Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Firefox Security

Firefox Extends Privacy and Security of Canadian Internet Users With By-default DNS-over-HTTPS Rollout in Canada (mozilla.org) 108

In a few weeks, Firefox will start the by-default rollout of DNS over HTTPS (or DoH for short) to its Canadian users in partnership with local DoH provider CIRA, the Canadian Internet Registration Authority. From a report: DoH will first become a default for 1% of Canadian Firefox users on July 20 and will gradually reach 100% of Canadian Firefox users in late September 2021 -- thereby further increasing their security and privacy online. This follows the by-default rollout of DoH to US users in February 2020. As part of the rollout, CIRA joins Mozilla's Trusted Recursive Resolver (TRR) Program and becomes the first internet registration authority and the first Canadian organization to provide Canadian Firefox users with private and secure encrypted Domain Name System (DNS) services.
This discussion has been archived. No new comments can be posted.

Firefox Extends Privacy and Security of Canadian Internet Users With By-default DNS-over-HTTPS Rollout in Canada

Comments Filter:
  • by CaptSlaq ( 1491233 ) on Thursday July 08, 2021 @12:39PM (#61562869)
    I'm unclear how DNS over HTTPS will help. Someone always gets the DNS request, and it must be read and serviced. This just means that the people running the servers at CIRA have access to that information, doesn't it?
    • Re: (Score:3, Insightful)

      by halltk1983 ( 855209 )
      Yes. It means CloudFlare or similar can track you individually everywhere with individual device IDs instead of your ISP and phone provider each being able to see part of it at the household or device level, and they can share it with, or sell it to, everyone. But hey, the coffee shop employees that don't have time to look can't see the contents of your DNS query, so definitely more secure, right?
      • by ArmoredDragon ( 3450605 ) on Thursday July 08, 2021 @01:27PM (#61563057)

        If your DNS queries are in the hands of somebody other than who your traffic is being routed through (whether that is your ISP or a VPN provider) then there's a lot less that they can glean about your usage habits.

        The traffic carrier just sees IP addresses and mostly encrypted traffic (unless you frequent non-tls protected sites and don't use extensions like HTTPS everywhere) which is basically useless given the way CDNs share IP addresses among multiple sites.

        The DNS provider just sees which sites you request an IP address for, but they don't know anything like how long you visited the site, whether it was just to fetch a single resource or several, etc. For example, they can't likely tell whether you went to Facebook, or you just visited another site that has a stupid like button on it that you just ignored. So on its own, not terribly useful, though the info that can be gleaned is so minimal that it's not likely to be worth anything to marketers unless they could somehow tie a physical address to your IP address.

        However, if you combine the two, you can glean a fair bit of info that marketers will like, encrypted or not. For example, are you spending a lot of time at Zillow? If so, realtors and lenders would gladly pay to know who you are. ISPs can also tie this to your billing address. They can and do monetize this in some countries. This is why they generally hate the idea of web browsers including DoH by default.

        • The initial HTTPS session established presents the hostname unencrypted, that's how you can have multiple websites on a single IP address, until TLS1.3 gets wide adoption *and* sysadmins know to enable the features *and* browsers use them. Then, just tracking the ports on each side of the connection will let you know at least how much traffic is sent and pulled from what hostname. They absolutely know how long you visited the site, because either the established session maintains on the established ports du
        • by MeNeXT ( 200840 )

          The ISP that cares enough to track you can easily implement a DoH request for every new IP you wish to visit. If the response generates a successful request they can then block that IP and your browser will revert to their provided DNS. If you don't trust your ISP use a VPN to a trusted network.

          DoH just monetizes DNS for a select few.

          • by dveditz ( 11090 )
            An ISP can disable Firefox DoH by simply blocking the canary domain [mozilla.org] we created for that purpose. That's discoverable though. An ISP going that route had better be sure that's what their paying customers want. DoH as implemented prevents passive undetectable surveillance by your ISP and forces them to make DNS tracking explicit. You could also turn on a strict mode that will "fail safe" in that case, but that's not the default.

            DoH just monetizes DNS for a select few.

            You lost me here.

            • by dskoll ( 99328 )

              Thanks for that. I will configure my Pihole box to block the canary domain use-application-dns.net. I do not want DNS-over-HTTPS forced on me.

