When #DoH was being standardized, many of us warned the browser vendors pushing the technology that they were pushing a minor improvement in users’ privacy (over technologies like #DoT) at the expense of a major decrease in user security. And, well… here we are…
#doh #dot #dns #dnsoverhttps #dnsovertls #security
@me @BleepingComputer that is a very serious and valid question that @mozilla @torproject need to answer.
Especially since #DNSoverHTTPS can be abused to #leak shit if misconfigured.
I disabled #DNSoverHTTPS since I have my stuff in my network secured...
I tested Windows 11 for 5 minutes in a VirtualBox VM to try to see how to configure #DNSoverHTTPS system-wide:
- It is unbelievably slow
- Impossible to improve that (I think it's the transparency that makes it slow, but you need a licence to turn it off)
- Impossible to raise the resolution above 1280×960 (licence and all that)
- System in French, keyboard in QWERTY, just because
- Found the DoH settings: they don't work, changes are not taken into account
VM deleted
#DNS over #TLS:
➡️ #NextDNS
➡️ #Quad9
1️⃣ The first is a #Mozilla partner and a #Firefox provider of DNS over #HTTPS (configured in the browser's network settings). You can also create an account at https://www.nextdns.io and use it to build profiles with various preconfigured blocklists, AI-generated and/or customised. It also supports parental controls, letting you set blocks per application and schedule. Free up to a maximum of 300,000 queries per month. For €2/month or €20/year, unlimited queries. Latency from the Orange network of ~12 ms.
2️⃣ The second is completely free and unlimited. It is a Swiss foundation with four sponsors (IBM, Packet Clearing House, Global Cyber Alliance, SWITCH): https://en.wikipedia.org/wiki/Quad9
It does not allow customisation of the blocklist. They use several providers of malicious URLs for their internal lists. It essentially replaces the ISP's DNS server with #DoT and protection against malicious websites (without knowing which ones specifically) and without parental controls. Latency from the #Orange network of ~2.7 ms.
Both comply with the #GDPR (according to them). Also according to them, they do not send any information to third parties except to build filters.
Not all routers shipped by ISPs allow changing the network's DNS server. The #LiveBox from Orange/Jazztel does not allow it. So either you set up the #DHCP service on an external device or you will have to configure the DNS servers on every device on your home network.
#dns #tls #quad9 #mozilla #gdpr #doh #dnsovertls #nextdns #firefox #https #dot #orange #dhcp #livebox #dnsoverhttps
The difficult search for quantum-computer-safe cryptography
Next-generation quantum computers would quickly crack asymmetric cryptographic keys. That also endangers the worldwide Domain Name System.
#Algorithmen #DNS #DNSoverHTTPs(DoH) #DNSSEC #GitHub #Internetprotokolle #Quantencomputer #Security #Verschlüsselung
#algorithmen #dns #dnsoverhttps #dnssec #github #Internetprotokolle #quantencomputer #security #verschlusselung
@hermogenes I pretty much agree with you, actually. I have used #Firefox for years and appreciated what goes into it, and of course their recommendation is still... Firefox, with changed settings.
That said, I've recently tried out #LibreWolf, itself a Firefox fork. And, wow. The privacy game is so much nicer out of the box; I need far fewer plugins and it's all just... working. Very, very impressed.
Re #DNSoverHTTPS (#DoH), I guess it's: who's your adversary? Sketchy wifi or CloudFlare?
#DoH #dnsoverhttps #Librewolf #Firefox
Slap This Big Red Button for an Instant Social Media Detox - Dangerous machines, like ones that can quickly reduce you to a fine red mist or a ... - https://hackaday.com/2022/09/30/slap-this-big-red-button-for-an-instant-social-media-detox/ #internethacks #dnsoverhttps #socialmedia #blocker #wemosd1 #detox #doh #iot #spi #vpn
#vpn #spi #iot #doh #detox #wemosd1 #blocker #socialmedia #dnsoverhttps #internethacks
Slap This Big Red Button for an Instant Social Media Detox
https://hackaday.com/2022/09/30/slap-this-big-red-button-for-an-instant-social-media-detox/
#internethacks #dnsoverhttps #SocialMedia #blocker #Wemosd1 #detox #doh #IoT #spi #vpn
#internethacks #dnsoverhttps #socialmedia #blocker #Wemosd1 #detox #DoH #iot #spi #vpn
@Iutech I saw this as well: on #brave turns out to be brave’s #dnsoverhttps was not working at the same time #cloudflare was down, coincidence unlikely.
#brave #dnsoverhttps #cloudflare
2/2 Among his compelling #research is this #study on #webBrowsers.
Unfortunately, it seems to completely miss #cloudFlare as a privacy risk. In 2019, #Mozilla were classified as #InternetVillain Of The Year, for #Firefox’s DoH (#DNSOverHttps) (to cloudFlare).
He also restricts the study to six browsers, with the popular cross-platform #LibreWolf browser noticeably absent. A blind spot, perhaps? It finds that #Brave is the single "most private" of the bunch.
#research #study #webbrowsers #cloudflare #mozilla #InternetVillain #firefox #dnsoverhttps #librewolf #brave
If #Mozilla actually tried to make an implementation of #DNSOverHttps that was even a little bit #ethical the browser would be more usable.
Currently a user can only use one #DNSResolver at a time, and would need to manually change it away from the default, CloudFlare.
It's a bad implementation of (#DoH) and it only serves CloudFlare.
#mozilla #dnsoverhttps #ethical #dnsresolver #doh #technoFascists #bigdata
How to enable DNS over HTTPS (DoH) on Windows 11 for more privacy? https://korben.info/dns-over-https-windows-11-doh.html #DNSoverHTTPS #windows11 #Windows #DoH
#doh #windows #windows11 #dnsoverhttps
@samuraikid
How is #Firefox not in this list?
Location data, #DNSOverHttps to #Cloudflare, #GoogleSafeBrowsing that looks for words and phrases on the pages that you load for possible questionable content and then sends that site to bloody #Google.
Firefox connects to #Amazon a lot, too!
#firefox #dnsoverhttps #cloudflare #googlesafebrowsing #google #amazon
@DanGrayson
Congratulations and welcome to Fediverse, Daniel.
If you are concerned about tech giants you probably will want to find a server that is not Cloudflare-based. Cloudflare control and surveil a whopping 25-30% of the internet, host content designed to radicalise ppl (see Chan boards /Christchurch), they appear to be training autonomous drones via hCaptcha (see Project Maven) and finally have, in our opinion, perverted Mozilla so all #DNSOverHTTPS lookups go to them.
Welcome to Fedi.
@emanuele
@eff thank you. An informative article.
We were informed that Google were supposedly dropping tracking users (next year) and wrote a post about it today.
Although we were not informed about their latest wheeze, we assumed that they were working on something to protect their vast profits and invasive strategies.
It's really unfortunate that #Mozilla are compromising #Firefox also.
It's time to #DeleteGoogle.
#DoNotWaitForGoogle #useTor #useI2P #antitrust #cloudflare #DNSOverHTTPS
#mozilla #firefox #deletegoogle #doNotWaitForGoogle #usetor #usei2p #antitrust #cloudflare #dnsoverhttps
@cybernomad
We have been interested in this problem for some time also, see our #DNSOverHTTPS posts.
Basically we are looking for a tool that you install on the operating system that uses three random resolvers from a list of resolvers you input, proxiable over #Tor (or #I2P) (using exitNodes from the same nation for result consistency).
If two come back same you use it, if any conflict you retry.
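The scheme sketched in the post above, as an added example that is not part of the original post: three resolvers are drawn at random from a user-supplied list and an answer is accepted only when at least two of them agree, otherwise a new draw is tried. The resolver names, addresses and the `query` callback are constructed for illustration; a real `query` would perform the DoH lookup (optionally through a Tor or I2P proxy), which is not implemented here.

```python
import random
from collections import Counter

def quorum_resolve(name, resolvers, query, k=3, need=2, max_tries=3):
    """Ask k randomly chosen resolvers; accept an answer `need` of them share.

    Returns (sorted_answer, attempt_number) or raises LookupError.
    """
    if len(resolvers) < k:
        raise ValueError("need at least %d resolvers" % k)
    for attempt in range(1, max_tries + 1):
        votes = Counter()
        for resolver in random.sample(resolvers, k):
            try:
                answer = query(resolver, name)
            except OSError:
                continue  # an unreachable resolver casts no vote
            # Compare record sets, so answer ordering does not matter.
            votes[frozenset(answer)] += 1
        if votes:
            answer, count = votes.most_common(1)[0]
            if count >= need:
                return sorted(answer), attempt
        # Conflict or too few votes: retry with a fresh random draw.
    raise LookupError("no quorum for %s after %d tries" % (name, max_tries))

# Constructed sample data (documentation address ranges, .example names).
HONEST = ["192.0.2.10"]
FORGED = ["198.51.100.66"]
RESOLVERS = ["doh-a.example", "doh-b.example", "doh-c.example", "doh-d.example"]

def make_query(liars=(), flaky=()):
    """Build an offline stand-in for a DoH lookup (hypothetical helper)."""
    failed_once = set()
    def query(resolver, name):
        if resolver in flaky and resolver not in failed_once:
            failed_once.add(resolver)
            raise OSError("timeout")  # fails on first use only
        return FORGED if resolver in liars else HONEST
    return query

if __name__ == "__main__":
    q = make_query(liars={"doh-d.example"})
    print(quorum_resolve("www.example.org", RESOLVERS, q))
```

With one dishonest resolver among four, any draw of three still contains two honest ones, so the forged answer can never reach quorum.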
@tengu
Neat, the thing that really bothers us about #Firefox is that by default they channel all #DNSOverHTTPS traffic to #Cloudflare.
So rotten. They should use different services around the world, at a minimum.
#firefox #dnsoverhttps #cloudflare
@kzimmermann
Agree, this is a major pet peeve of ours.
#I2P has been around for so long and #Firefox has accommodated Tor's .onion TLD for some time, despite not needing to.
We believe that it's a deliberate choice by #Mozilla to not accommodate #I2P.
Mozilla are not good players anymore, the way they handed the keys to the internet to #Cloudflare unilaterally for #DNSoverHTTPS is disgraceful.
#i2p #firefox #mozilla #cloudflare #dnsoverhttps
@tychi
#TorBrowser ergo #Firefox.
A big undertaking. Maybe two modes: an auto-mode that fetches a list of instances from searx.space, and a manual mode with a button that says Add/remove searx instances?
On Firefox, there is another issue related to #DNSOverHTTPS (#DoH) being sent to a #centralised resolver, #Cloudflare. It can be switched off so…(1/4)
#torbrowser #firefox #dnsoverhttps #doh #centralised #cloudflare
@alcinnz
If he was on Fedi we'd pick his brain on how to hack #DNSOverHttps so it is more #trustless and not dependent on a central resolver.
We haven't been able to find a definitive resource/solution to this problem yet.