Internet imbeciles, aka British ISP lobbyists, backtrack on dubbing Mozilla a villain for DNS-over-HTTPS support

The brain-dead Internet Service Providers Association (ISPA) has backtracked on its nomination of Mozilla as an "internet villain" for 2019 after online outcry. "In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion," the bonkers UK-based lobbying …

  1. tfewster

    Dear Police

    - if you want to know which sites I've been looking up, get a fucking warrant and serve it on my DNS provider.

    (Note, post may display evidence of ignorance over how DNS/HTTPS works. I would have thought that the IP address that subsequent HTTPS traffic went to would be sufficient to build a case for a warrant, even if an IP address hosts multiple legit and dodgy websites.)

    1. Pascal Monett Silver badge

      Re: Dear Police

      Right with you there, well said.

    2. hittitezombie

      Re: Dear Police

      As explained, if you use a reverse proxy service like Cloudflare, that information disappears, although they can send a warrant to there. It is just extra work they don't want to do.

    3. Pier Reviewer

      Re: Dear Police

      You’re right about getting a warrant. The IP address doesn’t really tell an investigator anything though. For example a ne’er do well may host a proxy website fronted with CloudFlare that grabs illegal content from Tor or whatever and sends it back to the user.

      The user is seen connecting to an IP address for CloudFlare. Not really dodgy.

      I have a small amount of sympathy with the police etc. They’re stuck between the push for better privacy rights which I agree with, and the pressure for them to nick bad folk, which I also agree with. It’s about striking an appropriate balance (which is what warrants are for). The difficulty they have is that you can’t get a warrant if you don’t know something bad has happened. You need intel. Humint is both expensive and unreliable as a rule.

      We as a society just need to have that conversation and decide where we want the balance to be, and what we’re willing to give up to get it (i.e. do we lean more towards privacy > all or more towards criminals being detected and prosecuted?). It’s not happening atm. Governments try to make changes without seeing what the people actually value. Never going to end well...

      1. Anonymous Coward

        "The IP address doesn’t really tell an investigator anything though"

        Yes, no, maybe. There's not a hard rule. Some people are smart about IT and can cover their tracks better than others. Some are utterly stupid/naive/unaware/etc. and don't. When you have to investigate, you look at everything - thinking "no, he/she couldn't be that stupid" could just make you miss the evidence you need. You may need the destination IP, or the source one, or both.

      2. JimmyPage Silver badge

        Re: I have a small amount of sympathy with the police etc.

        Sorry, I have fuck all sympathy for them. Every power they have ever been granted has never been enough. Nothing is ever good enough, and they are just as institutionally racist as they were 40 years ago. There's no other job in the UK where you get to blow an innocent man's head clean off, and walk away with a pension.

        So fuck them. They can bloody well do their job, do it by the rule of law, and also (controversially) be subject to the same rule of law. *Then* they'll have my sympathy.

        My views may have been tainted by the recent story that the police were allowed to send a 17-year-old girl to be sexually exploited for a case. That's a child in the UK, just in case you didn't know. A child FFS.

        1. Anonymous Coward

          So fuck them

          And the horse they collectively rode in on as far as I'm concerned.

        2. I'm Brian and so's my wife

          Re: I have a small amount of sympathy with the police etc.

          Do you have a link please?

          1. JimmyPage Silver badge

            Re: Do you have a link please?

            What for ?

            1. baud

              Re: Do you have a link please?

              for "police were allowed to send a 17-year old girl to be sexually exploited for a case", or "blow an innocent mans head clean off, and walk away with a pension" I guess

              1. Anonymous Coward

                Re: Do you have a link please?

                > for "police were allowed to send a 17-year old girl to be sexually exploited for a case", or "blow an innocent mans head clean off, and walk away with a pension" I guess

                Assuming the blow a man's head off and walk away with a pension applies to Jean Charles de Menezes then Cressida Dick (in command of the operation at the time) is still employed by the police and so, technically, is yet to walk away with her pension.

                [No pensions were harmed during the making of this film.]

                1. baud

                  Re: Do you have a link please?

                  Thank you.

              2. JimmyPage Silver badge

                Re: Do you have a link please?

                Here you go

                I'll also post the text ...

                QUOTE

                bbc.co.uk

                Use of child spies by Home Office 'lawful'



                Allowing children to be used as informants in criminal investigations is lawful, the High Court has ruled.

                Charity Just for Kids Law brought the case against the Home Office over the use of children by police and other bodies in England and Wales.

                The campaign group said the safeguards in place were inadequate and the practice breached human rights.

                But the High Court rejected the legal challenge, saying there was a "system of oversight" in place.

                In March it was revealed that 17 children had been used to secretly gather intelligence for police and other agencies in the last four years.

                Lord Justice Fulford, the Investigatory Powers Commissioner who is carrying out a review into the use of children as covert human intelligence sources (CHIS), said one of the informants was 15 years old, while the others were aged 16 and 17.

                The Home Office had argued that undercover under-18s helped prevent and prosecute problems such as gang violence and dealing drugs.

                However, concerns over the use of juveniles were raised in the House of Lords last year with the case of a 17-year-old girl who was recruited to spy on a man who had been exploiting her sexually.

                The peers heard that the girl continued to be exploited sexually while she was deployed by police.

                Charity may appeal

                Dismissing the charity's case, Mr Justice Supperstone said he was satisfied the scheme was lawful.

                The judge said children were "inherently more vulnerable than adults" and that the "very significant risk of physical and psychological harm" to them from being a CHIS in the context of serious crime is "self-evident".

                However, he said he rejected the charity's contention "that the scheme is inadequate in its safeguarding" of the juveniles involved in the scheme.

                Just for Kids Law, which used crowdfunding to pay for the case, said it was disappointed and was considering whether to appeal against the decision.

                The charity's chief executive, Enver Solomon, said the judgement acknowledges the "variety of dangers" that arise from the use of children as covert informants in the context of serious crime.

                He added: "We remain convinced that new protections are needed to keep these children safe."


                Security minister Ben Wallace said the ruling showed the court recognised that the protections in law ensure "the best interests, safety and welfare of the child will always be paramount".

                Children had been used as informants fewer than 20 times since January 2015, he said, but they remained "an important tool to investigate the most serious of crimes".

                He added: "They will only be used where necessary and proportionate in extreme cases where all other ways to gain information have been exhausted."

                ENDQUOTE

                So if you think I have a shred of sympathy for suck fuckers like that you can fuck right off to the far side of fuck and then fuck off some more. I really don't care about the nuances of the case. You don't do that in a society that you want me to be part of.

                1. baud

                  Re: Do you have a link please?

                  Thank you. I hadn't heard about that story and I'm somewhat relieved I'm not part of a society that's condoning that shit, even if I'm sure it's no better where I live

                  1. Adrian 4

                    Re: Do you have a link please?

                    Clearly, whatever the policy regarding use of children, in that case there was not sufficient oversight. Never mind the police - Ben Wallace is in the frame for prosecution there.

          2. Anonymous Coward

            Re: I have a small amount of sympathy with the police etc.

            Link for heads blown off and then a pension? https://en.wikipedia.org/wiki/Sunday_Bloody_Sunday

            Anonymous, obviously. BTW, thanks el Reg -- I now have DoH set up on Firefox.

        3. CountCadaver Silver badge

          Re: I have a small amount of sympathy with the police etc.

          Actually that's where the law in the UK is unclear in regards to when someone becomes an adult - Age of consent is 16, you can get married at 16, you can leave home at 16, you can start work at 16 full time, you can leave education at 16, join the military at 16 (but not be deployed till 18), make homemade grumble flicks with your SO at 16. You can't however drive till 17, appear in a commercial adult flick until 18, vote in some elections till 18, drink until 18, smoke until 18.

          It's a mess, a total and utter mess, they should have made it all either 16 or 18, I'd lean towards the former though as you can leave home, get married and join the military at 16.

          (Eastern Europe is often ~14, hence why Eastern European adult movies are blocked from the UK due to the difference in legal age of consent)

          However I don't agree with letting someone (of ANY age / gender / sexual orientation) be further exposed to sexual exploitation etc UNLESS they are fully aware of the risks, have been given independent advice from a lawyer, that there is independent oversight of it, full and immediate backup to extract this person at a moments notice if necessary, that they willingly agree to this once they are aware of the risks and have been given ALL the information AND had time to think about it - i.e. to ensure there is plenty evidence against the person who has exploited / abused them AND where there is no other option that could be used to get the evidence.

          Sometimes getting information to stop something can only be achieved by covert means and often those methods make us uneasy. However if the person involved willingly takes part (i.e. to make sure their abuser is convicted and put away to protect others from that abuser) then so be it. I know if someone said to me "go through this one more time to get the evidence we need to put your abuser away for serious time and implicate others" then I'd find it very hard to say no.

          1. Anonymous Coward

            Re: I have a small amount of sympathy with the police etc.

            > you can start work at 16 full time, you can leave education at 16

            Not any more. You have to stay in some sort of education until 18. So that can be at school (the traditional higher-education); at college doing some sort of vocational course; or at work doing a recognised apprenticeship.

            1. unimaginative

              Re: I have a small amount of sympathy with the police etc.

              The law says you have to stay in education until you are 18 but there is no punishment if you do not do so.

              The problem is that parents are no longer assumed to be able to force a 16 year old to attend so the requirement is now an obligation of the 16 year old. They may not have enough money to be worth fining, and sending them to prison for not going into education is hardly constructive. In any case punishing people for their own good is problematic.

              1. Anonymous Coward

                Re: I have a small amount of sympathy with the police etc.

                > "punishing people for their own good is problematic."

                They should "hang by the neck until they cheer up!".

                Monty P.

            2. Anonymous Coward

              Re: I have a small amount of sympathy with the police etc.

              There are a few other issues with this statement.

              YES, you can get married at 16 - but only with the consent of the two sets of parents - and only to another UK citizen. Want to marry someone from abroad and it goes up to 21 for most countries.

              Grumble flicks at 16 - no, you are wrong, it is just the law is rarely enforced. In theory, even bikini shots are classed as child porn if you are under 18 and aren't on a beach or at the pool.

              Education has already been covered.

              Military - this is only a recent guideline, and not (AFAIK) law; plenty of 16/17 y/o's sent to the Falklands war, N Ireland, Bosnia etc.

              You should be grateful for the rest, it used to be 21; go thank the Monster Raving Loony Party for getting the laws changed.

              1. Richard Tobin

                English, not UK laws

                Several of these are not governed by UK laws. In particular, the requirement to stay in some sort of education until 18, and for parental consent to marriage if under 18, do not apply in Scotland (I haven't checked on Wales and Northern Ireland).

          2. Jamie Jones Silver badge

            Re: I have a small amount of sympathy with the police etc.

            The legal age for drinking alcohol in the UK is FIVE.

            Seriously.

            1. Tom Paine

              Re: I have a small amount of sympathy with the police etc.

              Well, 'pon my soul!

              https://www.drinkaware.co.uk/alcohol-facts/alcohol-and-the-law/the-law-on-alcohol-and-under-18s/

      3. Anonymous Coward

        Re: Dear Police

        "I have a small amount of sympathy with the police"

        Don't worry, once Boris gets in they'll be up for privatisation right after the NHS.

        After all, poor people don't need police, because they don't have anything worth stealing, right?

        1. SolidSquid

          Re: Dear Police

          Or for being cut like the fire brigade when he was London mayor

      4. Pete4000uk

        Re: Dear Police

        'We as a society just need to have that conversation and decide where we want the balance to be'

        LOL, we aren't going to get any say in this!

      5. Doctor Syntax Silver badge

        Re: Dear Police

        "We as a society just need to have that conversation and decide where we want the balance to be"

        We had that conversation several centuries ago and came up with a good answer, the presumption of innocence. The conversation that's needed now is about why it's being ignored so often.

        1. Pier Reviewer

          Re: Dear Police

          It’s important to understand and accept that rights are not absolute. That’s the point I tried (poorly it seems) to make.

          The right to be presumed innocent unless found guilty does not preclude my arrest by the police, or being bailed on restrictive terms, because victims of crime have a right to justice. The police therefore need some investigative powers.

          My right to free speech is likewise not absolute. If I were to claim you to be a kiddy fiddler you would understandably take umbrage with that, and the courts provide relief in the form of slander and libel.

          A classic example is going into a theatre and shouting “fire” when there is none resulting in panic, stampede and injury. I can not successfully claim the right to free speech as a defence as that right is fettered by other people’s rights not to be injured because I’m an idiot.

          Rights lie on a spectrum, and it’s up to society to decide which parts of the spectrum are acceptable and which are deemed an abuse, or an unacceptable impact on another’s rights.

          Our right to privacy is not and cannot be absolute. That doesn’t mean it can’t be very close to that end of the spectrum. However society needs to choose which way it leans, and how far. More towards absolute privacy impacts on the rights of victims to receive justice, and more towards a sole focus on criminal justice impacts on everyone’s privacy. Somewhere between those points is an acceptable balance, as there is with all rights, even the right to life (driving a car at armed police is a simple test).

          It’s easy to say “I want total privacy” and leave it at that. I don’t necessarily disagree with the sentiment. Just remember that some other rights will be impacted by that choice. Failing to at least consider that and assess the choice in light of it is either pure selfishness, or in most cases a simple case of not realising. Either way, it’s not a great foundation on which to make a decision.

          1. unimaginative

            Re: Dear Police

            The (American) case from which the "shouting fire in a crowded theatre" quote comes has been overturned, and the reasoning was used to prevent people publishing an anti-war pamphlet: https://www.theatlantic.com/national/archive/2012/11/its-time-to-stop-using-the-fire-in-a-crowded-theater-quote/264449/

            1. Pier Reviewer

              Re: Dear Police

              I’m not familiar with American law. I was speaking of the test of proportionality in English law, as it applies to the Human Rights Act (which includes the right to freedom of expression, but explicitly states it may be limited).

              The test is intended to provide a framework for the courts to decide if a restriction on a right is proportional or not. As I’ve said, some limitations on rights are necessary for a functional society. It’s important that those restrictions don’t go any further than necessary to meet their objectives, ergo the proportionality test.

              It may be necessary to give up some freedom wrt our DNS privacy, but it’s extremely unlikely the courts would accept the need to give up all of our DNS privacy.

    4. Dan 55 Silver badge

      Re: Dear Police

      There's no need to get a warrant thanks to IPA 2016. 50-odd government depts including the Welsh Ambulance Service can bring up your browsing history at domain name level via unencrypted DNS snooping.

      This is why Mozilla got the "light-hearted" award, because the ISPA don't want any trouble snooping as they're legally obliged to.

      The main thing wrong with DoH (apart from DNS over the https port) is it's more difficult than it should be setting up LAN resolution.

      1. Nick Kew

        Re: Dear Police

        The main thing wrong with DoH (apart from DNS over the https port)

        Nicely put :-)

        Not sure I agree with the rest of the sentence: the competition is strong in the field of things wrong with DoH. Something must be done, but this something isn't it!

      2. unimaginative

        Re: Dear Police

        The main thing wrong with it is that we have DNS lookups being done in the browser instead of by the OS. It means more settings, makes troubleshooting harder (because a DNS lookup problem in the browser would not affect anything else and vice-versa).

        1. Jaybus

          Re: Dear Police

          That depends on the viewpoint. Looking at DNS as the distributed network service that it was designed to be, the main thing wrong with DoH is that it doesn't allow for caching name lookups at a local LAN gateway. Even on the local machine, the DoH lookup cache is only accessible to Firefox and not useful to any other apps. Forcing all name lookups through a bottleneck at Cloudflare is not the answer.

          I am very much an advocate of DNS privacy through encryption, but DoH, particularly when implemented in an app, is a half measure at best. We need DNS over TLS implemented in the OS resolver and allowing for a caching DNS server at the LAN gateway that uses DNS over TLS for all forwarding. Firefox, and all other client apps, should keep their hands off. Rather than implementing their own internal DNS client, why doesn't Mozilla contribute to getting DNS over TLS implemented in glibc? DoH is really counter to the distributive nature of DNS.

  2. NATTtrash

    Mozilla replacement

    It also hasn't added a new villain to its list to replace Mozilla.

    Ahh, come on people! It is staring you in the face... Why didn't you give the honour to ICANN? They've been ploughing on for years in the hope that, some day, after all their hard work, they would deserve the recognition they crave! And now, again, they are disregarded. A sorry situation indeed. I feel for them... (Was I joking? Really? You think so? Oh dear...)

    1. Loyal Commenter Silver badge

      Re: Mozilla replacement

      Or, indeed, Nominet...

  3. Bronek Kozicki

    Re: Mozilla

    So I went to see how to enable DoH in my browser and found the instructions at Mozilla Wiki. Surprisingly, this is not enabled by default.

    1. Anonymous Coward

      Re: Mozilla

      In fact it's even easier than that, just go to preferences/settings and type DOH in the search box and it takes you to the appropriate page.

      Just tick enable DNS over HTTPS.

      1. NATTtrash

        Re: Mozilla

        <tinfoil hat area>

        Thing of course is (again) a question of "who do you trust most?"

        Is this great if you're on some dodgy open network (Hello hotel! Hello Starbucks!).

        But...

        If I'm @homebase, I must admit that I trust my ISP and the legislation in my country of residence much, much more than some, activated by default US third party.

        <recycling tin foil hat>

        Then again, if for example my uni starts offering DoH servers...

      2. Anonymous Coward

        Re: Mozilla

        Thank you; typed in Homer Simpson's favourite phrase, ticked the box and off I went.

        So far no problems, in fact one website that seems to have severe issues with TLS handshakes via O2 mobile internet is actually working a lot better than it did before.

    2. Anonymous Coward

      Re: Mozilla

      it's not been enabled by default for UK to avoid clashing with censorship in this country. However, because authorities refused to share blacklists with Mozilla, the blacklists - when DoH gets enabled by users - will be bypassed. Nothing new here, information is power.

      1. rg287

        Re: Mozilla

        it's not been enabled by default for UK to avoid clashing with censorship in this country.

        It's not been enabled by default anywhere yet because it's still a slightly experimental implementation and they've been working out the bugs with (for instance) detecting captive portals and ensuring people in enterprise environments are able to reliably manage/override it in Group Policy, etc. No bloody good enabling it by default and making the internal infrastructure of enterprises, hospitals and other big networks inaccessible because the browser has decided to phone its own DNS out to Cloudflare.

        It's there for the tyre-kickers on the nightly builds to report issues.

        That said, you are correct that when/if it does become "by default" Mozilla have said that won't include the UK. We'll have to turn it on manually if we actually want it (which quite a lot of people won't because they want their System/OS resolver to connect to their internal DNS/Active Directory/PiHole which will then use DNS-over-TLS or -HTTPS to do external resolution).

        1. iron Silver badge

          Re: Mozilla

          The recommended setting is to use DoH with fallback to unsecure DNS if that fails, which should find your internal DNS/AD no problem. Sure those queries will take a little longer but they should still work.

          Also it is present in release builds not just nightlies.

          1. Dan 55 Silver badge

            Re: Mozilla

            Don't like the idea of spamming Cloudflare with internal LAN addresses then falling back to LAN DNS, it's the wrong order. Firefox's DoH configuration should accept two servers and try the first one before the second, like normal DNS configuration.

            Also I don't think router software like OpenWRT can be configured to accept DoH and DoT on the LAN and use DoH or DoT for upstream DNS yet, which would also be helpful.

            1. Anonymous Coward

              Re: Mozilla

              > Also I don't think router software like OpenWRT can be configured to accept DoH and DoT on the LAN and use DoH or DoT for upstream DNS yet, which would also be helpful.

              I think I would be interested in trying to write a module for OpenWRT that blocks connections to IPs that haven't recently been looked up using OpenWRT's DNS server (or proxied through OpenWRT to Pi-Hole) in order to explicitly prevent DoH.

              1. Dan 55 Silver badge

                Re: Mozilla

                You'd probably kill Windows 10 services, VoIP, and torrents too?

                1. doublelayer Silver badge

                  Re: Mozilla

                  In addition to the peer-to-peer problems mentioned above, there are some other problems you might see with that. Depending on cache policies and the definition for "recent" you're using, that could break various things, as many devices maintain their own caches and contact later. It could also be problematic in various less common but still existing situations, for example when a new remote server is spun up and is accessible only by its IP as a DNS name has not been assigned to it yet, or applications that contact their own remote services, as those might have addresses outside of DNS (for example, some programs with group usage, especially games, list servers on their own main system without using DNS).

            2. Loyal Commenter Silver badge

              Re: Mozilla

              Don't like the idea of spamming Cloudflare with internal LAN addresses

              This, in my mind, is a really bad security hole. You're basically leaking information about your internal network topology to an unverified third party (and if you're using Cloudflare, one in the US where the laws around personal information treat it as a commodity to be traded). This is the sort of thing that is potentially extremely useful to an attacker. Got a privilege escalation attack? Know the names of other machines on the same network? I wonder if that machine that has a name that sounds like it might be a SQL Server is open on port 1433? Oh, looks like it is, and is using AD authentication. etc.

              I know there are other ways of discovering network topology, but it can only be useful to an attacker to know what it is in advance.

              1. doublelayer Silver badge

                Re: Mozilla

                I would suggest that DNS requests be sent to an internal DNS proxy (if you have internal names, that's already there), which can do the HTTPS stuff recursively from there. Failing that, you could send all requests to that as primary, configure it to only know internal DNS addresses, and have the HTTPS address as secondary.

                When using DoH, you have to contend with the possible issue of the trustworthiness of the DNS server, but it is not at all required that CloudFlare or Google be used. DoH could be set up by any existing DNS server with relatively little effort. I've taken a look at a basic implementation of a DoH server. I'm planning to set it up on one of my servers to see exactly how difficult it is, but it doesn't look like it will take very long.

              2. whitepines

                Re: Mozilla

                Thank you! Finally some sanity around DoH.

                At our organization the risks from leaking all kinds of internal information to a dodgy third party (sorry, no SLA with CloudFlare, they're a risk to be mitigated not a benefactor here) far, far outweigh the "benefits" of DoH. Thanks to DoH and the fact that it can't be blocked at the edge, we've been forced to lock employee workstations down even further for legal reasons and to deny any type of BYOD on the corporate network.

                In fact I'd probably say that DoH has made privacy /worse/ for our employees, not better, since instead of blocking the unwanted external traffic now we have to control each and every device on the network at a far more invasive level than before, and instead of some degree of anonymization from the traffic going out over the central DNS servers now each and every employee gets to be tracked via their mobile phone since public Internet outside of a severely restricted browser isn't available to them any more.

                Brilliant work, Mozilla, Cloudflare, and Google! Well, I guess they now have even more data on individual users and browsing habits, plus can stop those evil DNS-based adblockers, so end goal accomplished?

                1. doublelayer Silver badge

                  Re: Mozilla

                  It sounds like you've panicked a bit too much about DoH's security risks. The kinds of problems you could see with DoH connections could also be seen by a user connecting directly to an IP address or using whatever open ports you have to run a VPN or connect through Tor. Either of those would bypass internal DNS controls and would probably flag as risks in your network analysis logs anyway. Since the use of any of those things would be violations of a security policy, you might as well tell people they must use a certain set of configurations that disallow DoH, and using DoH will be a violation of security policy. Wouldn't that pretty much solve that problem?

                  1. whitepines

                    Re: Mozilla

                    That strongly depends on what kind of device is attached, e.g. would a Google device even allow a non-Google DoH resolver to be configured?

                    For a long time a DNS based blocker was at least a deterrent for the majority of access -- anything with hardcoded access as you say would trip other protections. Now that DoH is making that impossible, the overall risk posture has changed from "misconfigured device likely to be blocked at firewall" to "misconfigured device leaking sensitive information over HTTPS". Without DPI and MITM on all HTTPS traffic it's not even possible to determine who is accidentally violating policy without random search of the attached devices, which goes into GDPR territory for BYOD and basically means no BYOD on the corporate net period.

                    Allowing employee Internet access, especially with relatively relaxed policies on what software could be used, was always a balance between risk and productivity. Now that the risk for both sudden legal action (employee browsing blacklisted material without detection at our firewall) and internal data leakage to known hostile entities is that much higher, it outweighs the impact to productivity. Simple as that.

  4. Anonymous Coward
    Anonymous Coward

    The post was popped online anonymously by some coward

    Disgraceful!

    .

    .

    :-)

    1. David Lewis 2
      Big Brother

      Re: The post was popped online anonymously by some coward

      No.

      We know your real name is Lord Lucan.

      We know where you live.

      We know who you associate with.

      We know if you put the wrong sort of waste in your recycling bin.

      We are watching you.

      Have a nice day!

      Toodle Pip, GCHQ Welsh Ambulance Service

  5. sabroni Silver badge
    Thumb Up

    Quality trolling!

    This is why other tech sites can't compete with El Reg!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Quality trolling!

      well, I hate to say this, but other tech sites (zdnet) have provided a fool's how-to guide, including screenshots :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Quality trolling!

        Not sure if that's a pop at The Reg or a statement about the intelligence of other sites' readership??

        1. Anonymous Coward
          Anonymous Coward

          Re: Quality trolling!

          it's both. Who said you can't have an idiots' guide and quality material under the same roof. It's about microsegmentation, catching all possible revenue streams, etc, etc ;)

      2. Anonymous Coward
        Anonymous Coward

        Re: other tech sites (zdnet) have provided a fool's how-to guide

        A fool's guide on trolling the ISPA? I can't find it on their site, got a link?

        1. osmarks

          Re: other tech sites (zdnet) have provided a fool's how-to guide

          1. implement useful security feature

          2. wait for ISPA to complain

          3. mention this to tech press

          4. ???

          5. profit

  6. old_IT_guy

    Kieren for Pres!

    superb breakfast laugh, thanks!

  7. Mephistro
    Devil

    ISPs giving Internet villain awards?

    Jokes write themselves nowadays, don't they?

    1. JoshOvki

      Re: ISPs giving Internet villain awards?

      I wonder if they tried nominating themselves first

      1. Glen 1
        Joke

        Re: ISPs giving Internet villain awards?

        more like nominet-ing. Amirite?

    2. Anonymous Coward
      Anonymous Coward

      Re: ISPs giving Internet villain awards?

      Black farce, actually.

  8. Claverhouse Silver badge

    You mean old Trump is more of an enemy to Internet & Whistle-blowing freedom than that poor wretch Obama?

    1. veti Silver badge

      He is now.

    2. Anonymous Coward
      Anonymous Coward

      Not heard of net neutrality, bob?

  9. joeW

    "the police have complained about the 'unintended consequences'"

    Good enough for me, where do I sign up?

  10. Spanners Silver badge
    Big Brother

    "However, this privacy-protecting technology has turned out to be controversial"

    DoH is about as uncontroversial as it gets. Among more controversial things are...

    Anti virus programmes

    Basic internet security

    HTTPS itself

    VPNs

    Encryption and

    Not sticking all my internet activity on a notice board outside my house.

    The only discussion that needs to occur is in persuading the uninformed that they need it.

    1. Lee D Silver badge

      Re: "However, this privacy-protecting technology has turned out to be controversial"

      "Anti virus programmes" - programs under the control of a commercial third party, running with complete system privileges even when nobody is logged on, intercepting every single file access, and acting on un-decipherable instructions downloaded from the internet to decide what to do with every file access, and uploading random data to the Internet for "research purposes". AV is the biggest security hole that exists today.

      If you're a security professional suggesting that AV on every machine is essential, I seriously question your credentials and/or who you're working for.

      Much, much, much, much more secure to not have that crap, and implement security policies that mean arbitrary executables won't run.

    2. Joseba4242

      Re: "However, this privacy-protecting technology has turned out to be controversial"

      Quite so. Whether or not we should hand over DNS lookup data for 70% of browsing and 80% of mobile activity to Google seems uncontroversial to me indeed.

  11. Anonymous Coward
    Anonymous Coward

    "genuine desire to engage in a constructive dialogue"

    "to draw attention to an important issue in a light-hearted manner".

    These two don't add up.

  12. Anonymous Coward
    Anonymous Coward

    another warm chunk of sloppy garbage floating in the toxic hell soup of the modern internet

    Round of applause for that!

    Only joking.

    No, seriously :)

  13. Anonymous Coward
    Anonymous Coward

    Barbara, is that you again?!

    Alexa, how to enable DoH in Firefox...

  14. mark l 2 Silver badge

    To be honest I fail to see why the ISPs should be that bothered about people using DoH? Sure they are required by the government to block certain content at the DNS level which is what they are doing. If people use technology such as VPNs, proxies or DoH to get around those blocks why should they care?

    The ISPs only implemented these blocks because the government required them to do so. If the law were to be repealed most of them would probably drop the DNS blocking and history retention as it costs them money to maintain with no benefit to them. And their main goal is to squeeze as much money out of every subscriber as possible, not police the internet.

    1. Dan 55 Silver badge

      They're required by the government to hand over Internet Connection Records but they're not told what technology to use to create those records, so if everyone starts using private DNS resolution they're obliged to use DPI to create them. They can't just shrug and say "dunno, plain old DNS doesn't work".

      1. Anonymous Coward
        Anonymous Coward

        talk-talk and virgin are the only ones I have experience with, and both already use DPI.

        Anyone know about any of the others?

    2. Suricou Raven

      In the case of the child abuse filter, it's not actually a law to repeal. It's more a soft pressure. The government *could* pass a law, but would rather not - so as long as all major ISPs maintain a 'voluntary' filter in compliance with the government requests, no law is needed. If one of them refused to do as they were politely asked, then the law would sail through parliament easily.

      Sort of an 'offer you can't refuse' deal.

      1. Doctor Syntax Silver badge

        "The government *could* pass a law, but would rather not"

        The government could pass all sorts of laws. It could pass a law to abolish gravity, for instance. Only the laws rooted in reality will actually work. That was the point of Cnut's demonstration about a millennium ago.

    3. Lee D Silver badge

      Quite... they should just shrug their shoulders and say "Here's the information you asked for. Yes, we know it's useless to you. But that's what you asked for."

      As technology progresses, the very idea of "trusting" the ISP to be anything more than a shifter of encrypted packets gets more laughable... I honestly don't understand why they were ever considered anything else.

      There will come a point where all Internet traffic is encrypted point-to-point and even metadata becomes next-to-useless. It's inevitable.

      If someone could please get off their backside and replace email too, we'd be a damn sight closer. SMTP over TLS is *not* end-to-end encryption between sender and intended receiver and cannot be with current protocols.

    4. Yet Another Anonymous coward Silver badge

      >i fail to see why the ISPs should be that bothered about people using DoH

      Because the excuse about GCHQ/council dog wardens needing it to stop communist ISIS child abusing terrorist non-recyclers is a consignment of geriatric shoemakers

      It stops the ISPs getting lots of lovely customer traffic to sell to advertisers

  15. j.bourne
    Windows

    Perplexed

    Maybe it's just me, but I don't see a huge benefit in DoH for concealing Internet history, except to ensure that the results received are from the queried server (i.e. no MITM). After all, if you use those results (HTTPS or not) you'll be exposing the fact of a connection to a specific site (time + IP = site identification) to your ISP (or any other interested parties with access to your ISP logs).

    1. Nageki

      Re: Perplexed

      Partially true, which is why it should be combined with a VPN for true privacy. However, an IP address does not really identify a website anymore. A single IP can serve dozens of websites, and a large number of websites these days are behind reverse proxies like Cloudflare. The only thing the ISP would see is a connection to a random Cloudflare IP which could be used for any number of sites. The bigger problem is the SNI which is unencrypted and identifies the website, but Firefox has implemented encrypted SNI along with DoH so it's all good.

    2. Graham Cobb Silver badge

      Re: Perplexed

      There is value in hiding name translation. Many different sites are hosted on the same IP address (small sites use shared hosting servers, large sites use Cloudflare and others).

      So, if your lookup for "badsite.childporn" (has that TLD been sold yet?) returns 1.2.3.4, that doesn't necessarily allow anyone to work out what site you were visiting as that address may also be hosting "puppies.lovely".

      Note: this is only half the problem. Currently the TLS protocol used for https: traffic sends the server name in cleartext anyway! There is a new feature called "Encrypted SNI" to encrypt that. There is a good blog post explaining it on the Cloudflare site.

      So, DOH is half the answer, ESNI is the other half.

      1. tfewster
        Thumb Up

        Re: Perplexed

        Thanks Graham - the explanation at https://blog.cloudflare.com/encrypted-sni/ shows that ESNI is quite elegant, as it offloads the SNI portion to DNS (which seems like a valid extension of DNS anyway).

        1. j.bourne

          Re: Still Perplexed...

          OK, so an IP doesn't identify a specific website (in many cases) so, if I make a DNS lookup for 'dogsittingonyourface.com' and get an IP 123.456.789.012 back - then go visit the same IP over HTTPS - it's still no guarantee that I actually visited 'dogsittingonyourface.com' is it? I could have been visiting 'catsittingonyourface.org' instead if it's hosted at the same IP. Add further that I expect that there are many more DNS lookups being spammed out from my computer that aren't due to directly typed URLs or clicked links - just page content loads...

  16. Hstubbe

    DoH is not all good

    I still don't get this DoH praise. DoH simply replaces a decentralized logging opportunity with a concentrated, centralized logging opportunity. Instead of hundreds if not thousands of ISPs being able to log your DNS lookups, we all send all our DNS lookups to one party (cloudflare in the instance of firefox). So cloudflare will be able to build a big database of the browsing behaviour of all firefox users that have DoH enabled.

    So why is trusting a US company like cloudflare with that any better than trusting my local ISP? No thank you, I trust my ISP a bunch more than some NSA subsidiary.

    I myself disabled DoH on all my devices that have firefox. I'd switch browsers because by forcing DoH upon users firefox has clearly abandoned their 'privacy first' goals, but there isn't a browser left that cares about users anymore. The only alternative is spy-by-default chrome/chromium (which of course will also force DoH for your own good soon).

    DoH in itself is a nice idea, it's just that the implementation forces all DNS requests world-wide to go through one company which seems like a terribly bad idea to me.

    1. Anonymous Coward
      Anonymous Coward

      forces all DNS requests world-wide to go through one company

      Not true, you can choose from a shopping list of DoH-enabled servers quite apart from the default offered by firefox.

      At the moment not a huge amount but give it a bit of time and there will be hundreds.

      These people are already implementing some.

      https://dev.to/commonshost/how-we-built-a-doh-cdn-with-20-global-edge-servers-in-10-days-1man

      Of course if you are really serious about DNS security use DNSCRYPT or a VPN.

    2. Loyal Commenter Silver badge

      Re: DoH is not all good

      I'd switch browsers because by forcing DoH upon users firefox has clearly abandoned their 'privacy first' goals

      Except, of course, that the setting to use DoH is off by default, so nobody is forcing anyone to use it.

      Always best to establish the facts before issuing the tirade.

      I did, in fact, turn it on, and found that the browser hung after about 20 seconds, probably because of the chonky corporate gateway proxy at work, so I turned it off again. I'll probably try it out at home when I get round to it, to see if it's more stable there.

      1. Hstubbe

        Re: DoH is not all good

        "Except, of course, that the setting to use DoH is off by default, so nobody is forcing anyone to use it."

        Not yet at least, but they're planning on turning it on by default, instead of the current default. At least, that's what's reported at zdnet: https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/

        1. CommanderGalaxian
          FAIL

          Re: DoH is not all good

          "...but they're planning on turning it on by default..."

          That is literally exactly the opposite of what is reported in the article: "We have no current plans to enable DoH by default in the UK" .

  17. Sulky

    Mozilla not the only one doing it

    Funny how the owners of Android weren't included as a villain, Android now has DoT by default and you can set your own host, of which plenty abound. It must have been an oversight by the ISPA and nothing to do with the fact Android's owners are, um, members of the ISPA.

    1. Dan 55 Silver badge

      Re: Mozilla not the only one doing it

      Out of the box Android 9 is set up to try DoT then fall back to plain old slurpable DNS if that fails, so the ISP can just block DoT and most people are probably none the wiser.

  18. Will Godfrey Silver badge
    Happy

    Streisand effect

    Nice of them to tell as many people as possible about this.

  19. Franco

    Nice one El Reg!

    Might I suggest your old friends Nominet as a replacement in the villain category? Purely in a light-hearted way of course....

  20. Augie
    Thumb Up

    Superb!

  21. Anonymous Coward
    Anonymous Coward

    piHole all the way - ahoy !

    Surely the hardcore El Reggers are already running something like a piHole to avoid ads and trackers? Not too difficult to set up DNS-over-HTTPS. In fact the newer versions might have it already running. I'm an early adopter and had to set it up by hand.

    Of course the next step is a DNS roulette system which arbitrarily chooses a DNS route out of many tens as and when. Try to piece that together.

    AC, obviously !

    1. Anonymous Coward
      Anonymous Coward

      Re: piHole all the way - ahoy !

      Have you tried updating it lately? It's built in on mine. (Settings/DNS tab, scroll to the bottom and tick "use dnssec"; Quad9 and Cloudflare are available or you can choose your own.)

      Pi-hole Version v4.3.1 Web Interface Version v4.3 FTL Version v4.3.1

    2. Anonymous Coward
      Anonymous Coward

      Re: piHole all the way - ahoy !

      A better way would be to use Unbound with piHole rather than trust a third party. It's really easy to set up: https://docs.pi-hole.net/guides/unbound/

      1. Anonymous Coward
        Anonymous Coward

        A better way would be to use Unbound with piHole

        Thanks AC for the very useful link, now working perfectly on my linux based pihole installation.

        Never really liked the idea of trusting some random provider for this.

      2. Reg Reader 1

        Re: piHole all the way - ahoy !

        and, for those of us who don't do this as a job, calomel.org has some good examples of setting up unbound

        https://calomel.org/unbound_dns.html

  22. Anonymous Coward
    Anonymous Coward

    DoH isn't "uncontroversial"

    Quality journalism. DoH isn't without problems, see for example the following two presentations from UKNOF.

    https://indico.uknof.org.uk/event/46/contributions/668/attachments/898/1109/UKNOF43_Potential_ISP_challenges_with_DNS_over_HTTPS_Issue_1A_050419.pdf

    https://indico.uknof.org.uk/event/43/contributions/574/attachments/786/966/UKNOF_Its_DNS_Jim.pdf

    It does change the trust model during browsing, and you may end up somewhere else than you originally intended...

    1. stiine Silver badge

      Re: DoH isn't "uncontroversial"

      If you think those are problems, you must work for an ISP who's about to lose a large part of their budget or for the damned government.

      1. Joseba4242

        Re: DoH isn't "uncontroversial"

        Lots of specific, concrete issues brushed aside with a one-line ad hominem attack. Quality commentary!

        How about refuting them instead?

        Or explaining why the vast majority of internet users who will use the default settings should trust Google and Cloudflare more than their local ISP?

  23. Data Mangler

    How will DoH affect ad blockers?

    I'm given to understand that the first malware using DoH to evade detection has already been spotted. What happens when ad-flingers start using DoH to avoid DNS traps?

    1. Dan 55 Silver badge

      Re: How will DoH affect ad blockers?

      If your anti-malware scanner is defenceless against DoH it's also defenceless against malware which connects to the C&C server with a fixed IP.

      Ad flingers can't tell the browser how to resolve.

      1. Joseba4242

        Re: How will DoH affect ad blockers?

        Fixed IP addresses can be detected and taken down; that's why they use DNS which survives much better.

  24. Jellied Eel Silver badge

    Heroes and villains

    So having done stuff with ISPA, I'm not entirely surprised. See-

    Oscar Tapp-Scotting & Paul Blaker, Global Internet Governance Team, DCMS – for leading the UK Government’s efforts to ensure a balanced and proportionate agenda at the International Telecommunications Union Conference

    An odd 'hero' to pick given DCMS's role in things like age verification and content 'management'. Or just being the UK's implementation/enforcement arm for this bit of villainy-

    Article 13 Copyright Directive – for threatening freedom of expression online by requiring ‘content recognition technologies’ across platforms

    But that also shows a lack of joined-up thinking, or possibly self-preservation. If most content access will occur via DoH, well, sorry, ISPs can't help you manage that problem.

    (or, because politics, the nomination of Trump for villain. FCC, EU or DCMS would have been better candidates, but less right-on. Or should that be left-on?)

  25. amanfromMars 1 Silver badge

    Manna from On High Above .... PBUH

    This is because DNS snooping and filtering is easy, whereas spying on DNS-over-HTTPS is most certainly not,

    Be Reliably Advised IT Made Sure Command and Control of the IMPossible was Available to Lead All in Greater Beta AIDirections ........ Mega Grand AIMajor Productions with Virtually Realised Presentations to Score. ..... and Host Global Allies. Friends and Foe alike in the Worlds of Others is the Present Jump Point/ Absolutely Fabulous Quantum Leap Step to Provide with Almighty Magical Scripts to Supply .... well, the Most Radical of All Systems are a Happy Customer of Services Provided and Provisioned For. That's surely a Most Indicative Tell of its Provenance.

    And be aware from here, Live Operational Virtual Environments Reign with Surreal Remote Island Rule ...... Virgin Kings and Adorable Queens Territory ...... and Alien Terrain for Commandeering and Securing with Home Grown High Grove Talent. ....... Latent Debutante and Knight of the Realms Types.

    I can all too easily imagine that route and root causing all manner of contrived problems for GCHQ/NCSC Type Operations? You know, the Real Sp00Key Stuff that is best not widely shared because it terrifies and leads terrible lives.

    Do you think that which supplies Great British Intelligence to GCHQ/NCSC will Co-Host a Program of Prime Novel Projects Realising and Drivering SMARTR MMORPG Play.

    It is a very difficult foe to fend off to a friend, and practically impossible whenever ever the love of one's life.

    And .... something quite exceptional for Palace Barracks Holywood MODified Assets to Know is Freely Available from Heavenly Crown Stores .... Immaculate Pits that are All Giving. And over the Twelfth they can have a ponder and wonder on the Power of Enlightening Scripts Exalting Scripture. ..... that Share the Release of the Knowledge of the True Essence of One's Being ...... and the Virtual Nature of Existence.

    It's only then a hop, skip and a jump or a stumble and fall into Immortal Tales, which to make sure are perfectly safe and secure, are Assured Explosive and Mind Blowing. I wonder who Punts and Hunts with Such for Blighty? Surely they gotta have somebody. And best it not be just anybody if they don't know what needs to be done in these new fangled and entangling fields of Strange Novel Communications .... Spiel Alien Style Stations.

    You know the Tease .... Who Dares Win Wins ....... Sc00ps the Eternal Prize.

    Now that wouldn't normally cause any sort of problem, El Reg, so if/whenever it does, we all know the problems to be sorted are hosting at their end.

    1. Cliff Thorburn

      Re: Manna from On High Above .... PBUH

      Well truly never ceases to amaze on both the size and scale of past and present driver deliverables in Live Operational Virtual Environments amfM :-) SIMply astonishing really, how some and many rely on the virtual ball on the roul et te wheel landing, with reds and blacks leaving others feeling blue?, however one cannot help but feel that leaves others grinding the axe in anticipation of badly briefed acts poorly scripted.

      Montauk?, or lets talk?, all one can do is smile and do the best one can do in difficult circumstances is it not?, grand conspiracy or Gran de performance?

      The truth is that event + reaction = outcome, but any sentient being, be it natural, or evolved through environmental manipulation will react in accordance with learning and instinct. Where this never ending story changes dependant on whether friend or FOIA, or whether Norwich Pharmaceutical Orders be just what the doctor ordered be the true questions in great game play.

      I was once told ‘do the right things and the right things will happen’ when one questions what the ‘right’ thing is anymore and the moral compass sways off course is it the puppet or the one who pulls the strings who must decide the true value of guiding principles underpinning such activities?

    2. Anonymous Coward
      Anonymous Coward

      Re: Manna from On High Above .... PBUH

      IT truly IS

  26. CoyoteDen

    Make your home network use DoT/DoH

    I have an ASUS router running the AsusWrt-Merlin firmware. DoT/DoH support is baked in. My entire home network uses DNS-over-TLS, round-robined between 8.8.8.8, 1.1.1.1, 9.9.9.9, etc. If I'm away my phone and laptop can OpenVPN tunnel all traffic back through it.

    The router advertises itself as the DNS server, then uses stubby to forward queries over TLS/HTTPS to the servers.

    1. Anonymous Coward
      Anonymous Coward

      Re: Make your home network use DoT/DoH

      Coyote Den,

      +1 for AsusWrt Merlin mention :)

      I use DOH via my own 'filtering' DNS Server on the router as well :)

      The one question I have with DoT is that you can simply block it by blocking port 853 AFAIK
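Two threads above make the same practical point from opposite ends: doublelayer and whitepines argue about whether a corporate network can still tell who is resolving names outside the sanctioned resolver, and the AC here notes that DoT at least announces itself on port 853. The following is an added example, not code from the original page or from any commenter, that runs that check over a few constructed firewall connection records. The internal resolver address (10.0.0.2), the log line format and the sample records are all assumptions for the demonstration; the public resolver addresses are the well-known Cloudflare, Google and Quad9 ones.

```python
"""Flag hosts that resolve names outside the sanctioned internal resolver.

Added example, not code from the original page or from any commenter. The log
format, the internal resolver address and the sample records are constructed.
"""
import re
from collections import defaultdict

INTERNAL_RESOLVERS = {"10.0.0.2"}          # assumption: the site's sanctioned DNS server
DOT_PORT = 853                             # DNS over TLS (RFC 7858) has its own port
HTTPS_PORT = 443                           # DoH hides among ordinary HTTPS flows
# Well-known public resolvers offering DoH/DoT (Cloudflare, Google, Quad9).
PUBLIC_ENCRYPTED_RESOLVERS = {
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112",
}

LOG_LINE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def classify(line):
    """Return (src, finding, dst) for a record that bypasses the internal resolver, else None."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    if dport == DOT_PORT:
        return (src, "dot", dst)                      # DoT: visible by port alone
    if dport == HTTPS_PORT and dst in PUBLIC_ENCRYPTED_RESOLVERS:
        return (src, "doh-known-resolver", dst)       # DoH: only visible by destination
    if dport == 53 and dst not in INTERNAL_RESOLVERS:
        return (src, "plain-dns-bypass", dst)         # classic hardcoded external DNS
    return None


def find_resolver_bypass(lines):
    """Group findings by source host: {src: [(finding, dst), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        hit = classify(line)
        if hit:
            findings[hit[0]].append((hit[1], hit[2]))
    return dict(findings)


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2019-07-10T09:12:03Z src=10.0.5.21 dst=10.0.0.2 dport=53 proto=udp",       # normal
    "2019-07-10T09:12:04Z src=10.0.5.21 dst=1.1.1.1 dport=443 proto=tcp",       # DoH to a known resolver
    "2019-07-10T09:12:05Z src=10.0.5.33 dst=9.9.9.9 dport=853 proto=tcp",       # DoT
    "2019-07-10T09:12:06Z src=10.0.5.40 dst=8.8.8.8 dport=53 proto=udp",        # plain DNS bypass
    "2019-07-10T09:12:07Z src=10.0.5.40 dst=203.0.113.10 dport=443 proto=tcp",  # DoH to an unlisted resolver: indistinguishable from web traffic
]

if __name__ == "__main__":
    for host, hits in sorted(find_resolver_bypass(SAMPLE_LOG).items()):
        print(host, hits)
```

The last sample record is whitepines's objection in one line: a DoH resolver that is not on the list is just another HTTPS flow, so the destination list is a deterrent rather than a boundary, and the durable control is the configuration policy doublelayer describes on the endpoints themselves.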

  27. SWCD

    Would've been better PR..

    ..had they nominated themselves afterwards.

    "We did mean it light-hearted, lack of real thought, the voting didn't get passed via folk who would've pointed out privacy issues, etc"

    We'd have known they were full of shit, but they'd have come off looking a little better.

  28. osmarks

    Well, too late for them, I've already gotten DNS over HTTPS turned on on most of my devices.

  29. SolidSquid

    I'll be honest, I wasn't even aware this was something Mozilla was intending to roll out as a feature for Firefox until this shit storm hit. Now I'm looking at the advantages of it and thinking it might be worth a switch

    1. Anonymous Coward
      Anonymous Coward

      might be worth a switch

      You don't actually HAVE to switch if you don't want to. (Although if you're using Chrome you'd just be pissing into the wind anyway). Apart from that you could just repurpose an old low powered pc/netbook/R-Pi, plonk Pi-Hole on it + Unbound and get your router to use that as its DNS resolver.

      I've found that setup to be pretty efficient as you just need to configure the router and leave all the clients as is, (provided they are all using DHCP from the router of course).

      I've got all the usual suspects including Google blocked at the pi-hole, an advantage of having Firefox available is if for example you have a visitor that just HAS TO HAVE google for search, you can just turn on the DOH option and they can get Google on that machine and browser ONLY, until you reset Firefox again.

  30. ldir

    Thanks for the motivation

    Just installed the DNS over HTTPS proxy on my OpenWrt based router as a result of this article.

    Now every device on the LAN is effectively using DoH for Internet related address lookups.

  31. wyatt

    Interesting piece from Cisco about DoH:

    https://support.umbrella.com/hc/en-us/articles/360001371526-Firefox-and-DNS-over-HTTPS-default

  32. gnarlymarley

    distributed dns?

    Did anyone forget about the distributed DNS? Now instead of the query coming from my ISP, it will come from a google data center and that could effectively ruin everyone's attempts to distribute the load via DNS.

    1. P. Lee

      Re: distributed dns?

      Authoritative servers will still be distributed. Unless some idiot has stuck them all on Route 53.

      Basically this is what you get when you spy and censor people. Or it can be used by spyware browsers like Chrome. Mobiles are vulnerable because Apple doesn't let you see or override your 4g dhcp settings - you have to run a vpn to change those settings.

      Given Australian censorship, I use this all the time. ISPs are just not reliable.

      Next up, caching dns servers which relay over tls. Cloudflare is easy to block due to its well known ip. We need to make any IP address a potential dns server. I know it's a security and botnet risk, but overreaching government and overly compliant ISPs are a greater threat than cryptolocker.

      Also, they are one that affects me more.

      Application level name resolution as an idea also helps new tech like ipns gain a foothold by not requiring system-wide configuration.

  33. Mark Manderson
    Thumb Up

    HA!

    god I love you, reg (and author)

    :D

  34. RenThraysk

    The peeping tom lobbyists annoyed that people can use curtains.

  35. Anonymous Coward
    Anonymous Coward

    Yeah, privacy fuckwits like this ignore, for example, the way that DNS-over-HTTPS prevents the folk at the Internet Watch Foundation trying to keep child sex abuse imagery off the web. https://www.iwf.org.uk/news/exposing-child-victims-catastrophic-impact-of-dns-over-https. ISPA may be inane but this article is no less unbalanced and ignorant

  36. Anonymous Coward
    Anonymous Coward

    DoH!!... Firefox's implementation of DoH seems to bypass the 'hosts' file!

    I've added a range of troublesome pop-up/tracking sites to 'hosts' (no, I'm not interested in vaping, online poker or MILFs in my area) and tried enabling DoH in FF, now those sites have started to pop up again despite appearing (and the ad exchange preceding it) in 'hosts'
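Two complaints in this thread come down to how a DoH client is put together: Hstubbe's objection that DoH "forces all DNS requests world-wide to go through one company" (and the AC's reply that the resolver is a configurable choice), and this AC's finding that a browser doing its own DoH skips the local hosts file. The following is an added example, not code from the original page, from Mozilla or from any commenter. It builds the DoH GET request from RFC 8484 (an ordinary DNS wire-format query, base64url-encoded, sent to whichever resolver URL is configured) and consults a hosts table before any query leaves the machine. The resolver host dns.example.test and the hosts-file text are constructed for the demonstration.

```python
"""Build a DoH (RFC 8484) GET request for a name, unless the hosts file answers it.

Added example, not code from the original page or from any commenter. The
resolver host dns.example.test and HOSTS_TEXT are constructed placeholders.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
DOH_CONTENT_TYPE = "application/dns-message"   # sent as the Accept header on the GET


def build_query(name, qtype=QTYPE_A):
    """DNS wire-format query with ID 0, as RFC 8484 s4.1 recommends for cacheable GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qd, an, ns, ar
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(name, resolver_host="dns.example.test", path="/dns-query"):
    """URL for a DoH GET: the query goes base64url-encoded, without padding, in 'dns='."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{path}?dns={encoded}"


def decode_dns_param(url):
    """Recover the wire-format query from a DoH GET URL (what the resolver side does)."""
    param = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_hosts(text):
    """Map each hostname in hosts-file text to its address; the first entry wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            table.setdefault(host.lower(), parts[0])
    return table


def plan_lookup(name, hosts_table, resolver_host="dns.example.test"):
    """('hosts', address) when the hosts file answers, else ('doh', url) to fetch."""
    key = name.rstrip(".").lower()
    if key in hosts_table:
        return ("hosts", hosts_table[key])           # nothing leaves the machine
    return ("doh", doh_get_url(key, resolver_host))


# Constructed hosts file in the style of the AC's blocklist; not a real file.
HOSTS_TEXT = """127.0.0.1   localhost
0.0.0.0     ads.tracker-example.test        # blocked locally
0.0.0.0     exchange.tracker-example.test   # the ad exchange that precedes it
"""

if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    print(plan_lookup("ads.tracker-example.test", table))   # answered from hosts
    print(plan_lookup("www.example.com", table))             # sent to the DoH resolver
```

Sending the plan's URL is a single HTTPS GET with `Accept: application/dns-message`; swapping resolver_host is the whole of "choosing a different DoH server", which is why the centralisation Hstubbe objects to is a default rather than a property of the protocol. A client that resolves this way keeps hosts-file blocks working because the local table is consulted before the query is encoded, which is exactly the order the AC above found Firefox not to follow.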