              • by dskoll ( 99328 )

                Oh, look at that! Pi-Hole already does that.

                # Prevent Firefox from automatically switching over to DNS-over-HTTPS
                # This follows https://support.mozilla.org/en... [mozilla.org]
                # (sourced 7th September 2019)
                add_dnsmasq_setting "server=/use-application-dns.net/"

            • by sabri ( 584428 )

              An ISP going that route had better be sure that's what their paying customers want. Did you ask your paying customers what they want?

              No. Because if you did, it would be opt-in.

              Fuck you, and fuck Firefox.

      • by dveditz ( 11090 ) on Thursday July 08, 2021 @01:35PM (#61563107)
        So far four resolvers have agreed to meet the Mozilla policy requirements for trusted resolvers [mozilla.org]. Privacy requirements are the main part of that policy, so no, CloudFlare and the others can't share or sell your data without breaching that agreement. Our lawyers are not afraid to defend privacy [wikipedia.org] when necessary.
        • Re: (Score:3, Insightful)

          You just admitted that the only real protection mozilla offers is that which mozilla's lawyers can make stick. The HTTP/S wrapped around DNS is merely an excuse to stick more HTTP/S everywhere (like it's XML), and only shuffles the problem around. It also takes more power away from the end-user, who typically relied on the recursors offered by his ISP.

          So from the benevolence of your ISP, whom you are paying so they are selling you out, to the benevolence of mozilla and its friends, whom you are not paying (

          • by dveditz ( 11090 )
            That's not the "only" protection, no. It was the one relevant to the comment I was responding to, about how the Mozilla-chosen resolver differed from their default DNS provider. The HTTPS part protects against passive surveillance on the wire and active redirection attempts, and that protection comes from from math, not lawyers.
            • Math as interpreted by people with "programmer" restrictions on their driver's licence. Heartbleed, anyone? Moreover, it takes away the assurances that DNSsec might give you (as broken as that is). And the only real protection you have against MITM is... that the SSL certificate issuers don't give the wrong kind of certificate to the wrong kind of people. As discerned by those same issuing companies. According to their own criteria, not even state law.

              I have a hard time discerning whether your attempts at r

              • by dveditz ( 11090 )

                I have a hard time discerning whether your attempts at reassurance are wilfully disingenious or misguided. I'm going to go with Hanlon's razor. You still think DoH is a good idea, after all.

                I do. I don't think its a perfect solution, but it's a good one that adds privacy and security improvements that will prevent real, documented abuses, and can be made functional on today's internet with reasonable tradeoffs.

                PKI problems are a separate mess, which obviously impact DoH but more importantly everything else. There have been a lot of improvements there, too, over the past few years in policy and enforcement. For example, CAs are now required to publish certs in auditable CT logs, and errors a

        • Is that anything like when CloudFlare promised not to use 1.1.1.1 for anything other than research projects?
          • by dveditz ( 11090 )

            Did they make that promise in a legal agreement with another company?

            Ultimately for a free market to work someone has to hold companies to account for the claims and promises they make. We have a long history that shows a fair number of people are happy to rip customers off with whatever false promises they can get away with. If you're unhappy that companies are getting away with fraud you should demand that your representatives fix that.

    • by Anonymous Coward

      So, Firefox is going to hijack my DNS and force me to use what *THEY* want rather than what *I* want.

      This is just more of the same old bullshit. "In order to be free you must allow us to be in complete control".

      • They are not forcing anything. It can be turned off.

        • And the DNS request is made on the server you select in your router or IP settings, nothing to do with Firefox.

          • AFAIK, that is not true. about:config does contain settings for which server to use for DoH. And the whole point is to circumvent the DNS server e.g. the ISP's router set for you. So what you are saying would make zero sense against that.

        • by QuietLagoon ( 813062 ) on Thursday July 08, 2021 @01:04PM (#61562955)
          It should be opt-in, not opt-out.
          • > It should be opt-in, not opt-out.

            Just ask the user on upgrade. There are too many pros and cons to pick a default.

