fair) political views.
And on top of these, these two cunt-organizations want me to give them full control over my DNS. Suck my fucking dick you fucktards.
Please tell me that this will break internal DNS for non-existent top level domains. I've recently encountered several business partners who insisted on inventing their own internal top level domains, and simply accepting that there is no HTTPS signatory for those top level domains.
#1 This better be able to be disabled so that end-users cannot turn it back on. We use DNS filtering for a lot of things in our corporate networks. If someone can use Firefox with Cloudflare's DNS then they will be bypassing all our DNS servers, filtering and security! #2 I use DNS filtering at home to keep my teenagers off sites I do not approve. Again, this better be able to be disabled without my kids being able to turn it on. This is a very very very bad idea and will really piss me off because we just standardized on Firefox for over 50,000 machines.
If you check this Mozilla blog post, they have instructions on how to disable it. Basically change network.trr.mode to 5 in about:config. They also mention how Cloudflare is just the default, but you can configure it to use any DNS over HTTPS provider. Granted this should be something you can do via the GUI, but it's not quite the doomsday scenario Slashdot posters are known to leap to right away.
In an ideal world, they could somehow probe the network connection and tell if it's a public wifi at Starbucks, or your ISP at home, and then enable or disable this feature accordingly, but I think if you consider the unwashed masses out there who fall for all those tech support phone scams, or the guy who stormed into the FBI HQ complaining that they were blocking him from viewing kiddie porn because of one of those ransomware programs, as opposed to the average Slashdot reader, this is a good thing on the whole. It could probably use with a bit more tweaking before going live with FF 62, especially in terms of explaining to people exactly what it is, what it isn't, and what it will/won't do, so people who frequent certain sites with a green and white color motif might be less likely to blow it completely out of proportion.
https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
Are you fucking retarded? Do you want to break the internet? Because this is how you break the internet.
You do realise who recommends Firefox to average users? People like us who read slashdot and fucking hate this idea.
If this makes it to production, I can no longer recommend Firefox. I will stop using it myself and go back to SRWare Iron.
You better not do this to Thunderbird too.
You won me back with Quantum's performance. You will lose me and many others like me because of this.
You want me to send my DNS queries to a US company? Are you fucking insane?
Sorry, no, I will use the DNS servers here in my own sovereign nation and you can go fuck yourself.
Good job, Mozilla, in making an inexcusable privacy-raping tool.
Fuck off,
Signed,
The majority of reality, faggots.
And I'm gay, so I can call you faggots all day long without repercussion, dick-suckers.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This whole so-called "security issue" ignores the fact that Cloudflare already offers its own DNS resolvers, at 1.1.1.1 and 1.0.0.1.
AND -- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers.
Frankly, I trust that a whole lot more than any promise from Google.
And yes... as long as Cloudflare continues the same policy, and lives up to it, it is a heck of a lot more secure than going through some random DNS resolver you don't even know.
Mozilla's browser will be more secure than those that depend on DNS, if they use public key encryption to authenticate the name resolution server. They'd be stupid otherwise, so I think it's safe to assume they are.
The only real concern is privacy.
Also, all those people posting about using custom and well known DNS servers are wasting their time. If you can't trust your ISP you can't trust their router, and so any address you use is subject to redirection regardless of which DNS server it was retrieved from.
It seems that many developers have forgotten that protocols other than HTTP exist. Jamming DNS on top of it is silly, especially the serialization into JSON for extra inefficiency. There's an experimental RFC for DNS over DTLS:
https://tools.ietf.org/html/rfc8094
Why not direct effort towards this more logical solution? That way, all DNS traffic is protected, not only traffic from the stub resolver to a centralized man-in-the-middle who is somehow trusted to proxy everyone's DNS queries.
For all their talk about openness and a free Internet, I think the Mozilla people are fine with centralization and surveillance, as long as they get to join the elite club of those who hold the keys. "Partnering" with Cloudflare is their bargaining chip for that.
And Cloudflare answers to US law enforcement. See any problem with sovereignty issues? I do.
As this is quite clearly a commercial, not security, change I'd like to know just how much Cloudflare is paying to be able to collect all this personal data through Firefox. A LOT can be gleaned from DNS requests, both about the user and their activities. Why should we imagine that one scumbag data harvester is any more secure or privacy conscientious than the others? Or is there someone why thinks Cloudflare are doing this for free?
> They are making to many decisions that really should be mine not there's. A lot of us use chosen DNS servers
Like you, I would turn it off. I also recognize that 99.9% of users don't know what DNS is. So that goes to the question of "they [Firefox] are making too many decisions that should be mine, not theirs". I would say the *defaults* should be selected based on what is best for the 99% of users who can't and won't make a choice. Settings should be available for the 0.1% who will use them.
That said, I'm not convinced that this particular choice is best for the 99% who don't know what we're talking about. That's an entirely separate question.
"At Mozilla, we believe that privacy is fundamental to a healthy internet."
Bullshit you fucking lying corporation. Time you got sued for false and misleading advertising.
Aren't they behind the 1.1.1.1 DNS resolver that supposedly doesn't track you?
Two them CloudFlare is pwned by the NSA.
-- I ignore anonymous replies to my comments and postings.
Proof that even non-profit turns evil.
It doesn't have to be black and white. Take an approach similar to Microsoft's where they show a screen on first use with all the defaults set but the ability to select your own, clueless users get to click next and keep what Mozilla thinks is best while knowledgeable users can make whatever choice that they see fit as they are being informed.
How can I make it so NO Firefox browsers on my network can use this? Dns/ip blocks?
First off your ISP guarantees they sell your browser history to advertisers and some EVEN INSERT ads into your browsing experience. Cloudflare who is behind 1.1.1.1 guarantees your privacy as well as gives you the lowest latency if you read the agreement at www.1111.com.
Cloudflare is used for companies that have been hacked for security as well as CDN services. Experia consulted with them after the scandal.
http://saveie6.com/
Yep
Yet another damn thing I need to change in the about:config because the default sucks.
Fuckers.
> And Cloudflare answers to US law enforcement. See any problem with sovereignty issues? I do.
They all answer to US authorities. I thought Cloudflare was European but I could be wrong. Your American service provider is no exception.
It's a shame you're reaching such a radical decision with no clear indication of how you'll achieve this desired end. The other popular browsers (Edge, Safari, Chrome, or Opera) are proprietary (nonfree software, user-subjugating software). So without more information it seems like you're likely going to choose a browser that will, ironically, give you considerably less control over your browser and you'll end up making a choice to have fewer "decisions that really should be mine not [theirs]". You're overreacting in response to something that is literally a preference change away (as far as we know now). Encrypted DNS lookups could be a very good thing, but pushing users into using a particular DNS server is bad and choosing an organization with a track record for going back on their promises (as Cloudflare is famous for doing) makes this decision worse.
But regardless of the change or how easy it is to switch the behavior back to using only your preferred DNS server and never informing an unwanted third-party about your browsing, the saving grace of Firefox remains the same: Firefox is licensed such that one can make a free derivative browser (as others have done). We're all allowed to inspect the code, make changes, run the now-trusted version, and help others by distributing a derivative browser. You can't legally do any of that with other popular browsers.
We make free software better by improving it and using the improved versions, not abandoning free software when it becomes inconvenient or undesirable. The privacy you obviously, and rightly, want to keep depends on software freedom.
Digital Citizen
> they guarantee that they keep no records and do not even log the traffic going through those servers.
And what immutable, legally-binding contract enforces this guarantee? A pinky swear? And what legal reparations do I get when they break the guarantee?
zero visibility to internal DNS resolution for corporate networks
Ham handed is the kindest thing I can say about this.
Hey,
Something missed in this, is that Cloudflare created their new public resolver with a very security-focused conscience, to the point of not even keeping lookup records. Refs https://blog.cloudflare.com/announcing-1111/ and https://blog.cloudflare.com/dns-resolver-1-1-1-1/ (similar content, difference focus).
Personally, with these goals and oversight, I trust them more than nearly any other resolver.
-Platima
This would be a neat feature for the .1% as well, if you could explicitly define what service back-end provides the TRR. Then it is just a redundant failsafe DNS alternative that you can still control.
The issue is not that there is an alternative resolver that can work even when DNS is down; the issue is that it makes a decision for you that you don't like-- specifically, the choice of who is providing the resolution services. If they give you that control too, then this "issue" disappears completely.
https://developers.cloudflare....
Eh I'll just post this link here and you can draw your own conclusions.
Whoops meant to post this here.
https://developers.cloudflare....
You can draw your own conclusions.
Cloudflare doesn't log your requests, so using Cloudflare DNS is not a privacy problem (even if law enforcement requests your DNS lookups from them, they have no log to provide).
But it also isn't a solution. Your ISP sees the IP address and domain that your https connections go to anyway. The IP address is in each IP packet header, and the domain name is sent in plain text as part of the "client hello" message that is the first step in setting up a secure connection between client and server.
All this does is send DNS requests to a known DNS server (Cloudflare) instead of a (possibly) unknown DNS server, so a random unknown DNS server won't log the domains you visit. But your ISP still can (and probably does).
What were they thinking? DNS results can vary depending on your location in the network topology!
90% of people who don't even know what DNS is, and who wouldn't be able to select this security feature in the first place (since they don't understand it), do welcome the feature, unknowingly.
Slashdot, fix the reply notifications... You won't get away with it...
IoW, your link will not work.
Easily demonstrated to be false.
And if this is disabled by default why is everybody so pissed off?
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Split DNS will be screwed over by this. It also, by default, won't allow responses with RFC1918, like most company networks use for internal addressing.
This will cause a lot of trouble...
I've used Firefox since it was called Netscape Navigator, but if this cannot be disabled, then I will have no choice but to abandon Firefox.
Maybe I should just fork Firefox and start removing the garbage.
p.s. Dear Firefox, nobody asked for this. Nobody wants this. If you send my DNS to Cloudflare, then I'll consider your company malware vendor and boycott all of your products for the rest of my life.
As a security feature our local DNS server maps certain untrustworthy domain names to 127.0.0.1 (eg microsoft, adobe, google, facebook, samsung, and more). So by overriding our local nameserver with some untrustworthy third party server Mozilla is really becoming another of those untrustworthy companies. Why on earth would anybody do what Mozilla is going to do? Isn't stuffing up a perfectly good browser good enough?
"AND -- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers. "
You've obviously not read their actual policy, because that's not true.
DNS is one of the few remaining services yet to be totally centralized. Assertions that centralized systems (Mozilla) are more trustworthy and privacy preserving than federated ones are doublespeak.
Mozilla is basically asserting without evidence everyone's DNS servers are untrustworthy and therefore for users own good only theirs can be trusted.
It is not even clear what practical or theoretical benefit to the end user there would be, given that anyone in the data path can see the destination address, SNI, PKI identity and TLS session identifiers. It isn't ever any secret where you are going unless you use an overlay network like Tor.
Mozilla's unilateral decision to bypass name service administrative policy including DNS based filtering of harmful domains greatly reduces user privacy and security for no reason.
It also creates unnecessary administrative problems accessing resources using naming services not globally resolvable from cloudflare in addition to TFA's points.
Enabling this by default is unconscionable. Mozilla should be boycotted if they actually go through with it. I'm tired of them falling all over themselves asserting they care so much about privacy when reality is Firefox by default is an endless parade of excuses to call home. It requires an unreasonable amount of effort screwing around in about:config to actually stop it.
In the security world, changing the DNS servers being used without notifying the owner of the machine is known as "hijacking DNS".
How on earth is Mozilla getting away with hijacking DNS?
> -- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers.
LOL...
Cloudflare will collect only the following information from Firefox users:
• Timestamp
• IP Version (IPv4 vs IPv6)
• Resolver IP address + Port the Query Originated From
• Protocol (TCP, UDP, TLS or HTTPS)
• Query Name
• Query Type
• Query Class
• Query Rd bit set
• Query Do bit set
• Query Size Query EDNS
• EDNS Version
• EDNS Payload
• EDNS Nsid
• Response Type (normal, timeout, blocked)
• Response Code
• Response Size
• Response Count
• Response Time in Milliseconds
• Response Cached
• DNSSEC Validation State (secure, insecure, bogus, indeterminate)
• Colo ID
• Server ID
What a sad quagmire FF has become. Anyone recall the fun we had when FF was lightning fast and you had plugins like "Bork Bork Bork". I miss that. All this "new tech" nonsense is irrelevant.
Because Google is not just untrustworthy due to their weird actions, but it's their entire business model.
(Google is an ad company. And when was the last time you saw an ad that was not lying to you? Especially fraudulent concealment. In a sane world, advertisement would be a crime by definition.)
Got any other suggestions? Vivaldi? Pale Moon?
"While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know(...)"
I don't use random DNS servers and I don't trust Cloudflare at all. Why in the world should they choose that for me? I see so many problems (performance and security for starters) with this approach that I find it hard to believe how this idea got this far.
This reminds me of the time Network Solutions wanted to resolve all unknown hosts to its own IPs to show a friendly message (and maybe gather some data in the process).
Hope it's possible to change this behavior and sincerely hope Mozilla invest their resources in optimizing Firefox performance rather than this nonsense.
Not just critical thinking, but thinking for yourself *at all*. And having empathy, being social, giving a fuck, being creative, and all the other things differentiating humans from psychopathic drone robots ... like you.
Why DNS over HTTPS, and not DNS over TLS? What does the extra overhead of HTTPS give us?
> I would say the *defaults* should be selected based on what is best for the 99% of users who can't and won't make a choice. Settings should be available for the 0.1% who will use them.
What about the remaining 0.9% of people?
The author mixes up issues of security and privacy in the article.
I have a small ipset that contains allowed, trusted DNS for upstream resolvers. My iptables prevent DNS from using any resolver not on the list and my settings are to use dnsmasq on the localhost. Cloudflare is not currently on my allowedDNS list.
I thought everybody at /. was paranoid and firewalled DNS and only allowed email to specific server IPs.
Mozilla is still better than Chrome for privacy. I'm sticking with them. I trust you will let me know about upcoming changes that require a user response.
"When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore."
Just for this part, I'll have to drop Firefox. I use a local DNS on my network for web development that resolves any .localweb URL, allowing me to work on my computer and test with my phone easily.
And no, going to the settings and changing this at every small update they do is not a solution. And the "developer edition" of Firefox is cancer. IE9 was better for web development.
services by our internal DNS server that knows about them. That's crazy.
Oh, sure thing guy. This is, after all, the official way to send us queries and since you've clearly gave us a way to contact you, you'll be hearing an official reply soon.
#DeleteFacebook
The bad guys used to have to compromise many many DNS servers run by many many different organizations. Now they only have to pwn Cloudflare's and they are set.
Exposing data to a particular party is an issue iff the security model treats that data as confidential and not intended for that party. In the current model of things, DNS queries are sent in the clear and so there is no confidentiality with respect to any party that happens to be eavesdropping.
So then thinking for a bit, we could have some transport layer security for DNS, this would provide confidentiality and integrity over the wire. We still have to share the domains we need with the service that resolves them though, so it literally cannot be kept confidential from that service. Or to put it another way, we want to receive a particular piece of information X, we can't keep it a secret that we requested X.
So then we are into distributed networks (aka TOR) and other sort of services where we accept that we cannot hide the nature of our request to the network (or else it wouldn't be able to return the requested resource) but we try to smear it out so that requests are all over the place. This would have major implications for authenticity though -- nodes in a 'mesh' DNS resolver could maliciously substitute their own resolutions.
To resolve that you need an authority like DNSSec, which means some root-level keys and that's a whole new mess.
Better option is to use local DNS server that supports dns over tls or dns over https. This works for all apps and not just one browser. And, you get to decide which dns provider to use.
That just trains users to blindly click "use recommended settings" all the time. Within about a week of Microsoft rolling that screen out you started seeing malware requesting permissions from the user with "use recommended settings" or "accept (recommended)". Worst of all, having gone with the recommendation the next pop-up from Windows asking them to confirm if they are really really sure also becomes a blind click-through.
Besides which, I don't see any value in such a screen when the settings menu is two clicks away and power users are going in there anyway.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I am on this stupid browser ver 60.1.0esr.
it has that entry in about:config "network.trr.mode"
if i set that value to "5" it cannot resolve anything anymore.
however on the same machine "dig slashdot.org" and "slashdot.org"
in chromium both work.
they force me to configure "0" value, so that in the next update it gets
defaulted to something evil behind my back, because i forgot about it.
i cannot pre-empt it NOW with value "5" because it doesn't work ... ...
maybe it's time for firefox to die
everybody know that l3tt3rs quantum relies on being able to intercept
dns request FASTER to be able to inject request.
also how is the admin going to configure the firewall to force a certain dns server, if the shit gets "tunneled via http", which is like ... "the web", duh?
Ahw Shit. Whats APK gonna do now?
it is off by default. https://wiki.mozilla.org/Trust... "TRR is preffed OFF by default and you need to set a URI for an available DOH server to be able to use it." "Set `network.trr.mode` to 2 to make DNS Over HTTPS the browser's first choice but use regular DNS as a fallback (0 is "off by default", 1 lets Firefox pick whichever is faster, 3 for TRR only mode, 5 to explicitly turn it off)."
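For the admins in this thread asking how to tell what a deployed Firefox will actually do (the 50,000-machine comment and the about:config question above), here is an added example of my own, not code from Mozilla or from any commenter: it parses the `user_pref(...)` lines of a Firefox `prefs.js`/`user.js` file and reports the TRR mode using the value meanings quoted from the Mozilla wiki above. The pref name `network.trr.uri` is the real pref that holds the DoH server URL; the profile text and the DoH URL in it are constructed samples.

```python
import re
from typing import Dict, Optional, Tuple, Union

PrefValue = Union[int, bool, str]

# Meanings of network.trr.mode values as quoted from the Mozilla wiki in the comment above.
TRR_MODES = {
    0: "off (default): native OS resolver only",
    1: "race: whichever of DoH and native DNS answers first",
    2: "DoH first, native DNS as fallback",
    3: "TRR only: DoH with no native fallback",
    5: "explicitly off",
}

# Matches  user_pref("name", value);  and  pref("name", value);  lines.
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profile fragment (not a real profile).
SAMPLE_PREFS = '''// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
user_pref("privacy.donottrackheader.enabled", true);
'''


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js-style text into a dict, converting ints, booleans and quoted strings."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue                        # comments, blank lines, anything else
        key, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[key] = raw[1:-1]
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw            # keep unknown literals verbatim
    return prefs


def trr_status(prefs: Dict[str, PrefValue]) -> Tuple[int, str, Optional[str]]:
    """Return (mode, human-readable meaning, DoH URI or None) for a parsed profile."""
    mode = prefs.get("network.trr.mode", 0)     # absent pref means the documented default, 0
    if not isinstance(mode, int) or isinstance(mode, bool):
        mode = 0
    desc = TRR_MODES.get(mode, "value not described on this page")
    uri = prefs.get("network.trr.uri")
    return mode, desc, uri if isinstance(uri, str) else None


def doh_can_be_used(prefs: Dict[str, PrefValue]) -> bool:
    """Per the quoted wiki text: DoH needs a mode that allows it AND a configured server URI."""
    mode, _, uri = trr_status(prefs)
    return mode in (1, 2, 3) and bool(uri)


if __name__ == "__main__":
    parsed = parse_prefs(SAMPLE_PREFS)
    mode, desc, uri = trr_status(parsed)
    print(f"network.trr.mode={mode}: {desc}; uri={uri}; DoH usable={doh_can_be_used(parsed)}")
```

Run against each profile directory's `prefs.js` (and `user.js`, which overrides it) to see which machines would still send queries over DoH; a profile with no `network.trr.mode` line at all is reported as mode 0, matching the "off by default" statement quoted above.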
I am sorry, AGAIN, what is the problem? People are simply throwing mud and getting angry because they want to.
Never seen many meth smokers, have you... "fat" is not an applicable attribute.
> What about the remaining 0.9% of people?
Those are the ones still using Internet Explorer. Probably also using AOL's DNS servers, to find Geocities.
I too would turn it off. I use Quad9 for DNS. This does [some - it's not perfect] filtering of bad sites, refusing to return the ones it knows about. Cloudflare does not. So I'm less likely to get infected, get phished (already pretty low), or get to a tech support scam site with Quad9 than with Cloudflare. And I can change that network wide so the less technical users, the ones more likely to need the protection, get it for free. This change removes that protection in exchange for private DNS queries.
If this were a good idea, why would it be part of a web browser instead of the OS?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
This is yet another in the laundry list of reasons never to use anything from Mozilla. From the Toxic SJW culture to the rampant abuse of its users and everything in between, there's no justification for supporting them. None at all.
Is this a step toward Mozilla being a "man in the middle" to all my network requests? They pipe all data before it reaches my machine for my own good? Sure feels like it, and feels... bad. How the machine resolves DNS requests I think should be outside the scope of the browser. It's the job of the OS network stack.
This is dns over HTTPS. It's not so much about preventing dns rewriting but about reading. Even if you have carefully decided to craft your personal dns configs, you still probably are getting your dns queries sniffed by your isp. They rammed through a law allowing them to do whatever they want with your browsing history so this is a pretty critical step in blocking ISPs from being able to abuse that power. They can't sell what they can't see.
HTTPS DNS: GREAT. But to force us to use one DNS provider with all of the information is bad. Why not select Google? Or Apple? Or Microsoft? Why Cloudflare?
$$$$$$$$$$$$$$$$ Cha-ching.
I will stop using Firefox very shortly. Might as well go back to Microsoft's browser as Google is even more corrupted with Chrome and Android.
99% of users don't use Firefox. Firefox seems to be basing their decisions on Chrome and IE users.
> How the machine resolves DNS requests I think should be outside the scope of the browser. It's the job of the OS network stack.
I'd mostly agree with that. A page may contain 20 thumbnail images from nerdporn.com, on a page loaded from nerdporn.com. It would be silly for the browser to load that one page by asking the OS to look up nerdporn.com 21 times in one second. Better for the browser to remember the answer for a few seconds. Heck, if it changes while the page is loading that's probably a DNS rebinding attack.
So I'd say the browser should generally ask the system to resolve names, and the browser shouldn't be stupid about it. The browser uses a lot of names; it should be a little bit smart about how it does so.
Suppose the browser caches the answer for 30 seconds. After 40 seconds it asks for the fresh IP for Google.com to Slashdot.org and the OS says the DNS server is down. When the OS can't give an answer, should the browser go ahead and use the answer that the OS provided 40 seconds ago? Maybe so.
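The caching policy sketched in the comment above (reuse an answer for a few seconds, serve a recent stale answer when the resolver is down, treat a change during a page load as a possible rebinding), written out as an added example in Python. It is not code from the page or from Firefox; the class name, the scripted resolver, the 30-second TTL, the 60-second rebinding window and the sample host name are all assumptions. It goes one step beyond the comment by pinning the old address when a public answer flips to a private or loopback one, which is the usual rebinding pattern, instead of connecting to the new one.

```python
import ipaddress
import time


class BrowserDnsCache:
    """A per-browser name cache in front of the OS resolver (assumed design).

    - an answer is reused for `ttl` seconds, so a page with many images from one
      host costs one OS lookup, not one per image;
    - if the resolver fails, a stale answer up to `stale_max` seconds old is served;
    - if a fresh answer differs from one fetched less than `rebind_window` seconds
      ago, or a public address turns into a private/loopback one, the change is
      recorded as a rebinding suspect and the old address is pinned instead.
    """

    def __init__(self, resolver, ttl=30.0, stale_max=300.0, rebind_window=60.0,
                 clock=time.monotonic):
        self.resolver = resolver          # callable name -> ip string, raises OSError
        self.ttl = ttl
        self.stale_max = stale_max
        self.rebind_window = rebind_window
        self.clock = clock                # injectable for deterministic tests
        self.entries = {}                 # name -> (ip, fetched_at)
        self.lookups = 0                  # calls that actually reached the resolver
        self.rebinding_suspects = []      # (name, old_ip, new_ip)

    @staticmethod
    def _is_public(ip):
        return ipaddress.ip_address(ip).is_global

    def resolve(self, name):
        now = self.clock()
        cached = self.entries.get(name)
        if cached and now - cached[1] < self.ttl:
            return cached[0]              # fresh enough: no OS lookup at all
        self.lookups += 1
        try:
            ip = self.resolver(name)
        except OSError:
            if cached and now - cached[1] < self.stale_max:
                return cached[0]          # resolver down: serve the recent stale answer
            raise
        if cached and ip != cached[0]:
            old_ip = cached[0]
            suspicious = (now - cached[1] < self.rebind_window or
                          (self._is_public(old_ip) and not self._is_public(ip)))
            if suspicious:
                self.rebinding_suspects.append((name, old_ip, ip))
                self.entries[name] = (old_ip, now)   # pin the address we already used
                return old_ip
        self.entries[name] = (ip, now)
        return ip


def simulate():
    """Constructed scenario: 21 lookups in one second, a resolver outage at 40 s,
    then the answer flipping to loopback at 45 s. Addresses are sample values."""
    clock = [0.0]
    answers = {"nerdporn.example": "93.184.216.34"}
    outage = [False]

    def resolver(name):
        if outage[0]:
            raise OSError("resolver down")
        return answers[name]

    cache = BrowserDnsCache(resolver, ttl=30.0, clock=lambda: clock[0])
    for _ in range(21):                   # one page, 21 references to the same host
        cache.resolve("nerdporn.example")
    lookups_for_page = cache.lookups

    clock[0] = 40.0
    outage[0] = True
    stale_ip = cache.resolve("nerdporn.example")   # TTL expired, resolver down

    outage[0] = False
    clock[0] = 45.0
    answers["nerdporn.example"] = "127.0.0.1"      # a rebinding-style flip
    pinned_ip = cache.resolve("nerdporn.example")
    return {
        "lookups_for_page": lookups_for_page,
        "stale_ip": stale_ip,
        "pinned_ip": pinned_ip,
        "suspects": list(cache.rebinding_suspects),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "=", value)
```

The scripted resolver stands in for the OS stub resolver; in a real browser the pinned address and the suspect list would feed the same-origin and connection-reuse logic, and the stale window is the only reason the page still loads during the outage.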
Firefox never totally secure.- Mr. A. Coward : }
Because DNS queries won't be resolved by my local ISP's recursive DNS servers, I won't gain the benefit of local CDNs that colocate at my local ISP (including Netflix, Google, Akamai, etc.). My streaming will resolve to IPs differently and not benefit any more. Thus slowing down sites that use those very network-nearby services.
So how will the GDPR affect this?
Below is a link to Cloudflare's FAQ regarding this...
https://developers.cloudflare....
Cloudflare will collect only the following information from Firefox users:
Timestamp
IP Version (IPv4 vs IPv6)
Resolver IP address + Port the Query Originated From
Protocol (TCP, UDP, TLS or HTTPS)
Query Name
Query Type
Query Class
Query Rd bit set
Query Do bit set
Query Size
Query EDNS
EDNS Version
EDNS Payload
EDNS Nsid
Response Type (normal, timeout, blocked)
Response Code
Response Size
Response Count
Response Time in Milliseconds
Response Cached
DNSSEC Validation State (secure, insecure, bogus, indeterminate)
Colo ID
Server ID
Cloudflare claims they will only store that info for 24 hours... but there will be other info that will be stored long term... But in the world of collecting info I'd imagine the GDPR would have some sort of effect...right?
Or am I over thinking...? :-/
See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).
Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats use hostnames vs. IP addresses most firewalls use) more efficiently/FASTER + NATIVELY 4 less!
(Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).
* ONLY 1 of its kind in GUI on Linux!
Better vs. Windows model in speed/efficiency/merge.
APK
P.S.=> See subject: Not only do I resolve FASTER vs. remote DNS but I also avoid its requestlog tracking & DNS poisoning 99++% of ISP aren't patched against... apk
Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017
Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
Linux model = faster/more efficient
APK
P.S.=> APK Hosts File Engine 9.0++ SR-1 32/64-bit for Windows https://www.google.com/search?...
So would you prefer to require everyone who runs a home LAN to buy (and continue to renew) a publicly visible domain for the devices on his or her LAN, instead of relying on multicast DNS (mDNS) over the reserved .local domain?
The whole reason I use firefox is for privacy, and if I gotta edit some buried config variable I may as well just switch browsers (plus I was already irked for Firefox getting rid of RSS & too heavily pushing pocket)
What privacy focused alternatives do people recommend? Ideally a browser that:
* Has smart default settings privacy-wise
* Is quickly updated with security patches (doesn't lag days behind mainline chrome/firefox)
* Maintains compatibility for popular plugins
Settings should be available for the 0.1% who will use them.
The problem is that "settings" are only changeable after you run Firefox.
This shows up on every installation of Firefox, where the first thing it does is run back to home base to report the new installation. AFTER your installation is reported, you can change the home screen. And, IIRC, you get to have all the crap on the "blank page" active and call home before you can configure your blank page to be almost blank. You can't quite get all the way there -- the settings widget is always there to let you turn on useless crap.
That said, I'm not convinced that this particular choice is best for the 99% who don't know what we're talking about.
It isn't. People will be calling their ISP tech support wondering why Firefox can/cannot locate a page that IE cannot/can find, and someone will have to recognize that Firefox is ignoring the ISP-configured DNS server (which may have local names installed) in preference to Cloudflare.
"We know better how to configure your computer than you do" is not a good marketing tactic.
I am APK the great "LORD of HOSTS", a.k.a. AlecStaar or Alexander Peter Kowalski.
See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / I . a m . a . f u c k i n g / a s s h o l e . r e t a r d . z i p (remove spaces between characters & download).
I am the godlike creator of various GUI front-ends for other people's configuration files.
Watch as I claim I win every argument when in reality I know I lost but that won't stop me from proclaiming my victory.
When presented with facts I rebut them with wild speculations, false support, and out of context quotes
All of my accomplishments revolve around me being proven to be an annoying spamming asshole
See me be proud of my inability to be a functional adult
Bask in my debilitating mental illness
Hear me tell stories about me living large drinking miller lite in my ramshackle duplex with a roommate at age 54.
Watch me spew some word salad because I can't string 2 words together in a coherent manner.
I just don't understand why every site I post on everyone makes fun of me, it can't be because I am a shit stick but instead because they are all Ne'er-do-well SOYboy Jealous JOWIEs.
Witness my descent into madness
APK
Obligatory XKCD that you need to read and understand.
Oh, sure thing guy. This is, after all, the official way to send us queries and since you've clearly given us a way to contact you, you'll be hearing an official reply soon.
/. chatter will be enough to get my attention. As it was in this case.
The point, while unspoken, was that Firefox is open source and many people will notice and scream when things go against privacy or security. The proprietary alternatives will still hide things we deserve to know about.
You'll never understand 1 thing: Others saying anything good about what you do since you never do anything good, least of all from our /. peers (registered ones as I have & IF YOU NEED MORE? ASK - I've got them by the DOZENS saying my work's good &/or that they like & use it + that it's effective for more speed/security)
All that, vs. UNIDENTIFIABLE anonymous NOBODY you & "your kind"'s BULLSHIT "opinions" that aren't worth shit like you!
Why? Simple - Your kind's LOSERS that have to HIDE from me since I've obviously BLOWN YOU AWAY BEFORE (under your MANY SOCKPUPPETS you have here).
* That's what I understand about YOU specifically & know it's true!
APK
P.S.=> ... & so do YOU about your LOSER no good self... apk
See my subject & answer that: & Why do you also STALK me by UNIDENTIFIABLE anonymous posts as well? AFRAID to stand behind your lies??
* THIS I have to hear, lol - it WILL truly be a classic I'm sure!
(CAT GOT YOUR TONGUE SUDDENLY? You wouldn't answer LAST TIME I ASKED IT + YOU DOWNMOD "HID" IT (the sure sign of YOUR total SELF-defeat) https://it.slashdot.org/commen... )
Plus, since you say I'm the "Lord of Hosts"? My "portrait & themesong" https://www.youtube.com/watch?... so SATAN, get thee behind me.
APK
P.S.=> Grow up you obsessed loon who not only IMPERSONATES me but also STALKS me by UNIDENTIFIABLE anonymous posts constantly... apk
Yes, thank you.
It is their written privacy policy.
As I stated in my original comment: *IF* they live up to it and continue to deliver on that promise, it's the safest DNS out there, with the possible exception of OpenDNS... but faster.
Citation?
That doesn't matter if they have no logs to turn over.
That's the whole point, man.
https://slashdot.org/comments....
The first hit in this google search.
Users that are that stupid are beyond help, it won't matter what security features you implement they will do brain dead shit like that, you can't design software for those people as the only solution for them is to take away their computer. The value in the screen is information front and center for what has changed
Do you even HAVE a home (as I do fully paid off) or do you live in the local rescue mission or under a bridge like the troll you are? Nothing to show for yourself either in the way of accomplishment in computing either (prove otherwise - oh, that's right - you CAN'T when you don't have a damn thing to show like you).
* You're a JEALOUS "Lil' Jowie" loser that STALKS me via UNIDENTIFIABLE anonymous posts since you are AFRAID of me, no questions asked.
APK
P.S.=> Your JEALOUS is SHOWING "Lil' Jowie" but nothing else to show for yourself @ all - hahahaha... apk
Bloody good link, thanks!!!
You sound insane.