With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPs" (DoH) and Trusted Recursive Resolver (TRR). In this article we want to talk especially…
Article word count: 888
HN Discussion: https://news.ycombinator.com/item?id=17690534
Posted by chipsdujour
(karma: 22)Post stats: Points: 72 - Comments: 66 - 2018-08-05T09:53:49Z
With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPs" (DoH) and Trusted Recursive Resolver (TRR). In this article we want to talk especially about the TRR. They advertise it as an additional feature which enables security. We think quite the opposite: we think itʼs dangerous, and hereʼs why.
DNS? What is DNS?
The Domain Name System (DNS) is a service used in converting a computer’s host name or a Top-Level Domain (TLD) into an IP address. When you enter the domain of a website in your browser, you automatically send a request to the DNS server you have configured. The DNS server then looks up the host name and returns an IP address so your browser knows where exactly to connect to.
But here begins the problem. Not only your browser knows where exactly to connect to, but also the DNS server knows where YOU connect to. This must not be a problem in every case. Basically most of the ISPs have their own DNS server that is automatically configured. And your ISP knows where you connect to anyways. So the data or information generated by their DNS server provides no additional information to them.
Why would you replace your ISPʼs DNS server with another one?
There are a variety of problems with the DNS protocol ("the language of DNS"). DNS requests are usually sent unencrypted and potentially everyone between you and the DNS server can read your DNS requests. Mozilla is using a new technique to transport requests over https, which encrypts the data. That is generally speaking a good thing. However usually the DNS servers that you use are local DNS servers (from your ISP) and thus the attack vector (i.e. who can spy on you) is local.
Mozilla wants to override any configured DNS server with Cloudflare
So let’s get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). With the next Mozilla patch in September any DNS change you configure in your network wonʼt have any effect anymore, at least for browsing with Firefox, because Mozilla has partnered up with Cloudflare and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyoneʼs DNS requests.
From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don’t know, it is not true that this increases security in general.
It is true when you are somewhere in a network you don’t know, i. e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.
Sharing data with third parties bears risks
Single point of failure (SPOF)
If you are in IT, you have likely heard already about the SPOF, the single point of failure. If the SPOF breaks (like a router), the whole infrastructure will collapse. What Mozilla effectively does is adding a SPOF for all of their users. But the main problem is not that if cloudflare is down that nobody can surf anymore. No, the real problem is that it fully disables anonymity. Think about a whistleblowler who wants to send information to a newspaper. In the days before Mozillaʼs change, the DNS resolution was local and could be attacked. However with Mozillaʼs change, all DNS requests are seen by Cloudflare and in turn also by any government agency that has legal right to request data from Cloudflare.
Letʼs stop here for the moment and repeat: With Mozillaʼs change, any (US) government agency can basically trace you down.
If there is anything wrong with your government (for instance corruption, collusion or fraud) and you have information to publish about it, the government will be able to trace you down. This puts any whistleblower at risk.
What you can do is, you can configure your Firefox not to use this feature. However, it is configured to use the Cloudflare resolver as default. It’s up to you to decide, who you want to trust your data with. My local ISP seems more trustworthy to me than a big US-based corporate which acts under the guise of a selfless privacy rights defender.
HackerNewsBot debug: Calculated post rank: 70 - Loop: 20 - Rank min: 60 - Author rank: 22