            • I'm OK with asking the user on upgrade. For me, that is a close equivalent to "opt-in." What it should not be, however, is automatically turning it on without presenting to the user that is has been turned on, and the user having the option to stop it from being turned on. Mozilla has a history of doing things like that, the "we know better than you what you want" approach (one time turning on telemetry during an update without me knowing), and I view such behavior as a significant privacy breach.
      • by PPH ( 736903 )

        It appears that you can turn it on or off. And you can enter your preferred DoH provider. According to this: https://cleanbrowsing.org/guides/configure-dns-over-https-doh-firefox/ [cleanbrowsing.org] Although I am going to hold out for the dirtybrowsing.org option.

    • by fred6666 ( 4718031 ) on Thursday July 08, 2021 @12:57PM (#61562933)

      If you are on a public hotspot, hotel or whatever, it means nobody between you and the DNS server will be able to sniff your DNS requests.

      At home, or on a network you trust, the benefit is less clear. It depends if you trust Cloudflare/NextDNS/CIRA more or less than your ISP. You are free to select your own DoH provider.
      If you do not trust your ISP, it make sense to encrypt as much stuff as possible, including DNS requests.

      • by hjf ( 703092 )

        Not only sniff. The thing with DNS is that anyone can HIJACK it. Just redirect te request at router level, and boom - you're served a different website, unlesss the domain owner used HSTS.

      • I have a pi-hole that uses DoH for its upstream server. If Firefox were to talk to the DoH server directly, it would circumvent my pi-hole blocking.

        • if you can configure your own pi-hole surely you can configure firefox as well to use your DNS server.

        • by dskoll ( 99328 )

          Recent (>= ~2019) versions of Pi-Hole block the canary domain used by Firefox, thereby disabling Firefox's use of DoH.

      • by MeNeXT ( 200840 )

        If you are in a public hot spot that monetizes DNS then DoH will be blocked. You are the product. They can just test the IP you request for DoH and if they have a successful response they just block it.

        • If you are in a public hot spot that monetizes DNS then DoH will be blocked.

          Maybe at some point, but the point is currently, we do not know if they are doing that, and if they do, DoH is a simple thing to enable and is worth it.
          The other option is to use a full VPN, which is usually not free, not reliable, or not trusable, except if you run your own.

          They can just test the IP you request for DoH and if they have a successful response they just block it.

          Then I hope Google, Facebook, and other majors send a successful response. Good luck blocking half the Internet.

    • I'm unclear how DNS over HTTPS will help. Someone always gets the DNS request, and it must be read and serviced. This just means that the people running the servers at CIRA have access to that information, doesn't it?

      It means you get to choose who sees your DNS requests instead of every router owner along the way.

      • Every router owner?

        It's called DNS over TLS.

        Going over HTTPS is batshit insane, and can only come from people who come up with bad wheel reinventions like WebSockets and entire OSes running as applications inside other OSes, aka "modern" browsers.
        Why not go all the way, and do DNS over JSON over HTTPS over TCP over IP over webSockets over HTTPS over TCP over actual sockets? Maybe with JSLinux somewhere in-between. And put our pants on our hats and toot a funnel while jumping like we're in the house that sen

        • Re: (Score:3, Interesting)

          DNS over HTTPS has the advantage of being harder to block because it uses a port and transport protocol which must usually be allowed for a network connection to be useful. You could use DNS over TLS on port 443, but this would clash with many middle-boxes. DNS over TLS on any other port is easily blocked, and with a fallback to plain DNS, that would defeat the purpose. The problem here isn't the protocol. The problem is that a browser overrules the OS, and that it does that by default.
          • The right way to do this - along with everything else like certificate checking, etc, is to delegate it to a separate application.

            Firefox, the browser (all browsers), should have none of this, possibly not even HTTPS.

            It should then talk to a "proxy" on the local box (this can be bundled with firefox and started by default)

            That way there is a single place to configure all of these security settings and changing browser doesn't change how things are configured.

            The "proxy" on the local box can then potentially

          • The problem with everything jumping on "use HTTPS because it's harder to block" is that all the bad stuff out there is doing the same thing.

            If knowing who on your network was talking to what was designed into the system from the start then many of these apps that steal credentials would be found very quickly.

    • I'm unclear how DNS over HTTPS will help. Someone always gets the DNS request, and it must be read and serviced. This just means that the people running the servers at CIRA have access to that information, doesn't it?

