Firefox 60 might get the ability to send all DNS queries to Cloudflare

What Martin Brinkmann didn’t write in his post is that the possible new feature in Firefox 60 isn’t there to secure the browser; it’s there to submit the telemetry directly to Cloudflare, which is, in my eyes, a no-go. This would act like a Man-in-the-Middle (MITM) in order to collect which pages you visited and would reveal far more information to Mozilla than Google ever did in Chrome.


Another Study in Firefox 60+

Daniel Stenberg & Patrick McManus are the owners of this study and they would have the data; it’s unclear whether those people can be trusted or not. Integrating such an option would cost Mozilla a lot of trust and would have the opposite effect: people would switch to another browser, and that’s what Mozilla doesn’t want.

It’s unclear whether it will ever be integrated into the stable releases, but telemetry has already made it into Firefox, so I think it’s only a matter of time until we see more of these things.

What does Trusted Recursive Resolver (TRR) really mean?

DNS headers reveal a lot about you: which pages you visit, among other meta-data. I see this as very critical, and it shouldn’t (in my opinion) be revealed to 3rd-party providers. The sad fact is that most, if not all, current implementations leak such sensitive information by default to some degree.

First of all, TRR is OFF by default. I can only warn you not to enable it, and I pray that it will never be activated under any circumstances.

The mechanism is currently optional. TRR offers resolution of host names using a dedicated DNS-over-HTTPS server; to do this, a server/domain that supports HTTPS is required. The TRR system manages a dynamic, persistent blacklist of host names that can’t be resolved over DoH but work with the native resolver.

Blacklisted entries will not be retried over DoH for a couple of days. “localhost” and names in the “.local” TLD will never be resolved via DoH. In other words, you would lose control over this blacklist since you can’t interfere with it, which also makes it impossible to block all telemetry or to change the blacklist mechanism! This is a big thing.
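To make the fallback and blacklist behaviour described above concrete, here is a small model of it in Python. This is an added example and not Firefox’s own resolver code: the DoH and native lookups are plain callables with constructed answer tables (RFC 5737 documentation addresses), and the blacklist duration is assumed to be given in seconds, mirroring the role of the network.trr.blacklist-duration preference without claiming its exact unit.

```python
import time

# Constructed sample answer tables (not real DNS data).
# "intranet.corp" deliberately resolves only via the native resolver,
# which is the case that lands a name on the TRR blacklist.
DOH_TABLE = {"example.com": ["192.0.2.10"]}
NATIVE_TABLE = {
    "example.com": ["192.0.2.10"],
    "intranet.corp": ["192.0.2.20"],
    "printer.local": ["192.0.2.30"],
    "localhost": ["127.0.0.1"],
}


class TrrResolverModel:
    """Toy model of the TRR fallback/blacklist logic described in the text.

    Assumptions (not from the page): doh_lookup(name) returns a list of
    addresses or None on failure; blacklist_duration is in seconds.
    """

    def __init__(self, doh_lookup, native_lookup, blacklist_duration):
        self.doh_lookup = doh_lookup
        self.native_lookup = native_lookup
        self.blacklist_duration = blacklist_duration
        self.blacklist = {}  # host name -> expiry timestamp

    @staticmethod
    def never_via_doh(name):
        # "localhost" and names under the ".local" TLD never go to DoH.
        name = name.rstrip(".").lower()
        return name == "localhost" or name.endswith(".local")

    def is_blacklisted(self, name, now):
        expiry = self.blacklist.get(name)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[name]  # entry expired: DoH may be retried
            return False
        return True

    def resolve(self, name, now=None):
        """Return (addresses, path) where path is 'doh' or 'native'."""
        now = time.time() if now is None else now
        if self.never_via_doh(name) or self.is_blacklisted(name, now):
            return self.native_lookup(name), "native"
        addrs = self.doh_lookup(name)
        if addrs:
            return addrs, "doh"
        # DoH could not resolve it: blacklist the name and use the native path.
        self.blacklist[name] = now + self.blacklist_duration
        return self.native_lookup(name), "native"


def demo():
    """Run a scripted sequence and return (paths taken, names sent to DoH)."""
    doh_calls = []

    def doh_lookup(name):
        doh_calls.append(name)
        return DOH_TABLE.get(name)

    r = TrrResolverModel(doh_lookup, NATIVE_TABLE.get, blacklist_duration=2 * 86400)
    t0 = 1_000_000.0
    paths = [
        r.resolve("example.com", t0)[1],               # answered over DoH
        r.resolve("intranet.corp", t0)[1],             # DoH fails -> native, blacklisted
        r.resolve("intranet.corp", t0 + 3600)[1],      # blacklisted -> native, no DoH query
        r.resolve("printer.local", t0)[1],             # .local never via DoH
        r.resolve("localhost", t0)[1],                 # localhost never via DoH
        r.resolve("intranet.corp", t0 + 3 * 86400)[1], # entry expired -> DoH retried, fails again
    ]
    return paths, doh_calls


if __name__ == "__main__":
    paths, doh_calls = demo()
    print("paths:", paths)
    print("names sent to DoH:", doh_calls)
```

The point the model makes visible is the one the text complains about: which names reach the DoH server and which stay local is decided entirely by the expiry timestamps in the blacklist, and nothing in this flow lets the user add or remove an entry.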

Even if you use a private browsing session, this study would still be active, which is exactly what people don’t want; otherwise, why call it ‘private’?

What does the Study collect?

The following telemetry probes are analyzed in the telemetry study and directly submitted to Cloudflare.

  • DNS_LOOKUP_DISPOSITION
  • DNS_NATIVE_LOOKUP_TIME
  • DNS_TRR_RACE
  • DNS_LOOKUP_ALGORITHM
  • DNS_TRR_LOOKUP_TIME
  • DNS_BLACKLIST_COUNT
  • DNS_TRR_BLACKLISTED
  • DNS_CLEANUP_AGE
  • IPV4_AND_IPV6_ADDRESS_CONNECTIVITY
  • HTTP_RESPONSE_STATUS_CODE

About:config changes

All preferences for the DNS-over-HTTPS (DoH) functionality in Firefox are located under the “network.trr” prefix, which you can change manually.

  • network.trr.mode
  • network.trr.uri
  • network.trr.credentials
  • network.trr.wait-for-portal
  • network.trr.allow-rfc1918
  • network.trr.useGET
  • network.trr.confirmationNS
  • network.trr.bootstrapAddress
  • network.trr.blacklist-duration
  • network.trr.request-timeout
  • network.trr.early-AAAA
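Since the about:config entries are stored as plain `user_pref(...)` lines in a profile’s prefs.js (or user.js), a quick way to check whether any of the network.trr.* preferences above have been touched is to parse that file. The following is an added example, not a Mozilla tool; the sample prefs text is constructed, the DoH URL in it is a placeholder, and the only assumption about values is that network.trr.mode 0 (the default, and absent means default) is off, with 5 treated as off as well because later Firefox versions use it for “explicitly off”.

```python
import re

# Matches lines such as:  user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a prefs.js fragment (not a real profile).
SAMPLE_PREFS = """
// Mozilla User Preferences
user_pref("browser.startup.page", 1);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("network.trr.bootstrapAddress", "192.0.2.53");
user_pref("network.trr.blacklist-duration", 259200);
user_pref("network.trr.useGET", false);
"""

# Modes treated as "TRR off": 0 is the documented default; 5 is "off by
# choice" in later Firefox versions (assumption for this example).
OFF_MODES = (0, 5)


def parse_prefs(text):
    """Return {name: value} for every pref line; ints, bools and strings are
    converted, anything else is kept as the raw token."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def trr_settings(prefs):
    """Only the preferences under the network.trr prefix."""
    return {k: v for k, v in prefs.items() if k.startswith("network.trr.")}


def audit_trr(prefs):
    """Return (trr_enabled, findings). A missing mode means the default (off)."""
    trr = trr_settings(prefs)
    mode = trr.get("network.trr.mode", 0)
    enabled = mode not in OFF_MODES
    findings = []
    if enabled:
        uri = trr.get("network.trr.uri", "<built-in default>")
        findings.append(f"network.trr.mode={mode}: TRR enabled, DoH queries may go to {uri}")
    for name, value in sorted(trr.items()):
        if name != "network.trr.mode":
            findings.append(f"{name}={value!r} has been set")
    return enabled, findings


def audit_file(path):
    """Audit a real prefs.js/user.js file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_trr(parse_prefs(fh.read()))


if __name__ == "__main__":
    enabled, findings = audit_trr(parse_prefs(SAMPLE_PREFS))
    print("TRR enabled:", enabled)
    for f in findings:
        print(" -", f)
```

Run `audit_file` against the prefs.js of each profile you care about; an empty findings list and `enabled == False` is the state the article recommends (everything under network.trr left at its default).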

Problems

  • BUG#1440563
  • This DoH study definitely leaks private browsing history to 3rd-party DoH providers such as Cloudflare. The problem is that even DoH leaks it.
  • No control over the blacklist or its mechanism.
  • No opt-out (if enabled) in a private browsing session, because there is no toggle for it, and there shouldn’t need to be one, because a private browsing session should be private.
  • WHY THE FUCK DOES A BROWSER NEED ANY PRIVATE DATA? Please explain this to me, Mozilla; this has nothing to do with security or anything else here. The problems you try to solve with experiments are only solvable in the first place with new protocols. Period. Everyone knows that; you don’t need to spy in order to see which pages are trying to spy on us. What is the logic, Mozilla?

Closing Words

Small-minded people are trying to integrate a mechanism which spies even more in order to defeat the spying. I can only laugh at such ignorance; it’s as stupid as Snowden’s app and of course pointless. Every study from Mozilla I saw and tested sucked and didn’t improve anything, except that I revealed more data to unknown people or, as in this case, to Cloudflare (which I don’t fully trust, for several reasons).

If anyone ever tells me Chrome collects more data, then please re-read this article and the other articles I wrote about Mozilla studies… It’s ridiculous, and Mozilla has finally lost me with it. No one in his right mind wants such studies in the browser; normal people want an integrated ad-blocker, fewer annoying popups or things which compromise our security, and not useless 💩 like this.

What do I suggest?

  1. Don’t support any of these studies and don’t install Nightly or other test builds unless you are a developer and want to contribute to Mozilla directly; it’s not even worth installing any Nightly, since most new changes are mentioned in the bug tracker anyway.
  2. Show Mozilla your disrespect for this by calling them out and pointing out that it’s a no-go. Henri Sivonen already did this, and no one was listening because it was already clear that it would be integrated (as it already is in the latest Nightly build). This brings me yet again to the question of why people can open a ticket when it’s already clear that it will be integrated anyway. Sadly, Chrome’s bug tracker seems to have the same “logic”.
  3. Don’t enable any network.trr.* toggles and ensure they’re off (the default).
  4. (Optional) Ban the guys from the Mozilla bug tracker who keep coming up with new telemetry tricks; because of those pricks we need to waste our time on more about:config mess in order to get a minimal chance to remove or undo the things they did to the browser.

Sorry for speaking so rudely about Mozilla here, but sometimes you have to bang on the table in order to get attention for something which, in the end, affects all of us, especially after what Mozilla did in the past with their troll ‘studies’.

It’s a shame that some people can ruin the trust in Mozilla with their stupid ideas.

Resource