
[tor-talk] Mozilla's DNS over HTTPS does not complement Tor



Recently Mozilla has pushed an update to their product Firefox that enables DNS over HTTPS in the United States. However, this is not the privacy or anti-censorship tech they claim it to be. Mozilla added a simple test to decide whether to allow DNS over HTTPS to run. If an unencrypted query to use-application-dns.net returns NXDOMAIN or SERVFAIL, then Firefox will disable the DNS over HTTPS system. They claim this is to allow parental controls and corporate networks to remain secure. However, this negates the security benefits of DNS over HTTPS altogether. A network operator, government, or hacker at a coffee shop on public Wi-Fi could, at will, block requests to the canary domain name and disable DNS over HTTPS. There is no security warning when this occurs. Unlike Tor, there are no bridges, no obfuscated protocols. You are just censored and lose privacy benefits, oh and you don't get to know about it.

I've seen a lot of chat online that DNS over HTTPS and TLS 1.3 with Encrypted SNI could end online censorship. This is not the case and is a risky line of thinking to say the least.

If there is one key takeaway from all of this, it is that Mozilla's DNS over HTTPS does not replace or complement Tor. Mozilla is not developing anti-censorship tech and has built backdoors into both their implementation of DNS over HTTPS and Encrypted SNI Extensions for TLS 1.3. We should be keeping a close eye on Mozilla, as there's no telling what will happen next!


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
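
The canary check described in the message above can be audited from the user's side, since Firefox itself gives no warning. The following is an added example, not part of the original post and not Mozilla's code: it builds the plain DNS query for the canary name and classifies a response by the two response codes the post names. The function names, the verdict strings and the sample responses are assumptions constructed for illustration.

```python
import socket
import struct

CANARY = "use-application-dns.net"
# Response codes that, per the post, make Firefox turn DNS over HTTPS off.
DISABLING_RCODES = {2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name=CANARY, txid=0x1234, qtype=1):
    """Unencrypted DNS query: header with RD set, one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "answers": an}

def canary_verdict(query, response):
    """Classify a resolver's reply to the canary query."""
    q, r = parse_header(query), parse_header(response)
    if not r["is_response"] or r["txid"] != q["txid"]:
        return "invalid"
    if r["rcode"] in DISABLING_RCODES:
        return "doh-disabled:" + DISABLING_RCODES[r["rcode"]]
    return "doh-allowed"

def ask_resolver(server_ip, timeout=3.0):
    """Send the canary query to a resolver you use and report the verdict."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        response, _ = s.recvfrom(4096)
    return canary_verdict(query, response)

def constructed_response(query, rcode, answer_ip=None):
    """Constructed sample reply: echoes the question, optional single A record."""
    txid, = struct.unpack("!H", query[:2])
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0)
    msg += query[12:]
    if answer_ip:
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(answer_ip)
    return msg

if __name__ == "__main__":
    q = build_query()
    for rcode, ip in ((0, (192, 0, 2, 1)), (2, None), (3, None)):
        print(rcode, canary_verdict(q, constructed_response(q, rcode, ip)))
```

Running `ask_resolver()` against the resolver handed out by each network you join, and logging any `doh-disabled` verdict, gives the notification the post says is missing.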