Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch)
With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPS" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.
From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true when you are somewhere in a network you don't know, i. e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.
But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.
I run my own local recursive nameservers even on my portable devices. Totally not interested in using anyone's resolvers but my own. I hope they publish instructions on how to bypass the behavior.
Sorry, I'll have to pass on Firefox these days. They are making too many decisions that really should be mine, not theirs. This should be an opt-in if it happens at all. A lot of us use chosen DNS servers, thank you very much Mozilla, but no thanks.
... need this feature a lot.
And since the Firefox developer team has a big subset of that demographic, it is quite clear why this was included.
All the rest of us, who carefully configured our DNS resolvers (or set up our own DNS servers), get screwed by default. Please tell me how to turn this off in Firefox for Mac/Android...
All the hipster developers using wifi in starbucks and other hipster coffee shops should be thanking Mozilla right now. All the rest of us, not so much.
PS: How does this work when one needs to go to a captive web portal in order to authenticate on the Wifi?
*** Good luck to everyone and happy day!
once again, this is a bad idea!
browsers are not the only things using DNS, additionally, it is just one more attack vector on an already sizable surface area.
And if FF enforces this feature... they will only risk losing market share in the browser space every time their "vision" is used to attack systems.
Every time Firefox updates, I have to find a new way to disable the latest cruft. Even getting a totally blank new tab anymore requires an addon. And of course the totally undocumented cruft of about:config is another nightmare in itself.
After several noteworthy attempts, Firefox has finally jumped the shark. I've got to find a new browser. Messing with my DNS is totally unacceptable.
And even if anyone thought Mozilla's idea is a good one, which it isn't, why so much trust in Cloudflare?
Did everyone completely forget "Cloudbleed" of early 2017?
When my work VPN is up, dnsmasq redirects some (not all) DNS queries to the resolvers at work. Sounds like FF is going to break my work VPN.
http://forums.dds6qkxpwdeubwuc...
https://bugzilla.mozilla.org/s...
https://trac.torproject.org/pr...
FYI
Because if it does, I think I can overall live with it.
Liberty - Security - Laziness - Pick any two.
They should be allowed to do so, at the OS level.
The summary didn't mention if this "feature" was possible to disable.
I DO NOT want every freaking app to use a different DNS to resolve my queries.
This is arguably more of a privacy issue than a security issue. While Cloudflare represents a large attack vector, they certainly have better security than your ISP. As to where all that DNS information goes, whether it be Google or Cloudflare, it is not hard to guess.
Hmmm. I haven't looked at this... but it sounds like it'll break any host names I've set up locally (for development) and not published to global DNS...
Ah! Hark the days of Netscape Navigator 2.0, and the little Lizard Throbber on the corner!
(can you install the old lizard throbber back? Firefox 61/Linux here.)
Please tell me that this will break internal DNS for non-existent top level domains. I've recently encountered several business partners who insisted on inventing their own internal top level domains, and simply accepting that there is no HTTPS signatory for those top level domains.
#1 This better be able to be disabled and end-users cannot turn back on. We use DNS filtering for a lot of things in our corporate networks. If someone can use Firefox with Cloudflare's DNS then they will be bypassing all our DNS servers, filtering and security! #2 I use DNS filtering at home to keep my teenagers off sites I do not approve. Again this better be able to be disabled without my kids being able to turn it on. This is a very very very bad idea and will really piss me off because we just standardized on Firefox for over 50,000 machines.
Good Job, Mozilla, in making an inexcusable privacy-raping tool..
Fuck off,
Signed,
The majority of reality, faggots.
And I'm gay, so I can call you faggots all day long without repercussion, dick-suckers.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This whole so-called "security issue" ignores the fact that Cloudflare already offers its own DNS resolvers, at 1.1.1.1 and 1.0.0.1.
AND -- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers.
Frankly, I trust that a whole lot more than any promise from Google.
And yes... as long as Cloudflare continues the same policy, and lives up to it, it is a heck of a lot more secure than going through some random DNS resolver you don't even know.
> They are making to many decisions that really should be mine not there's. A lot of us use chosen DNS servers
Like you, I would turn it off. I also recognize that 99.9% of users don't know what DNS is. So that goes to the question of "they [Firefox] are making too many decisions that should be mine, not theirs". I would say the *defaults* should be selected based on what is best for the 99% of users who can't and won't make a choice. Settings should be available for the 0.1% who will use them.
That said, I'm not convinced that this particular choice is best for the 99% who don't know what we're talking about. That's an entirely separate question.
To them, CloudFlare is pwned by the NSA.
-- I ignore anonymous replies to my comments and postings.
Proof that even non-profit turns evil.
It doesn't have to be black and white. Take an approach similar to Microsoft's where they show a screen on first use with all the defaults set but the ability to select your own, clueless users get to click next and keep what Mozilla thinks is best while knowledgeable users can make whatever choice that they see fit as they are being informed.
First off your ISP guarantees they sell your browser history to advertisers and some EVEN INSERT ads into your browsing experience. Cloudflare who is behind 1.1.1.1 guarantees your privacy as well as gives you the lowest latency if you read the agreement at www.1111.com.
Cloudflare is used for companies that have been hacked for security as well as CDN services. Experia consulted with them after the scandal.
http://saveie6.com/
Yep so the answer is to use your ISP who tells you in the agreement they will sell your information and history to advertisers instead
Yep
The trustworthiness of an ISP's DNS is not really significant: if you can't trust their DNS server you can't trust their routers either, and if that's true no IP address you use is safe from redirection. Only an external authenticated connection is safe, and DNS doesn't work like that. If Mozilla is using a public key encryption mechanism between the browser and their name resolution server it will be far more secure than current DNS servers, whether you use your own, a known external one, or your ISP's.
A lot of websites now are going HTTPS, with Google banning HTTP already in canary releases in Chrome. This will make it harder with transport layer security. For example your ISP will know you went to Amazon but not much else.
However, true pornhub will still be a record if they track each ISP unless you do a proxy with a secure connection.
And Cloudflare answers to US law enforcement. See any problem with sovereignty issues? I do.
They all answer to US authorities. I thought Cloudflare was European but I could be wrong. Your American service provider is no exception.
It's a shame you're reaching such a radical decision with no clear indication of how you'll achieve this desired end. The other popular browsers (Edge, Safari, Chrome, or Opera) are proprietary (nonfree software, user-subjugating software). So without more information it seems like you're likely going to choose a browser that will, ironically, give you considerably less control over your browser and you'll end up making a choice to have fewer "decisions that really should be mine not [theirs]". You're overreacting in response to something that is literally a preference change away (as far as we know now). Encrypted DNS lookups could be a very good thing, but pushing users into using a particular DNS server is bad and choosing an organization with a track record for going back on their promises (as Cloudflare is famous for doing) makes this decision worse.
But regardless of the change or how easy it is to switch the behavior back to using only your preferred DNS server and never informing an unwanted third-party about your browsing, the saving grace of Firefox remains the same: Firefox is licensed such that one can make a free derivative browser (as others have done). We're all allowed to inspect the code, make changes, run the now-trusted version, and help others by distributing a derivative browser. You can't legally do any of that with other popular browsers.
We make free software better by improving it and using the improved versions, not abandoning free software when it becomes inconvenient or undesirable. The privacy you obviously, and rightly, want to keep depends on software freedom.
Digital Citizen
they guarantee that they keep no records and do not even log the traffic going through those servers.
And what immutable, legally-binding contract enforces this guarantee? A pinky swear? And what legal reparations do I get when they break the guarantee?
zero visibility to internal DNS resolution for corporate networks
Ham handed is the kindest thing I can say about this.
This would be a neat feature for the .1% as well, if you could explicitly define what service back-end provides the TRR. Then it is just a redundant failsafe DNS alternative that you can still control.
The issue is not that there is an alternative resolver that can work even when DNS is down; the issue is that it makes a decision for you that you don't like-- specifically, the choice of who is providing the resolution services. If they give you that control too, then this "issue" disappears completely.
https://developers.cloudflare....
Eh I'll just post this link here and you can draw your own conclusions.
Whoops meant to post this here.
https://developers.cloudflare....
You can draw your own conclusions.
90% people who don't even know what DNS is, and who wouldn't be able to select this security feature in the first place (since they don't understand it) do welcome the feature, unknowingly.
Slashdot, fix the reply notifications... You won't get away with it...
And if this is disabled by default why is everybody so pissed off ?
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
DNS is one of the few remaining services yet to be totally centralized. Assertions centralized systems (Mozilla) are more trustworthy and privacy preserving than federated ones is doublespeak.
Mozilla is basically asserting without evidence everyone's DNS servers are untrustworthy and therefore for users own good only theirs can be trusted.
It is not even clear what the practical or theoretical benefit to the end user would be, given anyone in the data path can see destination address, SNI, PKI identity and TLS session identifiers. It isn't ever any secret where you are going unless you use an overlay network like Tor.
Mozilla's unilateral decision to bypass name service administrative policy including DNS based filtering of harmful domains greatly reduces user privacy and security for no reason.
It also creates unnecessary administrative problems accessing resources using naming services not globally resolvable from cloudflare in addition to TFA's points.
Enabling this by default is unconscionable. Mozilla should be boycotted if they actually go through with it. I'm tired of them falling all over themselves asserting they care so much about privacy when reality is Firefox by default is an endless parade of excuses to call home. It requires an unreasonable amount of effort screwing around in about:config to actually stop it.
In security world, changing DNS servers being used without notifying the owner of the machine is known as "hijacking DNS".
How on earth is Mozilla getting away with hijacking DNS?
-- this is the big point -- they guarantee that they keep no records and do not even log the traffic going through those servers.
LOL...
Cloudflare will collect only the following information from Firefox users:
• Timestamp
• IP Version (IPv4 vs IPv6)
• Resolver IP address + Port the Query Originated From
• Protocol (TCP, UDP, TLS or HTTPS)
• Query Name
• Query Type
• Query Class
• Query Rd bit set
• Query Do bit set
• Query Size Query EDNS
• EDNS Version
• EDNS Payload
• EDNS Nsid
• Response Type (normal, timeout, blocked)
• Response Code
• Response Size
• Response Count
• Response Time in Milliseconds
• Response Cached
• DNSSEC Validation State (secure, insecure, bogus, indeterminate)
• Colo ID
• Server ID
Cloudflare doesn't log your requests, so using Cloudflare DNS is not a privacy problem (even if law-enforcement requests your DNS lookups from them, they have no log to provide).
Their own site explicitly says otherwise.
Cloudflare will collect only the following information from Firefox users:
• Timestamp
• IP Version (IPv4 vs IPv6)
• Resolver IP address + Port the Query Originated From
• Protocol (TCP, UDP, TLS or HTTPS)
• Query Name
• Query Type
• Query Class
• Query Rd bit set
• Query Do bit set
• Query Size Query EDNS
• EDNS Version
• EDNS Payload
• EDNS Nsid
• Response Type (normal, timeout, blocked)
• Response Code
• Response Size
• Response Count
• Response Time in Milliseconds
• Response Cached
• DNSSEC Validation State (secure, insecure, bogus, indeterminate)
• Colo ID
• Server ID
Because Google is not just untrustworthy due to their weird actions, but it's their entire business model.
(Google is an ad company. And when was the last time you saw an ad that was not lying to you? Especially fraudulent concealment. In a sane world, advertisement would be a crime by definition.)
Got any other suggestions? Vivaldi? Pale Moon?
"While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know(...)"
I don't use random DNS servers and I don't trust Cloudflare at all. Why in the world should they choose that for me? I see so many problems (performance and security for starters) with this approach that I find it hard to believe how this idea got this far.
This reminds me of the time Network Solutions wanted to resolve all unknown hosts to its own IPs to show a friendly message (and maybe gather some data in the process).
Hope it's possible to change this behavior, and I sincerely hope Mozilla invests their resources in optimizing Firefox performance rather than this nonsense.
The author mixes up issues of security and privacy in the article.
I use Cloudflare's 1.1.1.1 DNS server because it saves me up to 8 digits on each lookup request!
#DeleteFacebook
Dude, DO NOT write their name as "Mozi//a", that's SJW and/or hipster crap. Mozi//a reads as "Mozi slash slash A". They're called Mozilla, in all letters.
It gives us extra overhead. Maybe Mozilla thinks the Web is not slow enough with all the current crap, maybe they want to make it even slower.
Oh, sure thing guy. This is, after all, the official way to send us queries and since you've clearly gave us a way to contact you, you'll be hearing an official reply soon.
Exposing data to a particular party is an issue iff the security model treats that data as confidential and not intended for that party. In the current model of things, DNS queries are sent in the clear and so there is no confidentiality with respect to any party that happens to be eavesdropping.
So then thinking for a bit, we could have some transport layer security for DNS, this would provide confidentiality and integrity over the wire. We still have to share the domains we need with the service that resolves them though, so it literally cannot be kept confidential from that service. Or to put it another way, we want to receive a particular piece of information X, we can't keep it a secret that we requested X.
So then we are into distributed networks (aka TOR) and other sort of services where we accept that we cannot hide the nature of our request to the network (or else it wouldn't be able to return the requested resource) but we try to smear it out so that requests are all over the place. This would have major implications for authenticity though -- nodes in a 'mesh' DNS resolver could maliciously substitute their own resolutions.
To resolve that you need an authority like DNSSEC, which means some root-level keys and that's a whole new mess.
A better option is to use a local DNS server that supports DNS over TLS or DNS over HTTPS. This works for all apps and not just one browser. And you get to decide which DNS provider to use.
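What a DoH client actually hands to the resolver, as an added example that is not part of the original thread or any commenter's code: this Python builds a DNS wire-format query with the RD and EDNS DO bits listed in the Cloudflare field list above, encodes it the way RFC 8484 specifies for a GET request, and parses a constructed reply. The name, address and flag values are constructed sample data, not captured traffic.

```python
import base64
import struct

# Added example: application/dns-message bodies for DNS over HTTPS (RFC 8484).
# No network I/O; the "response" below is constructed by hand.

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: <len><label>... terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0, do_bit: bool = True) -> bytes:
    """Build a query with RD set and an EDNS0 OPT record (DO bit optional).

    RFC 8484 recommends transaction id 0 so identical queries are cacheable.
    """
    flags = 0x0100  # RD (recursion desired) bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP payload 4096, ext-rcode/version 0,
    # DO bit is the top bit of the 32-bit "TTL" field, rdlen 0.
    ttl_field = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl_field, 0)
    return header + question + opt

def doh_get_path(query: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg: bytes) -> dict:
    """Return rcode, the AD (DNSSEC validated) flag and any A answers."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "answers": []}
    off = 12
    for _ in range(qd):           # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            result["answers"].append((name, ttl, ".".join(str(b) for b in rdata)))
    return result

def constructed_response() -> bytes:
    """Constructed reply: QR|RD|RA|AD flags, one A record via a 0xC00C pointer."""
    header = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_path(q))
    print(parse_response(constructed_response()))
```

Whoever terminates the HTTPS connection sees the decoded Query Name, Rd and Do bits directly, which is exactly the field set in the list above.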
That just trains users to blindly click "use recommended settings" all the time. Within about a week of Microsoft rolling that screen out you started seeing malware requesting permissions from the user with "use recommended settings" or "accept (recommended)". Worst of all, having gone with the recommendation the next pop-up from Windows asking them to confirm if they are really really sure also becomes a blind click-through.
Besides which, I don't see any value in such a screen when the settings menu is two clicks away and power users are going in there anyway.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
It is off by default. https://wiki.mozilla.org/Trust... "TRR is preffed OFF by default and you need to set a URI for an available DOH server to be able to use it." "Set `network.trr.mode` to 2 to make DNS Over HTTPS the browser's first choice but use regular DNS as a fallback (0 is "off by default", 1 lets Firefox pick whichever is faster, 3 for TRR only mode, 5 to explicitly turn it off)."
I am sorry, AGAIN, what is the problem ? People are simply throwing mud and getting angry because they want to.
> What about the remaining 0.9% of people?
Those are the ones still using Internet Explorer. Probably also using AOL's DNS servers, to find Geocities.
If this were a good idea, why would it be part of a web browser instead of the OS?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Is this a step toward Mozilla being a "man in the middle" to all my network requests? They pipe all data before it reaches my machine for my own good? Sure feels like it, and feels..bad. How the machine resolves DNS requests I think should be outside the scope of the browser. It's the job of the OS network stack.
> How the machine resolves DNS requests I think should be outside the scope of the browser. It's the job of the OS network stack.
I'd mostly agree with that. A page may contain 20 thumbnail images from nerdporn.com, on a page loaded from nerdporn.com. It would be silly for the browser to load that one page by asking the OS to look up nerdporn.com 21 times in one second. Better for the browser to remember the answer for a few seconds. Heck, if it changes while the page is loading that's probably a DNS rebinding attack.
So I'd say the browser should generally ask the system to resolve names, and the browser shouldn't be stupid about it. The browser uses a lot of names; it should be a little bit smart about how it does so.
Suppose the browser caches the answer for 30 seconds. After 40 seconds it asks for the fresh IP for Google.com to Slashdot.org and the OS says the DNS server is down. When the OS can't give an answer, should the browser go ahead and use the answer that the OS provided 40 seconds ago? Maybe so.
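The caching, serve-stale and rebinding reasoning in the comment above, as an added example that is not part of the original post: a small per-browser cache in front of the OS resolver that answers a burst of lookups from cache, falls back to the stale answer when the resolver is down, and refuses a fresh answer that moves a name from a public address to loopback or a private range (the classic rebinding pattern). The resolver script, clock and addresses are constructed; the cache policy is one plausible design, not Firefox's.

```python
import ipaddress
import time
from typing import Callable, Dict, List, Optional, Tuple

# Added example: a browser-side DNS cache sitting in front of the OS resolver.
# The resolver callable returns a dotted-quad string or None when it fails.

class BrowserDnsCache:
    def __init__(self, resolver: Callable[[str], Optional[str]],
                 max_age: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._resolve = resolver
        self._max_age = max_age
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}   # name -> (ip, fetched_at)
        self.resolver_calls = 0
        self.rebinding_events: List[Tuple[str, str, str]] = []

    def lookup(self, name: str, allow_stale: bool = True) -> Optional[str]:
        key = name.lower().rstrip(".")
        now = self._clock()
        cached = self._entries.get(key)
        if cached is not None and now - cached[1] < self._max_age:
            return cached[0]                      # fresh: no OS lookup at all
        self.resolver_calls += 1
        ip = self._resolve(key)
        if ip is None:                            # resolver down / SERVFAIL
            return cached[0] if (cached is not None and allow_stale) else None
        if cached is not None and self._looks_like_rebinding(cached[0], ip):
            self.rebinding_events.append((key, cached[0], ip))
            return cached[0]                      # keep the pinned public answer
        self._entries[key] = (ip, now)
        return ip

    @staticmethod
    def _looks_like_rebinding(old_ip: str, new_ip: str) -> bool:
        """Public address suddenly re-pointed at an internal one."""
        old, new = ipaddress.ip_address(old_ip), ipaddress.ip_address(new_ip)
        public_before = not (old.is_private or old.is_loopback or old.is_link_local)
        internal_now = new.is_private or new.is_loopback or new.is_link_local
        return old != new and public_before and internal_now

def simulate() -> dict:
    """Constructed scenario: public answer, then a rebind to loopback, then outage."""
    script = iter(["11.22.33.44", "127.0.0.1", None])   # constructed addresses
    now = [100.0]                                        # fake monotonic clock
    cache = BrowserDnsCache(lambda _n: next(script), max_age=30.0,
                            clock=lambda: now[0])
    first = cache.lookup("example.com")                  # page load: one OS lookup
    burst = [cache.lookup("example.com") for _ in range(20)]  # 20 thumbnails
    now[0] += 40.0                                       # entry expired
    after_rebind = cache.lookup("example.com")           # resolver says 127.0.0.1
    now[0] += 40.0
    stale = cache.lookup("example.com")                  # resolver down: serve stale
    return {
        "first": first,
        "burst_all_same": all(ip == first for ip in burst),
        "resolver_calls": cache.resolver_calls,
        "after_rebind": after_rebind,
        "rebinding_events": cache.rebinding_events,
        "stale": stale,
    }

if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```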
So how will the GDPR affect this?
Below is a link to Cloudflare's FAQ regarding this...
https://developers.cloudflare....
Cloudflare will collect only the following information from Firefox users:
Timestamp
IP Version (IPv4 vs IPv6)
Resolver IP address + Port the Query Originated From
Protocol (TCP, UDP, TLS or HTTPS)
Query Name
Query Type
Query Class
Query Rd bit set
Query Do bit set
Query Size Query EDNS
EDNS Version
EDNS Payload
EDNS Nsid
Response Type (normal, timeout, blocked)
Response Code
Response Size
Response Count
Response Time in Milliseconds
Response Cached
DNSSEC Validation State (secure, insecure, bogus, indeterminate)
Colo ID
Server ID
Cloudflare claims they will only store that info for 24 hours... but there will be other info that will be stored long term... But in the world of collecting info I'd imagine the GDPR would have some sort of effect...right?
Or am I over thinking...? :-/
So would you prefer to require everyone who runs a home LAN to buy (and continue to renew) a publicly visible domain for the devices on his or her LAN, instead of relying on multicast DNS (mDNS) over the reserved .local domain?
I'd love to understand why this post got modded down.
I'm with you though -- our private network uses a private DNS. For a reason.
First and foremost there are private internal servers which should never resolve on the Internet. It's our Intranet. Firefox will therefore be removed from all clients very shortly apparently.
And then there is one exception -- our Internet facing web server is not properly resolvable from the Intranet. If the Internet DNS is used then the local user ends up at the damn Comcast modem login page. Useless to them.
It is for our domain (only) that on the Intranet DNS it is ALSO configured authoritatively and will resolve to local Intranet addresses accordingly. Mozilla just broke this too.
Chrome it is.
The whole reason I use Firefox is for privacy, and if I gotta edit some buried config variable I may as well just switch browsers (plus I was already irked by Firefox getting rid of RSS & too heavily pushing Pocket).
What privacy focused alternatives do people recommend? Ideally a browser that:
* Has smart default settings privacy-wise
* Is quickly updated with security patches (doesn't lag days behind mainline chrome/firefox)
* Maintains compatibility for popular plugins
Settings should be available for the 0.1% who will use them.
The problem is that "settings" are only changeable after you run Firefox.
This shows up on every installation of Firefox, where the first thing it does is run back to home base to report the new installation. AFTER your installation is reported, you can change the home screen. And, IIRC, you get to have all the crap on the "blank page" active and call home before you can configure your blank page to be almost blank. You can't quite get all the way there -- the settings widget is always there to let you turn on useless crap.
That said, I'm not convinced that this particular choice is best for the 99% who don't know what we're talking about.
It isn't. People will be calling their ISP tech support wondering why Firefox can/cannot locate a page that IE cannot/can find, and someone will have to recognize that Firefox is ignoring the ISP-configured DNS server (which may have local names installed) in preference to Cloudflare.
"We know better how to configure your computer than you do" is not a good marketing tactic.
I am APK the great "LORD of HOSTS", a.k.a. AlecStaar or Alexander Peter Kowalski.
See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / I . a m . a . f u c k i n g / a s s h o l e . r e t a r d . z i p (remove spaces between characters & download).
I am the godlike creator of various GUI front-ends for other people's configuration files.
Watch as I claim I win every argument when in reality I know I lost but that won't stop me from proclaiming my victory.
When presented with facts I rebut them with wild speculations, false support, and out of context quotes
All of my accomplishments revolve around me being proven to be an annoying spamming asshole
See me be proud of my inability to be a functional adult
Bask in my debilitating mental illness
Hear me tell stories about me living large drinking miller lite in my ramshackle duplex with a roommate at age 54.
Watch me spew some word salad because I can't string 2 words together in a coherent manner.
I just don't understand why every site I post on everyone makes fun of me, it can't be because I am a shit stick but instead because they are all Ne'er-do-well SOYboy Jealous JOWIEs.
Witness my descent into madness
APK
Yes, thank you.
It is their written privacy policy.
As I stated in my original comment: *IF* they live up to it and continue to deliver on that promise, it's the safest DNS out there, with the possible exception of OpenDNS... but faster.
Citation?
That doesn't matter if they have no logs to turn over.
That's the whole point, man.
https://slashdot.org/comments....
Users that are that stupid are beyond help; it won't matter what security features you implement, they will do brain dead shit like that. You can't design software for those people, as the only solution for them is to take away their computer. The value in the screen is information front and center for what has changed.