Firefox vs chrome privacy
11/23/2023

Most of us use web browsers out of habit.

Neither Private Browsing mode nor DNS-over-HTTPS will shield you from this decades-old DNS quirk

Firefox and Chrome have a serious privacy flaw that sends users’ search terms to their internet service providers (ISPs) without their consent, a security researcher has discovered.

Malicious attackers could also exploit the bug, which remains unpatched in both web browsers, to track users’ online behavior, Duy Khuong claimed in a GitHub post that was first published in April.

Even the implementation of privacy-protecting measures like DNS-over-HTTPS (DoH) or using the pro-privacy DuckDuckGo search engine fails to protect users, he added.

The researcher told The Daily Swig that browsing in Chrome’s Incognito Mode or Firefox’s Private Browsing mode did not prevent the privacy leak either.

The vulnerability arises when a user types a single word, or multiple words separated by hyphens, into the browser address bar and presses enter. (The search term ‘words-without-spaces’ would trigger the flaw; ‘words with spaces’ would not.)

As well as generating search engine results, the search term is erroneously relayed to a domain name system (DNS) server belonging to the user’s ISP.

Users can verify the data leak by checking their DNS logs.

ISPs do generally track which web pages users visit (although this can be circumvented through the use of virtual private networks), but the major browsers don’t deliberately share users’ search habits.

Malicious actors could also potentially track users’ search history by setting up “a rogue Dynamic Host Configuration Protocol (DHCP) server” and setting “the user’s DNS suffixes to” their own server, the researcher warned in his GitHub post.

Selena Deckelmann, vice president of Firefox Desktop, told The Daily Swig that the flaw was the legacy of “a decades-old feature built into the ”, in which “single word website names are still used by private and enterprise networks”.

She added: “When a user types a single word into the address bar, Firefox needs to determine whether the user is intending to search, or to visit one of these local, single word websites.

“These sites will never be found in external DNS or through DNS-over-HTTPS resolvers, which is why we fall back to consulting local DNS.”

The researcher successfully exploited the flaw in April on Firefox 75, the latest version, and Chrome 81, since succeeded by Chrome 83, but suspects later versions will be “most likely affected, too”.

Khuong told The Daily Swig that fixing the problem might impact users’ ability to visit “local, single-word websites”. However, he advised that “users should be informed of the risks” and be given the option of avoiding the problem.

Deckelmann indicated that this was Mozilla’s plan.

“As a short-term mitigation, we plan to add a preference for users to control this behaviour in Firefox 78,” she said.

“Longer term, we hope to identify reliable heuristics to limit the use of these DNS lookups.”

Google has yet to respond to The Daily Swig’s query about their own plans to address the flaw.

Interestingly, the issue has been merged with a similar bug in the Chromium bug-tracker, dating back to 2015, that has also not been fixed.

The latest entry, from the Chromium team on April 14, said Covid-19 and the departure of an employee who had been working on the bug had delayed a remedy.

“I doubt that this bug will be fixed any time soon in Chrome,” said the researcher.

Offering advice to users who might be worried about the privacy leak, Khuong recommended eschewing DHCP and setting IP addresses manually, while ensuring that DNS suffixes do not include “unusual” addresses.

He told The Daily Swig that the problem didn’t affect Tor or Microsoft Edge browsers.

The researcher alerted Mozilla and Google to the problem on April 13. Google replied a day later, on April 14.

Firefox failed to respond, despite a reminder sent by the researcher on May 13, but a bug report was opened on Bugzilla on June 2.
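The article notes that users can verify the leak by checking their DNS logs. The sketch below is an added example, not code from the researcher's GitHub post or from either browser project: it scans resolver query logs for single-label names (optionally followed by a DHCP-supplied DNS suffix) that are not known internal hosts. The dnsmasq-style log format, the suffix list, the host allowlist and the sample lines are all assumptions constructed for illustration.

```python
import re

# Assumed site-specific values: DHCP-supplied DNS suffixes and legitimate single-word hosts.
SEARCH_SUFFIXES = ("corp.example", "lan")
KNOWN_LOCAL_HOSTS = {"intranet", "printer"}
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def leaked_term(qname):
    """Return the label if qname is '<word>' or '<word>.<search suffix>', else None."""
    name = qname.rstrip(".").lower()
    for suffix in SEARCH_SUFFIXES:
        if name.endswith("." + suffix):
            name = name[: -len(suffix) - 1]   # drop the appended suffix
            break
    if "." in name or not LABEL_RE.match(name):
        return None                           # multi-label name: an ordinary lookup
    return name


def find_leaks(log_lines):
    """Yield (client, term) once per client for queries that look like typed search terms."""
    seen = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        term = leaked_term(m.group("name")) if m else None
        if term is None or term in KNOWN_LOCAL_HOSTS:
            continue
        key = (m.group("client"), term)
        if key not in seen:                   # A and AAAA lookups for one term count once
            seen.add(key)
            yield key


# Constructed sample log lines (not captured from a real resolver).
SAMPLE_LOG = """\
Jun  2 10:00:01 dnsmasq[812]: query[A] words-without-spaces.corp.example from 192.168.1.23
Jun  2 10:00:01 dnsmasq[812]: query[AAAA] words-without-spaces.corp.example from 192.168.1.23
Jun  2 10:00:04 dnsmasq[812]: query[A] duckduckgo.com from 192.168.1.23
Jun  2 10:00:09 dnsmasq[812]: query[A] intranet.corp.example from 192.168.1.40
Jun  2 10:00:12 dnsmasq[812]: query[A] passwordreset from 192.168.1.40
""".splitlines()

if __name__ == "__main__":
    for client, term in find_leaks(SAMPLE_LOG):
        print(f"{client} possible search-term leak: {term!r}")
```

Hits for a suffix that nobody on the network configured deserve extra attention, since the article describes a rogue DHCP server setting the DNS suffix as one way the lookups get redirected.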