back to article Mozilla's opt-out Firefox DNS privacy test sparks, er, privacy outcry

Mozilla's plan to test a more secure method for resolving internet domain names – known as Trusted Recursive Resolver (TRR) via DNS over HTTPs (DoH) – in Firefox Nightly builds has met with objections from its user community due to privacy concerns. The browser maker's intentions appear to be beneficial for Firefox users. As …

  1. Orv Silver badge

    The problem with opt-in, other than lack of uptake, is it lets your sample self-select -- a no-no in serious research. It's not clear what kind of bias that would add in this type of study, but the answer probably isn't "none."

    1. Adam 1 Silver badge

      You are right in the general case*, however being a feature in the nightly builds (ie, your beta testers) there is already self selection going on. In this specific research, the specific addresses that they're searching DNS for would be unimportant. I'm guessing they're interested in performance/network overheads in different environments with different potential fail conditions.

      *Food for thought, some countries think that non compulsory voting gives an accurate indication of the wishes of their citizens and even pick their representatives with such self selection errors.

    2. Madf1ier

      Obviously one would select the control and the intervention groups from those who opt in (ideally without them knowing which group they were in), not compare opt in versus no response. Otherwise, yes, loads of confounding factors and selection bias. Sadly, the numbers would be tiny...

      1. DropBear Silver badge

        ...so when you don't like your chances you just decide the rules don't apply to you, innit. What exactly was the difference again between these clueless knobs and that other clueless knob leaking secrets on Facebook, other then the "leaked secrets" bit...?

  2. Anonymous Coward
    Anonymous Coward

    'We now return you to your regular social media surveillance and subjugation'

    Today's news and other recent announcements by Mozilla, has made me nervous enough to blank Server Fields for most everything in about:config.

    1. Anonymous Coward
      Anonymous Coward

      Other questionable shit from Mozilla

      https://www.theregister.co.uk/2017/10/09/mozilla_tests_cliqz_in_germany/

      https://www.theregister.co.uk/2017/12/18/mozilla_mr_robot_firefox_promotion/

      https://www.theregister.co.uk/2017/05/11/mozilla_wants_eu_to_slow_down_its_eprivacy_directive_process/

    2. Anonymous Coward
      Anonymous Coward

      Re: 'We now return you to your regular social media surveillance and subjugation'

      Doesn't that give you a fairly unique browser fingerprint, AC? You're better off masquerading as the most popular OS/version of Chrome with the most popular set of extensions.

  3. batfastad

    Interesting

    DoH is actually a very cool technology. Many people already ditch their ISP's DNS servers because they are unreliable. What do they replace them with? 8.8.8.8 or whatever the Cisco/OpenDNS ones are. But there is still huge scope for manipulation and interference of any unsecured DNS queries, regardless of who your resolver is. Using dnscrypt makes things slightly trickier for snooping but you're still putting trust on whoever runs the proxy.

    DNS over HTTPS means your ISP and anyone else in the path is not able to see your DNS lookups. and would bring some speed gains by re-using/multiplexing HTTP/2 connections.

    Considering that a decent chunk of many sites are already served by Cloudflare's CDN, and in many cases people are already putting regular DNS lookups through Google/Cisco, I don't have much of an issue with this in terms of privacy. You've already opted-in to the Nightly builds (and all its telemetry) so being opted-in to further studies within the browser is sort of expected I would guess.

    1. eldakka Silver badge

      Re: Interesting

      > What do they replace them with? 8.8.8.8 or whatever the Cisco/OpenDNS ones are.

      Can't speak for anyone else, but I have my own caching DNS recursive resolver installed on my NAS and I point to it.

      1. Blockchain commentard Silver badge

        Re: Interesting

        And the NSA just intercept the DNS requests from your NAS which talks to the internet in plain text.

        1. teknopaul Silver badge

          Re: Interesting

          Not likely , my caching dns is on the lan. I live in Spain. I know the NSA is _everywhere_, but this setup is better than shipping all my dns requests to the states who have no regard for privacy of Europeans.

          1. Anonymous Coward
            Anonymous Coward

            Re: Interesting

            I hope you don't have an interest in Catalan independence, because you won't be getting anything interesting resolved with a Spanish ISP's DNS.

