Over the past years, a lot of people touted Firefox as one of the most secure Web browsers in the market. But, as with other browsers, the security level offered really depends on the settings. Some of the features might need to be enabled manually by the user. Those particular Firefox privacy settings turned on by default should be double-checked too.
But, this user took his time and dug into Firefox’s privacy to reveal some flaws in their system. He talks about
- Controlling Firefox
- Blocking DoH via a firewall
- Alternative browsers
On Mozilla’s website, you can read the following writing “Mozilla puts people over profit in everything we say, build, and do”. And they also write “Walking Our Privacy Talk When the Facebook breach was revealed, Mozilla had an immediate response – and a Firefox product to support user privacy.”
They claim that “We put people over profit”. However, the user states that their decision to make Cloudflare the default DNS provider for DNS over HTTP doesn’t support their saying. “They’re definitely not supporting user privacy – or putting people over profit with this” – he stated.
DNS over HTTPS is bad enough and highly criticized for a good reason. And by combining it with a US-based company such as Cloudflare makes it even worse.
Here’s the agreement that Cloudflare has with Mozilla while acting as the default DNS resolver for Firefox:
- The total number of requests processed by each Cloudflare co-location facility.
- Aggregate list of all domain names requested.
- Samples of domain names queried along with the times of such queries.
- Information stored in Cloudflare’s permanent logs will be anonymized and may be held indefinitely by Cloudflare for its own internal research and development purposes.
If you’ve ever worked with DNS servers, you’ll know what goes into such logs. And in order for Cloudflare to ‘keep their promise’, they’ll have to delete the DNS requests information. But, at the same time – somehow – contain ‘anonymized’ logs of:
- The total number of requests
- A list of all domain names requested
- A so-called ‘sample’ of complete DNS queries (along with date and time)
What does this mean?
This means that, even if Cloudflare’s intentions could be trusted, they will still log everything the first 24 hours. If Cloudflare is ever compromised by a cyber-attack, all the said logs could be copied and distributed all over the internet.
Additionally, the actual wording of the agreement is such that the technical procedure for how they actually do this can only be guessed at.
How do they plan to anonymize the data? Is the ‘sample’ 99.9% of all the queries, or is it 1%?
Last, but not least, Cloudflare is an American company subject to American law – a law that pretty much undermines the foundation of any kind of privacy.
Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox;
Real privacy – in essence – means no data retention and no logging. Period!
“Mozilla should be ashamed! They are promoting Firefox as a product to support user privacy, yet at the same time they make Google the default search engine in the browser and Cloudflare the default DNS over HTTPS resolver” stated he.
The ‘Data Collection and Use’
Firefox, in itself, has long been submitting data to the Mozilla foundation via its “Data Collection and Use” gathering. Even though this data is “technical and interaction data”, it’s still opt-out. Roughly translated, it means that you have to remember to disable it rather than enable it.
This means that the first time you start up Firefox, it may have already have connected to the Mozilla foundation before you can disable the data collection.
And if you should forget to disable the data collection and do it later, you’ll get the following information from Firefox:
You’re no longer allowing Mozilla to capture technical and interaction data. All past data will be deleted within 30 days.
There is no option whatsoever in the browser to delete the last 30 days of data gathering. This is exactly why when Snowden revealed that we were all being watched, he strongly didn’t recommend Firefox but rather the Tor browser instead.
Mozilla has completely removed the option to disable automatic updates, which forces you to get automatic updates. This can get really annoying because if you’re in the middle of something important, Firefox just stops working until you have restarted the browser.
While this exists in order to ‘protect’ the users, most users are quite capable of jut letting Firefox remind them of an update and then do it manually.
And because many corporations need extensive control, Mozilla has created a thing called ‘policy support’ which can be integrated using a JSON file. This file is a cross-platform compatible file that makes it the preferred method for enterprise environments to control Firefox across them.
By using the JSON file, you can control a great amount of how Firefox works – including the DNS over HTTPS feature.
On Arch Linux, Firefox gets installed in /usr/lib/firefox, while on FreeBSD it does so on /usr/local/lib/firefox. If a subdirectory called distribution doesn’t exist, you’ll have to manually create it. Then, create a policies.json file in that directory. Here’s what you need to put inside the JSON file:
Then, restart Firefox so the new settings can take place. You can check the settings by typing about:policies in the address bar. It shows you all the Firefox privacy and policies.
And as long as the option to control Firefox, you should make sure that you have created the policies.json file before you open up Firefox the first time after a fresh installation. This is in order to prevent the telemetry from working the first time you use it.
Blocking DoH via a firewall
No matter what kind of firewall you’re using, the least you can do is block the known public DoH servers.
A great list with both domain names (for DNS blocking) and IP addresses (for firewall blocking) is available at https://github.com/oneoffdallas/dohservers
If you use the Packet Filter (PF) firewall from OpenBSD, which is also available on FreeBSD, you can drop packages without any delay in the response time.
Despite being popular, Google’s Chrome is not a particularly good alternative as it has its own privacy issues as well. But that’s another story.
Here are some alternative browsers, in no particular order:
- Otter Browser
- GNU IceCat
- Tor Browser
- Otter Browser
If you want to dig deeper, Wikipedia has a Comparison of web browsers.
The Brave browser is often recommended, but the “anonymously monitoring of user attention” and “rewards publishers accordingly with Basic Attention Token (BAT) cryptocurrency” is not something I can recommend.