back to article Please stop regulating the dumb tubes, says Internet Society boss

Andrew Sullivan, chief exec of the Internet Society, has condemned governments that "interfere in underlying technologies that people are allowed to build," as regulators increasingly target net infrastructure to enforce their visions of how the online world ought to be. Speaking to The Register, Sullivan warned that laws …

  1. jpo234

    How is DNS over HTTPS different from a normal VPN?

    1. Trenjeska
      Black Helicopters

      It isn't.

      If they could, they'd ban that as well.

      1. NoneSuch Silver badge
        Coffee/keyboard

        "vital security protections will end up being weakened and innocent sites will be wrongly blocked."

        That's what governments WANT!

      2. bombastic bob Silver badge
        Black Helicopters

        re: VPNs - "If they could, they'd ban that as well."

        good point, and then we'd need a different workaround

        like gun control - ban normal law abiding citizens from owning guns, and ONLY criminals will have them.

    2. chuBb.

      DNS over HTTPS differs quite a lot from a VPN

      VPN's provide you with an encrypted tunnel between point a and point b depending on how they have been configured depends what traffic gets routed to them, i.e. most remote access vpn's provided by an employer would only direct traffic destined for corporate subnets i.e. all traffic to 172.16.0.0/16 will go via the VPN, unless they are set to replace your default gateway/route when all traffic goes via the VPN (which is good for paranoid employers as all requests can go through their content filters, just crap for end user as your connection will be slower especially if you have a 50Mb+ connection at home and a crappy 20Mb line at the office....). DNS requests sent via VPN are still plain text in terms of protocol just the transmission is encrypted, and still susceptible to monitoring/filtering once they exit the tunnel.

      DoH on the other hand (from a high orbit viewpoint) stuffs the UDP payload of a DNS request into a TCP HTTPS request on the client, which is transmitted using TLS (SSL is dead, deprecated should not be used, only exists as an acronym for spotting people who either used to know what they were on about or never knew in first place) to a centralised proxy controlled by the browser maker (google or mozilla here) which accepts the HTTPS request, decodes the payload and performs a normal DNS lookup, which then sent back as a HTTPS reply to the client, which decodes the DNS response and handles as usual.

      Essentially its protocol stuffing and open to debate if its a good thing to move away from a decentralized name system, back to something similar to the walled gardens of AOL and Compuserve from the time that every publication came with a set of coasters.... although that reality is a way down the rabbit hole, its not unreasonable to expect google to game responses with paid for preferential results etc. The tricky bit is that by making it a client feature it can and will by pass the network config of the host, i.e. by default chrome would make DoH requests and you would have to go about:config diving to disable this (each and every auto update) and use the DNS configured on your adapter, which unless you have overiden your ISP's defaults will be their name servers. (this could also make life tricky inside enterprises running a split brain DNS for intranet access using the corp domain name)

      1. Anonymous Coward
        Anonymous Coward

        "DNS over HTTPS differs quite a lot from a VPN"

        While you're not wrong, you're missing the point for why the government wants to ban DoH - they can't filter the content using their existing methods, which makes it identical to a VPN solution using a provider who doesn't currently implement UK government policy.

        If the ID laws for porn in the UK are passed (which is unlikely in my view for both political and technical reasons), I wonder if the UK government will crack down on VPN's next? What do you mean businesses have valid requirements for them? It's just individuals trying to hide from the government...

        While you raise very valid technical concerns, the UK government has repeatedly demonstrated that it hasn't grasped the basics of the current technical issues without piling on new technologies and the associated long learning curve...

        1. Immenseness
          Devil

          The cynic in me thinks that the motivation for DoH is really to stop Ad-avoiding systems like pihole which can currently be very effective.

          1. bombastic bob Silver badge
            Devil

            I want to write a web browser that intercepts all DNS requests and RDNSs all IP address equivalents, using a regex filter and a blacklist, re-directing them to 'localhost' that serves up a 1 pixel GIF file in response to all requests

            that'll teach 'em!

          2. James R Grinter

            Isn’t PiHole just a DNS resolver that you configure, via DHCP or statically, as your device’s DNS server? It may then make those onward requests, for domains it deems “good”, over DoH but by that point it’s looking up only what it wants to anyway. Essentially it’s doing what some paternalistic ISPs servers are doing, only under your control.

            DoH is about your privacy, stopping a middleman from snooping on what domains you are resolving under the guise of “it’s just metadata”) Also, about stopping those paternalistic ISPs from further meddling with your DNS lookups.

        2. chuBb.

          Not missing the point at all, fact is that the number of VPN users is dwarfed by the number of chrome (and by extension chromium based browsers) and firefox users, DoH will be an automatic default for those users, hence a much bigger problem than VPN's; as VPNs have to be activly setup, where as DoH would be a passive setup

          If their is a crack down on commercial VPN providers then it will only be a formalisation of existing law forcing them to provide logs on court order, and if they did overstep the mark then users will configure their own or just run a vpn box on aws hosted in a US region, lifehacker will have dozens or articles on how to set it up. It would be impossible to ban or even regulate VPN's as the economic damage would be to great, inter office comms made illegal, secure transport of patient records between hospital and surgery gone, etc.

          The fundamental flaw in the "they will ban vpns" argument is that its like saying "Ban roads to stop drivers speeding" a VPN is a transport, DNS is a protocol, legislating against traffic is a wholly different proposition to legislating on how the traffic is carried, regulating DoH is much more like saying mini moto bikes are not road legal and are not allowed on the roads (but their is nothing we can do stop people from doing that of they dont get caught). The real govt (civil service, not the who do you want lying to you popularity contest winners going for the click bait think of the children attention grabbers arguments) fear in my opinion is a ceding of control of domestic surveillance to the NSA as both the major infrastructure providers are US companies and accepting what ever evidence you gain may have been altered as it didnt come from your direct tap...

          Interesting you mention the pr0n farce, fully agree with you, if and when it comes into effect (i also believe as currently intended is utterly impossible) it will only effect those that pay for porn online, and what comes into effect will be so watered down as to be effectively optional

          1. Anonymous Coward
            Anonymous Coward

            You're still approaching the argument from a technical perspective rather than a political one.

            The government has a system they believe works. DoH will stop it working. Therefore, ban DoH. Cause and effect, with no thought of the technical implications.

            If the porn laws or something similar comes into effect that makes the widespread use of VPN's within the UK for consumer access, the government will look to ban VPN's or continue the crusade against encryption.

            None of this negates the technical arguments - they are all valid, but will be ignored if they don't match political will.

            1. chuBb.

              Nope very much a political approach, bottom line is no MP would go for it once they find out they they can no longer sign in to govnet from the cotswolds and would have to physically travel to approved locations to do their work, which renders the rest of the FUD about vpn's banned moot. Even if that embuggerence for them would probably do wonders for overall infosec in whitehall, until some bugger muppet popularity contest winner puts it all on an unencrypted harddrive and leaves it on a train to work on over the weekend....

              1. NetBlackOps

                Last time I looked, just yesterday, government doesn't hesitate to allow itself privileges that are withheld from the citizens. Heck, they grant them to their crony capitalists as well.

      2. Roland6 Silver badge

        "DoH would see DNS requests from browsers implementing the tech going directly to DNS servers controlled by that browser-maker"

        How did this get to be an RFC?

        There should be no vendor lock-in linkage between browser/client vendors and any other component of the Internet.

        1. JohnFen Silver badge

          "How did this get to be an RFC?"

          Mozilla submitted and advocated for it. Which is why I'm furious with Mozilla.

        2. doublelayer Silver badge

          And there doesn't technically have to be. Firefox supports it, but you can use any DoH server you please by changing the config. I've suggested running a system-wide DoH client that performs requests for applications that communicate with it locally. However, I wouldn't expect Chrome to make this easy to change.

          1. bombastic bob Silver badge
            Meh

            *ahem* - the browsers are OPEN SOURCE. Edit the source if you must. Or fork it.

          2. chuBb.

            And their in lies the problem, for every one of us that does change a config, isnt scared off by "here be dragons" messages, there will be 1000000 users who accept the default

  2. Pascal Monett Silver badge

    "A very strange thing for Parliament to do [..]"

    Not really. Today our society is practically based on the Internet. Whatever is not yet there is going there, and whoever is not on it is increasingly being pushed there, sometimes by their own government (online tax declaration, anyone ?).

    Those bits traveling over the wire have a specific function, to query some data that will orient the user to a specific site. That cornerstone of the Internet is how we access the web pages we think we want - which means it is the ideal point of control for a government that wants power over what its citizens can see.

    It is exactly like the government controlling what is told in the news on TV and the dead tree network, especially back when the Internet did not exist. It's a reflex for any government, let alone one that likes control.

    1. Teiwaz Silver badge

      Re: "A very strange thing for Parliament to do [..]"

      Harrumph!!

      I'm sure we all remember when doing things online was the new, convenient option to doing things.

      Now, it's no longer new, and often neither convenient a lot of the time, and getting well onto no longer being an option, but the only way to do things.

      1. Charles 9 Silver badge

        Re: "A very strange thing for Parliament to do [..]"

        Some of us still remember Service Merchandise and "Silent Sam". Then there was the Sears catalog and telling your product numbers over voice phone to a fallible operator...

        1. Teiwaz Silver badge

          Re: "A very strange thing for Parliament to do [..]"

          product numbers over voice phone to a fallible operator

          What, have you never ordered something 'online' and gotten somebody elses order instead of yours???

          I know I have.

          Not often, but then it wasn't any less often than when the family ordered from Freemans* catalogues in the 1970s.

          I'm more concerned with other services other than commercial concerns. The kind of thing that often delivers benefit to the customer from interaction with an (at least semi-knowledgeable) employee one to one.

          * bought by Sears group in 1988

          1. JohnFen Silver badge

            Re: "A very strange thing for Parliament to do [..]"

            "have you never ordered something 'online' and gotten somebody elses order instead of yours?"

            I have never had this happen, personally.

            1. Teiwaz Silver badge

              Re: "A very strange thing for Parliament to do [..]"

              I have never had this happen, personally.

              Lucky you, I have three times, once, two out of a four item order were incorrect. Twice my order was IT related and I received clothing items, once I ordered presents for a relative, and they were confused by what they received, and I, embarrassed.

              Point is, those fallible operators are probably now manning the warehouses, so it's just passed the fault down the line.

              1. JohnFen Silver badge

                Re: "A very strange thing for Parliament to do [..]"

                I didn't say that it never happens, of course, only that it's not happened to me.

        2. Jamie Jones Silver badge

          Re: "A very strange thing for Parliament to do [..]"

          Don't forget the required "Please allow 28 days for delivery"!

    2. Doctor Syntax Silver badge

      Re: "A very strange thing for Parliament to do [..]"

      "It's a reflex for any government, let alone one that likes control."

      The trouble is that it puts the rest of us between govts wanting control and the likes of Google wanting control.

      1. TheSmokingArgus

        Re: "A very strange thing for Parliament to do [..]"

        The difference being Google & the rest of the Silicon Valley Marxists society cannot send men with guns to your home to coerce compliance.

        1. Anonymous Coward
          Anonymous Coward

          "cannot send men with guns to your home to coerce compliance."

          Not yet.... US already got private prisons run for profit, what do you believe the next step will be?

          Robocop could become a prescient story, one day....

        2. NetBlackOps

          Re: "A very strange thing for Parliament to do [..]"

          Google need only pass a hash value corresponding to child porn to some Authority and you will be in a world of hurt. And it need not be officially, it could be some "woke" employee who targets you with one or more planted files. it's been asserted on more than one occasion that governments, specifically their intelligence arms, already do this amongst other bad actors out there.

          Just mentioning it. There's a reason I'm a stickler on computer hygiene.

    3. JohnFen Silver badge

      Re: "A very strange thing for Parliament to do [..]"

      "Today our society is practically based on the Internet"

      Not entirely, yet, fortunately. Personally, I literally can't think of a single thing that I need the internet to accomplish. The internet is more convenient, but I can still do every critical function I need the old-fashioned way if I choose to.

      1. Anonymous Coward
        Anonymous Coward

        Re: "A very strange thing for Parliament to do [..]"

        Funnily enough, life doesn't revolve around you and what you do :(

        Maybe you could comment on how much you care about those people who are affected.

    4. AdamWill

      Re: "A very strange thing for Parliament to do [..]"

      "It is exactly like the government controlling what is told in the news on TV and the dead tree network, especially back when the Internet did not exist. It's a reflex for any government, let alone one that likes control."

      Indeed it is...

      ...and just to play devil's advocate: is this necessarily entirely a bad thing?

      I mean, I've been using the internet for, uh...26 years now...and, well, the days where I uncomfortably wonder "was this whole thing just a really bad idea?" seem to be getting more frequent.

      The last one was when I read this story:

      https://www.theverge.com/2019/6/19/18681845/facebook-moderator-interviews-video-trauma-ptsd-cognizant-tampa

      I mean...somehow we wound up building a thing which means thousands of poor bastards have to get paid about 15 bucks an hour to watch people beat the shit out of puppies with a baseball bat. All day long.

      Is that...good? Because, I mean, it seems not good. And, how exactly are we going to fix that? If you start from the premise that you need the internet to be this giant open access thing to which anyone can send any series of bits at any time, and content moderation is at best reactive...how can you ever not need to make people watch other people murder puppies? OK, sure, AI...if it turns out to work. I really highly doubt it.

      The comparison with TV is actually kind of an interesting one to me. It's also an interesting comparison to Sullivan's argument that it's "a very strange thing to do". Is it, though? TV and radio are really just broadcasting bits over the air, after all. But we never let everyone broadcast whatever the shit they liked. This is partly a purely practical technical thing - you can't let everyone do high-power radio/TV broadcasts, after all, it'd be complete chaos - but it also wound up being a restriction on content. If a broadcaster started broadcasting snuff films it'd get its license revoked PDQ. And...really...is that *wrong*? I'm honestly not sure. I still just about remember what life was like when it *wasn't* a given that anyone could broadcast high-quality video of anything they liked to everyone else in the world, and that seems like it was better in some pretty important ways...

      1. Olivier2553 Silver badge

        Re: "A very strange thing for Parliament to do [..]"

        A couple of remarks. In the case of TV, I think there are/were people in charge of watching the programs 24/7 to make sure that the content was appropriate at any time.

        FB and the like could have a system of pre-moderation where by users content would be approved before it goes online. And only after a user has been deemed trustworthy, could he be allowed for post moderation. many forum work like that, why not FB? Oh yes, here and now, can wait 10 minutes.

        In the case of Cognizant, it seems to be a very toxic working environment more than the content of what they are watching: apply the same type of pressure on a postman, he too will commit suicide (yes, that happened in France). What company have bed bugs or pubic hairs in their premises? What company tolerate harassement?

        And it is definitely a badly conceived solution: why having the employee come to the office? This is the kind of job that could be made from home, with salary depending on the amount of video you watch.

  3. BebopWeBop Silver badge
    Devil

    Kockon effects shurely?

  4. Anonymous Coward
    Anonymous Coward

    Public blacklist...

    ... "hey, come here, we've got a list of all the sites you shouldn't see!!!"

    Guess what a not small percentage of people will do - just out of morbid curiosity? And bypassing DNS won't be that difficult. For the criminals, a flag they have to move elsewhere.

    Anyway this idea "you can't regulate tech" looks to me very alike those who would kill EPA and the like because they "put boundaries to business and progress". The Internet is already polluted as it grew ignoring any downside effects jut like XIX-XX century industries- maybe some regulations are needed as well?

    Frankly, I would not trust anyway any basic internet infrastructure run by Google & C. - and all we know between money and ethics what their choice is.

    DoH should be run by non-commercial entities at least - and maybe blacklists should not be made public - when they try to block criminal activities.

    1. Chronos Silver badge
      Facepalm

      Re: Public blacklist...

      DoH should be run by non-commercial entities at least - and maybe blacklists should not be made public - when they try to block criminal activities.

      FFS! You don't understand how DNS works at all, do you? In the first place, which DNS servers you use are purely a consensus, usually a "can't be arsed" decision to accept your ISP's DHCP advertised crap. DoH is just wrapping the payload up in TLS encryption so the contents cannot easily be viewed in-transit. The underlying protocol for turning names into numbers remains exactly the same and you can "can't be arsed" to Cloudflare, Google, Mozilla or any of the other DoH/T providers just by leaving about:config alone.

      Where the real fun will start is when the roots and authoritatives start serving DoH/T (stubby as a proxy). Then your private resolver can talk direct, in total privacy. This is not a Bad Thing™, especially when you weigh the risks between world+dog tracking you and a few miscreants who will find a way around whatever filtering you put in place. It'll also make amplification DDoS quite a lot more difficult as TLS requires TCP, which means a spoofed UDP request no longer provides the ability to swamp any poor old sod's pipe. As the chap said, your meddling only increases the collateral damage and does sod-all to address the problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: Public blacklist...

        Keep on thinking Google works for you and it's not evil - DoH is an attempt to bind people into a very few DNS services and track all their DNS queries. I frankly find people ridiculous when the fret about government tracking, but not "surveillance capitalism".

        All of you will awake one day - I hope - and understand the big mistake you did. Meanwhile, keep on watching your porn using Chrome and believing you're not tracked. Nobody is really interested in how much porn you watch (as long as it is legal), the real issues are others.

        It's funny how libertarian are exactly alike climate change deniers and polluters when proposed regulations touch their interests. Just like the real environment, the Internet can't become a wild west were a few powerful companies do whatever they like, dictate the rules that makes them more money, and pollute the environment regardless of the effects on people.

        "The underlying protocol for turning names into numbers remains exactly the same"

        No - it looks you didn't understand what DoH is - and the protocol is HTTP, not DNS. The message format is different, you need a whole new server and client to support the new protocol.

        BTW, DNS works on TCP too, if you want.

      2. JohnFen Silver badge

        Re: Public blacklist...

        "Then your private resolver can talk direct, in total privacy. This is not a Bad Thing"

        If I can't see who my machine is talking to and what they're saying, then this is indeed a Bad Thing.

        1. Chronos Silver badge

          Re: Public blacklist...

          You can, John. It's the MITM who can't, exactly the same as, say, HTTPS, assuming your CA trust store is sane.

          I'm not even bothering to reply to the cow-herd. DoH isn't the only game in town and I just adequately explained how to move away from the likes of Ogle and Cloudflare, i.e. don't accept the defaults.

          1. Anonymous Coward
            Anonymous Coward

            Re: Public blacklist...

            It's ironic that many people's CA trust store will be "Avast Web / Mail Shield Root".

            Check the padlock icon to see yours.

      3. bombastic bob Silver badge
        Facepalm

        Re: Public blacklist...

        non-commercial entities

        I spend 5 minutes listening to N.P.R. or any 'public broadcast' news and suddenly realize why I do not want NON-PROFIT CORPORATIONS determining what kind of intarweb access I have...

        (ok if I have to explain it, these guys are SO LEFT OF CENTER in their politics and their TRANSPARENTLY OBVIOUS news filtering that it's pathetic, worse than CNN, worse than [P]MSNBS <-- not a typo - 'BS' - and the LAST thing I want is some left-wing-activist-driven "non profit" filtering my DNS instead...)

        1. Charles 9 Silver badge

          Re: Public blacklist...

          The problem is that there's no real center: never was. It's just that the modern Internet made it possible for people to not be afraid to admit they're not in the center because they have "friends" to back them up.

          Basically, if it isn't LEFT of center, it's RIGHT of center. Anything that claims to be center simply doesn't realize its own inherent biases. So, pick your poison.

      4. Joseba4242

        Re: Public blacklist...

        "It'll also make amplification DDoS quite a lot more difficult"

        No it doesn't. Just because DoH is deployed, even if deployed widely, does not mean a single Do53 server is shut down. Unless that happens those same Do53 servers (even if used less by "proper" clients) can still be used for DoS attacks.

  5. chuBb.

    IWF Handwringing

    Something has just occurred to me, sure DoH might break the IWF's watch list for forward requests, but reverse DNS queries of the list would work just fine, especially if they go for the sledge hammer to crack a wall nut approach and block by IP, rather than host header. So why couldnt ISP's just move the check from DNS access to Gateway access for HTTPS requests, and plain HTTP well its just another packet inspection rule at that point...

    Of course solutions don't win headlines or votes, so jerk your knee as you think of the children, the sky is falling, damn those terrorists and their hashtags!!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: IWF Handwringing

      talk-talk already do filter at the http/https level, not the dns level.

    2. James R Grinter

      Re: IWF Handwringing

      A lot of TLS web sites are hosted on shared services these days: think anything on AWS S3, for example.

      There’s separate work going on to prevent them being enumeratable (i.e. to prevent the domain names being disclosed via the certificate when you connect to them)

      This will lead to some suggesting the answer is to “man in the middle” every TLS connection, I’m sure.

    3. Joseba4242

      Re: IWF Handwringing

      IP blocking doesn't work because of shared hosting, and SNI hostname based blocking for HTTPS won't work if eSNI becomes widely used.

  6. Graham 32

    Corporate dominance

    > Sullivan proposes making all content hosts sign up to what would effectively be a public blacklist

    Who are the content hosts? On the internet that can be anyone and everyone. It can only work if there's just a few major platforms hosting everything. It means forcing all the "little people" to become clients of a few big firms for it to be effective.

    1. TheSmokingArgus

      Re: Corporate dominance

      Seems to me STATE Supremacists are attempting to put the proverbial toothpaste back in the tube. The free flow of information has for the first time in human history freed the individual to pursue any passion to their heart's content limited only by their motivation.

      Such is bad business for authoritarians who prefer use of the regulatory state to keep folks subservient to STATE approved, licensed media outlets.

      We saw the same here in the states with the notion of "public airwaves" that led to the licensure of radio & television, thus consolidating those who could or would comply with regulatory barriers, i.e. pre-filtering for copyright, etc.

  7. Blane Bramble

    Wait until they find out you can put letters and numbers in a file on your computer and bypass DNS lookups completely.

  8. adam 40 Bronze badge

    DNS isn't needed if you already have the IP address

    ... so there.

    I have noticed Virgin Broadband DNS has been behaving strangely, recently. Anyone else noticed this?

    1. bombastic bob Silver badge
      Trollface

      Re: DNS isn't needed if you already have the IP address

      hell we can just get '.onion' addresses and be done with it

      1. NetBlackOps

        Re: DNS isn't needed if you already have the IP address

        IFF (IF and only iF) you can get to a TOR gateway.

  9. amanfromMars 1 Silver badge

    Jackanory?

    "It's all about the content and not the infrastructure." .... Andrew Sullivan

    And aint that the gospel truth, the whole truth and nothing but the truth. So help me, Global Operating Devices. But it is not as if you haven't been well advised of the situation, is it ...... so does that suggest you have learning difficulties and/or have a limited and limiting intelligence and a stunting imagination? ...... .... Changed SNAFU Times indeed in Deeds.

    Nowadays spinning tall crooked tales is a sure telltale sign of mass intelligence weakness, which is pathetic in the extreme to deny.

    Who/what tells you what to expect tomorrow with media tales of what is being hosted and posted today by useful puppets and useless muppets alike .... and who profits in the shadows on right dodgy markets with systems which cannot afford to not make good on the promise to make future killings?

    It's all about keeping people stupid and unaware of the quandary and quagmires they be in.

    And aint that another doozy to try and deny is a fact with the spinning of more sub-prime fiction.

    1. Teiwaz Silver badge

      Re: Jackanory?

      It's all about keeping people stupid and unaware of the quandary and quagmires they be in.

      Whoo Boy, is that coming back to bite them in the form of flat-earthers, climate denailists, anti-vaxxers, rise of right and alt-right (brexiters and trumpeters?) and fake news.

  10. LeahroyNake Silver badge

    His opinion

    "I don't agree massacres of people should be filmed and shown on the internet or elsewhere. I don't think [child abuse images and footage] is OK. I don't think, either, that we should permanently try to use the underlying infrastructure to stamp out content we don't like."

    I agree with all three points mentioned above. The first point though, when it involves <strikeout>US<\strikeout> armed forces killing civilians anywhere. It should not be possible for agencies or governments to block what they do not like / the great firewall of China.

  11. Anonymous Coward
    Anonymous Coward

    Errr, the fundamental flaw in Sullivan's argument

    Is that we don't live in a democracy.

    It's only an illusion.

    Ergo all bets are off when it comes to authoritarianism - doesn't matter if it's communism, capitalism, tribalism, nationalism, patriotism or religion - it's all about control.

  12. solinmoon

    /etc/hosts restricts access into my private property

    DoH gets around my ability to use /etc/hosts to limit who has access into my private property, my personal computing device.

    I pay for bandwidth. I can restrict useless, to me, content from ever getting into the pipe.

    This will just be another arms race.

    Opportunity for a new browser that will have be aggressively proactive and scan the web page as it loads and change any links that are in /etc/hosts to whatever /etc/hosts specifies as the IP address.

    Same as it ever was, the powerful taking authority away from the individual.

    1. Charles 9 Silver badge

      Re: /etc/hosts restricts access into my private property

      Using IPs won't help you because of SNI. HTTP needs the actual host name to resolve a multi-hosted server that uses one IP for multiple services.

      1. NetBlackOps

        Re: /etc/hosts restricts access into my private property

        I've had a proxy for years (over twenty) that dynamically rewrites HTTP(S) on the fly so substituting a locally hosted web site/page for whatever hosts I wish to block/trash isn't at all hard. Started as blocking blinking text, cookies, javascript, &c.

        1. Charles 9 Silver badge

          Re: /etc/hosts restricts access into my private property

          But you can't just replace a host name with an IP to bypass DNS because most hosts use SNI (which is a server-side thing) to multiplex hosts from a single IP.

  13. JohnFen Silver badge

    Internet Society membership

    Considering the list of the most important members of The Internet Society, I'm pretty skeptical about the motives behind their proclamations.

  14. SNAFUology
    Angel

    Oh {Sigh} !

    "condemned governments that "interfere in underlying technologies that people are allowed to build," as regulators increasingly target net infrastructure to enforce their visions of how the online world **ought** to be."

    Now who could determine that ? and why isn't it that way already ?

    {analogy}

    People have used toilets (WC's) for years now:

    they still are designing new ones, have bad ones, people without one, have a need to get deep in it to fix one or otherwise,

    and they in some way are more necessary than the internet (provided it isn't the only form of communication).

    Guess we will never have an 'ought to be internet' that works perfectly then.

  15. Dr Stephen Jones

    Google speaks

    Google devises a protocol which secures its ad business against ad blockers and centralises control over the internet

    Google funds Mozilla $300m a year, Mozilla advances it as a “community initiative”.

    Google funds the Internet Society (sadly now a Big Tech lobbying shop) to tell you opposing the new protocol is a really bad idea.

    You do see what’s happening here folks, don’t you?

  16. EnviableOne Bronze badge

    DNS over What

    DNS is not port 80 web traffic so shouldnt be going over port 443

    DNS is its own protocol, so should have its own secure protocol like

    HTTPS is to HTTP

    FTPS (FTPoT) and SCP/SFTP (FTPoS) are to FTP

    DNSCrypt and DoT fit this bill, but DoH does not.

    segregating this traffic allows more effective monitoring and prioritisation of this specific service and reserving the dedicated port 853 achieves this.

    the aim of encryption is privacy, and even if this is segregated from HTTP traffic, this is achieved by TLS (and 1.3 enhances this)

    1. Charles 9 Silver badge

      Re: DNS over What

      "segregating this traffic allows more effective monitoring and prioritisation of this specific service and reserving the dedicated port 853 achieves this."

      It ALSO allows The Man to BLOCK unwanted services by simply controlling that port wholesale. It's unavoidable: a dedicated port is easy to manage: by you OR The Enemy. That's what a tunneled DNS like DoH is meant to defeat.

      1. Roland6 Silver badge

        Re: DNS over What

        It also means that on the WAN interface I have port 443 open and HTTPS service running (on that port), on routers that is probably not a good idea, given if the HTTPS service is running the management web console is probably also available on that port...

        1. Charles 9 Silver badge

          Re: DNS over What

          Most routers I know use a custom port. Otherwise, you're in a dilemma because of what I said earlier (if not the State, then your ISP may hijack the port wholesale).

  17. Joseba4242

    "You could embed the blocklist in servers on the internet."

    No you can't. Well, technically you can of course but in reality it cannot be enforced.

    The whole reason why blocking happens on infrastructure level is because it doesn't work at server level. ISPs are accountable to local jurisdiction, the operators are (usually) responsible businesses and there are a reasonably small number of them so they can practically be addressed.

    There are hosting providers out there that tolerate kiddie porn. If even that content can't be removed from servers, what chance is there for other illegal content?

    Why would IWF bother with ISP blocking if they could just get that content removed from the servers?

    That's not even talking about jurisdictional issues for which there isn't an obvious answer. Why should a server operator in Netherlands block content that a UK court deems illegal?

    There simply isn't any alternative. What they are proposing means in reality no content, however bad, will be blocked one the proposals are implented. This argument of "I agree with the intentions but there are other means" just isn't true.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019