      2. teknopaul Silver badge

        Re: Interesting

        Me too.

        Neither google borg nor cloudflare.

        My isp knows where I go anyway. So hitting their first dns does not add any more data leaks and probably does not go out to the Internet as much. Plus caching helps with that.

        Mozilla have really lost their way of late.

    2. Anonymous Coward
      Anonymous Coward

      @batfastad

      "DoH is actually a very cool technology. Many people already ditch their ISP's DNS servers because they are unreliable."

      It can also be a dangerous technology because the single point of failure is now fully pointed as such a master cache. If, for whatever reason, that suddenly fails or get compromised then you'll get a really nasty situation on your hands.

      Just take a look at how well creating a centralized advertisement service has worked for providers, including Google (if Google can't keep their ad service safe from virusses and malware, then who can?).

    3. Steve Graham

      Re: Interesting

      "Many people already ditch their ISP's DNS servers because they are unreliable."

      It's more than 10 years ago now, but I was head of software development for a very large UK ISP, and our DNS was bombproof. Literally. You'd have needed many widely-separated bombs (OK, or power failures or faulty software roll-outs) to even have a detectable impact on performance.

    4. fuzzie

      Re: Interesting

      I posit that Google may well get more useful information from their DNS fleet than they get from "enticing" users to Android/Chrome. Sure, with Chrome you get URL query paths and such, but it can't capture what other applications are up to. DNS queries, on the other hand, must be a veritable jackpot.

      ChromeCast, even some non-Google devices, use GoogleDNS in preference to whatever DHCP serves up. I explicitly drop GoogleDNS at my network boundary. Those devices inevitably fall back to my DNS to continue working.

      FYI: There's also Quad9 as another alternative, i.e. 9.9.9.9

      1. Ben Tasker Silver badge

        Re: Interesting

        > I explicitly drop GoogleDNS at my network boundary. Those devices inevitably fall back to my DNS to continue working.

        Me too, though with a slight difference (which is why I bothered to comment).

        Rather than just dropping them (as you've then got to wait for the client to decide it's timed out before trying the correct DNS), I re-route them via my DNS server which intercepts them and replies on Google's behalf.

        That way you don't get the performance penalty of waiting for the client to decide the thing's not responding.

        1. Charles 9 Silver badge

          Re: Interesting

          So what happens when the Chromecasts are updated to use DoH, meaning direct requests to Google can't be intercepted without a secure proxy setup (usually reserved for enterprises due to the certificate demands)?

          1. Ben Tasker Silver badge

            Re: Interesting

            > So what happens when the Chromecasts are updated to use DoH, meaning direct requests to Google can't be intercepted without a secure proxy setup

            At that point, you're probably left with three choices:

            * Accept it and go on with your life

            * Get rid of the Chromecast (though over time, the trashpile will grow as more stuff supports it)

            * Implement HTTPS interception and find a way to load your CA onto all manner of things

            Actually, no. There may be a fourth option.

            The DoH implementations I've seen so far use a hostname instead of an IP address for the resolver. That's obviously going to need to be looked up using traditional DNS.

            So if the chromecast is using dns.google.com, blackhole that in your DNS and *hopefully* the thing will just fall back to using ordinary DNS as before.

            No guarantee it'd work (I haven't tested), but it would certainly be the simplest solution

    5. Anonymous Coward
      Anonymous Coward

      Re: Interesting

      @batfastad

      Excellent points. Not that I condone any of it. DNS and Cloudflare are near the top of the list of problems for privacy and free speech, neither of which will be easily solved. (And Mozilla keeps moving up on that list, though their userbase is declining to the point of irrelevancy.)

      Also, it's unacceptable for Cloudflare (or similar) to be the default DoH provider when this quietly rolls out on the release channel. Which it will, if Mozilla's recent history is any guide.

      This is a band-aid fix for a disease that requires major surgery.

