The problem with opt-in, other than lack of uptake, is it lets your sample self-select -- a no-no in serious research. It's not clear what kind of bias that would add in this type of study, but the answer probably isn't "none."
Mozilla's opt-out Firefox DNS privacy test sparks, er, privacy outcry
Mozilla's plan to test a more secure method for resolving internet domain names – known as Trusted Recursive Resolver (TRR) via DNS over HTTPS (DoH) – in Firefox Nightly builds has met with objections from its user community due to privacy concerns. The browser maker's intentions appear to be beneficial for Firefox users. As …
COMMENTS
-
-
Tuesday 20th March 2018 21:50 GMT Adam 1
You are right in the general case*, however being a feature in the nightly builds (i.e., your beta testers) there is already self-selection going on. In this specific research, the specific addresses that they're searching DNS for would be unimportant. I'm guessing they're interested in performance/network overheads in different environments with different potential fail conditions.
*Food for thought: some countries think that non-compulsory voting gives an accurate indication of the wishes of their citizens and even pick their representatives with such self-selection errors.
-
-
-
Tuesday 20th March 2018 21:26 GMT Anonymous Coward
Other questionable shit from Mozilla
https://www.theregister.co.uk/2017/10/09/mozilla_tests_cliqz_in_germany/
https://www.theregister.co.uk/2017/12/18/mozilla_mr_robot_firefox_promotion/
https://www.theregister.co.uk/2017/05/11/mozilla_wants_eu_to_slow_down_its_eprivacy_directive_process/
-
-
Tuesday 20th March 2018 22:35 GMT batfastad
Interesting
DoH is actually a very cool technology. Many people already ditch their ISP's DNS servers because they are unreliable. What do they replace them with? 8.8.8.8 or whatever the Cisco/OpenDNS ones are. But there is still huge scope for manipulation and interference of any unsecured DNS queries, regardless of who your resolver is. Using dnscrypt makes things slightly trickier for snooping but you're still putting trust in whoever runs the proxy.
DNS over HTTPS means your ISP and anyone else in the path is not able to see your DNS lookups, and would bring some speed gains by re-using/multiplexing HTTP/2 connections.
Considering that a decent chunk of many sites are already served by Cloudflare's CDN, and in many cases people are already putting regular DNS lookups through Google/Cisco, I don't have much of an issue with this in terms of privacy. You've already opted-in to the Nightly builds (and all its telemetry) so being opted-in to further studies within the browser is sort of expected I would guess.
-
Wednesday 21st March 2018 05:55 GMT Anonymous Coward
@batfastad
"DoH is actually a very cool technology. Many people already ditch their ISP's DNS servers because they are unreliable."
It can also be a dangerous technology because the single point of failure is now fully pointed at such a master cache. If, for whatever reason, that suddenly fails or gets compromised then you'll get a really nasty situation on your hands.
Just take a look at how well creating a centralized advertisement service has worked for providers, including Google (if Google can't keep their ad service safe from viruses and malware, then who can?).
-
Wednesday 21st March 2018 11:06 GMT Steve Graham
Re: Interesting
"Many people already ditch their ISP's DNS servers because they are unreliable."
It's more than 10 years ago now, but I was head of software development for a very large UK ISP, and our DNS was bombproof. Literally. You'd have needed many widely-separated bombs (OK, or power failures or faulty software roll-outs) to even have a detectable impact on performance.
-
Wednesday 21st March 2018 12:00 GMT fuzzie
Re: Interesting
I posit that Google may well get more useful information from their DNS fleet than they get from "enticing" users to Android/Chrome. Sure, with Chrome you get URL query paths and such, but it can't capture what other applications are up to. DNS queries, on the other hand, must be a veritable jackpot.
ChromeCast, even some non-Google devices, use GoogleDNS in preference to whatever DHCP serves up. I explicitly drop GoogleDNS at my network boundary. Those devices inevitably fall back to my DNS to continue working.
FYI: There's also Quad9 as another alternative, i.e. 9.9.9.9
-
Wednesday 21st March 2018 12:11 GMT Ben Tasker
Re: Interesting
> I explicitly drop GoogleDNS at my network boundary. Those devices inevitably fall back to my DNS to continue working.
Me too, though with a slight difference (which is why I bothered to comment).
Rather than just dropping them (as you've then got to wait for the client to decide it's timed out before trying the correct DNS), I re-route them via my DNS server which intercepts them and replies on Google's behalf.
That way you don't get the performance penalty of waiting for the client to decide the thing's not responding.
-
-
Thursday 22nd March 2018 09:09 GMT Ben Tasker
Re: Interesting
> So what happens when the Chromecasts are updated to use DoH, meaning direct requests to Google can't be intercepted without a secure proxy setup
At that point, you're probably left with three choices:
* Accept it and go on with your life
* Get rid of the Chromecast (though over time, the trashpile will grow as more stuff supports it)
* Implement HTTPS interception and find a way to load your CA onto all manner of things
Actually, no. There may be a fourth option.
The DoH implementations I've seen so far use a hostname instead of an IP address for the resolver. That's obviously going to need to be looked up using traditional DNS.
So if the Chromecast is using dns.google.com, blackhole that in your DNS and *hopefully* the thing will just fall back to using ordinary DNS as before.
No guarantee it'd work (I haven't tested), but it would certainly be the simplest solution.
-
-
-
-
Wednesday 21st March 2018 18:34 GMT Anonymous Coward
Re: Interesting
@batfastad
Excellent points. Not that I condone any of it. DNS and Cloudflare are near the top of the list of problems for privacy and free speech, neither of which will be easily solved. (And Mozilla keeps moving up on that list, though their userbase is declining to the point of irrelevancy.)
Also, it's unacceptable for Cloudflare (or similar) to be the default DoH provider when this quietly rolls out on the release channel. Which it will, if Mozilla's recent history is any guide.
This is a band-aid fix for a disease that requires major surgery.
-
Tuesday 20th March 2018 22:41 GMT Mayday
Off the top of my head
Now I haven't put much thought into this but anyway:
Is there any reason why you can't use a "random" DNS server from a list of (say) 100's or 1000s? Reason being if you only use (for example) your ISP's, Google's 8.8.8.8 or OpenDNS then in theory you could be tracked by them. Randomising DNS servers over a very large pool could alleviate this to a degree.
I personally use Open DNS because I'd prefer Cisco et al have an idea of my browsing compared to the world's biggest advertising company or my ISP or ASIO.
-
Wednesday 21st March 2018 01:15 GMT Anonymous Coward
Re: Off the top of my head
"Now I haven't put much thought into this" - You sir win the internet for that comment.
"I personally use Open DNS" - they work very well for many use cases but is yours one of those? ODNS will always respond with an IP address for a request for an A record - their webby server. Is that what you want (unlikely)?
I'll recommend using 9.9.9.9, i.e. Quad9, for DNS instead. They will not respond with a default address on fail, which is what should happen and is easier to work with.
-
Wednesday 21st March 2018 12:14 GMT Ben Tasker
Re: Off the top of my head
> I'll recommend using 9.9.9.9 ie Quad9 for DNS instead. They will not respond with a default address on fail which is what should happen and easier to work with.
Whilst this is true, they also (deliberately) do not support the EDNS Client Subnet extension, so if you're planning on making a request to a CDN, you will likely be routed to a node that's close to the resolver, rather than one that's close to you. So video streaming may end up sucking (depending on where you're located in relation to the resolver).
They see it as a feature, I see it as a glaring omission. The theory being there are privacy implications in them telling the authoritative that you're part of a given /24 (the last bits are masked in ECS). Which, arguably, there are, but when you connect out to that service they'll have your /32 anyway (inserting other prefixes is an exercise left to any readers who actually have IPv6).
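To make the /24 masking concrete, here is an added example (not code from the comment or from Quad9) that builds and decodes the EDNS Client Subnet option of RFC 7871, showing exactly which bits of a client address a resolver that supports ECS would forward to the authoritative; it also covers the IPv6 case the comment leaves to the reader. The function names are my own.

```python
import ipaddress
import struct

# Added example (not from the comment above): builds and decodes the EDNS
# Client Subnet (ECS) option of RFC 7871 to show exactly what a resolver that
# supports ECS forwards to an authoritative server, i.e. the client's /24
# (or, say, a /56 for IPv6) rather than the full address.

ECS_OPTION_CODE = 8  # EDNS0 option code assigned to CLIENT-SUBNET


def build_ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """Return one EDNS OPTION (code, length, data) carrying CLIENT-SUBNET.

    RFC 7871 section 6: the address field holds only ceil(prefix/8) bytes
    and every bit past the prefix length is zero, so a /24 never carries the
    host part of the address.
    """
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2          # IANA address family
    max_len = 32 if addr.version == 4 else 128
    if not 0 <= source_prefix_len <= max_len:
        raise ValueError("prefix length out of range for address family")
    nbytes = (source_prefix_len + 7) // 8
    mask = ((1 << source_prefix_len) - 1) << (max_len - source_prefix_len)
    masked = (int(addr) & mask).to_bytes(max_len // 8, "big")[:nbytes]
    # FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries)
    data = struct.pack("!HBB", family, source_prefix_len, 0) + masked
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(option: bytes) -> dict:
    """Decode a CLIENT-SUBNET option and report the network it reveals."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or len(option) != 4 + length:
        raise ValueError("not a well-formed CLIENT-SUBNET option")
    family, src_len, scope_len = struct.unpack("!HBB", option[4:8])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    full_len = 4 if family == 1 else 16
    addr_bytes = option[8:]
    if len(addr_bytes) != (src_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    # Pad the truncated address back to full width so it can be printed.
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    visible = ipaddress.ip_address(padded)
    return {
        "family": family,
        "source_prefix_len": src_len,
        "scope_prefix_len": scope_len,
        "visible_network": f"{visible}/{src_len}",
    }
```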
-
-
Wednesday 21st March 2018 02:58 GMT joed
Re: Off the top of my head
I would not be so coy about Cisco - aren't they behind the development of China's firewall? Besides this, Cisco likely aggregates enough data about you at work, and there's really no reason to help them link your home browsing history (and maybe sell it to the HR/network team as value added of the security subscription they peddled).
Also, while I can see the reason why some nightly build users may feel unhappy, it's not like cloudflare didn't serve most of the content they consumed (for this reason alone they may be the best entity to run this kind of test). I'm not sure if it's possible or in scope of the project, but it'd be nice if the "revolving" part of the DNS thing included an option for multiple trusted providers queried at random (so none had full insight into traffic patterns), or research into whether such a setup had any merit.
-
Wednesday 21st March 2018 13:40 GMT Robert Carnegie
Re: Off the top of my head
If the government, or just an IT technician who wants to blackmail porn users, wants to see which DNS calls you make - they can tap thousands of DNS servers as easily as one. Unless they only have access to their own DNS server to do it. So mainly I don't think your security is improved except by going full Tor.
Incidentally, I'm not in the using nightly builds game but I'd guess that if you are using alpha or beta software then bugs such as accidentally tweeting all the URLs you visit while getting the DNS data is just to be expected. This software isn't expected to work right. So the question is, why use it, but I expect that is covered elsewhere.
-
-
Tuesday 20th March 2018 22:42 GMT Hugh McIntyre
Broken assumptions
People using BIND as a DNS server can set up "views" so that DNS results depend on where the query comes from. For example the following can return different IP addresses for a query depending on where the query comes from:
view from_internal_hosts { ... };
view from_external_internet { ... };
Seems like this would be fundamentally broken if Firefox ever makes TRR an official feature, quite apart from the privacy concerns. Better to just make DNSSEC enabled and secure?
-
Wednesday 21st March 2018 08:33 GMT Chris King
Re: Broken assumptions
Well put - some of us have lots of stuff sitting on private IPs and only accessible from internal private networks. TRR will break a lot of things for my users if it is turned on by default, because they won't be able to see the internal view of our DNS servers.
Also, "one giant cache for all" means a lot of potential victims if someone manages to poison that cache - say, if another Kaminsky-type bug comes along.
-
-
Tuesday 20th March 2018 23:25 GMT Anonymous Coward
about:networking#dns
I have made a bookmark for Firefox (its experimental) networking. It sits on my menu bar next to other icons. (Go to the page and click the bookmark star.)
about:networking
about:networking#dns - etc
Try about:about for everything - have a look - but you knew this, right?
You can back up your config or create an extra profile to play where there may be dragons; it's the only way to really train them.
Oh and I lock in my DNS addresses into my firewall, and router - they go, where I tell them.
-
Tuesday 20th March 2018 23:29 GMT Anonymous Coward
> There's something endearingly quaint about fretting over a few thousand people's DNS queries being visible to a third-party like Cloudflare at a time when people are up in arms about Facebook's dispersal of data on 50 million users to data analytics firm Cambridge Analytica.
Mocking people's privacy concerns by calling them quaint is how you get to places like Cambridge Analytica.
The concerns are legit, not "quaint".
-
Wednesday 21st March 2018 03:28 GMT Anonymous Coward
Rather, the mocking is of people's understanding of risks.
Similar to the lack of knowledge of cosmic rays and other natural radiation vs. the "Ahh, Chinese space station's gonna hit me!" there is a large mismatch in how people 'place' what is dangerous versus what is not nearly as dangerous.
"FireFox gonna expose me to bad guys" is so much more understandable than "your vote was swayed somehow by nefarious guys". Which one had/has the greater effect? Which one is going to continue to corrode your freedoms?
-
Wednesday 21st March 2018 10:05 GMT tiggity
Well if you do not use Facebook (and your contacts don't) but do use Moz nightly builds then the Moz risk is significant but the FB one less so.
I don't use FB, I no longer use FF due to the addons fiasco, but I used to be a heavy FF user and understand people's concerns.
.. and yes, I block cloudflare by default when browsing
-
-
-
Wednesday 21st March 2018 05:52 GMT Anonymous Coward
Well, they need to get the data somehow...
I can actually understand an opt-in for dev. builds, for the simple reason that people who grab those should know what the heck they're doing in the first place. If they have carefully documented this aspect then I really don't see the big problem; as mentioned in the header they need to get some kind of usage data. In the end it simply boils down to: "read & check what you're using before using it".
However, I do have some concerns about the concept in general: "We posit that integrity and confidentiality protected access to well provisioned larger caches will help our users.". Help how? All I see happening here is that you create a larger single point of failure. Because as soon as those caches get compromised then many people will experience major issues at the same time.
And just because you're grouping many people together basically marks such caches as a very feasible way to compromise. I'm pretty sure malware authors would have a field day here.
Another issue is how this would really enhance security. Most users will use the DNS services from their direct uplink providers (so Internet providers). So how is this going to help them other than generating a bigger target?
-
Wednesday 21st March 2018 06:35 GMT Anonymous Coward
Re: Well, they need to get the data somehow...
They need the data, yes. But they could always make a specially downloadable installer, and encourage people to use it for a week or three.
Forcing it into the release cycle (beta or otherwise) doesn't sound very nice to those that miss the memo.
That said, back in 2012 Telstra gave all its 3G data customers' metadata (and god knows how many others over the years) to a fledgling surveillance and subjugation biz. Their CEO promised never to do it again when mere mortal customers proved their managers did nothing but lie about it. Now they have a different CEO and have quietly enabled third-party metadata surveillance (and an active censorship filter called Broadband Protect) in their broadband plans.
It is wrong, but also sad that legitimate players trying to protect users from our digital Armageddon cop such bad PR, esp. while predatory Corporations just do it and collect our habits on the sly for whatever purpose they want from hereon in.
That said, Moz are hardly babes in the woods, and mistakes like this aren't just about shortages of resources. Are their priorities being well set?
-
-
Wednesday 21st March 2018 06:19 GMT JakeMS
For DNS..
So, if you want secure DNS why doesn't everyone just run the following commands on their PC?
systemctl enable dnscrypt-proxy
systemctl start dnscrypt-proxy
or if they've not got systemd:
chkconfig dnscrypt-proxy on
service dnscrypt-proxy start
(Not sure on the commands for Windows, not used it in years, but I'm sure they're probably similar)
Finally, switch their resolvers to point to 127.0.0.1.
At least this way everyone's DNS data isn't flying off to cloudflare or wherever. Honestly I thought everyone switched to this method years ago when this all came out? I know I did.
DNS should be controlled at the OS level, not the browser level. It's all well and good "securing" one browser's DNS, but what about all the other applications such as Evolution mail and such? If you're going to secure your DNS, you should do it system-wide so that all applications are protected.
Just my 2c.
-
Wednesday 21st March 2018 18:09 GMT Charles 9
Re: For DNS..
Except some applications (like Windows X) don't play ball and use their own resolvers to get around strategies like yours. And because of things like SNI, it's tricky to block at the IP level without risking collateral damage (telemetry updates can use the same IP as security updates).
Plus you overestimate the intelligence of the average computer user.
-
-
Wednesday 21st March 2018 07:47 GMT Anonymous Coward
Mozilla turned bad anyway
Mozilla used to be good and the Firefox browser great. It all started with Brendan Eich, the Javascript inventor, and then CEO, being forced to leave Mozilla.
Then clueless management took over. They stopped Thunderbird development; it has basically been vacant for several years, besides shitty experiments on its UI by one of their designers. Then they stopped Firefox OS, when it still had a chance and was used in all LG Smart TVs. Then they stopped Servo, the new render engine to replace Gecko (Firefox) and its ugly XML-based XUL and XPCOM warts.
And now they focus entirely on slurping, like Chrome and Edge, and forcing their Firefox 57 down our throats. Guess what, the multi-process support is still bad, it consumes a lot more resources and is still slower than Chrome. And Firefox doesn't support all the beloved addons anymore, because they broke the API on purpose, while XUL is still used for the Firefox user interface and internal addons. Just a political decision made by the board. Is Mozilla nowadays just a shell company, paid by Google or some other big advertiser? Looking at who pays their bills and how badly the default security and privacy settings lean against user privacy, it looks like that. And those days are gone: I no longer recommend Firefox to anyone, and install open source Chromium (with custom settings) on family and friends' computers.
-
Wednesday 21st March 2018 09:18 GMT Mage
Mozilla … want to understand how these protocols affect network performance
Reasonable question.
Putting it in browser or researching it with a browser is not.
I'd expect my OS to provide an api for the browser.
More proof that Mozilla have lost the plot: Building a secure browser that uses the desktop / system GUI settings and the OS communication stack. Having it that it can't run extra code/scripts from Internet except for sandboxed web page functionality.
-
Wednesday 21st March 2018 10:32 GMT teknopaul
DNS is hierarchical; there is no reason the world police should know about any lookups to .es or .uk. I'm sure they are interested in .ru and .cn but neither is that their business.
It's important _users_ can choose who they trust. Not Mozilla.
This will lead to tit-for-tat changes in Chrome, Safari, Yandex browser and others until finally the Internet has DNS lines drawn exactly along national lines and you will need a passport to get out.
-
Wednesday 21st March 2018 11:32 GMT arobertson1
I’m a self proclaimed security and privacy nut job - I have never trusted DNS as it’s too easily manipulated and tampered with. Currently I use DNSCrypt and DNSSEC. DNSCrypt resolves with OpenDNS and is now owned by Cisco. Since Firefox 57 DNSSEC has stopped working as it was an addon and an extension was never developed for Quantum. However, DNSSEC is still working with Opera Developer.
I don’t have a problem with Cisco knowing all the websites that I visit as I’m not expecting DNSCrypt or DNSSEC to offer anonymity - use Tor if you require anonymity. There is *no difference* between using your ISP’s DNS resolver or Google or OpenDNS or Cloudflare - at the end of the day they can see which websites you have visited.
Where DNSCrypt and DNSSEC become useful is:
1) It’s encrypted! Ordinary DNS is not. This prevents simple network traffic sniffing. How many times do you think your local coffee shop has had someone sniff the traffic? And if your DNS requests are not encrypted... Well they at least know which websites your device is accessing - kind of makes it easier to use social engineering attacks if they know which bank you use wouldn’t you say?
2) It stops your ISP from auto logging your web usage and selling it to advertisers. Regardless of whether you pay for the service or not they are selling your usage details to 3rd parties with or without your knowledge. If on the other hand all that appears is DNS resolver blah, blah, blah Cloudflare then it’s not much use to them. Bear in mind your ISP also knows your phone number, email address, physical address, your bank / card details, your date of birth etc. An alternative DNS provider only knows your IP address.
3) It prevents man in the middle attacks and cross site forgeries. If you cannot break the encryption then you cannot inject code - currently there is nothing to stop this with ordinary DNS.
4) It stops ISP’s from injecting code - such as advertising and tracking (particularly mobile). It was not that long ago that “Super Cookies” were used which tracked all users. Encrypted DNS stops this.
5) Cisco / OpenDNS actively block bad web sites at source and will not resolve them preventing malware attacks. Isn’t it far more useful to prevent malware at the source rather than having antivirus software try to deal with it after it has downloaded?
6) DNSSEC helps to prevent cache poisoning and because it relies on digital signatures it can tell whether a DNS entry has been spoofed. It is an excellent way to detect whether you are actually at the genuine website or not - you will be surprised just how many websites are using cached versions rather than the real website. This prevents login credentials from being stolen.
Although they will not protect your privacy, the above reasons are so useful that I have often wished that DNSCrypt and DNSSEC were baked into the browser.
Am I bothered about Cloudflare gathering this data from Mozilla Firefox - not really as *DNS has never been anonymous nor will it ever be*. Use Tor if you want that.
As ever the devil is in the detail, but if Mozilla would care to outline how they are implementing this and if this looks like a combination of DNSCrypt / DNSSEC all rolled into one then I personally will be using it, as the security benefits are massive - this technology could be used to prevent DDoS attacks, stop malware, prevent man in the middle attacks, verify genuine websites, prevent phishing, stop credential theft, prevent cross site scripting… Why wouldn’t you want that? It’s been a long time coming and DNS definitely needs improving - kudos to Mozilla for leading the way and I would expect Google will follow shortly and do the same with Chrome too.
-
Wednesday 21st March 2018 12:24 GMT Ben Tasker
> As ever the devil is in the detail, but if Mozilla would care to outline how they are implementing this and if this looks like a combination of DNSCrypt / DNSSEC all rolled into one then I personally will be using it,
The answer is in the article.
It's DNS over HTTPS - https://tools.ietf.org/html/draft-hoffman-dns-over-https-01
So you've got on-the-wire encryption (courtesy of HTTPS) to your resolver. The far end could, at its simplest, be a translation proxy to a traditional DNS server: read the HTTPS request and send a UDP DNS query.
As far as DNSSEC within DoH goes, AFAIK that's down to the recursor you use. They can validate DNSSEC and include a flag to note that it validated correctly, or they can just not bother. I may be wrong, but I don't think the browser itself currently supports verifying DNSSEC on the returned records.
> kudos to Mozilla for leading the way and I would expect Google will follow shortly and do the same with Chrome too.
It doesn't appear to be in Chrome yet, but Google are ahead in the sense that they offer DNSSEC validating recursors over DoH already: https://developers.google.com/speed/public-dns/docs/dns-over-https
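As an added illustration of the two points above (on-the-wire encryption to the resolver, and the DNSSEC "validated" flag set by the recursor rather than the browser), here is example code that is not from the comment, Mozilla or Google: it builds a DNS wire-format query, wraps it the way a DoH GET request carries it (base64url in the dns= parameter, the form standardised in RFC 8484, which the linked draft evolved into) and parses a constructed reply to read the AD bit. The resolver URL and the function names are placeholders of mine.

```python
import base64
import struct

# Added example, not code from the comment, Mozilla or Google. Builds a DNS
# wire-format query, wraps it as a DoH GET request (RFC 8484 form) and parses
# a constructed reply to read the AD (Authenticated Data) bit that a
# validating recursor sets. DOH_URL is a placeholder, not any real service.

DOH_URL = "https://doh.example.invalid/dns-query"  # placeholder endpoint

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query with RD set and AD set to ask for the AD bit
    (RFC 6840 section 5.7). The ID is 0 as RFC 8484 recommends, so that
    HTTP caches can reuse the reply."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, base_url: str = DOH_URL) -> str:
    """GET form: base64url without '=' padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Read the header flags and any A records; 'ad' is the recursor's
    claim that the answer validated under DNSSEC."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:             # A record
            addresses.append(".".join(str(b) for b in rdata))
    return {
        "id": txid,
        "is_response": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "addresses": addresses,
    }


def constructed_response(query: bytes, ip: str = "192.0.2.1",
                         validated: bool = True) -> bytes:
    """Constructed sample reply (not captured from a real resolver): echoes
    the question and answers with one A record. AD is set only when the
    recursor claims to have validated the answer."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    question = query[12:]
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr
```

The AD bit is only as trustworthy as the authenticated HTTPS channel to the recursor that set it, which is the point above: validation happens at the recursor, and a client that does not validate itself is trusting that recursor's word.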
-
Wednesday 21st March 2018 13:43 GMT arobertson1
The details that I was curious about include the cipher used (hopefully not RC4), the key length and also (more importantly) what happens when the encrypted DNS request fails - does it just default to ordinary DNS? If so, then surely this could become a downgrade attack? How would the user be made aware of this in a meaningful way without inducing panic or for that matter not resolving any web page at all - that's a tricky one for Mozilla.
-
-
Wednesday 21st March 2018 19:24 GMT the spectacularly refined chap
Where DNSCrypt and DNSSEC become useful is:
1) It’s encrypted! Ordinary DNS is not.
Neither is DNSSEC. You would have known that even if you read the article. DNSCrypt is but is nonstandard and brings massive performance costs, both through TCP dependency and the default/recommended non-caching client-side trim which is frankly retarded to the point it itself makes me suspicious: why does my DNS provider need to see evidence of every single connection to every single site?
2) It stops your ISP from auto logging your web usage and selling it to advertisers.
To some extent with multihomed sites and assuming deep packet inspection (DPI) is not in use. If either of those assumptions break down the assertion is meaningless. It is anyway strictly speaking since a DNS request is not evidence of specifically web traffic.
3) It prevents man in the middle attacks and cross site forgeries. If you cannot break the encryption then you cannot inject code - currently there is nothing to stop this with ordinary DNS.
You do understand what DNS actually does, don't you? It does absolutely nothing to protect a connection once established. With DNSCrypt you are still vulnerable to MITM because of the way it gets the address in the first place, the only difference is you have moved the weak point.
4) It stops ISP’s from injecting code - such as advertising and tracking (particularly mobile).
Done via DPI, it doesn't work on a DNS level for reasons I can't be arsed explaining on my phone keyboard.
5) Cisco / OpenDNS actively block bad web sites at source and will not resolve them preventing malware attacks. Isn’t it far more useful to prevent malware at the source ...
Right, so you clearly don't understand even the role of DNS. The baddies can still contact YOU and you can respond without a DNS request. You can still contact them via IP address: the really dodgy sites tend to be linked to in that very manner.
If you want to describe yourself as a "privacy nut" and proffer advice it would help to understand even the basics of computer networking.
-
-
Wednesday 21st March 2018 16:25 GMT Anonymous Coward
Off-path
"Sending information about what is browsed to an off-path party will erode trust in Mozilla due to people getting upset about privacy-sensitive information ... getting sent to an off-path party without explicit consent ..."
Errm... https://wiki.mozilla.org/Security/Safe_Browsing.
(to completely disable the thing requires changing about half a dozen settings in about:config)
-
Friday 23rd March 2018 14:03 GMT Warlord-Lestat
how can you believe in Mozilla when they are...
... discriminating against their target user group (geeks and nerds) since 2013 by removing features to support simple users only (because of Mozilla's unhealthy addiction to battling Chrome, no matter what).
There is zero guarantee that Mozilla - who shamelessly betrayed their own users - will not also fall into the back of their new beloved user group (simple/Chrome users).
Mozilla is even worse than Google in their mentality today. Same as Opera, who are the same betrayers. Enough reason to stay FAR away from those sell-outs!
At that point, believing in what Mozilla spits out to the public is like playing Russian roulette!