Internet imbeciles, aka British ISP lobbyists, backtrack on dubbing Mozilla a villain for DNS-over-HTTPS support

The brain-dead Internet Service Providers Association (ISPA) has backtracked on its nomination of Mozilla as an "internet villain" for 2019 after online outcry. "In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion," the bonkers UK-based lobbying …

                1. doublelayer Silver badge

                  Re: Mozilla

                  It sounds like you've panicked a bit too much about DoH's security risks. The kinds of problems you could see with DoH connections could also be seen by a user connecting directly to an IP address or using whatever open ports you have to run a VPN or connect through Tor. Either of those would bypass internal DNS controls and would probably flag as risks in your network analysis logs anyway. Since the use of any of those things would be violations of a security policy, you might as well tell people they must use a certain set of configurations that disallow DoH, and using DoH will be a violation of security policy. Wouldn't that pretty much solve that problem?

                  1. whitepines Silver badge
                    Holmes

                    Re: Mozilla

                    That strongly depends on what kind of device is attached, e.g. would a Google device even allow a non-Google DoH resolver to be configured?

                    For a long time a DNS based blocker was at least a deterrent for the majority of access -- anything with hardcoded access as you say would trip other protections. Now that DoH is making that impossible, the overall risk posture has changed from "misconfigured device likely to be blocked at firewall" to "misconfigured device leaking sensitive information over HTTPS". Without DPI and MITM on all HTTPS traffic it's not even possible to determine who is accidentally violating policy without random search of the attached devices, which goes into GDPR territory for BYOD and basically means no BYOD on the corporate net period.

                    Allowing employee Internet access, especially with relatively relaxed policies on what software could be used, was always a balance between risk and productivity. Now that the risk for both sudden legal action (employee browsing blacklisted material without detection at our firewall) and internal data leakage to known hostile entities is that much higher, it outweighs the impact to productivity. Simple as that.

  1. Anonymous Coward
    Anonymous Coward

    The post was popped online anonymously by some coward

    Disgraceful!

    .

    .

    :-)

    1. David Lewis 2
      Big Brother

      Re: The post was popped online anonymously by some coward

      No.

      We know your real name is Lord Lucan.

      We know where you live.

      We know who you associate with.

      We know if you put the wrong sort of waste in your recycling bin.

      We are watching you.

      Have a nice day!

      Toodle Pip, GCHQ Welsh Ambulance Service

  2. sabroni Silver badge
    Thumb Up

    Quality trolling!

    This is why other tech sites can't compete with El Reg!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Quality trolling!

      well, I hate to say this, but other tech sites (zdnet) have provided a fool's how-to guide, including screenshots :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Quality trolling!

        Not sure if that's a pop at The Reg or a statement about the intelligence of other sites' readership??

        1. Anonymous Coward
          Anonymous Coward

          Re: Quality trolling!

          it's both. Who said you can't have an idiots' guide and quality material under the same roof. It's about microsegmentation, catching all possible revenue streams, etc, etc ;)

      2. Anonymous Coward
        Anonymous Coward

        Re: other tech sites (zdnet) have provided a fool's how-to guide

        A fool's guide on trolling the ISPA? I can't find it on their site, got a link?

        1. osmarks

          Re: other tech sites (zdnet) have provided a fool's how-to guide

          1. implement useful security feature

          2. wait for ISPA to complain

          3. mention this to tech press

          4. ???

          5. profit

  3. old_IT_guy

    Kieren for Pres!

    superb breakfast laugh, thanks!

  4. Mephistro Silver badge
    Devil

    ISPs giving Internet villain awards?

    Jokes write themselves nowadays, don't they?

    1. JoshOvki

      Re: ISPs giving Internet villain awards?

      I wonder if they tried nominating themselves first

      1. Glen 1 Bronze badge
        Joke

        Re: ISPs giving Internet villain awards?

        more like nominet-ing. Amirite?

    2. Benson's Cycle

      Re: ISPs giving Internet villain awards?

      Black farce, actually.

  5. Claverhouse Bronze badge

    You mean old Trump is more of an enemy to Internet & Whistle-blowing freedom than that poor wretch Obama ?

    1. veti Silver badge

      He is now.

    2. Anonymous Coward
      Anonymous Coward

      Not heard of net neutrality, bob?

  6. joeW

    "the police have complained about the 'unintended consequences'"

    Good enough for me, where do I sign up?

  7. Spanners Silver badge
    Big Brother

    "However, this privacy-protecting technology has turned out to be controversial"

    DoH is about as uncontroversial as it gets. Among more controversial things are...

    Anti virus programmes

    Basic internet security

    HTTPS itself

    VPNs

    Encryption and

    Not sticking all my internet activity on a notice board outside my house.

    The only discussion that needs to occur is in persuading the uninformed that they need it.

    1. Lee D Silver badge

      Re: "However, this privacy-protecting technology has turned out to be controversial"

      "Anti virus programmes" - programs under the control of a commercial third party, running with complete system privileges even when nobody is logged on, intercepting every single file access, and acting on un-decipherable instructions downloaded from the internet to decide what to do with every file access, and uploading random data to the Internet for "research purposes". AV is the biggest security hole that exists today.

      If you're a security professional suggesting that AV on every machine is essential, I seriously question your credentials and/or who you're working for.

      Much, much, much, much more secure to not have that crap, and implement security policies that mean arbitrary executables won't run.

    2. Joseba4242

      Re: "However, this privacy-protecting technology has turned out to be controversial"

      Quite so. Whether or not we should hand over DNS lookup data for 70% of browsing and 80% of mobile activity to Google seems uncontroversial to me indeed.

  8. Anonymous Coward
    Anonymous Coward

    "genuine desire to engage in a constructive dialogue"

    "to draw attention to an important issue in a light-hearted manner".

    These two don't add up.

  9. Anonymous Coward
    Anonymous Coward

    another warm chunk of sloppy garbage floating in the toxic hell soup of the modern internet

    Round of applause for that!

    Only joking.

    No, seriously :)

  10. Anonymous Coward
    Anonymous Coward

    Barbara, is that you again?!

    Alexa, how to enable DoH in Firefox...

  11. mark l 2 Silver badge

    To be honest I fail to see why the ISPs should be that bothered about people using DoH? Sure they are required by the government to block certain content at the DNS level, which is what they are doing. If people use technology such as VPNs, proxies or DoH to get around those blocks why should they care?

    The ISPs only implemented these blocks because the government required them to; if the law were to be repealed most of them would probably drop the DNS blocking and history retention as it costs them money to maintain with no benefit to them. And their main goal is to squeeze as much money out of every subscriber as possible, not police the internet.

    1. Dan 55 Silver badge

      They're required by the government to hand over Internet Connection Records but they're not told what technology to use to create those records, so if everyone starts using private DNS resolution they're obliged to use DPI to create them. They can't just shrug and say "dunno, plain old DNS doesn't work".

      1. Anonymous Coward
        Anonymous Coward

        TalkTalk and Virgin are the only ones I've experience with, and both already use DPI.

        Anyone know about any of the others?

    2. Suricou Raven

      In the case of the child abuse filter, it's not actually a law to repeal. It's more a soft pressure. The government *could* pass a law, but would rather not - so as long as all major ISPs maintain a 'voluntary' filter in compliance with the government requests, no law is needed. If one of them refused to do as they were politely asked, then the law would sail through parliament easily.

      Sort of an 'offer you can't refuse' deal.

      1. Doctor Syntax Silver badge

        "The government *could* pass a law, but would rather not"

        The government could pass all sorts of laws. It could pass a law to abolish gravity, for instance. Only the laws rooted in reality will actually work. That was the point of Cnut's demonstration about a millennium ago.

    3. Lee D Silver badge

      Quite... they should just shrug their shoulders and say "Here's the information you asked for. Yes, we know it's useless to you. But that's what you asked for."

      As technology progresses, the very idea of "trusting" the ISP to be anything more than a shifter of encrypted packets gets more laughable... I honestly don't understand why they were ever considered anything else.

      There will come a point where all Internet traffic is encrypted point-to-point and even metadata becomes next-to-useless. It's inevitable.

      If someone could please get off their backside and replace email too, we'd be a damn sight closer. SMTP over TLS is *not* end-to-end encryption between sender and intended receiver and cannot be with current protocols.

    4. Yet Another Anonymous coward Silver badge

      >i fail to see why the ISPs should be that bothered about people using DoH

      Because the excuse about GCHQ/council dog wardens needing it to stop communist ISIS child abusing terrorist non-recyclers is a consignment of geriatric shoemakers

      It stops the ISPs getting lots of lovely customer traffic to sell to advertisers

  12. j.bourne
    Windows

    Perplexed

    Maybe it's just me, but I don't see a huge benefit in DoH for concealing Internet history, except to ensure that the results received are from the queried server( i.e. no MITM). After all, if you use those results (HTTPS or not) you'll be exposing the fact of a connection to a specific site (time + IP = site identification) to your ISP (or any other interested parties with access to your ISP logs).

    1. Nageki

      Re: Perplexed

      Partially true, which is why it should be combined with a VPN for true privacy. However, an IP address does not really identify a website anymore. A single IP can serve dozens of websites, and a large number of websites these days are behind reverse proxies like Cloudflare. The only thing the ISP would see is a connection to a random Cloudflare IP which could be used for any number of sites. The bigger problem is the SNI which is unencrypted and identifies the website, but Firefox has implemented encrypted SNI along with DoH so it's all good.

    2. Graham Cobb

      Re: Perplexed

      There is value in hiding name translation. Many different sites are hosted on the same IP address (small sites use shared hosting servers, large sites use Cloudflare and others).

      So, if your lookup for "badsite.childporn" (has that TLD been sold yet?) returns 1.2.3.4, that doesn't necessarily allow anyone to work out what site you were visiting as that address may also be hosting "puppies.lovely".

      Note: this is only half the problem. Currently the TLS protocol used for https: traffic sends the server name in cleartext anyway! There is a new feature called "Encrypted SNI" to encrypt that. There is a good blog post explaining it on the Cloudflare site.

      So, DOH is half the answer, ESNI is the other half.

      1. tfewster Silver badge
        Thumb Up

        Re: Perplexed

        Thanks Graham - the explanation at https://blog.cloudflare.com/encrypted-sni/ shows that ESNI is quite elegant, as it offloads the SNI portion to DNS (which seems like a valid extension of DNS anyway).

        1. j.bourne

          Re: Still Perplexed...

          OK, so an IP doesn't identify a specific website (in many cases) so, if I make a DNS lookup for 'dogsittingonyourface.com' and get an IP 123.456.789.012 back - then go visit the same IP over HTTPS - it's still no guarantee that I actually visited 'dogsittingonyourface.com' is it? I could have been visiting 'catsittingonyourface.org' instead if it's hosted at the same IP. Add further that I expect that there are many more DNS lookups being spammed out from my computer that aren't due to directly typed URLs or clicked links - just page content loads...
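Two things in this thread hinge on what is actually visible on the wire: whitepines' point above that an admin cannot see who is talking to a DoH resolver without DPI, and Graham Cobb's point that the TLS ClientHello still carries the server name in cleartext until ESNI lands. Both can be seen with the same small bit of code. The following is an added example, not code from the article or from any of the commenters: it builds a minimal, constructed ClientHello with a server_name extension, parses the SNI back out the way a passive TLS inspector would, and flags it if the name belongs to a well-known public DoH endpoint. The list of DoH hostnames is an assumption for the example; the ClientHello is a hand-built sample, not a capture.

```python
"""
Passive SNI extraction from a TLS ClientHello (added example).

Shows why a DoH connection is still identifiable from the network today: the
hostname of the resolver sits in cleartext in the server_name extension, exactly
where any other HTTPS hostname does. Once ESNI/ECH hides it, extract_sni()
returns None and the inspector has nothing to key on.
"""
import struct

# Hostnames of well-known public DoH endpoints (assumed list for this example;
# a real deployment would maintain and update its own).
KNOWN_DOH_HOSTS = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com",
                   "dns.google", "dns.quad9.net"}


def build_client_hello(hostname: str) -> bytes:
    """Construct a TLS record holding a ClientHello with one SNI entry.
    Constructed sample: only the fields needed to be well-formed are filled in."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type 0 = host_name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry  # server_name list
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body  # ext type 0
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + bytes(32)                 # random (zeros in this constructed sample)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 22 = handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None
    for anything that is not a complete, SNI-bearing ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                      # ClientHello split across records: caller must reassemble
    pos = 2 + 32                         # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                 # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                 # compression_methods
    if pos + 2 > len(body):
        return None                      # no extensions at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type == 0x0000 and len(data) >= 5:
            name_type = data[2]
            name_len = struct.unpack("!H", data[3:5])[0]
            if name_type == 0 and len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", "replace")
    return None


def classify(record: bytes) -> str:
    """Label a ClientHello by what its SNI reveals."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"                  # ESNI/ECH, non-TLS or malformed: nothing to key on
    return "doh-resolver" if sni.lower() in KNOWN_DOH_HOSTS else "other"


if __name__ == "__main__":
    for host in ("mozilla.cloudflare-dns.com", "puppies.lovely"):
        rec = build_client_hello(host)
        print(f"{host}: sni={extract_sni(rec)!r} -> {classify(rec)}")
```

Run against real captures you would feed the first record of each TCP stream to port 443 into `extract_sni()`; the `no-sni` branch is the state whitepines is worried about, and it is also the state ESNI deliberately produces, which is why SNI-based filtering is a stopgap rather than a control.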

  13. Hstubbe

    DoH is not all good

    I still don't get this DoH praise. DoH simply replaces a decentralized logging opportunity with a concentrated, centralized logging opportunity. Instead of hundreds if not thousands of ISPs being able to log your DNS lookups, we all send all our DNS lookups to one party (Cloudflare in the instance of Firefox). So Cloudflare will be able to build a big database of the browsing behaviour of all Firefox users that have DoH enabled.

    So why is trusting a US company like Cloudflare with that any better than trusting my local ISP? No thank you, I trust my ISP a bunch more than some NSA subsidiary.

    I myself disabled DoH on all my devices that have Firefox. I'd switch browsers because by forcing DoH upon users Firefox has clearly abandoned their 'privacy first' goals, but there isn't a browser left that cares about users anymore. The only alternative is spy-by-default Chrome/Chromium (which of course will also force DoH for your own good soon).

    DoH in itself is a nice idea, it's just that the implementation forces all DNS requests world-wide to go through one company which seems like a terribly bad idea to me.

    1. Anonymous Coward
      Anonymous Coward

      forces all DNS requests world-wide to go through one company

      Not true, you can choose from a shopping list of DoH enabled servers quite apart from the default offered by Firefox.

      At the moment not a huge amount but give it a bit of time and there will be hundreds.

      These people are already implementing some.

      https://dev.to/commonshost/how-we-built-a-doh-cdn-with-20-global-edge-servers-in-10-days-1man

      Of course if you are really serious about DNS security use DNSCrypt or a VPN.
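Hstubbe's objection and the reply above both come down to where the DoH request goes, so it is worth seeing what a DoH request actually is. The following is an added example, not code from the article or the commenters: it assembles an ordinary DNS wire-format query, wraps it the way RFC 8484 specifies (POST body of type application/dns-message, or base64url without padding in a GET `?dns=` parameter) for whichever resolver URL you choose, and parses a constructed response. The resolver URL `https://doh.example/dns-query` is a placeholder; a real one is whatever endpoint your chosen server publishes. The response bytes are built locally for the example, not fetched from any resolver.

```python
"""
RFC 8484 DNS-over-HTTPS message handling (added example).

The DNS message is unchanged; only the transport is HTTPS. Pointing the
browser at a different resolver URL is the whole of "choosing a provider".
"""
import base64
import struct

RESOLVER_URL = "https://doh.example/dns-query"   # placeholder, assumed for the example


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query. RFC 8484 recommends ID 0 so identical queries are
    identical bytes and therefore cacheable at the HTTP layer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: base64url, padding stripped (RFC 8484 section 6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def doh_post_request(resolver_url: str, query: bytes) -> dict:
    """POST form: the raw message is the body; both content headers are required."""
    return {"method": "POST", "url": resolver_url, "body": query,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"}}


def decode_name(msg: bytes, pos: int, max_hops: int = 16):
    """Decode a possibly compressed name; returns (name, offset after it).
    The hop limit stops pointer loops in a hostile response."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                    # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2
            pos, jumped = target, True
            continue
        pos += 1
        if length == 0:
            if not jumped:
                end = pos
            return ".".join(labels), end
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def parse_a_records(msg: bytes):
    """Return [(name, ttl, dotted IPv4)] from the answer section; raise on RCODE != 0."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):
        _, pos = decode_name(msg, pos)
        pos += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed sample response to `query` (not from any real resolver)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD RA NOERROR
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)        # name = pointer to question
    return header + query[12:] + rr + bytes(int(o) for o in addr.split("."))


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(RESOLVER_URL, q))
    print(parse_a_records(build_response(q, "192.0.2.1")))
```

Whichever form is used, the resolver named in `RESOLVER_URL` sees every question, just as a plain-DNS upstream would; DoH moves the trust from the path to the endpoint, it does not remove it.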

    2. Loyal Commenter Silver badge

      Re: DoH is not all good

      I'd switch browsers because by forcing DoH upon users firefox has clearly abandoned their 'privacy first' goals

      Except, of course, that the setting to use DoH is off by default, so nobody is forcing anyone to use it.

      Always best to establish the facts before issuing the tirade.

      I did, in fact, turn it on, and found that the browser hung after about 20 seconds, probably because of the chonky corporate gateway proxy at work, so I turned it off again. I'll probably try it out at home when I get round to it, to see if it's more stable there.

      1. Hstubbe

        Re: DoH is not all good

        "Except, of course, that the settign to use DoH is off by default, so nobody is forcing anyone to use it."

        Not yet at least, but they're planning on turning it on by default, instead of the current default. At least, that's what's reported at zdnet: https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/

        1. CommanderGalaxian
          FAIL

          Re: DoH is not all good

          "...but they're planning on turning it on by default..."

          That is literally exactly the opposite of what is reported in the article: "We have no current plans to enable DoH by default in the UK" .

  14. Sulky

    Mozilla not the only one doing it

    Funny how the owners of Android weren't included as a villain, Android now has DoT by default and you can set your own host, of which plenty abound. It must have been an oversight by the ISPA and nothing to do with the fact Android's owners are, um, members of the ISPA.

    1. Dan 55 Silver badge

      Re: Mozilla not the only one doing it

      Out of the box Android 9 is set up to try DoT then fall back to plain old slurpable DNS if that fails, so the ISP can just block DoT and most people are probably none the wiser.

  15. Will Godfrey Silver badge
    Happy

    Streisand effect

    Nice of them to tell as many people as possible about this.

  16. Franco Silver badge

    Nice one El Reg!

    Might I suggest your old friends Nominet as a replacement in the villain category? Purely in a light-hearted way of course....

  17. Augie
    Thumb Up

    Superb!

  18. Anonymous Coward
    Anonymous Coward

    piHole all the way - ahoy !

    Surely the hardcore El Reggers are already running something like a piHole to avoid ads and trackers? Not too difficult to set up DNS-over-HTTPS. In fact the newer versions might have it already running. I'm an early adopter and had to set it up by hand.

    Of course the next step is a DNS roulette system which arbitrarily chooses a DNS route out of many tens as and when. Try to piece that together.

    AC, obviously !

    1. Anonymous Coward
      Anonymous Coward

      Re: piHole all the way - ahoy !

      Have you tried updating it lately? It's built in on mine. (Settings/DNS tab, scroll to the bottom and tick "use DNSSEC".) Quad9 and Cloudflare are available, or you can choose your own.

      Pi-hole Version v4.3.1 Web Interface Version v4.3 FTL Version v4.3.1

    2. Anonymous Coward
      Anonymous Coward

      Re: piHole all the way - ahoy !

      A better way would be to use Unbound with piHole rather than trust a third party. It's really easy to set up: https://docs.pi-hole.net/guides/unbound/
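For the Unbound-behind-Pi-hole setup the comment above points at, this is what the resolver side looks like. It is an added example, not the text of the linked guide or anything from the commenters: a minimal unbound.conf that recurses from the root servers itself and validates DNSSEC, so there is no upstream forwarder (DoH or otherwise) that sees the whole query stream. The file path, the listening port 5335 and the root-hints/anchor paths are assumptions for the example; adjust to your distribution's layout.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf   (path assumed for the example)
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335                 # Pi-hole then uses 127.0.0.1#5335 as its only upstream (assumed port)
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no

    # No forward-zone is defined, so Unbound walks the hierarchy from the root
    # itself; each authoritative server only sees the part of the name it serves.
    root-hints: "/var/lib/unbound/root.hints"            # path assumed
    auto-trust-anchor-file: "/var/lib/unbound/root.key"  # DNSSEC root key, path assumed

    harden-glue: yes
    harden-dnssec-stripped: yes   # treat missing signatures as bogus, not as unsigned
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1

    # Never accept RFC 1918 addresses from outside (rebinding protection)
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
```

Two checks after restarting Unbound: `dig @127.0.0.1 -p 5335 example.com +dnssec` should return an answer with the `ad` flag set, and a query for a domain with deliberately broken signatures (dnssec-failed.org is one published for this purpose) should return SERVFAIL rather than an address. The trade-off relative to the DoH option in the previous reply is the one Hstubbe raised: nothing here is encrypted on the wire, but no single party sees every lookup either.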


Biting the hand that feeds IT © 1998–2019