Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch)
With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPS" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.
From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true when you are somewhere in a network you don't know, i. e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.
But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.
As I stated on my original post, I use Firefox ESR 60 on a mac. And Firefox on my android (KeyOne).
At home I use 9.9.9.9, 8.8.8.8 and 208.67.222.222 since I have better things to do than to set up my Synology to be my DNS server.
But when I travel, I use public wifi whenever I can get it, be that my hotel, the training centers where I teach, or, god forbid, a hipster coffee shop. And many of those need a captive portal to authenticate to the Wifi, and that depends on using the network's DNS servers. So, I configured an "Automatic" setting on the network locales of my mac to handle those cases.
So, as a user of Firefox, I am not happy with this. I am capable enough to configure my DNS settings (or, if push comes to shove, set up a DNS from scratch, not even touching my NAS).
So thank you for the inconvenience, Mozilla. I hope you guys enjoy the backlash when hipsters start to realize that they cannot connect to the net in their favourite hipster watering spot because they cannot get to the captive portals...
At least, the guys who use Mozilla in corporate networks will get this asinine setting turned off in group policies... as for the rest of us, a quick google and a trip to about::settings shall suffice
*** Good luck to everyone, and have a nice day!
UK spook team would say 'This is bad'
How will we block British Users from using our censored lists or logging persons of interest who reference very bad extreme religious sites?
China: Eeek - our firewall will need fixing again. We just block and force it to fallback - no probs.
Me: I use a VPN and it will get over this, only I don't trust my AV software from poking its beak in - such as dangerous sites.
The winners will be PirateBay and banned chat apps in oppressed countries - and cloudflare, Microsoft, Bing and 3rd party want-to-be's just lost significantly.
I suppose you prefer to do your forwarding requests to your ISP DNS who sells your browsing information instead, huh?
FYI Cloudflare's business model is to help business customers secure their connections. You can read it here which is a plus for grandma. But if you're technical like most of us then I am sure you can disable it.
http://saveie6.com/
Mozilla employee here, though not involved with this project.
The hipsters will be fine, as the most likely setting falls back to the system DNS when TRR fails. For a little more detail see: https://wiki.mozilla.org/Trust...
I hope you guys enjoy the backlash when hipsters start to realize that they cannot connect to the net in their favourite hipster watering spot because they cannot get to the captive portals...
I take it you don't realise that Firefox detects captive portals and brings up a bar across the top asking you to sign in, and that since Firefox is in control of when and how it makes requests this functionality is not affected?
May I recommend another slashdot story, the one suggesting we need more people studying liberal arts because the concept of "critical thinking" seems to be lost.
Mozilla employee here, though not involved with this project.
Will Mozilla be disclosing its financial relationship with cloudflare and provide a full accounting of funds it receives as a result of this insanity?
So when I'm using an internal nameserver that resolves local servers with their local IP address, this thing will force resolve the external address from an external DNS and break local access, won't it? (split-brain DNS)
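An added example, not from the article or any commenter, covering both the "turned off in group policies" remark earlier in the thread and the split-brain DNS question just above: Firefox's enterprise policy file (`distribution/policies.json` in the install directory, supported in releases newer than the ESR 60 the earlier poster uses) lets an administrator disable TRR and lock the setting so users and about:config cannot re-enable it. The key names are Firefox's own `DNSOverHTTPS` policy; nothing else is assumed.

```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
```

For sites that want to keep DoH but protect an internal zone, the same policy accepts an `ExcludedDomains` list (for example `["corp.example"]`, a constructed placeholder) so those names go to the system resolver instead of the remote one.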
Why trust them? A lot of dead links on their website, GitHub, Facebook, their "network", even their other website ideal-hosting.com isn't resolving.
All I can find is that they are some IT/Media company from Munich, Germany.
That just trains users to blindly click "use recommended settings" all the time. Within about a week of Microsoft rolling that screen out you started seeing malware requesting permissions from the user with "use recommended settings" or "accept (recommended)". Worst of all, having gone with the recommendation the next pop-up from Windows asking them to confirm if they are really really sure also becomes a blind click-through.
Besides which, I don't see any value in such a screen when the settings menu is two clicks away and power users are going in there anyway.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC