Internet imbeciles, aka British ISP lobbyists, backtrack on dubbing Mozilla a villain for DNS-over-HTTPS support

The brain-dead Internet Service Providers Association (ISPA) has backtracked on its nomination of Mozilla as an "internet villain" for 2019 after online outcry. "In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion," the bonkers UK-based lobbying …


  1. tfewster

    Dear Police

    - if you want to know which sites I've been looking up, get a fucking warrant and serve it on my DNS provider.

    (Note, post may display evidence of ignorance over how DNS/HTTPS works. I would have thought that the IP address that subsequent HTTPS traffic went to would be sufficient to build a case for a warrant, even if an IP address hosts multiple legit and dodgy websites.)

    1. Pascal Monett Silver badge
      Thumb Up

      Re: Dear Police

      Right with you there, well said.

    2. hittitezombie

      Re: Dear Police

      As explained, if you use a reverse proxy service like Cloudflare, that information disappears, although they can send a warrant to there. It is just extra work they don't want to do.

    3. Pier Reviewer

      Re: Dear Police

      You’re right about getting a warrant. The IP address doesn’t really tell an investigator anything though. For example a ne’er-do-well may host a proxy website fronted with CloudFlare that grabs illegal content from Tor or whatever and sends it back to the user.

      The user is seen connecting to an IP address for CloudFlare. Not really dodgy.

      I have a small amount of sympathy with the police etc. They’re stuck between the push for better privacy rights which I agree with, and the pressure for them to nick bad folk, which I also agree with. It’s about striking an appropriate balance (which is what warrants are for). The difficulty they have is that you can’t get a warrant if you don’t know something bad has happened. You need intel. Humint is both expensive and unreliable as a rule.

      We as a society just need to have that conversation and decide where we want the balance to be, and what we’re willing to give up to get it (i.e. do we lean more towards privacy > all or more towards criminals being detected and prosecuted?). It’s not happening atm. Governments try to make changes without seeing what the people actually value. Never going to end well...

      1. Anonymous Coward

        "The IP address doesn’t really tell an investigator anything though"

        Yes, no, maybe. There's no hard rule. Some people are smart about IT and can cover their tracks better than others. Some are utterly stupid/naive/unaware/etc. and don't. When you have to investigate, you look at everything - thinking "no, he/she couldn't be that stupid" could just make you miss the evidence you need. You may need the destination IP, or the source one, or both.

      2. JimmyPage Silver badge
        Mushroom

        Re: I have a small amount of sympathy with the police etc.

        Sorry, I have fuck all sympathy for them. Every power they have ever been granted has never been enough. Nothing is ever good enough, and they are just as institutionally racist as they were 40 years ago. There's no other job in the UK where you get to blow an innocent man's head clean off, and walk away with a pension.

        So fuck them. They can bloody well do their job, do it by the rule of law, and also (controversially) be subject to the same rule of law. *Then* they'll have my sympathy.

        My views may have been tainted by the recent story that the police were allowed to send a 17-year old girl to be sexually exploited for a case. That's a child in the UK, just in case you didn't know. A child FFS.

        1. Anonymous Coward

          So fuck them

          And the horse they collectively rode in on as far as I'm concerned.

        2. I'm Brian and so's my wife

          Re: I have a small amount of sympathy with the police etc.

          Do you have a link please?

          1. JimmyPage Silver badge

            Re: Do you have a link please?

            What for ?

            1. baud

              Re: Do you have a link please?

              for "police were allowed to send a 17-year old girl to be sexually exploited for a case", or "blow an innocent mans head clean off, and walk away with a pension" I guess

              1. Anonymous Coward

                Re: Do you have a link please?

                > for "police were allowed to send a 17-year old girl to be sexually exploited for a case", or "blow an innocent mans head clean off, and walk away with a pension" I guess

                Assuming the blow a man's head off and walk away with a pension applies to Jean Charles de Menezes then Cressida Dick (in command of the operation at the time) is still employed by the police and so, technically, is yet to walk away with her pension.

                [No pensions were harmed during the making of this film.]

                1. baud

                  Re: Do you have a link please?

                  Thank you.

              2. JimmyPage Silver badge
                Flame

                Re: Do you have a link please?

                Here you go

                I'll also post the text ...

                QUOTE

                bbc.co.uk

                Use of child spies by Home Office 'lawful'



                Allowing children to be used as informants in criminal investigations is lawful, the High Court has ruled.

                Charity Just for Kids Law brought the case against the Home Office over the use of children by police and other bodies in England and Wales.

                The campaign group said the safeguards in place were inadequate and the practice breached human rights.

                But the High Court rejected the legal challenge, saying there was a "system of oversight" in place.

                In March it was revealed that 17 children had been used to secretly gather intelligence for police and other agencies in the last four years.

                Lord Justice Fulford, the Investigatory Powers Commissioner who is carrying out a review into the use of children as covert human intelligence sources (CHIS), said one of the informants was 15 years old, while the others were aged 16 and 17.

                The Home Office had argued that undercover under-18s helped prevent and prosecute problems such as gang violence and dealing drugs.

                However, concerns over the use of juveniles were raised in the House of Lords last year with the case of a 17-year-old girl who was recruited to spy on a man who had been exploiting her sexually.

                The peers heard that the girl continued to be exploited sexually while she was deployed by police.

                Charity may appeal

                Dismissing the charity's case, Mr Justice Supperstone said he was satisfied the scheme was lawful.

                The judge said children were "inherently more vulnerable than adults" and that the "very significant risk of physical and psychological harm" to them from being a CHIS in the context of serious crime is "self-evident".

                However, he said he rejected the charity's contention "that the scheme is inadequate in its safeguarding" of the juveniles involved in the scheme.

                Just for Kids Law, which used crowdfunding to pay for the case, said it was disappointed and was considering whether to appeal against the decision.

                The charity's chief executive, Enver Solomon, said the judgement acknowledges the "variety of dangers" that arise from the use of children as covert informants in the context of serious crime.

                He added: "We remain convinced that new protections are needed to keep these children safe."


                Security minister Ben Wallace said the ruling showed the court recognised that the protections in law ensure "the best interests, safety and welfare of the child will always be paramount".

                Children had been used as informants fewer than 20 times since January 2015, he said, but they remained "an important tool to investigate the most serious of crimes".

                He added: "They will only be used where necessary and proportionate in extreme cases where all other ways to gain information have been exhausted."

                ENDQUOTE

                So if you think I have a shred of sympathy for such fuckers like that you can fuck right off to the far side of fuck and then fuck off some more. I really don't care about the nuances of the case. You don't do that in a society that you want me to be part of.

                1. baud

                  Re: Do you have a link please?

                  Thank you. I hadn't heard about that story and I'm somewhat relieved I'm not part of a society that's condoning that shit, even if I'm sure it's no better where I live

                  1. Adrian 4

                    Re: Do you have a link please?

                    Clearly, whatever the policy regarding use of children, in that case there was not sufficient oversight. Never mind the police - Ben Wallace is in the frame for prosecution there.

          2. Anonymous Coward

            Re: I have a small amount of sympathy with the police etc.

            Link for heads blown off and then a pension? https://en.wikipedia.org/wiki/Sunday_Bloody_Sunday

            Anonymous, obviously. BTW, thanks el Reg -- I now have DoH set up on Firefox.

        3. CountCadaver Silver badge

          Re: I have a small amount of sympathy with the police etc.

          Actually that's where the law in the UK is unclear in regards to when someone becomes an adult - Age of consent is 16, you can get married at 16, you can leave home at 16, you can start work at 16 full time, you can leave education at 16, you can get married at 16, join the military at 16 (but not be deployed till 18), make homemade grumble flicks with your SO at 16. You can't however drive till 17, appear in a commercial adult flick until 18, vote in some elections till 18, drink until 18, smoke until 18.

          It's a mess, a total and utter mess, they should have made it all either 16 or 18, I'd lean towards the former though as you can leave home, get married and join the military at 16.

          (Eastern Europe is often ~14, hence why Eastern European adult movies are blocked from the UK due to the difference in legal age of consent)

          However I don't agree with letting someone (of ANY age / gender / sexual orientation) be further exposed to sexual exploitation etc UNLESS they are fully aware of the risks, have been given independent advice from a lawyer, that there is independent oversight of it, full and immediate backup to extract this person at a moments notice if necessary, that they willingly agree to this once they are aware of the risks and have been given ALL the information AND had time to think about it - i.e. to ensure there is plenty evidence against the person who has exploited / abused them AND where there is no other option that could be used to get the evidence.

          Sometimes getting information to stop something can only be achieved by covert means and often those methods make us uneasy. However if the person involved willingly takes part (i.e. to make sure their abuser is convicted and put away to protect others from that abuser) then so be it. I know if someone said to me "go through this one more time to get the evidence we need to put your abuser away for serious time and implicate others" then I'd find it very hard to say no.

          1. Anonymous Coward

            Re: I have a small amount of sympathy with the police etc.

            > you can start work at 16 full time, you can leave education at 16

            Not any more. You have to stay in some sort of education until 18. So that can be at school (the traditional higher-education); at college doing some sort of vocational course; or at work doing a recognised apprenticeship.

            1. unimaginative

              Re: I have a small amount of sympathy with the police etc.

              The law says you have to stay in education until you are 18 but there is no punishment if you do not do so.

              The problem is that parents are no longer assumed to be able to force a 16 year old to attend so the requirement is now an obligation of the 16 year old. They may not have enough money to be worth fining, and sending them to prison for not going into education is hardly constructive. In any case punishing people for their own good is problematic.

              1. Anonymous Coward

                Re: I have a small amount of sympathy with the police etc.

                > "punishing people for their own good is problematic."

                They should "hang by the neck until they cheer up!".

                Monty P.

            2. Anonymous Coward

              Re: I have a small amount of sympathy with the police etc.

              There are a few other issues with this statement.

              YES, you can get married at 16 - but only with the consent of the two sets of parents - and only to another UK citizen. Want to marry someone from abroad and it goes up to 21 for most countries.

              Grumble flicks at 16 - no, you are wrong, it is just the law is rarely enforced. In theory, even bikini shots are classed as child porn if you are under 18 and aren't on a beach or at the pool.

              Education has already been covered.

              Military - this is only a recent guideline, and not (AFAIK) law; plenty of 16/17 y/o's sent to the Falklands war, N Ireland, Bosnia etc.

              You should be grateful for the rest, it used to be 21; go thank the Monster Raving Loony Party for getting the laws changed.

              1. Richard Tobin

                English, not UK laws

                Several of these are not governed by UK laws. In particular, the requirement to stay in some sort of education until 18, and for parental consent to marriage if under 18, do not apply in Scotland (I haven't checked on Wales and Northern Ireland).

          2. Jamie Jones Silver badge
            Childcatcher

            Re: I have a small amount of sympathy with the police etc.

            The legal age for drinking alcohol in the UK is FIVE.

            Seriously.

            1. Tom Paine

              Re: I have a small amount of sympathy with the police etc.

              Well, 'pon my soul!

              https://www.drinkaware.co.uk/alcohol-facts/alcohol-and-the-law/the-law-on-alcohol-and-under-18s/

      3. Anonymous Coward

        Re: Dear Police

        "I have a small amount of sympathy with the police"

        Don't worry, once Boris gets in they'll be up for privatisation right after the NHS.

        After all, poor people don't need police, because they don't have anything worth stealing, right?

        1. SolidSquid

          Re: Dear Police

          Or for being cut like the fire brigade when he was London mayor

      4. Pete4000uk

        Re: Dear Police

        'We as a society just need to have that conversation and decide where we want the balance to be'

        LOL, we aren't going to get any say in this!

      5. Doctor Syntax Silver badge

        Re: Dear Police

        "We as a society just need to have that conversation and decide where we want the balance to be"

        We had that conversation several centuries ago and came up with a good answer, the presumption of innocence. The conversation that's needed now is about why it's being ignored so often.

        1. Pier Reviewer

          Re: Dear Police

          It’s important to understand and accept that rights are not absolute. That’s the point I tried (poorly it seems) to make.

          The right to be presumed innocent unless found guilty does not preclude my arrest by the police, or being bailed on restrictive terms, because victims of crime have a right to justice. The police therefore need some investigative powers.

          My right to free speech is likewise not absolute. If I were to claim you to be a kiddy fiddler you would understandably take umbrage with that, and the courts provide relief in the form of slander and libel.

          A classic example is going into a theatre and shouting “fire” when there is none resulting in panic, stampede and injury. I can not successfully claim the right to free speech as a defence as that right is fettered by other people’s rights not to be injured because I’m an idiot.

          Rights lie on a spectrum, and it’s up to society to decide which parts of the spectrum are acceptable and which are deemed an abuse, or an unacceptable impact on another’s rights.

          Our right to privacy is not and cannot be absolute. That doesn’t mean it can’t be very close to that end of the spectrum. However society needs to choose which way it leans, and how far. More towards absolute privacy impacts on the rights of victims to receive justice, and more towards a sole focus on criminal justice impacts on everyone’s privacy. Somewhere between those points is an acceptable balance, as there is with all rights, even the right to life (driving a car at armed police is a simple test).

          It’s easy to say “I want total privacy” and leave it at that. I don’t necessarily disagree with the sentiment. Just remember that some other rights will be impacted by that choice. Failing to at least consider that and assess the choice in light of it is either pure selfishness, or in most cases a simple case of not realising. Either way, it’s not a great foundation on which to make a decision.

          1. unimaginative

            Re: Dear Police

            The (American) case from which the "shouting fire in a crowded theatre" quote comes has been overturned, and the reasoning was used to prevent people publishing an anti-war pamphlet: https://www.theatlantic.com/national/archive/2012/11/its-time-to-stop-using-the-fire-in-a-crowded-theater-quote/264449/

            1. Pier Reviewer

              Re: Dear Police

              I’m not familiar with American law. I was speaking of the test of proportionality in English law, as it applies to the Human Rights Act (which includes the right to freedom of expression, but explicitly states it may be limited).

              The test is intended to provide a framework for the courts to decide if a restriction on a right is proportional or not. As I’ve said, some limitations on rights are necessary for a functional society. It’s important that those restrictions don’t go any further than necessary to meet their objectives, ergo the proportionality test.

              It may be necessary to give up some freedom wrt our DNS privacy, but it’s extremely unlikely the courts would accept the need to give up all of our DNS privacy.

    4. Dan 55 Silver badge

      Re: Dear Police

      There's no need to get a warrant thanks to IPA 2016. 50-odd government depts including the Welsh Ambulance Service can bring up your browsing history at domain name level via unencrypted DNS snooping.

      This is why Mozilla got the "light-hearted" award, because the ISPA don't want any trouble snooping as they're legally obliged to.

      The main thing wrong with DoH (apart from DNS over the https port) is it's more difficult than it should be setting up LAN resolution.

      1. Nick Kew

        Re: Dear Police

        The main thing wrong with DoH (apart from DNS over the https port)

        Nicely put :-)

        Not sure I agree with the rest of the sentence: the competition is strong in the field of things wrong with DoH. Something must be done, but this something isn't it!

      2. unimaginative
        Stop

        Re: Dear Police

        The main thing wrong with it is that we have DNS lookups being done in the browser instead of by the OS. It means more settings, makes troubleshooting harder (because a DNS lookup problem in the browser would not affect anything else and vice-versa).

        1. Jaybus

          Re: Dear Police

          That depends on the viewpoint. Looking at DNS as the distributed network service that it was designed to be, the main thing wrong with DoH is that it doesn't allow for caching name lookups at a local LAN gateway. Even on the local machine, the DoH lookup cache is only accessible to Firefox and not useful to any other apps. Forcing all name lookups through a bottleneck at Cloudflare is not the answer.

          I am very much an advocate of DNS privacy through encryption, but DoH, particularly when implemented in an app, is a half measure at best. We need DNS over TLS implemented in the OS resolver and allowing for a caching DNS server at the LAN gateway that uses DNS over TLS for all forwarding. Firefox, and all other client apps, should keep their hands off. Rather than implementing their own internal DNS client, why doesn't Mozilla contribute to getting DNS over TLS implemented in glibc? DoH is really counter to the distributive nature of DNS.

  2. NATTtrash
    Devil

    Mozilla replacement

    It also hasn't added a new villain to its list to replace Mozilla.

    Ahh, come on people! It is staring you in the face... Why didn't you give the honour to ICANN? They've been ploughing on for years in the hope that, some day, after all their hard work, they would deserve the recognition they crave! And now, again, they are disregarded. A sorry situation indeed. I feel for them... (Was I joking? Really? You think so? Oh dear...)

    1. Loyal Commenter Silver badge

      Re: Mozilla replacement

      Or, indeed, Nominet...

  3. Bronek Kozicki

    Re: Mozilla

    So I went to see how to enable DoH in my browser and found the instructions at Mozilla Wiki. Surprisingly, this is not enabled by default.

    1. Anonymous Coward

      Re: Mozilla

      In fact it's even easier than that, just go to preferences/settings and type DOH in the search box and it takes you to the appropriate page.

      Just tick enable DNS over HTTPS.

      1. NATTtrash

        Re: Mozilla

        <tinfoil hat area>

        Thing of course is (again) a question of "who do you trust most?"

        Is this great if you're on some dodgy open network (Hello hotel! Hello Starbucks!).

        But...

        If I'm @homebase, I must admit that I trust my ISP and the legislation in my country of residence much, much more than some, activated by default US third party.

        <recycling tin foil hat>

        Then again, if for example my uni starts offering DoH servers...

      2. Anonymous Coward
        Thumb Up

        Re: Mozilla

        Thank you; typed in Homer Simpson's favourite phrase, ticked the box and off I went.

        So far no problems, in fact one website that seems to have severe issues with TLS handshakes via O2 mobile internet is actually working a lot better than it did before.

    2. Anonymous Coward

      Re: Mozilla

      It's not been enabled by default for UK to avoid clashing with censorship in this country. However, because authorities refused to share blacklists with Mozilla, the blacklists - when DoH gets enabled by users - will be bypassed. Nothing new here, information is power.

      1. rg287

        Re: Mozilla

        it's not been enabled by default for UK to avoid clashing with censorship in this country.

        It's not been enabled by default anywhere yet because it's still a slightly experimental implementation and they've been working out the bugs with (for instance) detecting captive portals and ensuring people in enterprise environments are able to reliably manage/override it in Group Policy, etc. No bloody good enabling it by default and making the internal infrastructure of enterprises, hospitals and other big networks inaccessible because the browser has decided to phone its own DNS out to Cloudflare.

        It's there for the tyre-kickers on the nightly builds to report issues.

        That said, you are correct that when/if it does become "by default" Mozilla have said that won't include the UK. We'll have to turn it on manually if we actually want it (which quite a lot of people won't because they want their System/OS resolver to connect to their internal DNS/Active Directory/PiHole which will then use DNS-over-TLS or -HTTPS to do external resolution).

        1. iron Silver badge

          Re: Mozilla

          The recommended setting is to use DoH with fallback to unsecure DNS if that fails, which should find your internal DNS/AD no problem. Sure those queries will take a little longer but they should still work.

          Also it is present in release builds not just nightlies.

          1. Dan 55 Silver badge

            Re: Mozilla

            Don't like the idea of spamming Cloudflare with internal LAN addresses then falling back to LAN DNS, it's the wrong order. Firefox's DoH configuration should accept two servers and try the first one before the second, like normal DNS configuration.

            Also I don't think router software like OpenWRT can be configured to accept DoH and DoT on the LAN and use DoH or DoT for upstream DNS yet, which would also be helpful.

            1. Anonymous Coward

              Re: Mozilla

              > Also I don't think router software like OpenWRT can be configured to accept DoH and DoT on the LAN and use DoH or DoT for upstream DNS yet, which would also be helpful.

              I think I would be interested in trying to write a module for OpenWRT that blocks connections to IPs that haven't recently been looked up using OpenWRT's DNS server (or proxied through OpenWRT to Pi-Hole) in order to explicitly prevent DoH.

              1. Dan 55 Silver badge

                Re: Mozilla

                You'd probably kill Windows 10 services, VoIP, and torrents too?

                1. doublelayer Silver badge

                  Re: Mozilla

                  In addition to the peer-to-peer problems mentioned above, there are some other problems you might see with that. Depending on cache policies and the definition for "recent" you're using, that could break various things, as many devices maintain their own caches and contact later. It could also be problematic in various less common but still existing situations, for example when a new remote server is spun up and is accessible only by its IP as a DNS name has not been assigned to it yet, or applications that contact their own remote services, as those might have addresses outside of DNS (for example, some programs with group usage, especially games, list servers on their own main system without using DNS).

            2. Loyal Commenter Silver badge

              Re: Mozilla

              Don't like the idea of spamming Cloudflare with internal LAN addresses

              This, in my mind, is a really bad security hole. You're basically leaking information about your internal network topology to an unverified third party (and if you're using Cloudflare, one in the US where the laws around personal information treat it as a commodity to be traded). This is the sort of thing that is potentially extremely useful to an attacker. Got a privilege escalation attack? Know the names of other machines on the same network? I wonder if that machine that has a name that sounds like it might be a SQL Server is open on port 1433? Oh, looks like it is, and is using AD authentication. etc.

              I know there are other ways of discovering network topology, but it can only be useful to an attacker to know what it is in advance.

              1. doublelayer Silver badge

                Re: Mozilla

                I would suggest that DNS requests be sent to an internal DNS proxy (if you have internal names, that's already there), which can do the HTTPS stuff recursively from there. Failing that, you could send all requests to that as primary, configure it to only know internal DNS addresses, and have the HTTPS address as secondary.

                When using DoH, you have to contend with the possible issue of the trustworthiness of the DNS server, but it is not at all required that CloudFlare or Google be used. DoH could be set up by any existing DNS server with relatively little effort. I've taken a look at a basic implementation of a DoH server. I'm planning to set it up on one of my servers to see exactly how difficult it is, but it doesn't look like it will take very long.
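The two points raised above, that a DoH-first-then-fallback order sends internal LAN host names to an external resolver, and that internal names should instead go to an internal resolver with only the rest going out over HTTPS, as an added Python example that is not Firefox's, Cloudflare's or any commenter's code. It builds the RFC 8484 GET URL for external names, keeps names under a constructed list of internal suffixes on the LAN resolver, and reports which names would leak under each ordering; the suffix list, the doh.example.invalid URL and the sample names are assumptions.

```python
import base64
import struct

# Constructed policy (assumption): DNS suffixes that belong to the internal network
# and must only ever be resolved by the LAN resolver.
INTERNAL_SUFFIXES = ("corp.example", "home.arpa", "local", "lan")

# Placeholder DoH template URL (assumption); a deployment points this at a resolver it trusts.
DOH_TEMPLATE = "https://doh.example.invalid/dns-query"

QTYPE_A = 1
QTYPE_AAAA = 28


def is_internal_name(qname):
    """True for names that must stay on the LAN: single-label hosts and internal suffixes."""
    name = qname.rstrip(".").lower()
    if "." not in name:  # e.g. "sqlserver01": a bare AD/NetBIOS-style host name
        return True
    return any(name == sfx or name.endswith("." + sfx) for sfx in INTERNAL_SUFFIXES)


def encode_qname(qname):
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {qname!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0):
    """Build a DNS query message (RFC 1035): header, one question, RD bit set.

    RFC 8484 asks DoH clients to use ID 0 so that identical questions yield identical
    URLs that HTTP caches can reuse.
    """
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(qname, qtype=QTYPE_A):
    """Return the RFC 8484 GET URL: the wire query as unpadded base64url in ?dns=."""
    msg = build_query(qname, qtype)
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{DOH_TEMPLATE}?dns={token}"


def route(qname, qtype=QTYPE_A):
    """Decide where one query goes under a split policy: LAN resolver or external DoH."""
    if is_internal_name(qname):
        return {"backend": "lan", "qname": qname, "url": None}
    return {"backend": "doh", "qname": qname, "url": doh_get_url(qname, qtype)}


def audit_leaks(qnames, doh_first=False):
    """Names that would reach the external DoH resolver.

    doh_first=True models "try DoH, fall back to the LAN resolver": every name,
    internal ones included, is sent out first. doh_first=False models the split
    policy above, where internal names never leave the LAN.
    """
    if doh_first:
        return list(qnames)
    return [q for q in qnames if route(q)["backend"] == "doh"]


if __name__ == "__main__":
    # Constructed sample of the queries a workstation browser might issue.
    sample = ["sqlserver01", "fileshare.corp.example", "printer.local", "www.example.com"]
    for q in sample:
        r = route(q)
        print(f"{q:24} -> {r['backend']:3} {r['url'] or ''}")
    print("leaked with DoH-then-fallback:", audit_leaks(sample, doh_first=True))
    print("leaked with split policy:     ", audit_leaks(sample))
```

The URL produced for www.example.com matches the worked GET example in RFC 8484 section 4.1.1, which is a quick way to check the wire encoding against a reference.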