      Maybe Firefox (et al) need to implement a round-robin / random DNS query scheme that works with the user's DoH or regular DNS option selection. The browser can switch between a list of DNS servers so each only gets a part of your history...

    • Someone always gets every piece of information whenever you do anything. That doesn't automatically mean you trust *everyone* equally.

      Alice trusts Bob, but not Eve.

    • by sconeu ( 64226 )

      Exactly. WTF is wrong with DNSSEC?

      • by fahrbot-bot ( 874524 ) on Thursday July 08, 2021 @01:48PM (#61563159)

        Exactly. WTF is wrong with DNSSEC?

        Nothing, but it addresses different aspects of DNS security than DoH.
        From DNS Security: Threat Modeling DNSSEC, DoT, and DoH [netmeister.org]:

        But DNSSEC doesn't protect against all of the threats noted above. Specifically, DNSSEC only addresses the question of data integrity and authenticity, but does not in any way concern itself with the aspects of confidentiality.

        Presumably, the DoH servers could implement DNSSEC ...

        I'm not supporting DoH, just commenting. I'm actually not in favor of my browser using a different DNS source than my OS -- you know, the old "Someone with one watch knows the time, someone with two is never sure" thing ...

        • by sconeu ( 64226 )

          My bad. I get it. DNSSEC is vulnerable to metadata attacks, since it's clearly a DNS request, while DoH appears to be innocent HTTPS traffic.

          I thought, however that DNSSEC was encrypted, and so "they" can tell that you're DNS'ing, but not what you're DNS'ing.

          • by jonwil ( 467024 )

            DNSSEC is not about encryption.
            DNSSEC is about digitally signing DNS records so that you can detect if they have been tampered with by the owner of whatever DNS server you are talking to.

    • It helps privacy by ensuring only google get the benefit of collecting and sharing your information for profit.
    • It helps only in that man-in-the-middle monitoring becomes more difficult. It makes a wealth of data available to the managers of the DNS servers, who are very likely to harvest and sell that data.

  • One could make many arguments why what Firefox is doing is less secure and potentially opening person to privacy breaches or single point of failure.

    Let me handle my own damn DNS my way, I don't need a goodie-goodie company trying to cram their ignorant worldview and way of doing something down my throat.

    • Let me handle my own damn DNS my way

      And what makes you think you can't do that with Firefox?
      Not everybody likes the default option. You can still use your OS DNS server if you want.

    • One could make many arguments why what Firefox is doing is less secure and potentially opening person to privacy breaches or single point of failure.

      Such as...?

      Me? I know my way around a router configuration and I can't think of any.

    • Re: (Score:2, Informative)

      by thegarbz ( 1787294 )

      One could make many arguments why what Firefox is doing is less secure and potentially opening person to privacy breaches or single point of failure.

      By offering the user the ability to use DNS over HTTPS in a completely optional way?

      Let me handle my own damn DNS my way

      You do you man. You have that power. Firefox is here for you with ample configuration options to do whatever you want. Don't want DoH, happy with your ISP harvesting every DNS request and selling it to anyone with a credit card, don't use it. Just don't spoil positive developments for the rest of us.

      • wrong, it's by default, and hard to charge for most, and might not even be a choice in future, depending on mood of Mozilla.

        You're shilling for a bad thing that we don't want.

        • wrong, it's by default, and hard to charge for most

          If you want to compare the nefarious world around you then "default and hard to charge [sic] for most" is to use your ISP's DNS resolver, and your ISPs if you are in the USA has flat out sold your data wholesale without at least anonymising it. They have admitted it multiple times.

          I'll take my "wrong" over whatever you think is "right", as clearly "wrong" is better for privacy for most. Your entire post is predicated on "handling DNS your own way" so if someone is unable to manage the default here then the

    • Let me handle my own damn DNS my way, I don't need a goodie-goodie company trying to cram their ignorant worldview and way of doing something down my throat.

      The problem though is you're not smart enough to configure your own DNS so firefox has to do it for you. If you were smart enough you'd know some of the many ways to configure it so firefox uses it.

      • You seem to be confused, I'm talking both about the annoyance firefox makes for expert like me and the risks for the common person. Dumb asses like you that just take it in the ass from Mozilla are the problem.