  4. Mayday Silver badge
    Big Brother

    Off the top of my head

    Now I haven't put much thought into this but anyway:

    Is there any reason why you can't use a "random" DNS server from a list of (say) 100's or 1000s? Reason being if you only use (for example) your ISP's, Google's 8.8.8.8 or OpenDNS then in theory you could be tracked by them. Randomising DNS servers over a very large pool could alleviate this to a degree.

    I personally use Open DNS because I'd prefer Cisco et al have an idea of my browsing compared to the world's biggest advertising company or my ISP or ASIO.

    1. gerdesj Silver badge

      Re: Off the top of my head

      "Now I haven't put much thought into this" - You sir win the internet for that comment.

      "I personally use Open DNS" - they work very well for many use cases but is yours one of those? ODNS will always respond with an IP address for a request for an A record - their webby server. Is that what you want (unlikely)?

      I'll recommend using 9.9.9.9 ie Quad9 for DNS instead. They will not respond with a default address on fail which is what should happen and easier to work with.

      1. Ben Tasker Silver badge

        Re: Off the top of my head

        > I'll recommend using 9.9.9.9 ie Quad9 for DNS instead. They will not respond with a default address on fail which is what should happen and easier to work with.

        Whilst this is true, the also (deliberately) do not support the EDNS Client Subnet extension, so if you're planning on making a request to a CDN, you will likely be routed to a node that close to the resolver, rather than one that's close to you. So video streaming may end up sucking (depending on where you're located in relation to the resolver).

        They see it as a feature, I see it as a glaring omission. The theory being there are privacy implications in them telling the authoritative that you're part of a given /24 (the last bits are masked in ECS). Which, arguably there is, but when you connect out to that service they'll have your /32 anyway (inserting other prefixes is an exercise left to any readers who actually have IPv6).

    2. joed

      Re: Off the top of my head

      I would not be so coy about Cisco - aren't they behind development of China firewall? Besides this, Cisco likely aggregates enough data about you at work, and there' really no reason to help them link your home browsing history (and maybe sell to HR/network team as value added of the security subscription they peddled).

      Also, while I can see reason why some nightly build users may feel unhappy, it's not like cloudflare didn't serve most of the content they consumed (for this reason alone they may be the best entity to run this kind of test). I'm not sure if possible or in scope of the project, but it'd be nice if "revolving" part of the DNS thing included option for multiple trusted provided queried at random (so none had full insight into traffic patterns) or research if such setup had any merit.

    3. Robert Carnegie Silver badge

      Re: Off the top of my head

      If the government, or just an IT technician who wants to blackmail porn users, wants to see which DNS calls you make - they can tap thousands of DNS servers as easily as one. Unless they only have access to their own DNS server to do it. So mainly I don't think your security is improved except by going full Tor.

      Incidentally, I'm not in the using nightly builds game but I'd guess that if you are using alpha or beta software then bugs such as accidentally tweeting all the URLs you visit while getting the DNS data is just to be expected. This software isn't expected to work right. So the question is, why use it, but I expect that is covered elsewhere.

  5. Hugh McIntyre

    Broken assumptions

    People using BIND as a DNS server can set up "views" so that DNS results depend on where the query comes from. For example the following can return different IP addresses for a query depending on where the query comes from:

    view from_internal_hosts { ... };

    view from_external_internet { ... };

    Seems like this would be fundamentally broken if Firefox ever makes TRR an official feature, quite apart from the privacy concerns. Better to just make DNSSEC enabled and secure?

    1. Chris King Silver badge

      Re: Broken assumptions

      Well put - some of us have lots of stuff sitting on private IP's and only accessible from internal private networks. TRR will break a lot of things for my users if it is turned on by default, because they won't be able to see the internal view of our DNS servers.

      Also, "one giant cache for all" means a lot of potential victims if someone manages to poison that cache - say, if another Kaminsky-type bug comes along.

  6. Anonymous Coward
    Linux

    Making DNS communication more secure

    What is such functionality doing in the browser. The same could be asked of the logic of disabling audio in Firefox unless PulseAudio is installed. Reason I don't use PulseAudio is, I can never get it to retain settings from one invocation to the next.

    1. myithingwontcharge

      Re: Making DNS communication more secure

      Disabling audio unless Pulse is installed! FFS! Thank you. You've just solved a long running issue of why I've had to run Chromium!

