Slashdot Mirror


Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch)

With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPS" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.

From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true when you are somewhere in a network you don't know, i.e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.

But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.

3 of 301 comments

  1. GOOD, HOLD MOZILLA RESPONSIBLE by Khyber · Score: -1, Flamebait

    "When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore"

    AKA We'll put child pornography on your line when we fucking feel like it.

    You've demonstrated that you can control HTTP traffic. You no longer have protection. Time to tell EVERYONE your pedophile tendencies.

    Mozilla is a GROUP OF PEDOPHILES.

    Prove otherwise by their actions - you won't.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  2. Re: I'd want to know how to disable the sexbot by Khyber · Score: -1, Flamebait

    I literally just middle-clicked the link and went right to it, you fucking moron. Shut your fucking mouth and don't post on this site again, you lying sack of shit.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  3. Re: I'd want to know how to disable the sexbot by Khyber · Score: -1, Flamebait

    Easily demonstrated to be bullshit with just a simple middle-click.

    HCS_$Reboot is a fucking lying sack of shit that knows nothing. You may safely ignore the fucktard.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.