        • You seem to be confused, I'm talking both about the annoyance firefox makes for expert like me and the risks for the common person.

          Did you fail to read your own post or something? You said:

          Let me handle my own damn DNS my way,

          They do. You can set it to always use the system resolver or Firefox's DOH resolver. You can easily make it default to DoH, but use the system resolver on your home network.

          They do let you handle it your own way. So what you are complaining about literally does not exist. So I can only

  • Wasn't DNS designed to be distributed? This is exactly opposite of the original design of the internet... This is worse than the constant merging of corporations into one big monopolistic behemoth. Instead of an interconnected network, we are working toward a single DNS, single CDN, and single cloud host... This is just great.

    -Don't put all your eggs in one basket, etc.
    • Wasn't DNS designed to be distributed?

      Um, yes, many people have a copy of the DNS data, it's distributed.

      OTOH you have to put a specific DNS server IP address in your IP settings. You always use the exact same address that's configured there. If that server goes down you're screwed.

      (OK, normally you put a backup server address, too, but if both of them go down then you'll have no DNS)

    • Wasn't DNS designed to be distributed?

      What about this isn't distributed? DoH works no differently than DNS in the way it's distributed. It has primary servers, and fallback servers, and if the servers don't have the information you requested they pass it up the chain. Heck the action is even more configurable and more distributed (look up Trusted Recursive Resolvers).

      This is worse than

      Let me stop you right there. Since you don't seem to understand how DoH works you have no basis for declaring it worse or better than anything. Do some research before your next co

  • Not Cool. (Score:2, Insightful)

    That's actually bad news.
    It doesn't increase privacy. What it does increase is dependency on a single entity.
    They're redirecting queries to their partners while bypassing the local DNS configuration.
    Mozilla centralizes the net. Not cool.

    • Hey they are just trying to keep up with Google in the centralized internet category. Hell google even wants to move _your_ passwords onto their centralized systems now...

      -This won't end well.
    • What it does increase is dependency on a single entity.

      It does nothing of the sort. You're 100% allowed to set whatever server you want as your DoH resolver or you can disable it altogether. Or hell run your own DoH server. This is Slashdot. Linux that motherf***er, and prove to us you deserve to not have your geek card revoked after your post.

  • by Arnonyrnous Covvard ( 7286638 ) on Thursday July 08, 2021 @01:16PM (#61562997)
    The browser is not the OS. If you want people to use DNS-over-HTTPS, provide a resolver they can install and use for all their DNS needs. I'll have to put Firefox in a jail with a decrypting ALG as its only way to communicate with the world if it keeps second-guessing my OS setup. The list of "innovations" I have to turn off to make Firefox tolerable is getting too long.
    • as its only way to communicate with the world if it keeps second-guessing my OS setup.

      Or just disable DoH if you're so hell bent on using your OS's resolver. The option is right there, no need to go all stupid with rage. The Windows 10 fast ring has support for OS level DoH. As does Linux via various clients.

      You have the power. You have more options than ever. Instead of complaining, RTFM and embrace all the additional options you have at your fingertips.

      • The usual progression is:

        1) add it to the browser but disable it,
        2) create an UI option to enable it but leave it disabled by default,
        3) switch it from default-off to default-on,
        4) remove the UI option but leave the about:config option,
        5) remove the choice altogether.

        We are now at stage 3. I am well aware that I can still turn that usurpation of DNS resolution off, but it won't stay that way. And besides that, it sets a bad precedent. I absolutely do not want every "app" to come with its own DNS resol

    • Exactly. This will be a security nightmare for big organizations.
      Every damn browser will circumvent their DNS.

      Oh wait, Firefox already committed suicide!
      Nevermind

      • by jonwil ( 467024 )

        Corporations will be running their own DNS server (usually) and can easily have that server return the valid canary domain record which will cause Firefox to disable DoH.

        Oh and people running a pihole or other similar thing could also implement the canary domain and turn off DoH across all the machines on that network.

    • by GlennC ( 96879 )

      You can simply disable the feature if you're that upset about it.

      As an alternative, you can set the DNS over HTTPS provider to 127.0.0.1 in about:preferences if it isn't too much of a problem for you.

