Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch)
With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPS" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.
From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true when you are somewhere in a network you don't know, i.e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.
But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.
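What actually leaves the browser once TRR is enabled is an RFC 8484 DNS-over-HTTPS request: a plain DNS wire-format query, base64url-encoded into the `dns` parameter of an HTTPS GET to the resolver. The following is an added example (not Mozilla's, Cloudflare's or the report's code) that builds such a request and parses a constructed response; the resolver URL `https://doh.example/dns-query` and the response bytes are assumptions made up for the demo, not observed traffic.

```python
"""Encode and decode the DNS-over-HTTPS (RFC 8484) messages a TRR client sends.

Added example, not code from Mozilla, Cloudflare or the ungleich.ch report.
The resolver URL and the response bytes below are constructed for the demo.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a hostname: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a DNS query. ID 0 and RD=1, as RFC 8484 recommends for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(resolver_url: str, name: str) -> str:
    """The GET form: unpadded base64url of the query in the `dns` parameter.
    Note the queried hostname is fully visible to whoever runs resolver_url."""
    token = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(msg: bytes, expected_id: int = 0):
    """Return [(name, ttl, ip)] for A answers; reject non-responses, ID mismatch, errors."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if msg_id != expected_id or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


# Constructed response (not captured traffic): flags QR|RD|RA, one A record whose
# owner name is a pointer (0xc00c) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url("https://doh.example/dns-query", "example.com"))
    print(parse_dns_response(SAMPLE_RESPONSE))
```

The request is protected by TLS on the wire, so a coffee-shop network cannot read or rewrite it; the resolver at the other end, however, receives the query name in full, which is exactly the trust shift the report objects to. The parser also shows the minimum a client should verify before using an answer: that the message is a response, that its ID matches, and that RCODE is zero.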
about:config
network.trr.mode=5
Stop updating.
Block JavaScript by default. (NoScript)
Block cross-site scripting by default. (uMatrix)
Block tracking cookies. (Privacy Badger)
Block advertising. (uBlock Origin)
Feature thrash does not solve security problems. If you can't get updates that are separate from new features, you can't trust them to reduce the attack surface.
They did. Well someone did. I believe this came from documentation on the feature when it was in beta:
https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
>"The summary didn't mention if this "feature" was possible to disable."
about:config
network.trr.mode = 5 to completely disable it
0 Off. To use operating system resolver.
1 Race native against TRR. Do both in parallel and go with the one that returns a result first. Most likely the native one will win.
2 First. Use TRR first, and only if the secure resolution fails use the operating system resolver.
3 Only. Only use TRR. Never use the native (after the initial setup).
4 Shadow. Runs the TRR resolves in parallel with the native for timing and measurements but uses only the native resolver results.
5 Off by choice This is the same as 0 but marks it as done by choice and not done by default.
https://blog.usejournal.com/ge...
You might consider switching to DNS Watch. Instead of providing Google or Cloudflare all your DNS query data (they have fingers in plenty enough other places in my opinion), DNS Watch favors privacy, security, and anonymity.
Preferred DNS server: 84.200.69.80
Alternate DNS server: 84.200.70.40
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
https://blog.nightly.mozilla.o...
https://wiki.mozilla.org/Trust...
I imagine the setting we're all looking for is: user_pref("network.trr.mode", 5);
It must have been something you assimilated. . . .
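The mode table and the `user_pref("network.trr.mode", 5);` line above are both about one setting in a profile's prefs.js or user.js. The following is an added example, not Mozilla code, of a small auditor for that file: it parses `user_pref(...)` lines, reports where a profile's lookups go according to the mode table posted in the thread, and rewrites the file to mode 5. The sample prefs text and the resolver URL `https://doh.example/dns-query` in it are constructed for the demo; an unset `network.trr.uri` is reported as `None`, meaning the browser's built-in default.

```python
"""Audit a Firefox prefs.js / user.js for Trusted Recursive Resolver settings.

Added example, not Mozilla code. Mode meanings follow the table posted in the
thread; the sample prefs text below is constructed, not from a real profile.
"""
import re

# network.trr.mode -> (label, who answers the lookup)
TRR_MODES = {
    0: ("off", "native resolver only"),
    1: ("race", "native and TRR in parallel, first answer wins"),
    2: ("first", "TRR, native only if the secure resolution fails"),
    3: ("only", "TRR only"),
    4: ("shadow", "native answers used, TRR still queried for measurement"),
    5: ("off by choice", "native resolver only"),
}

# Matches user_pref("name", "string") / 123 / true|false  (also plain pref(...))
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(?:"((?:[^"\\]|\\.)*)"|(-?\d+)|(true|false))\);',
    re.MULTILINE,
)


def parse_prefs(text: str) -> dict:
    """Return {name: value}; a later assignment overrides an earlier one, as in Firefox."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        name, s, n, b = m.groups()
        if s is not None:
            prefs[name] = s
        elif n is not None:
            prefs[name] = int(n)
        else:
            prefs[name] = b == "true"
    return prefs


def trr_status(text: str) -> dict:
    """Summarise whether, and to which resolver URL, this profile sends DoH queries."""
    prefs = parse_prefs(text)
    mode = prefs.get("network.trr.mode", 0)  # absent pref: treated as 0 here
    label, where = TRR_MODES.get(mode, ("unknown", "unknown"))
    return {
        "mode": mode,
        "label": label,
        "resolved_by": where,
        # modes 1-4 all send the query name to the TRR endpoint, even shadow mode
        "sends_to_trr": mode in (1, 2, 3, 4),
        "trr_uri": prefs.get("network.trr.uri"),  # None: browser's built-in default
    }


def opt_out(text: str) -> str:
    """Force network.trr.mode to 5 ("off by choice"), appending the line if absent."""
    line = 'user_pref("network.trr.mode", 5);'
    pattern = re.compile(r'^\s*user_pref\("network\.trr\.mode",\s*-?\d+\);[ \t]*$', re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(line, text)
    return text.rstrip("\n") + "\n" + line + "\n"


# Constructed sample profile fragment (not a real user's file).
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
"""

if __name__ == "__main__":
    print(trr_status(SAMPLE_PREFS))
    print(opt_out(SAMPLE_PREFS))
```

Run it against `~/.mozilla/firefox/<profile>/prefs.js` (or a user.js you ship to a fleet) with Firefox closed, since Firefox rewrites prefs.js on exit. Mode 4 is worth a second look: it keeps using the native resolver's answers, so nothing visibly changes, yet every query name is still sent to the TRR endpoint.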
This is what is currently on the 1.1.1.1 site (which I'm assuming is what Firefox is using, since it's owned by Cloudflare):
Privacy First: Guaranteed.
We will never sell your data or use it to target ads. Period.
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.
Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.
Of course, like any other DNS Resolver, you have to trust what they're saying is true, but vs. your ISP DNS (which most firefox users are using by default) or Google Public DNS, Cloudflare would be a privacy improvement. Not sure if it's better than Quad9 security wise though.
The biggest issue I have is that the settings aren't exposed in the settings menu and have to be configured using about:config. I would like to see better controls for it and possibly a list of supported DNS providers to choose from, like how I can choose search engines.
In Soviet Russia, Trojan exploits YOU!