Waterfox G6.0 ships with DNS over Oblivious HTTP support and performance optimizations
A new version of Waterfox is now available. The Firefox-based web browser is already available for new and existing users.
Waterfox G6.0 introduces a number of new and interesting features, among them DNS over Oblivious HTTP, polyhedral optimization, DRM support on Linux and more.
The last major Waterfox browser release dates back to September 2022 and the release of Waterfox G5.0. The project was associated with System1 back then, but has become independent in the meantime.
Existing Waterfox users may select Menu > Help > About Waterfox to run a check for updates. The update should be found and installed. New users find the Waterfox G6.0 download on the official project website. Please note that it may be necessary to install a VC redistributable if the installer is throwing errors.
Waterfox G6.0
One of the main new features in the new Waterfox version is DNS over Oblivious HTTP. The lead developer Alex Kontos describes it as a privacy-preserving way to handle DNS queries.
DNS over Oblivious HTTP uses DNS over HTTPS to encrypt DNS queries, but it also redirects requests through proxy servers, so that the DNS provider can't link domain queries to the specific user. The release notes do not provide information on the proxy servers that Waterfox uses.
A look in the settings suggests that Cloudflare is being used. The default DNS over HTTPS provider is dooh.cloudflare-dns.com.
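The split of knowledge described above, as an added Python sketch that is not Waterfox or Cloudflare code: the client seals the query to the resolver's public key, the proxy forwards it, and each party records what it could observe. The toy Diffie-Hellman sealing stands in for HPKE, which real Oblivious HTTP uses; the IP addresses, class names and `run_exchange` are constructed for the example.

```python
import hashlib, hmac, secrets

# Toy public-key sealing standing in for HPKE (RFC 9180), which real
# Oblivious HTTP uses. Illustration only, not a vetted construction.
P, G = 2**255 - 19, 2

def _key(shared):
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def _xor(key, data):
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(target_pub, msg):
    eph = secrets.randbelow(P - 3) + 2           # fresh ephemeral key per query
    key = _key(pow(target_pub, eph, P))
    ct = _xor(key, msg)
    return pow(G, eph, P), ct, hmac.new(key, ct, hashlib.sha256).digest()

def unseal(target_priv, enc, ct, tag):
    key = _key(pow(enc, target_priv, P))
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return _xor(key, ct)

class Target:                                    # the DNS resolver
    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        self.seen = []
    def handle(self, peer_ip, sealed):
        qname = unseal(self.priv, *sealed).decode()
        self.seen.append((peer_ip, qname))       # proxy's IP, plaintext name

class Relay:                                     # the proxy
    def __init__(self, ip, target):
        self.ip, self.target, self.seen = ip, target, []
    def forward(self, client_ip, sealed):
        self.seen.append((client_ip, sealed[1])) # client IP, ciphertext only
        self.target.handle(self.ip, sealed)      # response path omitted

def run_exchange(client_ip="198.51.100.7", qname="example.org"):
    target = Target()
    relay = Relay("203.0.113.9", target)         # constructed addresses
    relay.forward(client_ip, seal(target.pub, qname.encode()))
    return relay.seen, target.seen
```

Joining the two logs would link the client to the name again, so the privacy gain holds only while proxy and resolver are operated independently.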
Waterfox is not the only browser that uses proxies to hide user IP addresses and thus their identity. Brave Browser uses proxies for certain operations, for instance when running Safe Browsing queries.
Waterfox G6.0 is configured to do better when it comes to repeating tasks. Kontos explains that the browser uses polyhedral optimization to "make maximum use of the CPU and memory". The optimizations speed up "repetitive tasks like rendering, scrolling, and video playback that rely on loops".
The release notes mention three additional improvements. First, that Waterfox on Linux supports DRM now, which means that content can be accessed that requires it. Second, that users may move and remove the extensions button in the main toolbar, and third, that the maintainer of Betterfox.js has helped go through the preferences "with a fine tooth comb". The release notes reveal nothing about the changes made to the preferences, which is unfortunate.
Betterfox.js is a user.js template for Firefox to improve "speed, privacy and security" of the browser.
In an outlook, Kontos reveals that Waterfox for Android will be released soon and that iOS is in the pipeline as well. Privacy enhancements are coming for "some of the most popular search engines", but no information has been revealed apart from that.
Now You: do you use Waterfox?
Are you going to update this thread at all Martin because it’s almost a year old already and the latest version of Waterfox is G6.0.19
I have to find an alternative browser to Firefox when support for it ends on September 30 next and value your input and that of Ashwin greatly.
But Waterfox is attractive because it’ll still run on Windows 7 / 8. I haven’t looked at any of the alternatives yet though: https://alternativeto.net/category/browsers/firefox-based/
“DNS over Oblivious HTTP uses DNS over HTTPS to encrypt DNS queries, but it also redirects requests through proxy servers, so that the DNS provider can’t link domain queries to the specific user. The release notes do not provide information on the proxy servers that Waterfox uses.”
“Waterfox is not the only browser that uses proxies to hide user IP addresses and thus their identity. Brave Browser uses proxies for certain operations, for instance when running Safe Browsing queries.”
Oblivious DNS is more than just proxying requests, which would mean that, like in Brave which only proxies, the privacy problem would simply be transferred from the end point (Google servers) to the proxy (Brave servers).
Oblivious DNS encrypts requests so that the proxy can’t see them, only the end point. So the proxy knows who requests but doesn’t know what domain is requested, and the end point knows what domain is requested but doesn’t know by whom. This is much more private because it does not require trust in the DNS provider and neither in the proxy.
But all this is assuming that the proxy and the DNS provider do not collude, otherwise it’s not better than ordinary DoH. A little worse, even, because with two-way collusion up to three independent entities (DNS provider, proxy, ISP) are now spying on browsing instead of two (DNS provider and ISP). If there is no collusion, with oblivious DNS we are finally back to the old privacy situation of ISP-provided unencrypted DNS, where only the ISP could spy (and those on your local network).
Cloudflare partnered with three big proxy companies. I don’t know why I would trust Cloudflare not to collude with those business partners if I didn’t trust Cloudflare at the beginning not to misuse my data with ordinary DoH (and nobody should trust them, of course). Maybe that would be a little less easy, but still too easy. I may trust that only if using a proxy from an ethical organization, that I know won’t collude with an evil DNS provider, but do those, typically librist ones, already provide such services?
The other problem is about doing that at scale, which is a common issue with small ethical service providers not just for DNS. Even if big browsers were ethical, they wouldn’t be able to just set some specific trustworthy one as a default because it may not handle the charge. A solution to this problem may be to randomly assign one among many small ethical service providers to each user. There would also be need to test service health and be able to switch provider in a list automatically. It’s not something unrealistic to do but big browser developers hate librists and ethical services and will always prefer some big evil corporate service provider, so that won’t happen by default. Often because they get profit or bribes from preferring them, but even without that it’s their general mindset to prefer greed motivated organizations.
Unfortunately the WF developer is not very far from that point of view either. He considers registered businesses (like Waterfox’s one, by the way) more trustworthy than small anonymous ethical developers for privacy because, he claims, there is someone to hold accountable and sue if they do something illegal. Unfortunately we know how false that is. We may not even know that something wrong was done; and if we do, lots of wrong things against privacy remain legal (under GDPR for example); and when they’re illegal, the businesses get away with it usually, so much that it is actually the norm; and finally, the for-profits have a strong motive to behave unethically, which results in what we observe in the real world, where they are the plague and where it’s those small informal ethical developers who are the ones to be trusted.
So setting Cloudflare as a default without specifying the proxies, if that’s what is done (I haven’t yet updated to G6 to check, checking for updates doesn’t even propose G6 yet), remains questionable even with oblivious DNS, from a privacy point of view. However the usual, dishonest discussion about third-party DNS providers focusing on privacy, purposefully ignores that the main point of not using the ISP DNS is to avoid censorship, because it’s a sensitive matter. From that point of view, making Cloudflare a default could be positive. In my country it censors less than my ISP DNS, however I use an ethical organization as DNS provider instead, which provides DoH and doesn’t censor either what my ISP DNS censors. I would really not like it if I discovered that that choice was overridden at Waterfox G6 update without a message about it except in the release notes. We’ll see how it goes.
I updated and it’s worse than I thought for the DNS defaults. Not only my ethical provider was overridden to Cloudflare DNS without asking for permission or even a warning, but also when changing DNS provider to another one manually in about:preferences#privacy, the browser silently ignores user choice and stays on Cloudflare DNS!
Apparently that last part is because of a bug, from excessive negligence rather than from malice:
https://old.reddit.com/r/waterfox/comments/16vizj1/custom_settings_for_dns_over_https_will_not_work/
The developer enabled himself by default something that I think is not yet a default in Firefox but may soon be, and is apparently not ready to be enabled as is without a few interface modifications. If network.trr.use_ohttp is not set back to false by the user in about:config (meaning, do not use oblivious DNS), then the user chosen providers will be ignored because they don’t use oblivious DNS. The dev is working on solving this.
On the bright side, not being Mozilla, he didn’t politely ask permission to GCHQ (they refused and Mozilla complied) before enabling a censorship avoiding DNS provider worldwide.
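Added example, not part of the comment above and not Waterfox code: a Python check that reads a profile's prefs.js or user.js text and flags the condition that comment describes, a user-chosen DoH resolver while `network.trr.use_ohttp` is still on. The function names, the sample profiles and the placeholder resolver `doh.example.net` are constructed; treating `use_ohttp` as on when the pref is absent is an assumption taken from the comment.

```python
import json
import re

# Matches lines such as: user_pref("network.trr.mode", 2);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js/user.js text."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        try:
            prefs[name] = json.loads(raw)   # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw               # keep anything unparseable verbatim
    return prefs

def custom_doh_ignored(prefs, use_ohttp_default=True):
    """True when a user-chosen resolver is set but use_ohttp is still on.

    use_ohttp_default=True is an assumption taken from the comment above:
    G6.0 enables the pref unless the user changes it in about:config.
    """
    use_ohttp = prefs.get("network.trr.use_ohttp", use_ohttp_default)
    chosen = prefs.get("network.trr.uri") or prefs.get("network.trr.custom_uri")
    return bool(use_ohttp) and bool(chosen)

# Constructed sample profiles; doh.example.net is a placeholder resolver.
AFFECTED = '''
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example.net/dns-query");
'''
FIXED = AFFECTED + 'user_pref("network.trr.use_ohttp", false);\n'

if __name__ == "__main__":
    for label, text in (("affected", AFFECTED), ("fixed", FIXED)):
        print(label, custom_doh_ignored(parse_prefs(text)))
```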
I updated but… I’m not sure why, I didn’t need to. The CSS (especially the arrows in panel menus) isn’t quite right for me but I don’t have time to fix it right now -_-
The built-in customisation options are nice though
Gotta say, BetterFox needs a lot of work. Bookmarks open in new tabs, clicking on the title in an embedded YouTube video doesn’t open the video in YouTube/New Tab. Oh and the own override function doesn’t work, one needs to edit the existing ones. Downloading a file opens the total garbage window where one has to choose what to do with the download etc etc, the ANNOYANCES are just ridiculous. They went completely overboard with it and the supposed gains it brings get soiled by the stupid defaults. Make FF FAST and FLUID to use for everyone, don’t cater to your perceived needs of what everyone should use. Nope, NOBODY wants calculator or translators or anything in the addressbar, especially when you claim to strip FF to be the best it can be.
Completely useless.
I thought it was versioned as G6 and/or G5, not GS6. Maybe it changed.
A little follow up -> In the “Waterfox Browser” screenshot above, it also says G6.0.
I downloaded and installed the new version with no problems on my Win7 Pro x64 machine. I had been using the beta for about six months and am generally content with the browser.
My only comment/question here is that the browser identifies itself as G6.0, whereas the author mentions GS6.0.
Am I missing something?
This is starting to get a bit messy. Cloudflare provide different services with their DNS resolver, for example:
DNS-over-HTTPS (Standard)
https://cloudflare-dns.com/dns-query
DNS-over-HTTPS (Blocks malware domains)
https://security.cloudflare-dns.com/dns-query
So how does someone set up Oblivious DNS-over-HTTPS with malware domain name blocking?
Article Title: Waterfox GS6.0 ships with DNS over Oblivious HTTP support and performance optimizations
Article URL: https://www.ghacks.net/2023/09/20/waterfox-gs6-0-ships-with-dns-over-oblivious-http-support-and-performance-optimizations/
It’s nice to see Alex free from the shackles of System1 and doing his thing.
I hope to see more improvements soon and exceed all expectations.