Puppy Linux Discussion Forum
All times are UTC - 4
Firefox and Trusted Recursive Resolver
labbe5

Joined: 13 Nov 2013
Posts: 1539
Location: Canada

Posted: Wed 20 Jun 2018, 19:22    Post subject: Firefox and Trusted Recursive Resolver
Subject description: more privacy than ever with TRR and DNS over HTTPS
 

Configure DNS Over HTTPS in Firefox (tutorial) :
https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/

https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/

Networks can get away with providing untrustworthy resolvers that steal your data or spoof DNS because very few users know the risks or how to protect themselves.

Even for users who do know the risks, it’s hard for an individual user to negotiate with their ISP or other entity to ensure that their DNS data is handled responsibly.

However, we’ve spent time studying these risks… and we have negotiating power. We worked hard to find a company to work with us to protect users’ DNS data. And we found one: Cloudflare.

Cloudflare is providing a recursive resolution service with a pro-user privacy policy. They have committed to throwing away all personally identifiable data after 24 hours, and to never pass that data along to third-parties. And there will be regular audits to ensure that data is being cleared as expected.

With this, we have a resolver that we can trust to protect users’ privacy. This means Firefox can ignore the resolver that the network provides and just go straight to Cloudflare. With this trusted resolver in place, we don’t have to worry about rogue resolvers selling our users’ data or tricking our users with spoofed DNS.


Firefox is on the forefront with its Trusted Recursive Resolver.

Further reading :
https://www.ghacks.net/2018/08/18/browsers-have-cookie-and-anti-tracking-enforcement-issues/
Firefox's Add-ons blocklist :
https://blocked.cdn.mozilla.net/
https://www.ghacks.net/2018/08/17/mozilla-bans-23-snooping-firefox-extensions/
Intra : DNS-over-HTTPS services on Android
Intra is an experimental tool that allows you to test new DNS-over-HTTPS services that encrypt domain name lookups and prevent manipulation by your network. It currently supports services from Cloudflare and Google.
https://github.com/Jigsaw-Code/intra

Last edited by labbe5 on Thu 18 Oct 2018, 10:09; edited 4 times in total
upnorth


Joined: 11 Jan 2010
Posts: 286
Location: Wisconsin UTC-6 (-5 DST)

Posted: Fri 22 Jun 2018, 16:53
Subject description: trr settings in firefox 60 +
 

That is awesome.
Was already using 1.1.1.1 (non-DoH) anyway. But this is a convenient way to set and use secure DNS right in the browser.
Seems to work now on v60 as well.
about:networking#dns
--------------------------------------------
btw, here are the two parameters to set under about:config
network.trr.mode;2
network.trr.uri;https://mozilla.cloudflare-dns.com/dns-query

added: This can be set as well to avoid any initial resolving:

network.trr.bootstrapAddress : 1.1.1.1

Added 20181110: One important caveat is that trr mode bypasses /etc/hosts

Full info is here from the main author of ff trr mode:
https://www.tuicool.com/articles/V77j2yN

Last edited by upnorth on Sat 10 Nov 2018, 21:19; edited 3 times in total
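
An added example (not from the thread and not Mozilla's code): a small Python audit of prefs.js/user.js text for the three network.trr.* settings listed in the post above, which also lists the /etc/hosts names that, per the post's caveat, TRR lookups will not honor. The function names, finding labels and sample data are constructed for illustration; it assumes an unset network.trr.mode means off, and that mode 2 falls back to the system resolver while mode 3 does not.

```python
import re

# Matches lines such as: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^\s*user_pref\("(network\.trr\.[^"]+)",\s*(.+?)\);\s*$')
SKIP = {"localhost", "ip6-localhost", "ip6-loopback"}  # aliases not worth reporting

def parse_trr_prefs(text):
    """Return {name: value} for network.trr.* prefs in prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            raw = m.group(2).strip()
            prefs[m.group(1)] = int(raw) if raw.isdigit() else raw.strip('"')
    return prefs

def hosts_names(text):
    """Host names mapped in /etc/hosts-style text, ignoring comments."""
    names = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        names += [n for n in fields[1:] if n not in SKIP]
    return names

def audit(prefs_text, hosts_text):
    """List findings (hypothetical labels) for the TRR settings named in the post."""
    prefs = parse_trr_prefs(prefs_text)
    mode = prefs.get("network.trr.mode", 0)  # assumption: unset means 0 (off)
    if mode not in (2, 3):
        return [f"mode-{mode}-not-checked"]
    findings = []
    if not str(prefs.get("network.trr.uri", "")).startswith("https://"):
        findings.append("uri-missing-or-not-https")
    if mode == 2:  # TRR first; failed lookups go to the system resolver
        findings.append("fallback-to-system-resolver")
    if not prefs.get("network.trr.bootstrapAddress"):
        findings.append("no-bootstrap-address")  # TRR host resolved natively first
    # Caveat from the post: TRR mode bypasses /etc/hosts.
    findings += ["hosts-entry-bypassed:" + n for n in hosts_names(hosts_text)]
    return findings

# Constructed sample inputs (not taken from a real profile or machine).
SAMPLE_PREFS = '''user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("browser.startup.page", 3);'''
SAMPLE_HOSTS = '''127.0.0.1 localhost
0.0.0.0 ads.example.test   # blocklist entry
192.168.1.10 nas.lan nas'''

print("\n".join(audit(SAMPLE_PREFS, SAMPLE_HOSTS)))
```

The hosts listing matters most for hosts-file blocklists and local names: the browser stops honoring them once TRR is active, while other programs on the machine still do.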
nosystemdthanks

Joined: 03 May 2018
Posts: 545

Posted: Sat 23 Jun 2018, 20:08

gee, thanks to mozilla i cant even trust my laptop speakers to stay muted.

i literally just clipped the wires to them-- i dont need laptop speakers, i do want them to stay quiet though. unfortunately mozilla requires pulseaudio these days, which in turn unmutes the speakers every time i pull the headphones out.

sure, lennart has hidden some setting somewhere on the system, however these things worked fine for about 15 years before the little douche came and broke them.

ive tried enabling and disabling auto-mute, that setting is no longer respected.

i wish there was a wire i could clip to stop this sort of regular sabotage to the software i use. like one that would drop an anvil on his fingers or something, but i dont trust mozilla to protect me from mozilla these days; im certainly not going to trust them to protect me from anybody else.

they stopped being a real organisation over a year ago. i dont let mozilla handle dns anyway. just be a browser; you use way more resources than any other functionality of my entire computer setup, including running other operating systems using kvm, its ridiculous.

i dont even trust mozilla to run updates on its own plugins anymore-- last time i trusted it with that, it turned off stuff i wanted left on-- not when i restarted the browser and could do something about it, it just decided to be dynamic about it. i wouldnt trust firefox farther than i could smack its developers.

_________________
teaching computing via learning applications is like teaching cooking via going to a restaurant.
rcrsn51


Joined: 05 Sep 2006
Posts: 12392
Location: Stratford, Ontario

Posted: Sun 24 Jun 2018, 09:55

nosystemdthanks wrote:
unfortunately mozilla requires pulseaudio these days, which in turn unmutes the speakers every time i pull the headphones out.

Just out of curiosity, I checked this in Firefox+apulse. There was no such bad behaviour.
labbe5

Joined: 13 Nov 2013
Posts: 1539
Location: Canada

Posted: Tue 07 Aug 2018, 17:47    Post subject: Mozilla's new DNS resolution is dangerous
Subject description: All your DNS traffic will be sent to Cloudflare
 

https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/

With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPs" (DoH) and Trusted Recursive Resolver (TRR). In this article we want to talk especially about the TRR. They advertise it as an additional feature which enables security. We think quite the opposite: we think it's dangerous, and here's why.
upnorth


Joined: 11 Jan 2010
Posts: 286
Location: Wisconsin UTC-6 (-5 DST)

Posted: Thu 09 Aug 2018, 18:52

That article made for good comedy reading :)
Too bad it didn't have a comment section :twisted:

added:
Here is cloudflare's info:
https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/

New article today 20 August on thereg:
https://www.theregister.co.uk/2018/08/20/dns_interception/
labbe5

Joined: 13 Nov 2013
Posts: 1539
Location: Canada

Posted: Fri 31 Aug 2018, 18:27    Post subject: Mozilla to Block Tracking Cookies in Firefox
Subject description: blocking tracking cookies by default in the name of consumer privacy
 

https://threatpost.com/bucking-the-norm-mozilla-to-block-tracking-cookies-in-firefox/137110/

Web tracking has long been in the cross-hairs of privacy advocates, who say that marketers know entirely too much about individuals’ online activities. And to add insult to injury, the ubiquitous cookie system used to enable tracking also presents potential security threats, including cross-site request forgeries (CSRF). To combat these bugbears, Mozilla is planning to disable cross-site tracking by default in its Firefox browser.

“In the physical world, users wouldn’t expect hundreds of vendors to follow them from store to store, spying on the products they look at or purchase,” Mozilla’s Nick Nguyen pointed out, in a posting on Thursday. “Users have the same expectations of privacy on the web, and yet in reality, they are tracked wherever they go.”

Further reading :
https://teachmehacking.com/footprinting-reconnaissance-techniques
https://teachmehacking.com/internet-knows-about-you/
https://www.ghacks.net/2018/09/03/save-any-webpage-as-a-single-file-in-chrome-or-firefox/
https://www.bleepingcomputer.com/news/software/firefox-to-recommend-extensions-related-to-sites-you-visit/
https://nakedsecurity.sophos.com/2018/09/07/firefox-finally-casts-windows-xp-users-adrift/

Last edited by labbe5 on Sun 09 Sep 2018, 15:33; edited 5 times in total
mikeslr


Joined: 16 Jun 2008
Posts: 2847
Location: 500 seconds from Sol

Posted: Fri 31 Aug 2018, 21:22    Post subject: Thanks, labbe5, for the report

See title.
8Geee


Joined: 12 May 2008
Posts: 1752
Location: N.E. USA

Posted: Mon 03 Sep 2018, 20:13

The problem in the USA is that the ISPs have been granted an exception to place ads in the e-mail. This opens the door to have the e-mail 'intercepted'. See this article.

*** Edited to correct location in the article. ***

Regards
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.
labbe5

Joined: 13 Nov 2013
Posts: 1539
Location: Canada

Posted: Thu 27 Sep 2018, 16:08    Post subject: How to create Firefox Account Recovery Keys
Subject description: if you forget your password, use your recovery key
 

https://blog.mozilla.org/firefox/firefox-accounts-offer-recovery-key-option/

Your Firefox Account is end-to-end encrypted, which means your password protects and secures all of your Firefox Account data. Even the Firefox Accounts team can’t read the data in your account. It’s all between you and your synced devices.

Firefox Accounts are different from many other kinds of accounts as your Firefox Account data is locked and encrypted with your password. This encryption provides you with complete privacy and control over your data, but it also means you, and only you, have the code to access it.

We know how easy it is to forget your password, so to prevent you from losing all your data, we have a new, optional, feature to help you regain access to your data. You will now be able to generate a recovery key. This is a series of numbers and letters that will help you, and only you, get your Firefox Account back if you forget your password.

To ensure protection of the data stored with your Firefox Account, recovery keys can only be used once. Every time you use a recovery key, you will have to create a new one.

Tutorial : Reset your Firefox Account password with Recovery Keys
https://support.mozilla.org/en-US/kb/reset-your-firefox-account-password-recovery-keys
labbe5

Joined: 13 Nov 2013
Posts: 1539
Location: Canada

Posted: Mon 01 Oct 2018, 14:04    Post subject: Symantec certificates will be flagged as untrusted
Subject description: A final call for replacing security certificates using Symantec roots
 

Certificate issued by an authority belonging to Symantec

After a number of irregularities with certificates issued by Symantec root authorities came to light, browser vendors including Mozilla are gradually removing trust from these certificates in their products. In a first step, Firefox 60 will no longer trust certificates chaining up to Symantec root authorities (including all Symantec brands GeoTrust, RapidSSL, Thawte, and VeriSign) which were issued before 2016-06-01. In Firefox 63 this removal of trust will be extended to all Symantec certificates regardless of their issuing date.
Source : https://support.mozilla.org/en-US/kb/error-codes-secure-websites?as=u&utm_source=inproduct

https://www.helpnetsecurity.com/2018/10/01/replacing-security-certificates-using-symantec-roots/

In 2017, Google and Mozilla deemed Symantec’s controls over their PKI insufficient to continued operation within the browser root store and put in place a plan for gradual distrust of Symantec roots. Other browsers followed suit. On Oct. 31, 2017, DigiCert completed its acquisition of Symantec Website Security and put in place a plan, approved by browsers, to issue new certificates for Symantec brands and replace those to be distrusted by reissuing them on our trusted roots. Google’s plans included three critical dates, and we are now in the final stage of Google’s plan with the release of Chrome 70.

October 2018 – Chrome 70 stable will distrust all certificates issued from the Symantec PKI. When released, the stable version of Chrome will feature untrusted warnings for any certificates still using Symantec roots.

Trusted Certificate Authorities
First, we need to discuss how the certificate system works. Certificates around the web tell your browser if a site is genuine and they are managed by a group of “root certificates” from organizations around the world. These organizations vouch for the security of their own root certificate and vouch for the validity of all certificates that are made from it. This means that when Typhoon (fake name used for example) creates a certificate for a website, they are telling your browser “this site is genuine because Typhoon says it is.” You are relying on the reputation of Typhoon to keep your browser safe from spoofing.

There are some inherent problems with this system. How do we know that Typhoon’s security standards are perfect? How do we know that Typhoon would never create an invalid certificate for someone else accidentally? How do we know that Typhoon would never create a fake certificate for a law enforcement agency or spy organization?

Therein lies a large problem. Firefox (and all browsers and operating systems) trust hundreds of these root certificates by default, and for most users around the world, you don’t encounter most of these root certificates in your day to day web use.


You can remove many of these root certificates from Firefox to make it so that you trust far fewer authorities. To access the certificate manager, you go to the settings menu in Firefox, and click on the Privacy and Security pane on the left side. Then you scroll to the bottom of the page and click on “View Certificates…” In the window that opens up, you can scroll through all of the possible certificate authorities and remove trust (by clicking on the Delete or Distrust… button) from all of the authorities for sites that you do not visit or do not trust for ethical reasons.

This step does require some research: you have to find out which certificates are used by the sites you visit, and limit your trusted certificates to those. Also, many of the big American certificate authorities (such as the Amazon Root CAs, DigiTrust, RapidSSL, GeoTrust, GlobalSign) will break a majority of the Internet if you mistrust them.

Personally I tend to mistrust all certificates from languages that I do not speak (which means it is unlikely that I’ll ever run into those certificates around the web) and also eliminate any certificates that cater to local regions such as Taiwan, Switzerland, the Netherlands, etc.

If you accidentally mistrust a certificate that you want to trust once again, you can click on the “edit trust” button in the certificate manager window, and check the boxes for the services that should trust this certificate authority.

Source : https://www.privateinternetaccess.com/blog/2018/09/firefox-hardening-guide/

Further reading :
https://www.bleepingcomputer.com/news/security/tls-10-and-tls-11-being-retired-in-2020-by-all-major-browsers/
https://gizmodo.com/do-not-track-the-privacy-tool-used-by-millions-of-peop-1828868324

Good to know :
https://lifehacker.com/5687850/speed-up-firefox-by-moving-your-cache-to-ram-no-ram-disk-required