Mozilla Is Testing "DNS over HTTPS" Support in Firefox

  • March 20, 2018
  • 07:00 AM

Mozilla Foundation engineers announced plans over the weekend to test the "DNS over HTTPS" (DoH) fledgling security standard in Firefox Nightly distributions.

The feature will be tested as a Firefox shield study, a browser mechanism that allows engineers to roll out and roll back experimental features at a moment's notice.

High hopes for DoH protocol

DNS over HTTPS is a proposed web protocol for sending DNS requests and receiving DNS responses over HTTPS connections, thereby providing query confidentiality.

The standard is still under discussion at the Internet Engineering Task Force (IETF) and should not be confused with DNSSEC, a standard that uses encryption not for "confidentiality" but for "origin authentication" between DNS client and server.

DNSSEC was developed to combat DNS-based DDoS attacks and origin IP spoofing, while DoH was created to provide query confidentiality against third-party observers, such as ISPs.

Although DoH is less than a year old, many view it as the encrypted version of the DNS standard, much as HTTPS is to HTTP [1, 2].

Mozilla tests DoH even before protocol's approval

Even though Mozilla engineers don't have a final version of the DoH standard, they have decided to test-run the protocol and see how it would fare in the real world.

"Soon we'll be launching a Nightly-based pref-flip shield study to confirm the feasibility of doing DNS over HTTPs (DoH)," said Patrick McManus, a Mozilla engineer.

"If all goes well the study will launch Monday (and if not, probably the following Monday)," he added. "It will run <= 1 week. If you're running Nightly and you want to see if you're in the study check about:studies."

If a user has been selected to participate in the Firefox shield study, a new entry will appear in the about:studies page and new preferences will show up in the about:config section.

Unfortunately, Bleeping Computer was not selected for the DoH shield study, but you can check out a list of all the new DoH-related preferences on GitHub or in this Ghacks article.

To keep track of how the experiment goes, you can bookmark this Google Groups discussion and this Mozilla bug tracker entry.

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Comments

  • Occasional - 8 years ago

    Interesting. Thanks CC for marking the distinction between DoH and DNSSEC. Would seem that there is a rationale for seeking the benefits of each (confidentiality from the former, authenticity from the latter). Are the mechanisms mutually exclusive?

  • JohnC_21 - 8 years ago

    There has already been some blowback.

    "Nightly build fans' hostname lookups piped to Cloudflare in limited security feature trial"

    https://www.theregister.co.uk/2018/03/20/mozilla_firefox_test_of_privacy_mechanism_prompts_privacy_worries/

  • campuscodi - 8 years ago

    Study participation is disabled by default.

    No offense, but you have to be a pretty big moron to purposely enable Firefox studies and then complain about having your browser used for these experiments.

  • muesli - 8 years ago

    Catalin, there are limits as to what is allowed in experiments. Firefox sending user data to third parties is the equivalent of me asking your car for a day, extracting your GPS history and sharing it on Facebook (sic). Firefox is not new to these stunts: after receiving a big grant from Google they had included a fingerprinted beacon towards Google's "secure browsing" servers on browser startup for years.

  • campuscodi - 8 years ago

    Data is anonymized. Firefox studies is off by default. Don't enable it and you'll be just fine.

  • forum11 - 8 years ago

    DoH vs. DNSSEC, also not to be confused with DNSCrypt. There's probably another one we're still not mentioning.