      1. Havin_it

        Re: Making DNS communication more secure

        You get a notification in Firefox whenever a page attempts to play audio, telling you to install pulseaudio. How did you miss that?

  7. Anonymous Coward
    Happy

    about:networking#dns

    I have made a bookmark, for Firefox (its Experimental) networking. it sits on my menu bar next to other icons. (go to the page and click the bookmark star).

    about:networking

    about:networking#dns - etc

    try about:about for everything - have look - but you knew this right.

    you can backup your config or create an extra profile to play where there may be dragons, it's the only way to really train them

    Oh and I lock in my DNS addresses into my firewall, and router - they go, where I tell them.

  8. Anonymous Coward
    Anonymous Coward

    > There's something endearingly quaint about fretting over a few thousand people's DNS queries being visible to a third-party like Cloudflare at a time when people are up in arms about Facebook's dispersal of data on 50 million users to data analytics firm Cambridge Analytica.

    Mocking people's privacy concerns by calling them quaint is how you get to places like Cambridge Analytica.

    The concerns are legit, not "quaint".

    1. Anonymous Coward
      Anonymous Coward

      Rather, the mocking is of people's understanding of risks.

      Similar to the lack of knowledge of cosmic rays and other natural radiation vs. the "Ahh, Chinese space station's gonna hit me!" there is a large mismatch in how people 'place' what is dangerous versus what is not nearly as dangerous.

      "FireFox gonna expose me to bad guys" is so much more understandable than "your vote was swayed somehow by nefarious guys". Which one had/has the greater affect? Which one is going to continue to corrode your freedoms?

      1. Anonymous Coward
        Anonymous Coward

        Mozilla was literally proposing to put your data under Trump's jurisdiction if you didn't opt out.

        If people choose to expose themselves to Facebook, or clean their dog's teeth with their genitals, that's entirely their stupidity, doesn't mean the rest of us have to do something similar.

      2. tiggity Silver badge

        Well if you do not use Facebook (and your contacts don't) but do use Moz nightly builds then the Moz risk is significant but the FB one less so.

        I don't use FB, I no longer use FF due to addons fiasco, but used to be a heavy FF user and understand peopels concerns.

        .. and yes, I block cloudflare by default when browsing

  9. Eddy Ito Silver badge
    Facepalm

    Did anyone else read that as "Trusted Recursive Revolver"? I immediately thought of old westerns where the good guy's single action army six-shooter managed to last for at least 30 shots while fending off a band of hoodlums, natives, and other supposed baddies.

    1. Tomato Krill

      I can only speak for myself, but no.

  10. Anonymous Coward
    Anonymous Coward

    Well, they need to get the data somehow...

    I can actually understand an opt-in for dev. builds, for the simple reason that people who grab those should know what the heck they're doing in the first place. If they have carefully documented this aspect then I really don't see the big problem; as mentioned in the header they need to get some kind of usage data. In the end it simply boils down to: "read & check what you're using before using it".

    However, I do have some concerns about the concept in general: "We posit that integrity and confidentiality protected access to well provisioned larger caches will help our users.". Help how? All I see happening here is that you create a larger single point of failure. Because as soon as those caches get compromised then many people will experience major issues at the same time.

    And just because you're grouping many people together basically marks such caches as a very feasible way to compromise. I'm pretty sure malware authors would have a field day here.

    Another issue is how this would really enhance security. Most users will use the DNS services from their direct uplink providers (so Internet providers). So how is this going to help them other than generating a bigger target?

    1. Anonymous Coward
      Anonymous Coward

      Re: Well, they need to get the data somehow...

      They need the data, yes. But they could always make a specially downloadable installer, and encourage people to use it for a week or three.

      Forcing it into the release cycle (beta or otherwise) doesn't sound very nice to those that miss the memo.

      That said, back in 2012 Telstra gave all its 3G data customers' metadata (and god knows how many others over the years) to a fledgling surveillance and subjugation biz. Their CEO promised never to do it again when mere mortal contstomers proved their managers did nothing but lie about it. Now they have a different CEO and quietly enabled third-party metadata surveillance (and an active censorship filter called Broadband Protect) in their broadband plans.

