Perhaps not a very new feature, but Firefox 3.5 prefetches de DNS results of all links on a page.
What does this mean? That firefox does a lot of DNS requests in cleartext(no encryption) for all links in a website, even if the page itself is encrypted, on a local network or is a local file. When viewing secure pages it then leaks information on what page you are looking at (e.a. if you do a lot of .indymedia.org dns requests, you’re probably looking at the indymedia.nl frontpage), same for pages on an intranet.
For people using webmail, this also means someone(for instance a spammer) can implement a callback/phonehome method by putting a domainname in the mail and whith a 0 cache value.
I’d consider this a bad policy, luckily you can turn it off, but not too easy.
A short howto:
go to the page “about:config”, it might give you a warning about voiding your waranty, I don’t think you have any anyway, so go ahead.
- Rightclick on something white in the page and select new->boolean
- Name the boolean: network.dns.disablePrefetch
- Set the value to True
- Rightclick again on something white and select again new->boolean
- Name the boolean: network.dns.disablePrefetchFromHTTPS
- set the value to True
If you now type network.dns in the filter you should see 2 entries in bold with the names you’ve given them (network.dns.disablePrefetch and network.dns.disablePrefetchFromHTTPS) of the type ‘boolean’ with the values set to ‘true’. Your firefox should now no longer try to fetch lots dns results and it’ll improve your privacy a little bit.
For those running apache webservers, you can control it from the server-side by doing the following:
- Enable mod_headers (a2enmod headers)
- Add this line to your apache or virtual host configuration: Header add x-dns-prefetch-control “off”
- Restart your webserver
For those only having control over the HTML you can add the following to your <head></head> section:
<meta http-equiv="x-dns-prefetch-control" content="off">
Note that this is, in fact, disabled for HTTPS per default – of course, being explicit about disabling it is never bad.
As for webmail – webmail developers are already protecting users against many threats, for example by making sure external images don\’t open by default. This is just another thing they should cover. I think it\’s bad that Thunderbird (apparently, I did not check) has this enabled by default; I thikn it\’s fine that Firefox has this enabled by default.
Also, webmail should always be HTTPS, so there is not, by default, an actual issue there.
or just run your own local caching dns…
Thanks for the heads-up. Now I have to find out how to disable this in Thunderbird!
found it in options, advanced, config editor :)
DNS prefetching didn’t happen in Thunderbird 2, only in early versions of Thunderbird 3. In the latest version of Thunderbird 3 it doesn’t happen. And as Habbie said, dns prefetching doesn’t happen in Firefox when the page is loaded via https. Rick: Using a caching dns server wouldn’t change anything…?
@habbie, indeed. must say it was a bit of late hacking so we didn’t check all well enough.
firefox3.5.9 here indeed doesn’t do it when viewing pages over HTTPS., but it DOES do it for local pages, which IMHO is still wrong. Also it could provide information of sites you might be visiting on an closed intranet, firefox has no real way to tell the difference.
webmail providers should indeed fix this, and squirrelmail has indeed released a new version with fix, the question is though, how many webmail apps have done this.
Thunderbird 2.0.0.4 also doesn’t do the dns queries (we got this information from https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail but didn’t get arround checking it), might still work for older versions though.
As for plain HTTP connections. yes letting someone else do the resolving for you helps, but usually this still gives a lot of information of the viewer, usually atleast who the ISP is. This could be used for say people looking at a post on indymedia.nl where a unique domain has been used for one of the posters to see where (perhaps only roughly) the viewers come from, and in some cases what the users IP’s are.
I try to use a trusted DNS server, which usually is my own, or used by very few people, which makes the pool of ‘suspects’ rather small.
Has anyone checked what the default in chrome is btw?
@mike ah, misunderstood the thunderbird version. The prefetching with non-https is still pretty bad though.