Security News
In theory, DNS over HTTPS does not hide the "Fact" of the request transmission, or the "When" or "Length" of the request, from a "Third party" eavesdropper, only the request "Contents". That is, whilst DNS over HTTPS might hide the request contents, it does not hide the request or the time it happened at, nor does it hide the traffic to the site the DNS request was for.
Starting today, Mozilla is activating the DNS-over-HTTPS security feature by default for all Firefox users in the U.S. by automatically changing their DNS server configuration in the settings. That means, from now onwards, Firefox will send all your DNS queries to the Cloudflare DNS servers instead of the default DNS servers set by your operating system, router, or network provider.
Firefox version 73 has only been out for a week but already Mozilla has had to update it to version 73.0.1 to fix a range of browser problems and crashes, including when running on Linux machines. In an issue known about for some weeks, users running third-party security programs with anti-exploit protection, including the 0patch 'guerrilla' patching agent, were being affected by crashes.
Rather than patching once a calendar month, Mozilla goes for every sixth Tuesday - or every 42 days, which we call Fortytwosday in a hat-tip to HHGttG. This update takes the regular build of Firefox to 73.0, while the long-term release, which includes security fixes but not feature updates, goes to 68.5.0esr. The good news is that none of the security holes fixed in this update seem to be what are known as zero-day vulnerabilities, which is the industry term for bugs that the crooks figure out first.
The patched version of Mozilla's browser, launched on Tuesday, is Firefox 73 and Firefox ESR 68.5. One of the vulnerabilities, tracked as CVE-2020-6800, was fixed in a previous release of Firefox 72 and the current Firefox ESR 68.5 update on Tuesday.
An improvement over the Secure Sockets Layer protocol, TLS is meant to improve the security of the Web, but flaws and weaknesses in older iterations, specifically TLS 1.0 and TLS 1.1, render connections vulnerable to attacks such as BEAST, CRIME and POODLE. The newer TLS 1.2 and TLS 1.3 versions are both faster and safer, and major browser vendors have already laid out plans to deprecate the older releases to ensure the security of their users. Mozilla has already introduced the change in Firefox Beta 73, in which the minimum TLS version allowable by default is TLS 1.2.
Mozilla Firefox will require user intervention to connect to websites using the TLS 1.0 or 1.1 protocol from March 2020 - and plans to eventually block those weak HTTPS connections entirely. Web servers should really be using TLS 1.2 or 1.3 for their encrypted and secure HTTPS connections.
Mozilla offers users a service that will send alerts for account breaches associated with email addresses. The service compares any email address you set up for monitoring against known data breaches and reports back if any of those breaches has exposed your info and how many of your passwords have been compromised across the breaches.
Mozilla offers users a service that will send alerts for account breaches associated with email addresses. Find out how to use Firefox Monitor.
The nature of the banned extensions is difficult to say - Mozilla lists them on Bugzilla using only the IDs they used on addons. The hard ban on extensions that execute remote code seems to have happened around the time pre-release versions of Firefox 72 hove into view, but this was only noticed by some developers and users when the company abruptly banned several page translation extensions in November.