      It is wrong, but also sad that legitimate players trying to protect users from our digital Armageddon cop such bad PR, esp. while predatory Corporations just do it and collect our habits on the sly for whatever purpose they want from hereon in.

      That said, Moz are hardly babes in the woods, and mistakes like this aren't just be about shortages of resources. Are their priorities being well set?

  11. JakeMS
    Go

    For DNS..

    So, if you want secure DNS why doesn't everyone just run the following commands on their PC?

    systemctl enable dnscrypt-proxy

    systemctl start dnscrypt-proxy

    or if they've not got systemd:

    chkconfig dnscrypt-proxy on

    service dnscrypt-proxy start

    (Not sure on the commands for Windows, not used it in years but I'm sure their probably similar)

    Finally, switch their resolvers to point to 127.0.0.1.

    At least this way everyone's DNS data isn't flying off to cloudflare or wherever. Honestly I thought everyone switched to this method years ago when this all came out? I know I did.

    DNS should be controlled on the OS level, not the browser level. It's all well and good "securing" one browsers DNS, but what about all the other applications such as evolution mail and such? If you're going to secure your DNS, you should do it system wide so that all applications are protected.

    Just my 2c.

    1. Charles 9 Silver badge

      Re: For DNS..

      Except some applications (like Windows X) don't play ball and use their own resolvers to get around strategies like yours. And because of things like SNI, it's tricky to block at the IP level without risking collateral damage (telemetry updates can use the same IP as security updates).

      Plus you overestimate the intelligence of the average computer user.

  12. Anonymous Coward
    Anonymous Coward

    Mozilla turned bad anyway

    Mozilla used to be good and the Firefox browser great. It all started with Brandan Eich, the Javascript inventor, and than CEO, forced to leave Mozilla.

    Then clueless management took over. They stopped Thunderbird development, it's basically vacant for several years, beside shitty experiments on its UI by one of their designers. Then they stopped Firefox OS, when it still had a chance and was used in all LG SmartTV. Then they stopped Servo, the new render engine to replace Gecko(Firefox) and its ugly XML based XUL and XPCOM warts.

    And now they focus entirely on slurping, like Chrome and Edge, and forcing their Firefox 57 down the throat. Guess what, the multi-process support is still bad, it consumes a lot more resources and is still slower than Chrome. And Firefox doesn't support all the beloved Addons anymore, because they broke the API on purpose, while XUL is still used for Firefox user interface and internal addons. Just a political decision made by the board. Is Mozilla nowadays just a shell company, paid by Google or some other big advertiser? Looking from who pays their bills and how bad the default security and privacy settings lean against user privacy, it looks like that. And the days are gone, I no longer recommend Firefox to anyone, and install open source Chromium (with custom settings) on family and friend computers.

  13. Anonymous Coward
    Anonymous Coward

    My localhosts file is used to block malware and ads

    Bad sites redirect to nothing (127.0.0.1) so the request never leaves the PC and nothing from these bad sites is shown.

    Bypassing my localhosts file is very bad indeed.

    http://winhelp2002.mvps.org/hosts.htm

    1. Blockchain commentard Silver badge

      Re: My localhosts file is used to block malware and ads

      winhelp2002 has for years now pointed bad sites to 0.0.0.0 which tells your machine not to even bother with a lookup.

  14. Mage Silver badge

    Mozilla … want to understand how these protocols affect network performance

    Reasonable question.

    Putting it in browser or researching it with a browser is not.

    I'd expect my OS to provide an api for the browser.

    More proof that Mozilla have lost the plot: Building a secure browser that uses the desktop / system GUI settings and the OS communication stack. Having it that it can't run extra code/scripts from Internet except for sandboxed web page functionality.

  15. Blockchain commentard Silver badge
    Facepalm

    The Homer Principle

    Doh !!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: The Homer Principle

      It had to be said...

      Guys, you're slipping... I shouldn't have had to scroll to the bottom of the page to get to the obvious comment!

  16. teknopaul Silver badge

    Dns is heirachical no reason the world police should know about any lookups to .es or .uk. I'm sure they are interested in .ru and .cn but neither is that their business.

