When it comes to DNS over HTTPS, it's privacy in excess, frets UK child exploitation watchdog

Since last year, organizations like Cloudflare, Google and Mozilla have been working to encrypt DNS queries by implementing a protocol called DNS over HTTPS, one of a handful of related web specs that aim to close privacy gaps that can expose network requests to potential scrutiny. But the Internet Watch Foundation (IWF), a UK …

  1. Charles 9

    The ol' Dual-Use Problem

    Anything YOU can use to hide from The Man, CROOKS can use to hide from The Man. It's unavoidable: part and parcel. So what's it gonna be: anarchy or the police state?

    1. Anonymous Coward

      Re: The ol' Dual-Use Problem

      So what's it gonna be: anarchy or the police state?

      http://www.philosophy-index.com/logic/fallacies/false-dilemma.php

      1. Pascal Monett Silver badge

        An interesting read, but I'm not sure Charles 9's statement is wrong on that point.

        Given the obvious governmental push for state surveillance (this DNS stuff, backdooring encryption, shoddy age verification, etc), it would certainly seem that, from a governmental point of view, it's either the police state will keep you safe, or it will be anarchy through and through.

        The real problem is that the term anarchy is not used correctly. In Joe Public's mind, anarchy and chaos are the same thing, but that could not be more wrong.

        Anarchy is, philosophically speaking, the ideal society; anarchy is where there are no leaders because everyone pitches in and gets the job done, so no leading is needed. It's a world where you see that the garbage needs picking up, so you go get the truck and pick up the garbage. On your way, you see a neighbor filling in a pothole, because that's what he saw that needed doing. Further away, someone else is directing traffic while another person is fixing the street light that broke down.

        That is a world in anarchy. Everyone is doing their bit, no one needs orders.

        Of course, that vision is literally impossible. Aside from the insurance issues of just anybody walking into a garage and taking off in a garbage truck, there are not all that many people who have the knowledge to fix street lights or potholes via the proper procedure. You may easily find other examples.

        So, what Charles 9 should have actually said was: what's it gonna be: chaos or the police state?

        1. Headley_Grange Silver badge

          Garbage

          It's debatable as to whether a truly anarchic society could design and build a garbage truck.

          1. Anonymous Coward

            Re: Garbage

            "It's debatable as to whether a truly anarchic society could design and build a garbage truck."

            They could probably build a rubbish truck in an anarchic society, they just couldn't run a garbage collection service.

            Without garbage collection and other services, you will soon have anarchy when large numbers of people live in close proximity.

            Or maybe that's just what I tell myself to avoid a rage induced heart attack as I listen to the bin men at 4AM...

            1. ibmalone

              Re: Garbage

              They could probably build a rubbish truck in an anarchic society, they just couldn't run a garbage collection service.

              Could they though? You need steel, specialised engineering to make engine parts, fuel extraction and processing, various materials in small amounts (rubber, insulators for electrical components). Today we use a global distribution network to source and process these things. You probably don't need that, the early industrial revolution got by with a smaller industrial base (how else could it have been bootstrapped?) to make cruder, less efficient machines, but still probably beyond the ability of one person. Once you've got more than one person coordinating their efforts or cooperating is it really anarchy?

              1. Jason Bloomberg Silver badge

                Re: Garbage

                Once you've got more than one person coordinating their efforts or cooperating is it really anarchy?

                I don't see that working together for a common cause necessarily discounts anarchy. The key is in coordinating, 'leading' in the sense of bringing good ideas and advice to the table, having the freedom to listen, accept or reject, rather than 'leading' by ruling and dictating how things must be.

                That anarchy doesn't have 'leaders' doesn't mean that people cannot lead the way, collectively or individually.

                1. ibmalone

                  Re: Garbage

                  In what sense then does a consensual democracy or capitalist economy actually differ from anarchy?

                  1. Uncle Slacky Silver badge

                    Re: Garbage

                    Y'all need to read the Bread Book: https://www.thebreadbook.org/

                    ...and "Mutual Aid" by the same author:

                    http://dwardmac.pitzer.edu/Anarchist_Archives/kropotkin/mutaidcontents.html

                    ...and also GOOGLE MURRAY BOOKCHIN

                  2. Anonymous Coward

                    Re: Garbage

                    @ibmalone

                    First you have to have a consensual democracy.

                    We don't, despite any illusions to the contrary.

                    We have rule by the elite, for the elite.

                    1. ibmalone

                      Re: Garbage

                      History seems to suggest this is what you end up with to varying degrees, anarchies (in the political idealist sense) have no inherent defence against taking power by force. So you end up somewhere on a continuum of how centralised control and distribution of wealth are. Our society is somewhat more egalitarian than medieval feudalism for example.

              2. Anonymous Coward

                Re: Garbage

                Isn't Linux (at least in its earlier days), and many other open-source projects, not essentially an example of anarchism in action?

                Admittedly these are virtual/software things rather than physical creations (and there is perhaps extra complexity in that because that involves actual stuff and the means to extract its component parts and re-form those and/or make the finished thing), but still...?

                1. ibmalone

                  Re: Garbage

                  It's an interesting case. Linux of course isn't, it's a benevolent dictatorship (less dictatorish these days), but its assembly together with GNU would better fit the description. I think the contrast between commodities and ideas is important. Anyone can copy and redistribute code without depriving the originator of their copy (copyright is another matter, I'll assume anarchists don't care), it can be quickly transported anywhere (using physical networks that are maintained, or at times in the early days using postal services), and software depends for its operation on hardware which doesn't have these properties. In a way it's quite similar to the enlightenment era idea of a republic of letters.

                2. Donn Bly

                  re: anarchism in action

                  Isn't Linux (at least in its earlier days), and many other open-source projects, not essentially an example of anarchism in action?

                  Not really, in my observance successful open source projects generally don't exhibit a high level of anarchy. When anarchy rises then the projects generally fork or die. Survival of the fittest then determines who survives.

                  I would say that most successful open source projects grow and thrive under a "benevolent dictator". For instance in your given example of Linux, when you think of Linux and of Linus Torvalds would you use the word "anarchist" or "dictator" to describe his management style?

                  1. doublelayer Silver badge

                    Re: re: anarchism in action

                    I would say not at all. Linux clearly isn't for reasons stated above. GNU is a little less eager to describe themselves as dictators, but someone decides which version of the GNU-related code goes up on the website as the official glibc or utils or HURD kernel. That person has power to decide what they'll call the official GNU code, and the people who wrote a different version that didn't get used don't have that power. They can publish their version, of course, but that doesn't make it GNU approved. Because it is hard to define power, it's hard for anything to be anarchic. Power can at times be the ability to control some place, institution, activity, etc. I don't see any mechanism for ensuring everyone has equal control of every thing, physical or theoretical, in the universe. I'm not convinced I would want to try, either.

                    1. Anonymous Coward

                      Re: re: anarchism in action

                      Someone earlier drew a useful distinction between anarchy and chaos. That distinction is characterized by the presence or absence of voluntary participation and especially cooperation. Linus Torvalds is not a benevolent dictator. In fact he is not a dictator at all, and even if he is, it would be silly to suggest this famously profane man is benevolent as a dictator beyond the net effect of the project he heads. The project is run entirely on voluntary contributions of various sorts. There is no quid pro quo. It is anarchy, and it works. It embodies the highest ideal of anarchism. It is a concrete example staring us in the face, yet it is still hard to fathom. How we are conditioned...

                  2. Michael Wojcik Silver badge

                    Re: re: anarchism in action

                    Not really, in my observance successful open source projects generally don't exhibit a high level of anarchy. When anarchy rises then the projects generally fork or die.

                    I've seen one or two interesting studies of large open-source projects that support this hypothesis. Those studies actually looked at discussion forums for projects where non-committers could propose changes and eventually, if their work met enough approval, get promoted to committers. In the successful projects, there was either a (official or de facto) leader or cabal who became the ultimate point of control in promoting participants to committers and shutting down disruptive participants.

                    I'd provide citations but I don't have the relevant materials at this house and I'm too lazy to try to search, so take my word for it or don't.

                  3. Anonymous Coward

                    Re: re: anarchism in action

                    Apologies to all who replied, sloppy wording on my part: rather than "Linux, the kernel", I really meant "GNU/Linux OS distributions" (all due credit to RMS, the whole GNU shebang, and certainly not forgetting all of the other software projects involved, but we really need to come up with a non-confusing name that doesn't require a deep breath before saying...).

                    And, true enough, even many distros have some form of steering group that has the final say on what gets included, but I'd say that they are still a fairly good example of mostly ground-up organising?

            2. anonymous boring coward Silver badge

              Re: Garbage

              "they just couldn't run a garbage collection service"

              Anyone can do that, per definition.

          2. Teiwaz

            Re: Garbage

            It's debatable as to whether a truly anarchic society could design and build a garbage truck.

            Or need Insurance. It is a product of how currently functions.

        2. Headley_Grange Silver badge

          Novel

          "The Dispossessed" by Ursula K. LeGuin is a decent read which is partly set in a quasi-anarchic society.

        3. Carpet Deal 'em

          The only reason we have garbage trucks is separation of labor. Someone who specializes in picking up the garbage is going to be able to pick it up a lot faster than somebody whose specialty is filling in potholes, for example. However, there's no reason why the absence of an "obey or die"* state structure should see the abandonment of this.

          * And yes, any state ultimately carries the death penalty if you refuse to comply. The only difference is how trigger-happy they are about which things.

      2. Anonymous Coward

        Re: The ol' Dual-Use Problem

        Fuck it, anarchy it is.

        1. Anonymous Coward

          @AC ... Re: The ol' Dual-Use Problem

          Uhm...

          First the world isn't black and white... there's a lot of gray.

          While there is concern about encrypting DNS queries, it's a bit of a moot point.

          First, you can easily create your own local cache of the DNS servers so your lookups are all local.

          Second... what makes you think that the governments can't monitor your requests at the end point?

          And then there's the issue of bad URL lookups. You can have your cache, but if your cached servers can't answer, they may go back to the root servers. (Actually your cache is a copy of the root servers)

          For the .com domains... You're going to tell me that the US Government can't get a copy of the logs?

          Same for other countries.

          Besides, unless you're in China... or some other totalitarian country... I wouldn't fear the government.

          1. Anonymous Coward

            Re: @AC ... The ol' Dual-Use Problem

            Re: "I wouldn't fear the government."

            Today.

            Tomorrow when they make what you think of as normal, illegal, you'll be in the same boat as the Chinese.

            1. Tom 64

              Re: @AC ... The ol' Dual-Use Problem

              For the Tory party, the Chinese one party system is a model form of government. One which they are vigorously pursuing.

              1. Anonymous Coward

                Re: @AC ... The ol' Dual-Use Problem

                The world is pursuing dictatorship all around, fueled by democracies filled with people that cannot see beyond their choices. History will repeat itself, it's in human nature.

                1. Ian Michael Gumby

                  Re: @AC ... The ol' Dual-Use Problem

                  Funny, but here in the good ol' US of A, we have this thing called the 2nd Amendment.

                  Now you may not like the fact Americans can own firearms, but it just makes it harder for someone to create a dictatorship or a single party like China.

                  Today/Yesterday there was a massive protest that started to turn violent because Hong Kong didn't like the new laws being crammed down their throat by China.

                  1. Charles 9

                    Re: @AC ... The ol' Dual-Use Problem

                    And what happened? Shots got fired. Someone with enough strength can just go, "You take it or I'll shove it down your throat." and have the backing to actually carry out the threat. The only reason MAD worked was because no one was crazy enough to say, "Sod this" and push the button anyway, but you can't count on that forever. Sooner or later, someone in power is going to respond to an uprising like this with overwhelming force and actually carry it out to the hilt. In which case, I would say all bets are off.

    2. Mr Benny

      Re: The ol' Dual-Use Problem

      Since we've had unencrypted DNS for decades I'm not too worried about the police state in this case. Some things trump personal privacy issues and reducing child abuse is one of them IMO even if the more advanced crims will use VPN anyway. There are still plenty of dumb ones around.

      1. Anonymous Coward

        Re: The ol' Dual-Use Problem

        No doubt marked down by 20 somethings who don't have kids. Your attitudes will change fast when you do people, believe me.

        1. BigSLitleP

          Re: The ol' Dual-Use Problem

          No, it won't.

          1. Anonymous Coward

            Re: The ol' Dual-Use Problem

            Oh it will, we all grow up fast when we have children and realise that all the rah-rah idealistic BS we parroted as kids really isn't as important as we believed.

            1. Anonymous Coward

              Re: The ol' Dual-Use Problem

              That's when we learn it is hard and we seek expedients, conveniently trashing our ideals. The word for this is rationalization. But you are still wrong.

        2. Anonymous Coward

          Re: The ol' Dual-Use Problem

          Two points:

          1: Nonces will use VPNs or onion routing or whatever. Only non-nonces will be monitored. So there is no benefit.

          2: Having kids doesn't make you wiser. There's a reasonably good chance that it means that you are so stupid that you couldn't even work out how to use birth control.

          1. Anonymous Coward

            Re: The ol' Dual-Use Problem

            "There's a reasonably good chance that it means that you are so stupid that you couldn't even work out how to use birth control."

            Perhaps contemplate the reason for your own existence there.

            1. This post has been deleted by its author

            2. TrumpSlurp the Troll

              Re: The ol' Dual-Use Problem

              There was a young man from Cape Horn

              Who wished he had never been born

              Nor would he have been

              If his father had seen

              That the end of the rubber was torn!

              Thank you. I'm here all week

        3. Anonymous Coward

          Re: The ol' Dual-Use Problem

          Sixty-something here with kids. Marked down for their sake.

        4. Claptrap314 Silver badge

          Re: The ol' Dual-Use Problem

          Mine are in their twenties...

        5. Kiwi

          Re: The ol' Dual-Use Problem

          No doubt marked down by 20 somethings who don't have kids. Your attitudes will change fast when you do people, believe me.

          I've never had kids of my own, but I've been quite involved in the raising of a few including taking a couple under my wing to get them a better education than their parents could manage and take them out of a place where their only real options were escape, a life of crime, or an early (and probably violent) death.

          I've got quite a good handle on what it takes to raise kids.

          Also through dealing with computer security issues over the years, I sadly have waaay too much knowledge about what exists in this world :(

      2. Nick Ryan Silver badge

        Re: The ol' Dual-Use Problem

        Almost all child abuse is carried out in the home or a similar environment by close family or those who are the equivalent. If you truly want to reduce child abuse, then change society, don't blame the Internet for child abuse.

        The Internet is not the cause of child abuse, it's been happening probably since humans started dragging knuckles along the floor. The Internet is, however, a medium allowing the relatively easy spread of material produced as a result of child abuse and individuals who are already inclined to doing such things may be more inclined to do it more - or, they may even find that they no longer need to do it if their gratifications can be satisfied.

        1. Anonymous Coward

          Re: The ol' Dual-Use Problem

          "If you truly want to reduce child abuse, then change society, don't blame the Internet for child abuse."

          Some would say society has been gradually morphing for several thousand years and yet the problem remains, yet no one wants to admit it as part of the human condition as it raises moral hackles. The question becomes: how does one segment of society change a (ITNSHO) disgusting habit (such that acceptance is not an option because to them it is a threat) accepted if not embraced by another segment?

          1. Anonymous Coward

            Re: The ol' Dual-Use Problem

            Your self-perception on your ability to solve difficult problems I perceive as too high.

            1. Anonymous Coward

              Re: The ol' Dual-Use Problem

              Eh? I never proposed a solution. In fact, I proposed there is NO solution, as you're pitting human natures against each other. Usually, when that happens, things get ugly.

    3. Alien Doctor 1.1

      Re: The ol' Dual-Use Problem

      As many of you said, anarchy is an ideal situation but sadly a pipe dream. Human nature will always cause it to fail.

      I’m reading Pyotr Kropotkin at the moment, he laid the foundations of anarcho-communism.

      After I left the RAF and discovered acid, I formulated my own, personal political code. I realised that there is little the individual can do to change the political system but the only person over whom I had or wanted any control was myself.

      My code is simple.

      1 - Imposing your will upon others and allowing them to impose their will on you is fascism.

      2 - Refusing to impose your will on others and allowing others to impose their will on you is anarchism.

      To be an anarchist, one should also be a pacifist, be willing to work cooperatively for the common good and have a strong sense of social responsibility.

      I am happy to obey the laws made for the good of society.

      I am equally entitled to ignore the laws made that are only there for the state to control the individual’s freedom of thought or action.

      My favourite definition of an anarchist is anyone who opposes the suppression of any person or group of people by any other person or group of people.

      Take care

      1. Anonymous Coward

        Re: The ol' Dual-Use Problem

        Who owns the air and why do they allow me to breathe it?

        1. Charles 9

          Re: The ol' Dual-Use Problem

          The Spaceballs, who will take your planet's air by force if they gotta (Thank you, Mel Brooks).

  2. Anonymous Coward

    How is this any different

    Than child porn seekers using a VPN that tunnels their DNS lookups?

    Just because there are some stupid criminals who get caught doesn't mean we should abandon any advancements that might protect them from their stupidity as a side effect. I'm sure they'll find other ways to be stupid and still get caught.

    1. Pascal Monett Silver badge

      Re: How is this any different

      Or typing an IP directly?

      I'm guessing that, if you type in the IP address, there will be no DNS lookup, right? So how can that be traced?

      Of course, I'm guessing that, just like the vast majority of Internet users, pedophiles don't generally know what an IP address is, much less how to get it, but that information is not difficult to find, and it only takes one to explain things on a forum for the others to realize they need to do that to stay under the radar.

      1. James Ashton

        Re: How is this any different

        Your plan will almost never work. Let us count the ways ...

        * Many web sites share an IP number amongst more than one web site, e.g., example.com and example.co.uk could be different sites both served by a server at 1.2.3.4. If you access the server using its number it won't know which site you want.

        * Especially since we're talking privacy here, the sites will use HTTPS, requiring a cert for the address visited. The server will have a cert for the various DNS names it hosts but almost never will it have a cert for its IP number. So accesses using your technique will be totally insecure and vulnerable to interception and rewriting.

        * Even if there was only a single web site on an IP number, the server will want to appear on the web as a single site. Not only does this simplify configuration and management, it avoids diluting the site's web presence across what search engines consider different sites. So requests to example.co.uk, www.example.co.uk and 1.2.3.4 will all be instantly directed to the site's preferred domain. This will cause a DNS lookup even if you typed 1.2.3.4.

        * It can actually be difficult to configure web servers to respond identically to queries that use different names. Even if the server allows you to access content without redirection at both example.co.uk and 1.2.3.4, the content you see will often vary.

        1. aMIGA_dUDE

          Re: How is this any different

          James Ashton

          * Even if there was only a single web site on an IP number, the server will want to appear on the web as a single site. Not only does this simplify configuration and management, it avoids diluting the site's web presence across what search engines consider different sites. So requests to example.co.uk, www.example.co.uk and 1.2.3.4 will all be instantly directed to the site's preferred domain. This will cause a DNS lookup even if you typed 1.2.3.4.

          I don't know if this would work, but let's say in the hosts file (c:\windows\system32\drivers\etc\hosts) you put something like

          1.2.3.4 example.co.uk

          1.2.3.4 www.example.co.uk

          I understand that would work

          1. eldakka

            Re: How is this any different

            Yes that would work.

            The hostname that is being accessed is part of the HTTP data packet, not part of TCP/IP. Therefore however the IP address is obtained (DNS, local hosts file) then the TCP/IP packet will have the IP in it as the destination, and the encapsulated HTTP packet will have a, literally, "Host:" header in it that contains the hostname (as opposed to IP address) in it.

            If it's plain HTTP, you can do this just via telnet, by just typing into a shell session of some description e.g.: say we have a site called www.mysite.com that has a file index.html, then to view its raw HTML you could get its IP first (say via doing an nslookup or dig), then (the request line goes first, and the Host: header follows it):

            telnet <IP> 80

            GET /index.html HTTP/1.1

            Host: www.mysite.com

            <Enter><Enter>

            Apart from other 'housekeeping' tasks (inserting in other headers like referer etc.), that's all a browser does, and of course parses the returned HTML and displays it in parsed form rather than the raw HTML.

            I do that sometimes at work when I want to check an internal website, say via a script that is just testing if the site is up or not (admittedly, these days I actually use wget or curl rather than telnet).

            1. James Ashton

              Re: How is this any different

              Therefore however the IP address is obtained (DNS, local hosts file) then the TCP/IP packet will have the IP in it as the destination, and the encapsulated HTTP packet will have a, literally, "Host:" header in it that contains the hostname (as opposed to IP address) in it.

              If you type "http://1.2.3.4/" into your browser as Pascal suggests then it's going to send "host: 1.2.3.4". Anything else would break web sites that want to allow access to different content by IP number. The browser's not going to do a reverse DNS lookup and, even if it did, that would ruin the privacy that Pascal was trying to achieve. He didn't mention editing the hosts file; he just said "type in the IP address". Be aware that some browsers—at least Chrome—do their own DNS thing and mostly ignore the hosts file.

        2. Anonymous Coward

          TCP/IP vs. HTTP(S)

          * Many web sites share an IP number amongst more than one web site, e.g., example.com and example.co.uk could be different sites both served by a server at 1.2.3.4. If you access the server using its number it won't know which site you want.

          You are conflating three different things here: The symbolic host name, the numerical IP address, and the HTTP Host: header. Each time (barring caching) I ask for www.theregister.co.uk in my browser, the following happens:

          1. My browser asks the DNS server for the address record associated with www.theregister.co.uk

          2. My browser opens a TCP connexion to the numerical IP address it received in step 1.

          3. My browser sends the "Host: www.theregister.co.uk" header down the pipe, to indicate the web site I want.

          There is no particular reason why the symbolic names used in steps 1 and 3 should be the same: I could just as well directly open a connexion to a numerical address I already know, and instruct the browser to use the symbolic name I want through an extension (or eg in wget --header command-line option).

          The rest of your objections are circumvented in the same, trivial way - by setting the appropriate HTTP headers in a request sent to a known IP destination. Please note that this is not a "hack", and not a bug - it is the fundamental property of the TCP/IP and HTTP design. It cannot be fixed without breaking either protocol.
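
The three-step breakdown above (and eldakka's telnet walkthrough earlier in the thread) can be checked with a small self-contained Python script. This is an added example, not code from the thread or from any web server; the virtual-host table, the site names and the 1.2.3.4 address are constructed for illustration. It builds an HTTP/1.1 request with an explicit Host header, parses that header the way a virtual-hosting server would, and also covers the two cases the thread argues about: a Host header carrying a bare IP address (the server falls back to its default site) and a missing Host header (HTTP/1.1 requires a 400 response).

```python
# Added example, not from the forum thread. The host name a web server uses to pick a
# site travels in the HTTP "Host:" header, separately from the IP address the TCP
# connection goes to. All names, sites and addresses below are constructed.

DEFAULT_SITE = "default"          # what the server serves when no Host header matches
VHOSTS = {                        # constructed virtual-host table: Host name -> site
    "example.com": "site-A",
    "example.co.uk": "site-B",
    "www.example.co.uk": "site-B",
}


def build_request(host_header: str, path: str = "/index.html") -> bytes:
    """Build a minimal HTTP/1.1 request: request line first, then the headers.

    Whatever IP the TCP connection is opened to, the server only ever sees this
    host_header value when choosing a site.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")


def parse_host(request: bytes):
    """Return the Host header value, lower-cased and without a :port suffix, or None."""
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"GET "):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            # Strip an optional :port; bracketed IPv6 literals are left untouched here.
            if not host.startswith("[") and ":" in host:
                host = host.rsplit(":", 1)[0]
            return host
    return None


def select_vhost(request: bytes) -> str:
    """Pick the site a virtual-hosting server would serve for this request."""
    host = parse_host(request)
    if host is None:
        # HTTP/1.1 servers must reject requests without a Host header (RFC 7230 s5.4).
        return "400 Bad Request"
    # A bare IP in the Host header matches no configured name, so the default site wins.
    return VHOSTS.get(host, DEFAULT_SITE)


if __name__ == "__main__":
    for hdr in ("www.example.co.uk", "example.com:8080", "1.2.3.4"):
        print(f"Host: {hdr:20} -> {select_vhost(build_request(hdr))}")
    print("no Host header       ->", select_vhost(b"GET / HTTP/1.1\r\n\r\n"))
```

The point the example makes concrete is that `build_request("1.2.3.4")` and `build_request("www.example.co.uk")` can be sent over a TCP connection to the very same address; only the header text decides which site answers.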

          1. Michael Wojcik Silver badge

            Re: TCP/IP vs. HTTP(S)

            And if TLS is in the picture, there may be SNI as well, further confusing the issue. The SNI name is usually the same as the Host header value, for HTTPS, less the optional port suffix; but it doesn't have to be.

            The application (e.g. browser) has to tell the TLS layer what SNI name to use. Some TLS APIs may not provide a way to do this separately from the target FQDN (or bare hostname or address) supplied by the user - that is, the TLS API may combine the DNS lookup, SNI configuration, and connection into a single call. That would force the application to use a "correct" name (i.e. one the server recognizes for SNI purposes) in your step 1, in order to get the correct server certificate to perform destination validation.

            For that matter, if TLS and PKIX are involved, the application has to match some user-provided string against the SANs in the server certificate. Normally that comes from your step 1.

            With other TLS APIs SNI, DNS, connection, and server-certificate SAN matching are separate. You can set SNI and server name explicitly using the s_client command of the openssl utility, for example. I'm not aware of a popular browser which gives you that level of control, but, hey, they're mostly open-source.

        3. Anonymous Coward

          Re: How is this any different

          1) Many very dodgy sites probably aren't using free hosting on GoDaddy using virtual hosts.

          2) Certificates can also store IPs. Again, I don't think very dodgy sites buy certificates, and pay for them... which could let them be traced (unless stolen cards are used, of course). Or use Let's Encrypt.

          3) Very dodgy sites may not want to be indexed by Google, and be easily found by the police too...

          4) It's pretty easy to make a site work with both the DNS name and IP address.

        4. Anonymous Coward

          Re: How is this any different

          No, if you were to use a hosts file or a private DNS cache, then all of your four ways do not apply.

  3. Anonymous Coward
    Anonymous Coward

    The IWF's impact

    The IWF argues that its model for spotting and removing child sexual abuse imagery and videos from the internet works, noting that the percent of such material hosted in the UK has declined from 18 per cent in 1996 to 0.04 per cent in 2018.

    I'm not sure how useful those stats are. Surely it is the decline since the IWF's model was instituted (much more recently) that matters? What are the figures for that?

    Regardless, I reckon that most Brits, like me, are lazy enough/happy enough to go with their ISP's DNS service - so the law can still be enforced.

    1. Anonymous Coward
      Anonymous Coward

      Re: The IWF's impact

      >The IWF argues that its model for spotting and removing child sexual abuse imagery and videos from the internet works, noting that the percent of such material hosted in the UK has declined from 18 per cent in 1996 to 0.04 per cent in 2018.

      But what is the actual amount of material hosted in the UK? If in 1996, we had 18,000 such items out of a worldwide total of 100,000, then that is 18%. If the UK now hosts 40,000 out of 100 million worldwide then it is 0.04%, but over double the actual amount of material. I wouldn't call doubling the amount of child porn a success.

      I honestly don't know what the figures are, and I would hope it's significantly less than that, but %ages are not always the best indicator.

      1. Anonymous Coward
        Anonymous Coward

        Re: The IWF's impact

        Lol beat me to that point, imagine a beer instead of guy fawkes ;)

      2. Anonymous Coward
        Anonymous Coward

        Re: The IWF's impact

        I am pretty sure the bloke from IWF does not know anything substantial about the technicalities he's blabbering about.

    2. Anonymous Coward
      Anonymous Coward

      Re: The IWF's impact

      Personally I wonder if that impressive sounding stat is actually an admission of managing to achieve fuck all at internet scale.

      Sure, 18% of anything internet would be a few thousand servers which were (physically) UK based back in '96; 0.04% of anything internet in 2019 will be tens if not hundreds of thousands of servers... Unless they are also counting all the former UK based ISPs one&one and godaddy gobbled up in the early noughties and promptly shipped over to their mega DCs in Rotterdam and Dresden, so the muck is no longer in the UK....

      Don't get me wrong, I think the IWF do a mostly alright job, just a shame they always resort to the think of the children hyperbole whilst asking for the wholesale erosion of privacy. At the end of the day nonces are going to nonce; the worst/smartest will have learnt how to circumvent just about all state level snooping through use of proxies, VPNs, Tor, end to end encryption, burner VMs etc. and judging by any of the recent news stories about successful prosecutions they have all come about either through informants, undercover stings or lax security at their end. So I don't see how dns over https (tls surely??) has any impact, other than if they have the ability to monitor known abusive ISP subscribers, and if that's the case then dns over https would have 0 impact as the ISP would just keep the existing tap in place and just move it to the unencrypted side of the DNS server, whilst still having 0 access to 1.1.1.1, 9.9.9.9, 8.8.8.8 or 8.8.4.4 (other than pushing their block list at them) to name the free DNS services that spring to mind....

      1. Ben Tasker

        Re: The IWF's impact

        > So i dont see how dns over https (tls surely??)

        no, HTTPS.

        DNS over TLS (DoT) is a different protocol. DNS over HTTPS is literally what it sounds like - in effect an API call placed to an HTTPS server (what you're actually doing is plonking the wireline DNS packet into a HTTP POST request).
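        As an added illustration of the "wireline DNS packet in an HTTP POST" description above (this is example code written for this page, not anything from the thread or from any resolver's implementation): the block below builds a standard RFC 1035 wire-format A query, wraps it in the RFC 8484 POST request (`/dns-query`, `Content-Type: application/dns-message`), and parses a constructed wire-format answer. The resolver host `dns.example.net` and the address `203.0.113.10` are constructed sample values; nothing is sent over the network, which is also why the HTTP request is shown as plain bytes (in practice it travels inside TLS).

```python
"""DNS-over-HTTPS wire format: what actually goes inside the HTTP POST.

Added example, not part of the thread. Builds a DNS wire-format query,
wraps it in the RFC 8484 HTTP request, and parses a constructed response.
Everything is built in memory, so it runs without network access.
"""
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """DNS query message; RFC 8484 recommends txid 0 so HTTP caches can match requests."""
    flags = 0x0100  # RD: recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_doh_post(host: str, dns_message: bytes, path: str = "/dns-query") -> bytes:
    """The HTTP/1.1 request that carries the DNS message (inside TLS in real use)."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(dns_message)}\r\n"
        "\r\n"
    )
    return head.encode("ascii") + dns_message


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return [(name, type, ttl, rdata)] from a wire-format DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE other than NOERROR
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def constructed_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed sample response answering `query` with a single A record."""
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, flags | 0x8000, 1, 1, 0, 0)  # QR bit set
    question = query[12:]
    # 0xC00C: pointer back to the name at offset 12 (the question name)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    rr += bytes(int(x) for x in addr.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(build_doh_post("dns.example.net", q).decode("ascii", "replace"))
    print(parse_answers(constructed_response(q, "203.0.113.10")))
```

        The point for the DoT/DoH confusion later in the thread: the bytes produced by `build_query` are identical to what goes over UDP port 53 or inside a DoT connection on port 853; only the carrier differs, and a DoH carrier is indistinguishable on the wire from any other HTTPS traffic to that host.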

    3. Joseba4242

      Re: The IWF's impact

      If DoH (DNS-over-HTTP) as a protocol was used in the same way as traditional DNS then this would be true.

      However the way Mozilla and Google are envisaging to implement it is that their browsers use fixed DoH resolvers directly, thus completely bypassing the ISP's DNS servers.

      So Mozilla and Google would choose which DNS provider their browsers use. Cloudflare and Google are the two main contenders for that.

  4. Blockchain commentard

    As one of the 20th century's greatest philosophers once said "The needs of the many outweigh the needs of the few". Privacy might allow a few bad eggs to continue but the majority of people will benefit.

    1. Mr Benny

      Reducing crime is a need of the many. If fingerprinting were invented today some libertarian activist would be campaigning to outlaw it.

      1. trindflo Bronze badge

        @Mr Benny

        Fingerprint analysis has been largely discredited as being not much more than a police hunch, at least as it is practiced. Is that part of your point? It has, no doubt, been effective in sending criminals to prison because the public and importantly juries believed it to be much more conclusive than it is. Innocent people railroaded by the same mechanism are no-doubt in the minority, so good of the many at the expense of a few?

        1. steviebuk Silver badge

          True. There is that case of the police woman that was arrested for murder I think it was on fingerprint evidence. Turns out when they had another expert examine it was only a partial print that just happened to match hers but wasn't actually her print.

          I think it was this one

          https://en.m.wikipedia.org/wiki/Shirley_McKie

          1. Anonymous Coward
            Anonymous Coward

            Truly disconcerting is that DNA evidence has the same shitty properties.

      2. CountCadaver Silver badge

        Blackstone's ratio also states "better a thousand guilty men go free than one innocent suffer punishment" - sentiment I whole heartedly concur with, shame our "elected representatives" would prefer it was inverted "better a thousand, nay a billion innocents be punished, than one guilty man go free"

    2. vtcodger Silver badge

      But it might have been ...

      "The needs of the many outweigh the needs of the few"

      OK, so the all knowing Internet tells me it was Mr Spock. But my initial guess was either Karl Marx, Chairman Mao, or Adolph Hitler. Seems to me it could be a quote from any demagogue from Cleon to Donald Trump to the antichrist him/herself.

      1. Afernie

        Re: But it might have been ...

        "Seems to me it could be a quote from any demagogue from Cleon to Donald Trump to the antichrist him/herself."

        I'm trying and failing to imagine the high priest of the 1%, Donald Trump, saying "the needs of the many outweigh the needs of the few."

        1. vtcodger Silver badge

          Re: But it might have been ...

          On the contrary, The Donald will tell his audience whatever he thinks they want to hear. His actions? An entirely different and largely unrelated subject.

          1. TRT Silver badge

            Re: But it might have been ...

            What we need to build is a big, beautiful firewall... and the pornographers will pay for it.

    3. Fizzle
      Holmes

      "or the one"

      to complete the quote in full.

    4. Charles 9

      ""The needs of the many outweigh the needs of the few""

      Once upon a time, blacks were few versus the many whites. Does the term "tyranny of the majority" ring a bell?

    5. Anonymous Coward
      Anonymous Coward

      So you've handed over your prints to the old bill... Very civic minded of you.

  5. regbadgerer

    Does this change anything?

    I guess I must be wrong here, but I always thought that the domain was sent clear even over https, so even with dnssec you'd be able to see what sites people were trying to visit?

    1. VinceH

      Re: Does this change anything?

      AIUI...

      (Not my area of understanding, really, so apologies if this is bollocks...)

      The domain is sent in the clear to the name server (as the article suggests) but any and all communication between you and the website is either clear under http or encrypted under https, depending on which is in use.

      Your ISP can see you are visiting www.example.com because of the DNS query.

      It can't see that you are visiting www.example.com/foo/bar/dodgyimages/01.jpeg if https is in use because that query is sent to www.example.com's servers in encrypted form.

      You might be thinking that the fact the full url is being sent *to* www.example.com is the give away - but it's being sent to its IP address, and that IP address might be hosting multiple sites, so it doesn't give much away.

      1. Blockchain commentard
        Boffin

        Re: Does this change anything?

        Yep. Bollocks.

        DNS over HTTPS encrypts everything between client and DNS server. ISP and gov't snoops know nothing apart from that a request has been sent. This could be to www.google.com or www.paedosRus.com. Looking at pages under the domain isn't handled by DNS servers since you've already resolved the host IP address and that IP address is cached. It would kill DNS servers if every page on a website was resolved individually when you click 'next' on articles (such as on el Reg).

        1. VinceH

          Re: Does this change anything?

          Just to clarify, you appear to be correcting me by explaining how DNS over HTTPS works - but I took the question to mean the existing system, not DNS over HTTPS.

          (And although I didn't mention caching the IP address, I wasn't implying that every single page visit includes a DNS lookup - at least not intentionally - but you seem to have inferred it.)

          1. Ben Tasker

            Re: Does this change anything?

            > The domain is sent in the clear to the name server (as the article suggests) but any and all communication between you and the website is either clear under http or encrypted under https, depending on which is in use.

            >

            > Your ISP can see you are visiting www.example.com because of the DNS query.

            >

            > It can't see that you are visiting www.example.com/foo/bar/dodgyimages/01.jpeg if https is in use because that query is sent to www.example.com's servers in encrypted form.

            That's *almost* correct.

            The query is sent to the nameserver in the clear, so they can see it there, yes. But, when you connect out to the server for www.example.com, your SSL Client Hello will include "www.example.com" in the clear as part of the Server Name Indication (SNI) extension - basically so the server knows which cert to serve you.

            If you're using < TLS 1.3, the server's cert will come back unencrypted, so names can also be extracted from there.

            Encrypted SNI is coming (and cloudflare already have an implementation), but as a rule, the name can come from there.

            > It can't see that you are visiting www.example.com/foo/bar/dodgyimages/01.jpeg if https is in use because that query is sent to www.example.com's servers in encrypted form.

            This bit is correct, although there are some situations where it might not be. The main one being where the browser warns you about mixed content, and you choose to allow that content.

            At which point, your browser will send out a plain HTTP request to fetch whatever content it is you've just allowed, and your ISP will be able to see the referrer headers on that (assuming any are sent - depends on browser config and/or the referrer-policy header on the original site) which will give the full URL of the page you're using. I wrote a PoC script a little while back that essentially does this with PCAPs, to demo how easily you could extract what subreddits various reddit users on your network sub to.
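            To make the SNI point concrete (the one above, and the earlier "TCP/IP vs. HTTP(S)" post noting that the SNI name is set by the client and need not equal the Host header), here is an added example, written for this page and not taken from the thread or any monitoring product: it builds a minimal ClientHello in memory and then extracts the server_name extension the way a passive on-path monitor such as an ISP's DPI box would. It returns None when there is no SNI at all (a connection by bare IP address, or a deployment where the real name is not in the clear). The hostname `www.example.com` and the fixed cipher suite are constructed sample values; nothing is sent over the network.

```python
"""What a passive observer sees in a TLS ClientHello: the SNI host name.

Added example, not from the thread. build_client_hello() constructs a
minimal ClientHello (TLS 1.2-style layout); extract_sni() parses the
server_name extension out of the record the way a monitor would.
"""
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000  # extension type for server_name (RFC 6066)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal ClientHello, with or without an SNI extension."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + bytes(32)                           # random (zeros: constructed sample)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if it is absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None  # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None  # truncated record; a real monitor would reassemble TCP first
    off = 2 + 32                     # skip version and random
    off += 1 + body[off]             # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + cs_len                # skip cipher suites
    off += 1 + body[off]             # skip compression methods
    if off + 2 > len(body):
        return None                  # no extensions block at all
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = min(off + ext_len, len(body))
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + elen]
        off += elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            name_type = data[2]
            name_len = struct.unpack("!H", data[3:5])[0]
            if name_type == 0 and len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))  # the name, in the clear
    print(extract_sni(build_client_hello(None)))               # None: nothing to read
```

            Two things worth noticing from a defender's side: the name is readable without any key material, which is exactly why the later remark in this thread about ISPs checking SNI with DPI works even when a client uses a third-party resolver; and the parser must cope with the extension simply being absent, which is the case encrypted SNI / Encrypted Client Hello is designed to make the norm.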

          2. flec

            Re: Does this change anything?

            You're thinking of TLS server name indication, where the client sends the hostname to the server in plaintext, a feature which allowed multiple HTTPS certificates to be served via a single IP address, thus effectively implementing Host-header support in HTTPS.

            This is resolved by a TLSv1.3 extension - SNI encryption.

            1. regbadgerer

              Re: Does this change anything?

              @flec thanks, so sounds like the problem is a combination of DNS over HTTPS _and_ SNI encryption, rather than DNS over HTTPS by itself. Though for whatever reason everyone seems to be jumping on DNS over HTTPS as the evil here (speculation: google have been promoting DNS over HTTPS, so perhaps people auto-associate with evil)

      2. Jamie Jones Silver badge

        Re: Does this change anything?

        You are correct about how https will hide the full url, but:

        "You might be thinking that the fact the full url is being sent *to* www.example.com is the give away - but it's being sent to its IP address, and that IP address might be hosting multiple sites, so it doesn't give much away."

        Before SNI ( https://en.wikipedia.org/wiki/Server_Name_Indication ), https sites (to work correctly) needed a unique IP address per site.

        SNI now means that yes - https sites can share an IP address and work correctly, however the sitename being connected to is still sent in the clear, because until the server knows which site is being contacted, it won't know which certificate to use, so any encryption up to that point could be MITMed anyway.

        As you said, "that IP address doesn't give much away" - but it also doesn't give much away to a server attempting to authorise an existing connection, either!

        ---

        One way around this "chicken and egg" situation I can think of (and I'm sure this has been proposed already.. if not ... cite this post as "prior art" if it's ever "invented" by someone else!) :

        If a dns name resolves to a canonical address, e.g. www.mysite.com -> CNAME www.elreghosting.com , then first connect to www.elreghosting.com , authenticate to that host, using its certificate, then once a valid connection is established, then request over that channel the original hostname. and then authenticate against that certificate.

        It would require both server and client changes, and would mean more traffic required to initiate the final connection, but it would be backwards compatible - If a client instead tries to authenticate as it does now, the server would be able to serve that request as it does now.

        1. vulture65537

          Re: Does this change anything?

          https://en.wikipedia.org/wiki/Domain_fronting

          disabled in April 2018 by big players

        2. This post has been deleted by its author

      3. LeahroyNake

        Re: Does this change anything?

        Sounds right to me and is probably why the pervs are putting child pron on Facebook and other massive social media sites.

  6. Lee D Silver badge

    In other news, telephones can be used to organise crime or save lives, paper can be used to write a novel or commit arson, and cars can be used to transport emergency victims or run people over.

    1. Yet Another Anonymous coward Silver badge

      But it's monday so we use child porn as the excuse

      Tuesdays it's Chinese spying

      Wednesdays it's terrorism

      ...

      ...

      1. Roj Blake Silver badge

        You are Craig David and I claim my £5.

        Bo selecta!

        1. BigSLitleP

          He can't be, he'd be making love by Wednesday.

      2. CountCadaver Silver badge
        Headmaster

        Child Sex Abuse Imagery is the correct title, Porn is legal and done by consenting adults.

        Abusive images of children are a crime and should be treated as such

        Link: https://www.interpol.int/en/Crimes/Crimes-against-children/Appropriate-terminology

    2. big_D Silver badge

      Exactly, and just changing your DNS provider and using DNS over SSL and DNSSEC will also accomplish the same thing.

      I use my own DNS server and DNS over SSL and DNSSEC to a backbone DNS provider. My DNS server will also provide DNS over HTTPS to clients in my network.

  7. Anonymous Coward
    Anonymous Coward

    I don't understand the argument that millions could be exposed to these images. I've been online since the days of BBS and I have never come across any of these images besides why would making my DNS queries private all of a sudden make it more likely I'm going to end up being one of the "millions" now seeing these images?

    Call me cynical but the IWF work closely with government and I'm pretty sure it's them that have the main issue with this, and a "Think of the children" push is always welcomed when it comes to taking people's privacy.

    1. bpfh

      Yes.... but it’s less emotional.

      This is why scary guns were forbidden after Dunblane because of the danger and the murder of 16 kids, but the ~3699 deaths in 1997 in car accidents was a side note more or less accepted as bad luck.

      As for the internet, it's easy for professionals to understand the interconnections, routing, addressing; we have read the RFCs, and built networks ourselves, and we know how it goes together, but for the average joe, I plug my box in, type the WiFi password and magic happens.... add to that journalistic hyperbole over hackers, crackers (anyone remember phreakers btw?), kiddie porn and terrorism, with politicos willing to do anything to get their names into ephemeral history for doing something/anything to keep their snout in the trough for another 5 years (or in China's case keep the whole shebang up by only allowing their version of alternative facts out, mostly for the same reason), and then you have... well.... today 2019 really.

      Sorry, it’s still too early on Monday morning and I do not see much to restore my faith in Humanity for the moment. I’m off for a triple espresso or 4.

      Peace out!

      1. Baldrickk

        Re: Yes.... but it’s less emotional.

        There is a difference between accidents and murder...

        Now if people had intentionally driven into 3700 people, then that would be different

      2. Aitor 1

        Re: Yes.... but it’s less emotional.

        I would add that bands of criminals roam free, and not even the BBC can have cameras on bridges WITH security guards and be safe.. in London. Yet the police do nothing.

        So it is all for show, the authorities do not care much about our security, just care about votes. Not an unusual thing, we are not particularly bad in the UK (I would say the opposite is true).

        So yeah, more privacy is certainly better for the majority.

      3. not.known@this.address

        Re: Yes.... but it’s less emotional.

        "but the ~3699 deaths in 1997 in car accidents was a side note more or less accepted as bad luck."

        I wonder how many of those included alcohol as a direct cause? And how many domestic abuse/child abuse cases can be linked to alcohol? But you won't see many people demanding a ban on alcohol sales, or even a zero-level limit on driving with alcohol.

        So alcohol-induced death and injury is fine but we can't allow anyone to browse the web in private. Yay for our team!

        (Incidentally, does anyone know if our lords and masters in Westminster/Holyrood/Senedd and Brussels will be subject to this, or merely us serfs?)

        1. Anonymous Coward
          Anonymous Coward

          "even a zero-level limit on driving with alcohol"

          There are countries where the limit is zero. The US banned alcohol a century ago, and showed how difficult it is to remove bad habits once they become deeply woven into social behaviour.

          Anyway there's still a difference between someone willingly killing other people - and people doing it as a side effect of their idiotic and dangerous behaviour. No one thinks it is fine, and laws are much stricter now than not long ago. Still there are powerful lobbies behind making money selling alcohol - just like there were behind tobacco, and are building behind pot.

          Anyway there's a difference between tools that are built only to kill, and tools that are built to perform very useful task, and can also kill.

          1. Cynic_999

            Re: "even a zero-level limit on driving with alcohol"

            "

            Anyway there's still a difference from someone willingly killing other people - and people doing it for a side effect of their idiotic and dangerous behaviour.

            "

            There is also a difference between someone killing other people, and someone looking at a photograph of a complete stranger committing murder.

    2. GruntyMcPugh

      @AC I'm struggling with that part myself, my recent web searches have been for CD storage units,.... and not once while searching for such have I had a result that's been banned because it contains dodgy images, they've all been furniture shops. (I'm going with the one from Argos, if anyone is interested)

      I think they are trying to say that if they can't intercept DNS lookups, people might happen across dodgy sites,.... which sounds like they are looking down the wrong end of the problem here,..... if the dodgy sites still run regular DNS, they are still discoverable and can be banned, they don't need to see what the clients are looking at, and I'd have thought the authorities would have some pretty good web crawler technology, so they can find all this stuff by themselves? Also, the DNS part only gets you the server, not the URL, so unless the site has an obvious name like dodgy-images.com how are they discerning content from DNS lookups? I don't think they are, it sounds like instead of finding and dealing with the offending sites, they actually want them to persist, and then check and see who is looking. Which then makes you wonder,... are law enforcement running some of these sites as traps?

      1. Anonymous Coward
        Anonymous Coward

        Maybe once they have a suspect, they can back-search their DNS lookups to find other sites that they have been visiting? If they know PervA has been going to several sites and PervB has also been going to the same sites, then they can try to gather enough evidence to shut down those sites (or catch the other users).

        1. Anonymous Coward
          Anonymous Coward

          "If they know PervA has been going to several sites and PervB has also been going to the same sites, [...]"

          s/Perv/Voter/

      2. Ben Tasker

        > And I'd have thought the authorities would have some pretty good web crawler technology, so they can find all this stuff by themselves? Also, the DNS part only gets you the server, not the URL, so unless the site has an obvious name like dodgy-images.com how are they discerning content from DNS lookups?

        So, to answer your question, this is how the system works (or at least used to). This is based on BT's Cleanfeed, which was the original implementation (and the one first misused to block torrents as well as child abuse material).

        Let's assume example.com/fine is legal and above board but example.com/secret contains illegal content.

        - You try to visit example.com

        - Your browser does a DNS lookup for example.com, which is intercepted by your ISP's DNS servers

        - The ISP uses the IWF's list, and finds example.com on there

        - They return you A record 1.2.3.4

        - Your browser connects to 1.2.3.4 which is a proxy run by your ISP, it accepts your request and checks the path against the IWF list

        - If you were requesting /nice, your request is just proxied through to the true origin

        - If you were requesting /secret your request is dropped, alarm bells rung etc

        A few years back (fuck... 11 years back, it was 2008), this setup led to all UK users being blocked from editing Wikipedia. The reason was they were all originating from an IWF filter box because the IWF had decided that an album cover was "potentially" illegal. It's an old post, but I've got examples of other IWF fuckups on this page.

        Things are obviously a bit harder nowadays, because HTTPS adoption has increased significantly. I can only assume they handle it the way they handle things like The Pirate Bay which is to block the entire domain (because they can't provide a valid cert for the domain and therefore can't see the paths being accessed). With things like Torrent sites, they appear to use DPI to check SNI too, in an attempt to try and catch users that aren't using their ISPs DNS servers.

        Some ISPs, by the way, intercept UDP packets destined for 8.8.8.8 port 53 (and others) and redirect them to their own DNS servers, so simply configuring to use another DNS server isn't sufficient.
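        The two-stage scheme described in the post above, as an added simulation written for this page (it is not BT's, the IWF's or any ISP's code, and the block list, host names and addresses in it are constructed stand-ins). Stage 1 is the ISP resolver, which answers listed names with the proxy's address; stage 2 is the proxy, which sees Host and path on plain HTTP and drops only listed paths. The extra switches go beyond the post's HTTP walk-through to show the three degradations the thread goes on to discuss: over HTTPS the proxy sees only the SNI name, so it can only pass or block a whole domain; a client using its own (DoH) resolver never reaches stage 1; and SNI inspection on the path is what is left once that happens.

```python
"""Cleanfeed-style two-stage URL filter, simulated in memory.

Added example, not from the thread or any ISP. simulate() returns the
address the client ends up connecting to and the filter's decision for
four situations: plain HTTP via the ISP resolver, HTTPS via the ISP
resolver, a third-party (e.g. DoH) resolver, and SNI inspection as a
fallback when the resolver is bypassed.
"""
from typing import Dict, List, Optional, Tuple

PROXY_ADDR = "192.0.2.1"  # constructed: the ISP's filtering proxy

# Constructed "real" DNS data and a constructed stand-in for the IWF list.
REAL_ADDRESSES = {"example.com": "203.0.113.10", "other.example": "203.0.113.20"}
BLOCK_LIST: Dict[str, List[str]] = {"example.com": ["/secret"]}


def stage1_resolve(name: str) -> Optional[str]:
    """ISP resolver: listed hosts resolve to the proxy, others to their real address."""
    if name in BLOCK_LIST:
        return PROXY_ADDR
    return REAL_ADDRESSES.get(name)


def _listed_path(host: str, path: str) -> bool:
    """True if `path` is a listed path for `host` or lies underneath one."""
    return any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in BLOCK_LIST.get(host, []))


def stage2_proxy(host: str, path: str) -> str:
    """Plain-HTTP proxy: 'block' for listed paths, 'forward' for everything else."""
    return "block" if _listed_path(host, path) else "forward"


def stage2_tls(sni: Optional[str]) -> str:
    """TLS at the proxy: the path is encrypted, so only the domain can be judged."""
    if sni is None:
        return "forward"  # nothing to match on without a name
    return "block-domain" if sni in BLOCK_LIST else "forward"


def simulate(host: str, path: str, https: bool = False,
             use_isp_resolver: bool = True, sni_dpi: bool = False) -> Tuple[str, str]:
    """Return (address the client connects to, filter decision)."""
    if use_isp_resolver:
        addr = stage1_resolve(host)
    else:
        addr = REAL_ADDRESSES.get(host)  # resolver not under the ISP's control
    if addr is None:
        return ("NXDOMAIN", "unresolved")
    if addr != PROXY_ADDR:
        # Never diverted through the proxy; only on-path SNI inspection can still act.
        if https and sni_dpi and host in BLOCK_LIST:
            return (addr, "block-domain")
        return (addr, "direct")
    return (addr, stage2_tls(host) if https else stage2_proxy(host, path))


if __name__ == "__main__":
    for args in [("example.com", "/fine"), ("example.com", "/secret/pic.jpg"),
                 ("example.com", "/fine", True), ("example.com", "/secret", False, False),
                 ("example.com", "/secret", True, False, True)]:
        print(args, "->", simulate(*args))
```

        Running it shows the Wikipedia-style over-block directly: `simulate("example.com", "/fine", https=True)` returns `block-domain` even though `/fine` is not on the list, because the proxy cannot see the path; and with `use_isp_resolver=False` the same listed path comes back `direct`, which is the whole of the DoH argument in one line.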

        1. Graham 32

          > Some ISPs, by the way, intercept UDP packets destined for 8.8.8.8 port 53 (and others) and redirect them to their own DNS servers, so simply configuring to use another DNS server isn't sufficient.

          Sneaky! IIRC you can't change the DNS server used on Android phones, unless using a VPN, so I should have guessed they'd do that already.

          1. Jamie Jones Silver badge

            Yes you can.

            1. Anonymous Coward
              Anonymous Coward

              Well, you're given the option to change the system's DNS resolver. Increasingly few parts of the android ecosystem honour it though - can't take the chance of an adblocking dns server preventing those sweet sweet adverts getting through, after all.

              1. Jamie Jones Silver badge

                I have no such leaks with any of my devices, running 5.0, 5.1, 6 and 9.

                All go to my own dns servers without me having to munge/block/restrict direct port 53. Which services and android version are you referring to?

                Cheers

          2. Charles 9

            I thought ISPs simply intercepted ANY UDP packet with a destination port 53 regardless of IP address and slapped down attempts to get around them as against their ToS.

            1. Ben Tasker

              Some do, yeah.

              Others only target services they've heard of.

              That said, a lot of the complaints about DoH leading to over-centralisation are somewhat overblown too, and stem from a lack of understanding of how ISPs tend to behave (badly). There are a good chunk of ISPs that expose DNS servers to their clients, but have those servers configured just to act as caching forwarders, sending queries onto Google, Level3 and Cloudflare (amongst others).

              Some of those ISPs don't even provide any affinity to a service for a given zone, so you'll get a completely different A record back for CDN names if the ISP uses Google (supports ECS) than if they use Level3 (doesn't support ECS).

            2. Jamie Jones Silver badge

              Ugh. I've never heard of an ISP do that. Is that an American thing?

        2. CountCadaver Silver badge

          Or like Sky Broadband, install a transparent proxy on your router, which you can't turn on, so that "parents" can shut off their kids internet...hence why I went elsewhere, to Zen in fact.....Sky also never admitted to what they were doing and claimed multiple times they had rolled back the change and they hadn't, clearly dept responsible for "Sky Buddy" didn't tell anyone else that or the info was embargoed till marketing got around to doing their wankery to make it seem like a positive thing and not some orwellian nightmare in the making....just wait until the Sir Humphreys see how effective it is and mandate the whole country's internet works the same way....Scottish Parliament will be "leading the way" and "setting an example for the rest of the world again" - (I was an SNP voter for several years, not any longer, they're only pulling the stunts they are as they are at no real risk of losing power and so like Blair the power has gone to their heads well and truly.....)

          Nanny state is well out of control

  8. Nick Kew
    Devil

    Help!

    DNS over HTTPS is an abomination. DNS was designed to be lightweight and efficient (not to mention well-distributed) and should remain so. Moving to https would be vast bloat as well as centralisation. And as for privacy, it just moves the ability (and potentially a legal requirement) to track you to the operator of the service, so the spooks benefit from centralisation - they have fewer cats to herd.

    But now you tell us Blighty's Great Firewall, the modern-day Mary Whitehouse, is on my side. I feel soiled by association. Like when I first went on an anti-war march supported by the Loony Left (if I'd stayed for the rally I could've been addressed by Tony Benn, but that was too much).

    1. druck Silver badge

      Re: Help!

      DNS over SSL is far more sensible, and achieves the same outcome.

      1. Ben Tasker

        Re: Help!

        It's also far, far easier to block (it's DNS over TLS btw, not DNS over SSL). Block TCP 853 and DoT goes away.

        In the context of a government forcing your ISP to be problematic when it comes to DNS, whether or not it can trivially be blocked is actually quite an important aspect.

        1. Nick Kew

          1. Ben Tasker

            Re: Help!

            Nice.

            Funnily enough, part of the reason this article caught my eye was because I was sorting through some stuff the other day and stumbled (back) across one of my articles from not-quite-as-far-back as that post complaining about the IWF and their haphazard approach to.. well, everything.

            It's been more than a decade, and people are still trying to do the same stupid shit...

    2. eldakka

      Re: Help!

      > DNS was designed to be lightweight and efficient (not to mention well-distributed) and should remain so.

      Sure, in the days when even multi-campus university or corporate WANs were using 56k ISDN as the primary links. And in the days when ISPs weren't selling off our internet queries to whoever has the money to buy them. Or when it became common industry practice to build profiles of anyone they can on the Internet.

      > And as for privacy, it just moves the ability (and potentially a legal requirement) to track you to the operator of the service

      Only if you are stupid enough to point to a DNS server located in the country you are in. Otherwise, they'll have no jurisdiction to force any laws on the DNS provider.

      > so the spooks benefit from centralisation

      How does DNS over HTTPS imply centralisation? Anyone can still set up a DNS server, all it means is that if they want to use a certificate from an accepted CA, they'll (probably) have to buy one to operate the DNS service.

      1. flec

        Re: Help!

        "Only if you are stupid enough to point to a DNS server located in the country you are in. Otherwise, they'll have no jurisdiction to force any laws on the DNS provider."

        In the absence of a VPN, in this instance you're rather assuming that your local ISP isn't inspecting and rewriting the DNS responses from the out-of-country provider.

        1. Anonymous Coward
          Anonymous Coward

          Re: Help!

          https, remember?

          1. flec

            Re: Help!

            Ah, yes fair point - I misinterpreted eldakka's comment, thinking that the "out of country provider" was using "standard" port 53 DNS.

      2. eldakka
        Facepalm

        Re: Help!

        Oh, my bad, as others have correctly pointed out:

        It's not DNS over HTTPS, it's DNS over TLS.

        HTTPS is HTTP over TLS, therefore saying DNS over HTTPS is saying that you are doing a DNS query with a TLS encrypted HTTP packet, which makes absolutely no sense!

        1. Jamie Jones Silver badge

          Re: Help!

          no, it is dns over https. you were right the first time!

    3. Mr Benny

      Re: Help!

      Many things over HTTPS are an abomination but unfortunately HTTP seems to be the go-to protocol for hipster devs these days whether appropriate or not because most of them don't or can't understand anything lower level and rely on http libraries and websockets to get anything done over a network. Ask them what the fields are in an IP header or the difference between TCP and UDP and you'll probably just get a blank look.

      1. Nick Kew

        Re: Help!

        Damn, hadn't read your post when I posted my link above. Should've put it here instead.

    4. hoola Silver badge

      Re: Help!

      Add to that the point that Google and possibly Cloudflare would be the only people capable of decrypting the requests looks more to me to be a control issue & nothing to do with security/snooping/safety.

      It is all too easy to use "Security advantages" as reasons to do something that is actually not the underlying issue. Google are attempting to own the Internet and that is something that should not be permitted. This will go a long way to helping them in achieving that goal.

  9. Anonymous Coward
    Anonymous Coward

    Authoritarian states will just need to block DNS addresses but their own ones.

    It doesn't look to me the Great Firewalls would have issue to block a few big providers addresses.

    While Google still sees all of your requests so I can't see where the privacy is - as long as people are so naive to use Google DNS just because someone told them that's good.

    While encrypting DNS calls has some advantages, I can't see how it does resolve the two biggest problems above. It looks to me just a move to cut out competitors from the data hoarding business.

    1. Ben Tasker

      Re: Authoritarian states will just need to block DNS addresses but their own ones.

      > It doesn't look to me the Great Firewalls would have issue to block a few big providers addresses.

      As I understand it, Cloudflare's DoH service runs on every single one of their delivery appliances.

      Client implementations vary, but Firefox's TRR functionality allows you to pre-load an IP for the DNS server name to resolve to so that you can skip looking up the name at startup.

      At which point, with a properly set value, your great firewall is left with a choice of blocking all of Cloudflare (which might get political rather quickly), or accepting it will get through.

      Google runs their service in most (if not all) PoPs too.

      It's also pretty trivial to set up your own DoH server on the net, especially as - straight off the bat - you don't have to worry about being used for things like reflection attacks (there is other stuff you have to think about though), so it may well be new servers/services spring up quite widely. Whether they'll all be trustworthy is something else.

      I run my own, using a location and provider I trust to host the system. It's a lot easier for me to move hosting provider than it is ISP or Government.

      Until fairly recently, I preferred DoT and viewed DoH as being a side effect of the lack of uptake of DoT, but I've since changed my mind - in part because of DNS leakage happening at the OS level because my phone's OEM tried to be "clever" with their memory management. The result was an important component got evicted from memory, but the notification icon remained in place (as if it were running). Having applications handle name resolution at their level isn't such a bad safety net after all...

      1. Anonymous Coward
        Anonymous Coward

        "(which might get political rather quickly), or accepting it will get through."

        Authoritarian states have already made clear that if you want to do business there you have to abide by their rule - and their rule is not hindered by those pesky "fundamental rights" the Western world is so fixated with, or they will replace you with a local-grown company.

        The outcome is they will run their local DoH servers with full access to the local "people enforcement agencies" and cleared of all "objectionable" addresses.

        1. Ben Tasker

          Re: "(which might get political rather quickly), or accepting it will get through."

          You're using too narrow a definition of Authoritarian states there really, in that you seem to be talking about China levels of state control.

          There are countries within the Western World that fall (in the minds of some) into the target audience for DoH. Our sceptred Isle is one of those.

          Just as people spin up Tor bridges on AWS (accessible via meek to help get via the firewall), it's fairly likely that DoH servers will also get spun up there too. Even China haven't yet gone so far as to outright block AWS, and the gamble being made is that that'll remain the case. Seems like a fairly safe bet for me, even with China, much less countries like the UK.

          There will be lots and lots of noise made in the process, of course, but for many countries it's not as simple as saying "do it our way, or else". If it were we'd no longer be arguing about whether Spooks should be able to backdoor encryption or not.

  10. mark l 2 Silver badge

    I just got a new Nokia phone with Android Pie and it came with private DNS switched on by default, so secure DNS lookups are going to get more common.

    The IWF argument about the reduction on how much content is hosted in the UK from 1998 to now is not really relevant to the use of encrypted DNS.

    If the IWF identify that content is being hosted in the UK surely they should be reporting it to the police and hosting companies. And I expect 99.9% of it would be taken down by the hosting company within 24 hours once they have been notified anyway. So I very much doubt that there is still 0.04% illegal content still hosted in the UK for extended periods requiring it to be actively blocked. It would be interesting to know if IWF actually review their block list after a url has been added to it to see if it is still online or whether websites from 1998 that are long gone are still knocking around in it.

    And of course if the people searching for this content were to be using TOR then the IWF block list doesn't come into it anyway.

  11. Anonymous Coward
    Anonymous Coward

    Privacy?

    Surely even with https the dns provider knows all (google for instance). They know your ip and the request made. So not sure what it really solves.

    1. A.P. Veening Silver badge

      Re: Privacy?

      There are ways around that as well and everyone can find those with a modicum of effort. The easiest is installing an Unbound server, preferably next to your Pi-Hole.

      1. Anonymous Coward
        Anonymous Coward

        Re: Privacy?

        That's presuming all the servers from root down to the registrar (nominet in the case of .uk) support https doesn't it?

      2. Anonymous Coward
        Anonymous Coward

        Re: Privacy?

        Which works only from your home - and needs the proper hardware to work. In a setup I made a few weeks ago, Unbound quickly filled the NAT table of a consumer router (an old model, sure, but not everybody has the latest and most powerful hardware); this software is not the simplest to run for the average user.

        And still, when you're outside the range of your wife, you're using someone else's DNS servers.

        1. A.P. Veening Silver badge

          Re: Privacy?

          > Which works only from your home

          Ever heard of a VPN?

          > - and need the proper hardware to work.

          A Raspberry Pi is more than sufficient.

          > In a setup I made a few weeks ago, Unbound quickly filled the NAT table of a consumer router (an old model, sure, but not everybody has the latest and more powerful hardware), these software are not the simplest to run for the average user.

          I am little if anything better than the average user in this regard and I have no problems whatsoever, I am afraid this says more about your competence in setting this up.

          > And still, when you're outside the range of your wife, you're using someone else's DNS servers.

          This remark tells me more about you than I really care to know, but I refer you to the above mentioned VPN.

          1. Anonymous Coward
            Anonymous Coward

            Re: Privacy?

            "Ever heard of a VPN?"

            Sure. But many people haven't, and have neither the knowledge nor the equipment to run a VPN and a recursive DNS server from home, and configure them properly. Using one of the "free" VPN services doesn't make you more secure.

            BTW, in some states VPNs are illegal... be careful, when you travel abroad, if you travel abroad....

            "A Raspberry Pi is more than sufficient."

            Maybe - but running Unbound is heavier than running a PiHole and forwarding. And far more difficult to configure and troubleshoot it if you don't know almost anything about networking.

            "I am afraid this said more about your competence in setting this up."

            LOL!!! What part of "filled the NAT table" did you not understand? I was setting up a pfSense for a friend in a VM - unluckily his old router couldn't cope with the increased number of connections. Do you believe the average user can easily troubleshoot this kind of problem - which showed as intermittent DNS errors?

            BTW, I do run Unbound on my pfSense - but on more powerful hardware than a pi. And that's just for resolving outside addresses, my LAN has its own separate BIND server....

            "And still, when you're outside the range of your wife"

            Sorry, it was wifi but was automatically corrected to wife by the browser.

            Anyway I always like when IT people believe the whole world should have their knowledge, and it's always funny to see them with the trousers down when they find themselves in situations that require knowledge they don't have but other people have, and look like little children....

      3. XerxesPST

        Re: Privacy?

        DoH (DNS over HTTPS) will neatly disregard your Pi-Hole, it's what DoH is designed for.

        The clients that have DoH functionality will use an internal list of DNS-servers. You may or may not change this list depending on the whim of the developer (adware and malware will probably not allow you to edit or disable this list).

        This means that you need to configure every DoH aware application you run individually, if you want to preserve your privacy/security/sanity.

        1. A.P. Veening Silver badge

          Re: Privacy?

          Wrong guess, that Pi-Hole will do the DoH, the clients can connect in clear to my Pi-Hole, which is on my internal network.

          1. Ben Tasker

            Re: Privacy?

            That's the point XerxesPST is trying to make, those clients will not use your PiHole.

            If for example, your laptop's OS sends queries to your PiHole (with the DNS server address either hard set or acquired via DHCP), but you then install Firefox with TRR (their name for DoH) turned on, DNS lookups from Firefox will not be passed off to the OS, but instead placed via DoH to the DoH server configured in Firefox (so, by default, Cloudflare - depending what region you're in).

            With trr.mode 2, if that query fails (including NXDOMAIN) the query will then be passed off to your OS and sent on to the OS configured DNS server - so you'll still be able to access local shit in Firefox.

            The way I addressed this was to set up my own publicly accessible (but authenticated) DoH server. So I've got always-on pihole when out and about (for latency's sake I used split-horizon DNS so that when I'm at home the queries hit a server on my LAN rather than having to go out over the WAN).

            So I've configured Firefox and other DoH supporting applications to use my DoH server - with a DoH stub running at OS level to catch everything else. More or less the same on Android (using Jigsaw's Intra to intercept normal DNS).

            I could equally have just run the box at home and proxied 443 with the relevant name through, but I'm not short of infra anyway.
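The behaviour Ben Tasker describes, modelled as an added example (not code from the thread, Firefox or Pi-hole): a DoH client packs its query the way RFC 8484 prescribes and, in the trr.mode 2 pattern, only falls back to the OS resolver when the DoH answer fails, NXDOMAIN included. The two resolvers are constructed callables fed wire-format bytes, so it runs offline; the host names and addresses are invented for the example.

```python
# Added example, not code from the thread: a model of what a DoH-aware client
# does that the OS-level resolver (or Pi-hole) never sees. build_doh_url() packs
# a DNS wire-format query as RFC 8484 prescribes (base64url, unpadded, in the
# "dns" parameter of a GET); resolve_trr_mode2() mirrors the fallback described
# above: DoH first, OS resolver on any failure, NXDOMAIN included.
import base64
import struct

NXDOMAIN = 3  # DNS RCODE "name does not exist"

def encode_qname(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dns_query(name: str) -> bytes:
    # ID 0 as RFC 8484 recommends, so identical queries are cacheable by HTTP caches;
    # flags 0x0100 = recursion desired; one question of type A, class IN.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def build_doh_url(template: str, name: str) -> str:
    wire = build_dns_query(name)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{template}?dns={b64}"

def doh_url_to_query(url: str) -> bytes:
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def decode_qname(msg: bytes, offset: int):
    """Return (name, offset after the name), following compression pointers."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_dns_response(msg: bytes) -> dict:
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_qname(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = decode_qname(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F, "addresses": addresses}

def build_dns_response(query: bytes, rcode: int, addresses) -> bytes:
    """Constructed answer for the example: echoes the question, adds A records."""
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:  # 0xC00C = pointer back to the question name at offset 12
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + query[12:] + answers

def resolve_trr_mode2(name: str, doh_resolver, os_resolver) -> dict:
    """trr.mode 2 as described above: DoH first, OS resolver as the safety net."""
    query = build_dns_query(name)
    try:
        answer = parse_dns_response(doh_resolver(query))
        if answer["rcode"] == 0:
            return {"via": "doh", **answer}
    except Exception:  # a transport failure counts as a miss too
        pass
    return {"via": "os", **parse_dns_response(os_resolver(query))}

def demo():
    def public_doh(query):  # constructed: a public DoH service that knows no LAN names
        if decode_qname(query, 12)[0] == "example.com":
            return build_dns_response(query, 0, ["203.0.113.10"])
        return build_dns_response(query, NXDOMAIN, [])

    def lan_pihole(query):  # constructed: the Pi-hole the OS resolver points at
        if decode_qname(query, 12)[0] == "printer.lan":
            return build_dns_response(query, 0, ["192.168.1.20"])
        return build_dns_response(query, 0, ["203.0.113.10"])

    return (resolve_trr_mode2("example.com", public_doh, lan_pihole),
            resolve_trr_mode2("printer.lan", public_doh, lan_pihole))
```

The second lookup in `demo()` only reaches the Pi-hole because the public DoH service answered NXDOMAIN; a public name never touches it at all, which is the point XerxesPST and Ben Tasker are making.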

        2. Charles 9

          Re: Privacy?

          "The clients that have DoH functionality will use an internal list of DNS-servers. You may or may not change this list depending on the whim of the developer (adware and malware will probably not allow you to edit or disable this list)."

          Think of it this way. It's very hard to intercept Windows X's telemetry system because it uses an internal IP resolution list which means it never needs to use DNS or anything like it to connect. This combined with always using an encrypted connection (for which you don't know the key for the handshake) means the worst you can do is block the connection at the IP level, which has the potential for collateral damage since at least some of the IPs also resolve to the update system.

          DoH is another way for apps to achieve the same feat. It's actually always been possible to tunnel DNS through other protocols (meaning malware could do that if it wanted). DoH simply raised awareness of the technique.

  12. Anonymous Coward
    Anonymous Coward

    The focus of this article is on the TARGET server site.......

    ......but I'm sure that the NSA and GCHQ are MUCH more interested in the IP address of the client doing the call to DNS!!

    *

    It's a pity that the "bad guys" (oh...and the consumers of porn) are most likely using internet cafes, or someone else's hijacked wifi, or a VPN.......so the client end-point is completely anonymous, or maybe even points to some innocent third party!

    *

    So....more misdirection of the public by the so-called "good guys". Why am I not surprised?

  13. Anonymous Coward
    Childcatcher

    OMG Think of the Children

    The security services and copyright bullies have been using this ruse for far too long now, sorry but bugging all conversations and sticking cameras on peoples foreheads isn't acceptable crime prevention as it sacrifices far too many hard won freedoms.

    Perhaps if the IWF were more transparent and had not caused collateral damage to innocent websites I'd be less suspicious of them.

  14. Anonymous Coward
    Anonymous Coward

    IWF ?

    Are they a real body, or a bunch of busybodies ?

    What was that organisation that appointed itself the guardian of the UK internet when nobody was asking or looking?

    I see initials: JG ?

    1. Ben Tasker

      Re: IWF ?

      > Are they a real body, or a bunch of busybodies ?

      Both.

      They're also pretty bloody incompetent. At one point I believe the IWF list (which, remember you have to strictly control access to because it's a list of illegal content) was just a text file. Not an authenticated API, or a set of hashes (so you could hash the requested URL/domain and compare), just a lousy plain text file.

  15. Christoph

    "But the Internet Watch Foundation (IWF), a UK-based advocacy organization focused on eliminating child sexual abuse images online"

    Ah yes, the IWF that blocked the entire Wikipedia site due to a single image (of an album cover, that was later deemed perfectly OK).

  16. Anonymous Coward
    Anonymous Coward

    DNS, SNI or certificate snooping

    When you access a web site the first lookup for DNS goes in the clear and can be monitored by your ISP. Once DNS is encrypted your browser still sends the web site name in plaintext as the SNI. This can be mitigated by eSNI where the SNI is encrypted but this is at very early stages with very limited support. Even once this is done the server sends back the certificate in plain text, which again provides the web site name, unless it too is protected by eSNI. We are still a long way from going dark in terms of web site interception and blocking.

    1. katrinab Silver badge

      Re: DNS, SNI or certificate snooping

      If you visit my webserver, you will get a wildcard certificate back covering about 16 different domain names. It is not going to tell you which specific site you visited.

    2. Ben Tasker

      Re: DNS, SNI or certificate snooping

      > Even once this is done the server sends back the certificate in plain text, which again provides the web site name, unless it too is protected by eSNI

      You're convoluting 2 different things here.

      In TLS1.3 the cert is sent back encrypted. Before 1.3 it was indeed sent in the clear.

      eSNI is not part of TLS1.3, but will be in the future. Certain providers like Cloudflare have already implemented support for it as an extension to TLS, but eSNI has nothing to do with whether the cert is sent back encrypted or not.
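The point of this sub-thread, as an added example (not code from the thread or any named provider): the ClientHello is sent before any key is agreed, so its server_name extension is readable by anyone on the path in every TLS version, whereas the certificate that follows is encrypted in TLS 1.3 and in the clear in 1.2. The ClientHello bytes below are constructed for the example, not captured traffic, and the host names are invented.

```python
# Added example, not code from the thread: what a passive observer on the path
# (the ISP in the comment above) can still read once DNS is encrypted. Only the
# plaintext ClientHello is modelled; the encrypted records that follow it in
# TLS 1.3 carry nothing a middlebox can parse.
import os
import struct

HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension

def build_client_hello(server_name=None) -> bytes:
    """Constructed ClientHello record, optionally carrying a server_name extension."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                            # one compression method: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name an on-path observer sees, or None if there is none."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != CLIENT_HELLO:
        return None
    off = 4 + 2 + 32                                    # handshake header, version, random
    off += 1 + hs[off]                                  # session id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0]  # cipher suites
    off += 1 + hs[off]                                  # compression methods
    if off + 2 > len(hs):
        return None                                     # no extensions block at all
    end = off + 2 + struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        data = hs[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        pos = 2                                         # skip server_name_list length
        while pos + 3 <= len(data):
            name_type = data[pos]
            name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            pos += 3
            if name_type == 0:
                return data[pos:pos + name_len].decode("ascii")
            pos += name_len
    return None

def observed_hosts(records) -> list:
    """What a logging middlebox would record from the first packet of each connection."""
    return [name for name in (extract_sni(r) for r in records) if name]

def demo():
    return observed_hosts([
        build_client_hello("www.example.com"),
        build_client_hello(None),  # client sending no SNI, e.g. connecting by IP address
        build_client_hello("mail.example.net"),
    ])
```

Running `demo()` yields the two host names and nothing for the SNI-less connection, which is exactly the gap the eSNI work described in the thread is meant to close.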

  17. vtcodger Silver badge

    I wonder if those of us who don't care who looks at our DNS queries would be allowed to opt out of this nuttiness? It adds complexity and presumably an extra transaction to negotiate a key (what could possibly go wrong?) to every internet operation that uses DNS. Furthermore the Security enthusiasts and the world's abundant crop of hackers will eventually find about three levels of bugs in any secure DNS scheme, so we'll probably end up stumbling over several mutually incompatible secure-DNS schema. All of which MUST be patched in RIGHT NOW as they evolve.

    BTW, My dim view of computer security is based on many decades of working with classified data. My experience was that security was VERY costly. And ultimately it didn't actually work very well for a variety of reasons. My feeling is that you can't secure everything and trying to do so is a serious mistake. I do think that it might, and I emphasize MIGHT, be possible to secure a very small set of critical information -- launch codes for nuclear missiles, authorization codes for transferring large amounts of money, etc. And that's well worth doing. But my guess is that is about the best that can be done.

    Needless to say, I think that the current enthusiasm for putting all sorts of critical infrastructure in the "cloud" in search of (probably imaginary) cost savings is a dubious idea that may well end badly.

    1. katrinab Silver badge

      DNS has been a cloud-based system since about 1984.

      If you would like to go back to the days when Elizabeth Feinler maintained a global /etc/hosts file that you had to download / update periodically, then I don't think you are going to find much support.

    2. Anonymous Coward
      Anonymous Coward

      "I wonder if those of us who don't care who looks at our DNS queries [...]"

      That sounds like "the innocent have nothing to fear from surveillance".

      The problem is always that the definition of "innocence" is set by those doing the surveillance. Most people would agree on what should be strictly illegal in any fair society. Beyond that you have social engineering, draconian laws, subjective judgements, and unwarranted bias and suspicions.

      It can be a thin end of a wedge where "the end justifies the means" - even if most people wouldn't agree with the "end" that the policy/law instigators actually desire.

  18. Evil Scot Bronze badge
    Childcatcher

    Will somebody think of the ISP's bank balance.

    About 5 years ago I ported a Virgin Media Telephone number to Gradwell. The purpose of this was to enable the owner of said number to maintain the ability to receive calls to that number whilst living outside of the area code. Could my ATA see Gradwell's SIP services? Not if it used Virgin Media DNS.

    That is why I take responsibility for my Internet Services.

  19. katrinab Silver badge
    WTF?

    Is this really a problem?

    Can't they go to the Registrar / Hosting Provider / etc and get the site shut down?

    Most countries in the world have laws against child porn, and the punishments tend to be pretty strict.

    I would have thought that the paedos would mostly use the likes of Tor to distribute their child-abuse images, and it does not use the DNS system.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is this really a problem?

      "I would have thought that the paedos would mostly use the likes of Tor to distribute their child-abuse images, [...]"

      First you have to understand the definition of the material vested interests like IWF want inhibited. It's a broad spectrum - where often it is not the image that is strictly illegal but the thoughts someone possibly may have when looking at it. It can be the modern equivalent of posed clothing pictures in a mail order catalogue.

      Most social media is capable of being tarred with that broad brush - not to mention the Daily Mail's "all grown up" articles and pictures.

    2. Anonymous Coward
      Anonymous Coward

      Re: Is this really a problem?

      "Can't they go to the Registrar / Hosting Provider / etc and get the site shut down?"

      And if the provider (or worse, the country) doesn't cooperate because the laws there don't support you?

      1. katrinab Silver badge

        Re: Is this really a problem?

        Which countries would that be? Apart from possibly The Vatican, I can't really think of any.

        1. Anonymous Coward
          Anonymous Coward

          Re: Is this really a problem?

          "Which countries would that be?"

          There are many different subjective or objective criteria depending on a country and its culture. Think of the age of sexual consent as a possible indicator: UK 16 (Northern Ireland 17); Germany 14 (with age difference rules); many European neighbours 15. In the USA several states have no minimum age for marriage - 11yo to a much older spouse is not unknown.

  20. Anonymous Coward
    Anonymous Coward

    Upgrade the root DNS servers

    meh. The issue is that Cloudflare and Google Public DNS are men in the middle. I say go the full hog and enable DNS-over-TLS on the root DNS servers and use a direct resolving DNS server with no forwarding.

    1. Charles 9

      Re: Upgrade the root DNS servers

      Which the ISPs can still block (as the port is known).

      DoH is meant to obfuscate DNS to prevent hostile ISPs and up from blocking DNS for their own nefarious reasons.

  21. Long John Silver
    Pirate

    Barking up the wrong tree?

    The matter of Internet-related sexual exploitation of minors is so mired in emotional revulsion that good sense and beneficial use of (inevitably) limited resources is abandoned. It appears to have become a case of something must be seen to be done about it regardless of measurable success.

    This is well illustrated when in the UK the Criminal Justice Act 1998 – section 160(1) was formulated, debated, and passed. MPs vied with each other to display (for public consumption) their credentials for decency by adding increasing detail and complexity to the legislation without apparent thought about how the whole cohered and would be applied by authorities charged with implementing it. Doubtless well meaning, and politically expedient too, the result is a dog's breakfast of law ranging from the clearly necessary to wishful thinking.

    Confusion reigned upon the Act's implementation. Police were uncertain about where priorities for enforcement action lay. Judiciary strove to display their credentials as tough on Internet child abuse by handing out stiff sentences to people detected seeking and possessing offending images (ones already extant on the Internet rather than newly commissioned 'works'). Need to clarify the seriousness of possessing images ranging from simple nudity through to depictions of horrific nature led to elaborate classification of severity.

    The public was equally confused. Museum curators sought advice from police over whether art works of long standing depicting child nudity now contravened law. Presumably, many curators merely placed 'doubtful' works into store. Fortunately it did not reach the point of art previously regarded as utterly inoffensive being burned before a baying crowd. Doubtless, by modern criteria, Dr Charles Dodgson, better known as Lewis Carroll, was a paedophile to be imprisoned and shunned.

    The problem with all this rests with loss of sight of what, presumably, was the intent behind the legislation. It was to prevent children being sexually abused. The secondary objective being apprehending and punishing individuals thus engaged. The tertiary objective being to underline disgust at such behaviour by making examples of people to deter others from doing likewise.

    The Internet figured largely in these considerations because it facilitated publication and distribution of unacceptable images. Although seeking out and possessing these images is reprehensible the most productive target with respect to child safety must be shutting down operations which, through financial motivation or otherwise, encourage production of fresh images. There is likely a huge collection of images, of varying degrees of acceptability and good taste, dating back to the beginning of photography, circulating, likely unstoppably, on the Internet. Add to that non-photographic images covered by the Act and it's clear that their eradication is pie in the sky.

    Thus, the bottom line for protecting children rests with detecting and curtailing organised activities taking place now and, when feasible, investigation of older instances where victims are still alive. In addition to circulating images, old and new, available for mass consumption there are reports of social media being deployed to entrap children into posting images of themselves and into making physical contact.

    Law enforcement is expected to cover the whole gamut ranging from near trivial to very serious indeed. Gaining convictions for possession of illegal images is far easier and less demanding on resources than going after people making the images. In passing it should be noted that the Act has, by logic Lewis Carroll would admire, defined 'making' as the process of downloading and storing images. This results, by intention I don't know, in reported convictions giving suggestion of the offender being directly complicit in the actual making of the images (which would be so if money changed hands or there was conspiracy to produce images by members of a 'club') rather than a voyeur with deviant tastes. This approach is justified by some on the 'common sense' (metaphysic of savages -Russell), but not validated, ground that viewers go on to be producers.

    Thus, police would benefit from explicit direction on where to direct their attention to maximise protection of identifiable children under threat rather than mainly curbing aberrant taste in viewing material.

    So, how does the Internet Watch Foundation (IWF) fit into this?

    Motivation of people devoting time to furthering IWF activities is unquestionably good. However, in the broad context outlined above, their effectiveness is likely to be slight. Additionally, there must be reservations over whether selection of sites to block doesn't veer too much toward caution and prohibit viewing materials inhabiting a debatable grey zone.

    Perhaps, IWF members' time would better be spent engaging in the 'honey pot' activities of Internet vigilantes, but under police supervision.

  22. JoMe

    "won't anyone think of the children"

    Again... bloody bunch of bumbags.

  23. martinusher Silver badge

    They're missing the point

    HTTP and its sibling HTTPS are just two of many Internet protocols. It's not even a particularly good protocol as it's a packet framing kludge on top of a stream protocol (a reliable indicator of amateurishness). People keep using it only because their chosen programming language has the appropriate API calls to implement it and parse the results. They're not interested in how inefficient or unreliable it is, it just seems to work for them (and if it doesn't you just pop up a dialog box to the user and get them to handle it).

    Meanwhile, if I was truly interested in being nefarious it would be straightforward to organize a protocol that managed the information I was interested in getting or broadcasting quietly, efficiently and reliably. I daresay that others already do this.

  24. Anonymous Coward
    Anonymous Coward

    rinse, repeat

    Once again, another encryption debate with the immediate response of "think of the kids". This is such a BS reasoning for keeping/making the net more insecure. Every time encryption is brought up, oh it'll help the Pedes hide. It was insane talk when it was about punching a backdoor into general encryption and it's downright stupid in this discussion too. If some tech makes the net MORE secure, please implement it. In a few more years quantum computers will make all encryption worthless anyways, so why not enjoy a few more years of online banking, online shopping, you know... all the things that rely on encryption to keep BAD GUYS (both criminals AND government snoops) from getting their hands on even more of our "personal" data.

    These legislators really should subpoena Bill Nye to come and explain how this whole wacky world wide web thing works. I'm afraid some of them still think it's tubes and dump trucks.

    1. Charles 9

      Re: rinse, repeat

      "In a few more years quantum computers will make all encryption worthless anyways,"

      Shor's Algorithm is useless on NP-hard problems. Several post-quantum systems use lattices, multivariates, and hashes, which can be reduced to NP-hard problems.

  25. Cederic Silver badge

    Disclosure: The Register is a customer of Cloudflare.

    Thank you for putting this. It's appreciated.

  26. John Smith 19 Gold badge
    Gimp

    If you have nothing to hide, blah, blah, blah

    The usual excuse used by any data fetishist.

    1. Charles 9

      Re: If you have nothing to hide, blah, blah, blah

      Anytime someone asks that, reply, "Care to give your benefit/identification/Social Security number, then?"

  27. Dr.Flay
    Facepalm

    Too late to close the gate, that horse already bolted

    If they are worried that they will not be able to block "exposure" to problem domains, it should be pointed out that they do have the choice of having the sites taken down.

    Apparently leaving child exploitation sites running is fine, but we take down malware sites.

    Why bother to actually remove a problem when you can just block a handful of people from accessing it ?

    Ultimately, tough luck. Crying over spilled milk.

    DNS over TLS has been around for a while, now we have DNS over HTTPS. We also have DNSCrypt, DNSSec, and the ability to choose any resolver we want.

    Unless Governments force OS vendors to remove the ability to change your DNS there is nothing they can do but cry about it.

    Even without improved DNS, there is still nothing they can do, other than block all VPN nodes and offer a Chinese or Russian style state sanctioned VpN (small P as no privacy).

    ...or . . .they could take down the problem sites ?

  28. steviebuk Silver badge

    Cynical?

    To me this smacks of someone thinking

    "The government knows they can snoop on DNS queries and this also helps us censor the net and helps our brown envelope friends the movie and music industry. However people want these DNS leaks to be plugged which will annoy our brown envelope friends. What can we do to stop this encryption happening? I know. We'll say we use these queries to block child porn, that'll get them. But how? Well isn't it obvious. If you're not in agreement with us, then you must be in agreement with child porn. No one wants to be associated with that, so we'll indirectly get more backing. There will still be some that will be able to argue their point better than us and point out the above argument is bollocks, but a lot won't because of the fear it makes it look like they support child porn (even though we know they don't) so they'll keep quiet and we'll get our way"

    Or is that too cynical of me?

  29. Yes Me Silver badge
    Facepalm

    Irrelevant

    Disclosure: The Register is a customer of Cloudflare.

    Excellent. So please ask them to switch on IPv6.

  30. Grinning Bandicoot

    Who was it that is attributed "better a hundred should suffer than one guilty evade punishment"?

    1. Anonymous Coward
      Anonymous Coward

      Even if that one lights the fuse that blows up everyone?

  31. Tom 64
    Coffee/keyboard

    Think of the Children!

    Yes, let's do that! Let's make sure our schools and hospitals are properly funded.

  32. Kiwi
    Flame

    Control...

    "We are living through a time where more and more people are seeking ways to control the internet,"

    Yes.

    And I'm sure clodfool and gagyle are pulling the shit they are for completely innocent and altruistic purposes. I'm certain they have absolutely nothing to gain from being able to monitor people's DNS requests, and quite sure they'd never consider being a part of selling such information to anyone else.

    I need to read up on DoH more, but from the little I know it worries me. I have gone to some extent to protect myself from offensive advertisements (not all, but many are offensive to me and infringe my holy snowflake rights not to be offended even in the mildest way!) and much of that is handled via my DNS server. Bypassing my DNS server bypasses my security (which is not just there to block advertising).

    I could block IPs wholesale, but then given the prevalence of clodfool that'd likely take out sites like El Reg, and El Reg please note you're the sole reason why clodfool even begins to get a look inside my network. I'd love it if you got rid of them!

    (and that captcha crap from that other group that will likely be triggered by this post, that means I either have to allow their JS to run on my machine or not post...)

  33. Anonymous Coward
    Anonymous Coward

    DoH and Privacy

    When you look beneath the superficial claims of privacy linked to DoH, there are some clear issues that need to be addressed in this pretty incomplete protocol. For example, why does it incorporate cookies, potentially enabling persistent per-device tracking across locations? And why do European users, already protected by measures like ePrivacy and GDPR, need to have their DNS data exported to the US, noting that US providers adhere to FISA 702 which does not protect privacy of Europeans (or indeed any non-US citizens) at all?

    There's a strong argument that all DoH really does is to present new data monetisation opportunities to the big tech companies whilst simultaneously delivering new malware vulnerabilities. That does not seem like an especially compelling proposition to me!

    1. Charles 9

      Re: DoH and Privacy

      Then how do you propose a way to keep DNS from getting hijacked or even blocked wholesale by hostile people up the chain, given that anything with a known port can AND ACTUALLY HAS BEEN redirected or blocked at the port?

      1. Anonymous Coward
        Anonymous Coward

        Re: DoH and Privacy

        Conversely, if you implement DoH, how do you propose to avoid malware exploitation? Or intrusive tracking and monetisation by Google and others? Let's face it, Google's track record on privacy has not been great! And that's before you think about other app developers like Facebook et al.

        How can you be confident that you can trust the DoH resolver that you've opted to use? The standard currently lacks any form of discovery and authentication.

        The problem with not using a known port is that it's too easy to hide malware and also causes issues in the corporate environment where the network controller may well decide to block port 853 to stop TLS because it doesn't comply with his/her policy decisions and could cause major issues with the cybersecurity setup.

        And let's not forget that DoH could easily lead to a much more centralised DNS, something which will prove highly attractive to hackers, both private and state-backed. Do you really think your chosen DoH resolver will be able to fend off targeted attacks from well-resourced groups? Or will you simply have the illusion of privacy and the reality of a hijacked service?

        In other words, DoH is not the magic bullet that some would have you believe. In my view it is highly likely to result in both security and privacy being compromised.
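
Both Kiwi's worry above (DoH bypassing a filtering DNS server on the local network) and this post's corporate-network point (blocking port 853 for DoT is easy, but DoH hides among ordinary HTTPS) come down to what a defender can still see once DNS rides on 443. The following is an added example, not code from the article or from any commenter: it scans a few constructed proxy log lines and flags entries that look like DoH, using the `application/dns-message` media type that RFC 8484 defines, the `/dns-query` path the RFC's examples and the large public resolvers use, and a constructed list of known resolver hostnames. The log format, hostnames, addresses and resolver list are all assumptions made up for the example.

```python
"""Spotting DNS-over-HTTPS traffic in web proxy logs.

Added example, not code from the article or any commenter. The log format,
hostnames and resolver list are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

DOH_MEDIA_TYPE = "application/dns-message"   # media type defined by RFC 8484

# Constructed: hostnames a defender has catalogued as public DoH endpoints.
# This only catches resolvers on the list; a self-hosted one will not be on it.
KNOWN_DOH_HOSTS = {"doh.resolver.example", "dns.public-resolver.example"}

# Constructed proxy log format: ts client method url status "content-type".
# The content type is only visible where the proxy terminates TLS; for a plain
# CONNECT tunnel the proxy knows the destination host and nothing else.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

# Constructed sample: two browsers and one unknown client on a small office LAN.
SAMPLE_LOG = """\
2019-10-01T10:00:01Z 10.0.0.5 GET https://www.news.example/article/42 200 "text/html"
2019-10-01T10:00:02Z 10.0.0.5 POST https://doh.resolver.example/dns-query 200 "application/dns-message"
2019-10-01T10:00:03Z 10.0.0.7 GET https://cdn.static.example/app.js 200 "application/javascript"
2019-10-01T10:00:04Z 10.0.0.7 GET https://my-own-box.example/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUEdGVzdAAAAQAB 200 "application/dns-message"
2019-10-01T10:00:05Z 10.0.0.9 CONNECT dns.public-resolver.example:443 200 ""
"""


def classify(entry: dict) -> list:
    """Return the reasons one log entry looks like DoH (empty list if none)."""
    reasons = []
    if entry["method"] == "CONNECT":             # TLS not intercepted: host only
        host, path = entry["url"].rsplit(":", 1)[0], ""
    else:
        parts = urlsplit(entry["url"])
        host, path = parts.hostname or "", parts.path
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-host")
    if entry["ctype"].lower().startswith(DOH_MEDIA_TYPE):
        reasons.append("dns-message-body")
    if path.rstrip("/").endswith("/dns-query"):  # conventional path, not mandated
        reasons.append("dns-query-path")
    return reasons


def find_doh(log_text: str) -> list:
    """Scan log lines; return (client, url, reasons) for each DoH-looking entry."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in find_doh(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
```

Run against the sample, the list-based check catches the two public resolvers (including the one reached through an uninspected CONNECT tunnel), while the self-hosted endpoint on the fourth line is only caught because the proxy inspects TLS and sees the media type and path. That is the trade-off the thread is circling: without TLS inspection a network operator is reduced to a hostname list, and a resolver nobody has catalogued passes as ordinary web traffic.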

        1. Charles 9

          Re: DoH and Privacy

          "Conversely, if you implement DoH, how do you propose to avoid malware exploitation? Or intrusive tracking and monetisation by Google and others?"

          Use your own server, housed nigh anywhere you want, including outside of government control?

          "How can you be confident that you can trust the DoH resolver that you've opted to use? The standard currently lacks any form of discovery and authentication."

          Again, use your own. If you can't trust yourself, you can't trust anyone and you're already screwed.

          "The problem with not using a known port is that it's too easy to hide malware and also causes issues in the corporate environment where the network controller may well decide to block port 853 to stop TLS because it doesn't comply with his/her policy decisions and could cause major issues with the cybersecurity setup."

          Similarly, the problem WITH using a known port is that it's too easy for someone up the chain to disrupt you with no recourse (because, again, they're up the chain from you). The trick with DoH is that the ONLY way to block it is to block port 443, the HTTP/S port, which means you practically stop using the Web anymore. Care to tolerate THAT level of collateral damage? Plus, at least this is standardized; what makes you think it hasn't already been used by malware without your knowledge PRIOR to this becoming a standard, because, again, it's too useful a port to block, just as some malware used Realtek's signing key because it's too ubiquitous to invalidate right away?

          Basically, you're screwed either way. C'est la vie. Pick your poison.

          "And let's not forget that DoH could easily lead to a much more centralised DNS, something which will prove highly attractive to hackers, both private and state-backed."

          Why, when people can roll their own pretty easily? The thing about Cloudflare and Google offering DoH is to make any attempt to block DoH too politically sensitive. Do you really think China would be SO bold as to block Cloudflare, Google, AND Amazon wholesale (which is the ONLY way to stop them offering DoH tunneled through their existing services) in order to deny the use of DoH which can tunnel over the HTTP/S protocol the Web needs to work?

          "Do you really think your chosen DoH resolver will be able to fend off targeted attacks from well-resourced groups?"

          If they're that resourced (you're implying state-level), I'd be more concerned with moles.
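
The exchange above keeps returning to one mechanical fact: a DoH query is just an HTTPS request whose body or URL parameter is an ordinary DNS wire-format message, which is why it rides on 443 and why "rolling your own" resolver is a matter of standing up a web endpoint. The following is an added example, not code from the article or any commenter, showing both ends of that exchange offline: it builds an RFC 1035 wire-format query, encodes it into the RFC 8484 GET form (base64url in the `dns` parameter, padding stripped), shows the server-side decode, and parses a constructed `application/dns-message` response. The resolver hostname and the answer address are constructed; nothing is sent on the network.

```python
"""Shape of a DNS-over-HTTPS exchange (RFC 8484), built and parsed offline.

Added example, not code from the article or any commenter. The resolver name
and IP address are constructed; nothing is sent over the network.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query with RD set and ID 0; RFC 8484 recommends ID 0 so
    that identical questions yield identical, cacheable DoH URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: the message travels base64url-encoded, padding removed, in
    the `dns` parameter, on 443 like any other HTTPS request."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def decode_dns_param(token: str) -> bytes:
    """What the resolver does with the parameter: restore padding, decode."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_answers(msg: bytes):
    """Return [(name, type, ttl, rdata)] from an application/dns-message body."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                          # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def constructed_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Fabricate the body a resolver would return for an A query (constructed)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]                         # echo the question section
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    return header + question + rr + bytes(int(o) for o in addr.split("."))


if __name__ == "__main__":
    q = build_query("example.test")
    print(doh_get_url("https://doh.resolver.example/dns-query", q))
    print(parse_answers(constructed_response(q, "192.0.2.10")))
```

Note that nothing in the request authenticates the resolver beyond the TLS certificate for the hostname the client was configured with, which is the discovery-and-trust gap the anonymous poster raised; the encoding itself is the same whether the endpoint is a large public resolver or a box of your own.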