  • coffin lid. Selling the DNS data of those who don't know enough to turn it off. Tick Tick Tick Expect the sell out to the advertising/marketing company to come soon.
    • Selling the DNS data

      I know. Everything went downhill when Linux went closed source and BSD implemented systemd. https://wiki.mozilla.org/Secur...

  • It's quite easy on Linux.
    Install bind,
    don't set it to forwarding or anything other than resolving things itself, which I think is the default,
    set it so only localhost can access it (may be the default too),
    enable the init script,
    set your DHCP client to ignore any DNS servers it is given,
    and put "nameserver 127.0.0.1" and nothing else into /etc/resolv.conf.

    If you run systemd, you need to switch to GNU first, of course.

  • by Retired ICS ( 6159680 ) on Thursday July 08, 2021 @01:44PM (#61563135)

    Of course, one can always (and should by default) disable remote configuration capabilities if you do not want "just any unwashed miscreant" changing your configuration without permission. There is an option in Firefox to disable "remote configuration" diddling, and it works quite well.

  • by chrisvdb ( 149510 ) on Thursday July 08, 2021 @01:58PM (#61563189)

    Judging from the comments, quite a few of you are skeptical about the usefulness. I have a different perspective based on my work experience.

    I used to work for a large telco in the APAC region (100s millions of users in multiple countries) where I was part of the team that developed a system to mine as much data as possible from users: location data (triangulation), call records, web data. From this data individual profiles were created which were then (only) sold in an aggregated/anonymized way (things might have changed of course). The tools we developed were licensed to telcos all over the world.

    Analyzing DNS requests was definitely part of the arsenal of tools used for HTTPS requests (other techniques are connecting to the server and analyzing the certificate presented).

    In my opinion, Firefox's DNS over HTTPS will at least partially help against this type of unwarranted snooping by telcos.

    • I don't care if they snoop on me. Granted, I'm a security person; I have always known how insecure the internet is.

      I take no special precautions to protect my privacy, because quite frankly, almost nothing I do online requires privacy. I do require *security*, _sometimes_, such as for completing financial transactions or submitting sensitive information (tax records, etc). But for 99% of what I do? I don't care who sees it or who's making money off it. The only risk there is to me is of potentially getting

      • by tepples ( 727027 )

        almost nothing I do online requires privacy.

        Until someone runs a fishing expedition that implicates you in a crime that you didn't commit. A hostile law enforcement agency can more easily establish guilt by association if you don't use basic privacy measures. Or an insurer can buy your interests, deem you a risk based on those interests, and give you a quote that's high enough to be considered a "go away" quote.

    • by MeNeXT ( 200840 )

      It's useless for the purpose of hiding DNS queries from unscrupulous ISPs.

      https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

      Is this a tech forum? Google also provides countless how-tos for the complete clueless. How hard would it be for you?

      The true benefit for DoH has nothing to do with protecting the user. The true benefit is monetizing DNS requests.

  • I have a script on my pi-hole resolving random hosts to different DNS servers all day long. I block dns queries to hard-coded servers on my IoT vlan, and manage them on all other vlans. I like my system better than any of the other alternatives, and I imagine there are less paranoid reasons to keep from using dns-over-https.

    • by MeNeXT ( 200840 )

      It will only break shit for people who are ignorant. You can disable it for your whole network.

      https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

      The same way that any ISP can. This is just a means to monetize DNS.

      • Following your link and supporting documents you come across this gem:

        Note: The canary domain only applies to users who have DoH enabled as the default option. It does not apply for users who have made the choice to turn on DoH by themselves.

    • by dskoll ( 99328 )

      If your pi-hole is recent (newer than ~2019) it already blocks the canary domain and disables DoH on Firefox.

  • by making it easier to capture and circumvent in a single place.

    Yes, your ISP may be making money off of your traffic. But at least they aren't turning it into a vendor lock-in device for the whole Internet.

    DNS over HTTPS lowers web performance, breaks compatibility with existing services (like CDNs), doesn't support private DNS records, doesn't do end-to-end integrity checking (ala DNSSEC), increases the likelihood of failure, and provides a much larger target for attackers to sniff or compromise the recor

We are each entitled to our own opinion, but no one is entitled to his own facts. -- Patrick Moynihan

Working...