    Its important _users_ can choose who they trust. Not Mozilla.

    This will lead to tit for tat changes in chrome, safari, yandex browser and others until finally the Internet has dns lines draw exactly along national lines and you will need a passport to get out.

    1. Charles 9 Silver badge

      "Its important _users_ can choose who they trust. Not Mozilla."

      It's ALSO important to protect Stupid Users from themselves or they'll take the rest of us with them.

  17. arobertson1

    I’m a self proclaimed security and privacy nut job - I have never trusted DNS as it’s too easily manipulated and tampered with. Currently I use DNSCrypt and DNSSEC. DNSCrypt resolves with OpenDNS and is now owned by Cisco. Since Firefox 57 DNSSEC has stopped working as it was an addon and an extension was never developed for Quantum. However, DNSSEC is still working with Opera Developer.

    I don’t have a problem with Cisco knowing all the websites that I visit as I’m not expecting DNSCrypt or DNSSEC to offer anonymity - use Tor if you require anonymity. There is *no difference* between using your ISP’s DNS resolver or Google or OpenDNS or Cloudflare - at the end of the day they can see which websites you have visited.

    Where DNSCrypt and DNSSEC become useful is:

    1) It’s encrypted! Ordinary DNS is not. This prevents simple network traffic sniffing. How many times do you think your local coffee shop has had someone sniff the traffic? And if your DNS requests are not encrypted... Well they at least know which websites your device is accessing - kind of makes it easier to use social engineering attacks if they know which bank you use wouldn’t you say?

    2) It stops your ISP from auto logging your web usage and selling it to advertisers. Regardless of whether you pay for the service or not they are selling your usage details to 3rd parties with or without your knowledge. If on the other hand all that appears is DNS resolver blah, blah, blah Cloudflare then it’s not much use to them. Bear in mind your ISP also knows your phone number, email address, physical address, your bank / card details, you date of birth etc. An alternative DNS provider only knows your IP address.

    3) It prevents man in the middle attacks and cross site forgeries. If you cannot break the encryption then you cannot inject code - currently there is nothing to stop this with ordinary DNS.

    4) It stops ISP’s from injecting code - such as advertising and tracking (particularly mobile). It was not that long ago that “Super Cookies” were used which tracked all users. Encrypted DNS stops this.

    5) Cisco / OpenDNS actively block bad web sites at source and will not resolve them preventing malware attacks. Isn’t it far more useful to prevent malware at the source rather than having antivirus software try to deal with it after it has downloaded?

    6) DNSSEC helps to prevent cache poisoning and because it relies on digital signatures it can tell whether a DNS entry has been spoofed. It is an excellent way to detect whether you are actually at the genuine website or not - you will be surprised just how many websites are using cached versions rather than the real website. This prevents login credentials from being stolen.

    Although they will not protect your privacy, the above reasons are so useful that I have often wished that DNSCrypt and DNSSEC were baked into the browser.

    Am I bothered about Cloudflare gathering this data from Mozilla Firefox - not really as *DNS has never been anonymous nor will it ever be*. Use Tor if you want that.

    As ever the devil is in the detail, but if Mozilla would care to outline how they are implementing this and if this looks like a combination of DNSCrypt / DNSSEC all rolled into one then I personally will be using it, as the security benefits are massive - this technology could be used to prevent DDoS attacks, stop malware, prevent man in the middle attacks, verify genuine websites, prevent phishing, stop credential theft, prevent cross site scripting… Why wouldn’t you want that? It’s been a long time coming and DNS definitely needs improving - kudos to Mozilla for leading the way and I would expect Google will follow shortly and do the same with Chrome too.

    1. Ben Tasker Silver badge

      > As ever the devil is in the detail, but if Mozilla would care to outline how they are implementing this and if this looks like a combination of DNSCrypt / DNSSEC all rolled into one then I personally will be using it,

      The answer is in the article.

      It's DNS over HTTPS - https://tools.ietf.org/html/draft-hoffman-dns-over-https-01

      So you've got on-the-wire encryption (courtesy of HTTPS) to your resolver. The far end, could at it's simplest, be a translation proxy to a traditional DNS server. Read the HTTPS request and send a UDP DNS query.

