back to article Internet imbeciles, aka British ISP lobbyists, backtrack on dubbing Mozilla a villain for DNS-over-HTTPS support

The brain-dead Internet Service Providers Association (ISPA) has backtracked on its nomination of Mozilla as an "internet villain" for 2019 after online outcry. "In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion," the bonkers UK-based lobbying …

  1. tfewster Silver badge

    Dear Police

    - if you want to know which sites I've been looking up, get a fucking warrant and serve it on my DNS provider.

    (Note, post may display evidence of ignorance over how DNS/HTTPS works. I would have thought that the IP address that subsequent HTTPS traffic went to would be sufficient to build a case for a warrant, even if an IP address hosts multiple legit and dodgy websites.)

    1. Pascal Monett Silver badge
      Thumb Up

      Re: Dear Police

      Right with you there, well said.

    2. hittitezombie

      Re: Dear Police

      As explained, if you use a reverse proxy service like Cloudflare, that information disappears, although they can send a warrant to there. It is just extra work they don't want to do.

    3. Pier Reviewer

      Re: Dear Police

      You’re right about getting a warrant. The IP address doesn’t really tell an investigator anything though. For example a ne’er do well may host a proxy website fronted with CloudFlare that grabs illegal content from Tor or whatever and sends it back to the user.

      The user is seen connecting to an IP address for CloudFlare. Not really dodgy.

      I have a small amount of sympathy with the police etc. They’re stuck between the push for better privacy rights which I agree with, and the pressure for them to nick bad folk, which I also agree with. It’s about striking an appropriate balance (which is what warrants are for). The difficulty they have is that you can’t get a warrant if you don’t know something bad has happened. You need intel. Humint is both expensive and unreliable as a rule.

      We as a society just need to have that conversation and decide where we want the balance to be, and what we’re willing to give up to get it (i.e. do we lean more towards privacy > all or more towards criminals being detected and prosecuted?). It’s not happening atm. Governments try to make changes without seeing what the people actually value. Never going to end well...

      1. LDS Silver badge

        "The IP address doesn’t really tell an investigator anything though"

        Yes, no, maybe. There's not an hard rule. Some people are smart about IT and can cover their tracks better than others. Some are utterly stupid/naive/unaware/etc. and don't. When you have to investigate, you look at everything - thinking "no, he/she couldn't be that stupid" could just make you miss the evidence you need. You may need the destination IP, or the source one, or both.

      2. JimmyPage Silver badge
        Mushroom

        Re: I have a small amount of sympathy with the police etc.

        Sorry, I have fuck all sympathy for them. Every power they have ever been granted has never been enough. Nothing is ever good enough, and they are just as institutionally racists as they were 40 years ago. There's no other job in the the UK where you get to blow an innocent mans head clean off, and walk away with a pension.

        So fuck them. They can bloody well do their job, do it by the rule of law, and also (controversially) be subject to the same rule of law. *Then* they'll have my sympathy.

        My views may have been tainted by the recent story that they police were allowed to send a 17-year old girl to be sexually exploited for a case. That's a child in the UK, just in case you didn't know. A child FFS.

        1. Anonymous Coward
          Anonymous Coward

          So fuck them

          And the horse they collectively rode in on as far as I'm concerned.

        2. I'm Brian and so's my wife

          Re: I have a small amount of sympathy with the police etc.

          Do you have a link please?

          1. JimmyPage Silver badge

            Re: Do you have a link please?

            What for ?

            1. baud Bronze badge

              Re: Do you have a link please?

              for "police were allowed to send a 17-year old girl to be sexually exploited for a case", or "blow an innocent mans head clean off, and walk away with a pension" I guess

              1. Anonymous Coward
                Anonymous Coward

                Re: Do you have a link please?

                > for "police were allowed to send a 17-year old girl to be sexually exploited for a case", or "blow an innocent mans head clean off, and walk away with a pension" I guess

                Assuming the blow a man's head off and walk away with a pension applies to Jean Charles de Menezes then Cressida Dick (in command of the operation at the time) is still employed by the police and so, technically, is yet to walk away with her pension.

                [No pensions were harmed during the making of this film.]

                1. baud Bronze badge

                  Re: Do you have a link please?

                  Thank you.

              2. JimmyPage Silver badge
                Flame

                Re: Do you have a link please?

                Here you go

                I'll also post the text ...

                QUOTE

                bbc.co.uk

                Use of child spies by Home Office 'lawful'

                3-4 minutes

                A girl standing in a hoodie Image copyright Getty Images

                Allowing children to be used as informants in criminal investigations is lawful, the High Court has ruled.

