posted by martyb on Sunday September 08 2019, @10:18PM
from the Who-do-YOU-trust? dept.

Firefox is enabling DNS-over-HTTPS (DoH) for some users starting this month, and it will use Cloudflare by default:

DoH (IETF RFC8484) allows Firefox to send DNS requests as normal-looking HTTPS traffic to special DoH-compatible DNS servers (called DoH resolvers). Basically, it hides DNS requests inside the normal deluge of HTTPS data. [Because DoH rides inside HTTPS, the queries are encrypted by TLS like any other web request. The related protocol DNS-over-TLS (DoT) also encrypts them, but on a dedicated port (853), which makes DoT traffic easy to recognise and block; DoH on port 443 is indistinguishable from ordinary web traffic unless the TLS is broken open.]

By default, Firefox ships with support for relaying encrypted DoH requests via Cloudflare's DoH resolver, but users can change it to any DoH resolver they want [see here].

When DoH support is enabled in Firefox, the browser will ignore DNS settings set in the operating system, and use the browser-set DoH resolver. By moving DNS server settings from the OS to the browser level, and by encrypting the DNS traffic, DoH effectively hides DNS traffic from internet service providers (ISPs), local parental control software, antivirus software, enterprise firewalls and traffic filters, and just about any other third party that tries to intercept and sniff a user's traffic.

Firefox Plans Controversial New Encryption Setting For Millions, And Update Starts This Month

A presentation from BT on the "Potential ISP Challenges with DNS over HTTPS" earlier this year listed as potential concerns that DoH will reduce the ability to derive cybersecurity intelligence from malware activity and DNS insight, open new attack opportunities to hackers, and result in an inability to [fulfill] government-mandated regulation or court orders. And so the change will foster serious debate. [...] The U.S. is first, but the rest of the world will follow. A spokesperson for the U.K. Internet Services Providers' Association told me that "the debate on DNS over HTTPS (DoH) is evidently a topic that polarizes opinion. However, our position is clear. ISPA believes that bringing in DoH by default would be harmful for online safety, cyber security and consumer choice."

DNS-over-HTTPS is the next default protection coming to Firefox

Mozilla will be rolling out DoH in what it calls "fallback mode" later this month. This means that if domain-name lookups using DoH fail, Firefox will revert to using the default operating system DNS. Similarly, if Firefox detects that parental controls or enterprise policies are in effect, Firefox will disable DoH.
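To make the mechanism in the quoted passages concrete, the following is an added example (not code from Mozilla, Cloudflare or the articles quoted above). It builds an RFC 8484 query by hand, shows the GET encoding the protocol uses (the POST form is noted in a comment), parses a reply, and models the "fallback mode" behaviour with pluggable transports so that the DoH-first, OS-DNS-second ordering can be seen without a network. The resolver host is the placeholder used in RFC 8484 itself, and the reply message is constructed for the example.

```python
"""RFC 8484 DNS-over-HTTPS wire format by hand: added example, stdlib only, no network."""
import base64
import struct
from typing import Callable, List, Tuple

RESOLVER = "https://dnsserver.example.net/dns-query"  # placeholder host from RFC 8484
DOH_MEDIA_TYPE = "application/dns-message"           # Content-Type/Accept for the POST form

def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Recursive query (default type A). RFC 8484 section 4.1 recommends ID=0 so
    identical questions produce byte-identical, HTTP-cacheable requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form (RFC 8484 section 6): the wire message base64url-encoded, padding removed.
    The POST form instead sends the raw message as the body typed DOH_MEDIA_TYPE."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"

def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after it). Pointer
    hops are capped so a hostile reply cannot send the parser into a loop."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_a_records(reply: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section; raise on a non-zero RCODE."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        _, off = _read_name(reply, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(reply, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in reply[off:off + 4]))
        off += rdlen
    return addrs

Transport = Callable[[bytes], bytes]  # sends one wire query, returns the wire reply

def resolve_with_fallback(name: str, doh: Transport, os_dns: Transport) -> Tuple[str, List[str]]:
    """Fallback mode as described above: the browser-configured DoH resolver is tried
    first (OS DNS settings ignored); only if that fails does the query revert to the OS."""
    query = build_query(name)
    try:
        return "doh", parse_a_records(doh(query))
    except Exception:  # unreachable resolver, blocked connection, garbage reply...
        return "os", parse_a_records(os_dns(query))

# Constructed reply (not captured traffic): NOERROR, one A record for
# example.com -> 192.0.2.1 (an RFC 5737 documentation address).
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

def blocked(query: bytes) -> bytes:  # stand-in DoH transport on a network that drops it
    raise ConnectionError("DoH resolver unreachable")

if __name__ == "__main__":
    print(doh_get_url(RESOLVER, build_query("www.example.com")))
    print(resolve_with_fallback("example.com", lambda q: SAMPLE_REPLY, lambda q: b""))
    print(resolve_with_fallback("example.com", blocked, lambda q: SAMPLE_REPLY))
```

Run directly, the first line printed is the GET URL that RFC 8484 gives in its own example for an A query for www.example.com, which is a quick way to check that a hand-rolled encoder is byte-correct. The next two lines show the same name resolved through the DoH transport, then through the OS transport once the DoH transport raises. The hop cap in _read_name is the caveat worth keeping: a reply whose compression pointer refers to itself would otherwise spin the parser forever, which matters when the bytes came from a resolver the user did not pick.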

  • (Score: 3, Interesting) by Runaway1956 on Monday September 09 2019, @09:21AM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Monday September 09 2019, @09:21AM (#891602) Journal

    Good point. Not all sites work as well with all browsers. At some point, you have to make compromises.

    As I've pointed out before, I have several browsers installed. Half a dozen Firefox derivatives, half a dozen more Chrome-likes, and a couple ancient oddballs that have their own peculiarities.

    Only one of those browsers has any persistent data in its settings. When I have to visit a financial page, I use that browser, so that I can access my long-ass passwords, etc. I don't use that browser to browse, to listen to videos, or much of anything else. It's there to deal with "official" sites. No other browser knows where to look for financial information, or those passwords, or even user names for those sites. What's more, using multiple browsers makes it more difficult to be fingerprinted, or tracked via other methods. I have little idea if my bank makes any attempt to track my browsing and shopping online, but if none of that data is contained within my browser used for banking, then that browser cannot give them that data.

    All of that may sound a bit paranoid, huh? Well, yeah, I think we have reason to be paranoid. If you aren't at least a 3 paranoid on a scale of 1 to 10, then you're not paying attention to the world around you. :^)

  • (Score: 3, Interesting) by legont on Monday September 09 2019, @06:45PM (1 child)

    by legont (4179) on Monday September 09 2019, @06:45PM (#891805)

    I use virtual machines for different purposes. For finance and such, I have a dedicated one that I use for nothing else. Even then, I don't trust my browser with passwords. I wrote my own little password generator many years ago and I use it. Not that it is better than others available, but I am protected by obscurity here.

    Other virtual machines I typically have are the main one for general browsing and work, and one for visiting dangerous places. The host OS is just lightly used - mostly to show something to the border agents.

    I do need a better DNS solution though.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2) by Runaway1956 on Monday September 09 2019, @07:38PM

      by Runaway1956 (2926) Subscriber Badge on Monday September 09 2019, @07:38PM (#891837) Journal

      mostly to show something to the border agents.

      I like that. ;^)