      As far as DNSSEC within DoH goes, AFAIK that's down to the recursor you use. They can validate DNSSEC and include a flag to note that it validated correctly, or they can just not bother. I may be wrong, but I don't think the browser itself currently supports verifying DNSSEC on the returned records

      > kudos to Mozilla for leading the way and I would expect Google will follow shortly and do the same with Chrome too.

      It doesn't appear to be in Chrome yet, but Google are ahead in the sense that they offer DNSSEC validating recursors over DoH already: https://developers.google.com/speed/public-dns/docs/dns-over-https

      1. arobertson1

        The details that I was curious about include the cipher used (hopefully not RC4), the key length and also (more importantly) what happens when the encrypted DNS request fails - does it just default to ordinary DNS? If so, then surely this could become a downgrade attack? How would the user be made aware of this in a meaningful way without inducing panic or for that matter not resolving any web page at all - that's a tricky one for Mozilla.

    2. the spectacularly refined chap

      Where DNSCrypt and DNSSEC become useful is:

      1) It’s encrypted! Ordinary DNS is not.

      Neither is DNSSEC. You would have known that even if you read the article. DNSCrypt is but is nonstandard and brings massive performance costs, both through TCP dependency and the default/recommended non-caching client-side trim which is frankly retarded to the point it itself makes me suspicious: why does my DNS provider need to see evidence of every single connection to every single site?

      2) It stops your ISP from auto logging your web usage and selling it to advertisers.

      To some extent with multihomed sites and assuming deep packet inspection (DPI) is not in use. If either of those assumptions break down the assertion is meaningless. It is anyway strictly speaking since a DNS request is not evidence of specifically web traffic.

      3) It prevents man in the middle attacks and cross site forgeries. If you cannot break the encryption then you cannot inject code - currently there is nothing to stop this with ordinary DNS.

      You do understand what DNS actually does, don't you? It does absolutely nothing to protect a connection once established. With DNSCrypt you are still vulnerable to MITM because of the way it gets the address in the first place, the only difference is you have moved the weak point.

      4) It stops ISP’s from injecting code - such as advertising and tracking (particularly mobile).

      Done via DPI, it doesn't work on a DNS level for reasons I can't be arsed explaining on my phone keyboard.

      5) Cisco / OpenDNS actively block bad web sites at source and will not resolve them preventing malware attacks. Isn’t it far more useful to prevent malware at the source ...

      Right, so you clearly don't understand even the role of DNS. The baddies can still contact YOU and you can respond without a DNS request. You can still contact them via IP address: the really dodgy sites tend to be linked to in that very manner.

      If you want to describe yourself as a "privacy nut" and proffer advice it would help to understand even the basics of computer networking.

      1. arobertson1

        Ha, Ha, Ha. You made me laugh. I thought this was a wind up then I realised you're deadly serious! Oh well, you can't please everyone. Still, very funny though... lol. Stay off the disco biscuits!!

  18. Anonymous Coward
    Anonymous Coward

    Off-path

    "Sending information about what is browsed to an off-path party will erode trust in Mozilla due to people getting upset about privacy-sensitive information ... getting sent to an off-path party without explicit consent ..."

    Errm... https://wiki.mozilla.org/Security/Safe_Browsing.

    (to completely disable the thing requires changing about half a dozen settings in about:config)

  19. Warlord-Lestat

    how can you believe in Mozilla when they are...

    ... discriminates their target user group (geeks and nerds) since 2013 with removing features to support simple users only (because of Mozilla's unhealthy addiction with battling Chrome, no matter what).

    There is zero guarantee that Mozilla - who shamelessly betrayed their own users will also not fall into the back of their new beloved user group (simple/Chrome users).

    Mozilla is even worse as Google from their mentality today. Same like Opera who are the same betrayers. Enough reason to stay FAR away from that sell-outs!

    At that point, believing in what Mozilla spits out to the public is like playing russian roulette!

  20. onebignerd

    Mozilla/Firefox jumping on the data sucking bandwagon. Not surprised!

    Stopped using Firefox, too many problems.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019