                Charity Just for Kids Law brought the case against the Home Office over the use of children by police and other bodies in England and Wales.

                The campaign group said the safeguards in place were inadequate and the practice breached human rights.

                But the High Court rejected the legal challenge, saying there was a "system of oversight" in place.

                In March it was revealed that 17 children had been used to secretly gather intelligence for police and other agencies in the last four years.

                Lord Justice Fulford, the Investigatory Powers Commissioner who is carrying out a review into the use of children as covert human intelligence sources (CHIS), said one of the informants was 15 years old, while the others were aged 16 and 17.

                The Home Office had argued that undercover under-18s helped prevent and prosecute problems such as gang violence and dealing drugs.

                However, concerns over the use of juveniles were raised in the House of Lords last year with the case of a 17-year-old girl who was recruited to spy on a man who had been exploiting her sexually.

                The peers heard that the girl continued to be exploited sexually while she was deployed by police.

                Charity may appeal

                Dismissing the charity's case, Mr Justice Supperstone said he was satisfied the scheme was lawful.

                The judge said children were "inherently more vulnerable than adults" and that the "very significant risk of physical and psychological harm" to them from being a CHIS in the context of serious crime is "self-evident".

                However, he said he rejected the charity's contention "that the scheme is inadequate in its safeguarding" of the juveniles involved in the scheme.

                Just for Kids Law, which used crowdfunding to pay for the case, said it was disappointed and was considering whether to appeal against the decision.

                The charity's chief executive, Enver Solomon, said the judgement acknowledges the '"variety of dangers" that arise from the use of children as covert informants in the context of serious crime.

                He added: "We remain convinced that new protections are needed to keep these children safe."

                Presentational white space

                Security minister Ben Wallace said the ruling showed the court recognised that the protections in law ensure "the best interests, safety and welfare of the child will always be paramount".

                Children had been used as informants fewer than 20 times since January 2015, he said, but they remained "an important tool to investigate the most serious of crimes".

                He added: "They will only be used where necessary and proportionate in extreme cases where all other ways to gain information have been exhausted."

                ENDQUOTE

                So if you think I have a shred of sympathy for suck fuckers like that you can fuck right off to the far side of fuck and then fuck off some more. I really don't care about the nuances of the case. You don't do that in a society that you want me to be part of.

                1. baud Bronze badge

                  Re: Do you have a link please?

                  Thank you. I hadn't heard about that story and I'm somewhat relieved I'm not part of a society that's condoning that shit, even if I'm sure it's no better where I live

                  1. Adrian 4 Silver badge

                    Re: Do you have a link please?

                    Clearly, whatever the policy regarding use of children, in that case there was not sufficient oversight. Never mind the police - Ben Wallace is in the frame for prosecution there.

          2. Anonymous Coward
            Anonymous Coward

            Re: I have a small amount of sympathy with the police etc.

            Link for heads blown off and then a pension? https://en.wikipedia.org/wiki/Sunday_Bloody_Sunday

            Anonymous, obviously. BTW, thanks el Reg -- I now have DoH set up on Firefox.

        3. CountCadaver Bronze badge

          Re: I have a small amount of sympathy with the police etc.

          Actually thats where the law in the UK is unclear in regards to when someone becomes an adult - Age of consent is 16, you can get married at 16, you can leave home at 16, you can start work at 16 full time, you can leave education at 16, you can get married at 16, join the military at 16 (but not be deployed till 18), make homemade grumble flicks with your SO at 16, You can't however drive till 17, appear in a commercial adult flick until 18, vote in some elections till 18, drink until 18, smoke until 18.

          Its a mess, a total and utter mess, they should have made it all either 16 or 18, I'd lean towards the former though as you can leave home, get married and join the military at 16.

          (Eastern Europe is often ~14, hence why eastern european adult movies are blocked from the UK due to the difference in legal age of consent)

          However I don't agree with letting someone (of ANY age / gender / sexual orientation) be further exposed to sexual exploitation etc UNLESS they are fully aware of the risks, have been given independent advice from a lawyer, that there is independent oversight of it, full and immediate backup to extract this person at a moments notice if necessary, that they willingly agree to this once they are aware of the risks and have been given ALL the information AND had time to think about it - i.e. to ensure there is plenty evidence against the person who has exploited / abused them AND where there is no other option that could be used to get the evidence.

          Sometimes getting information to stop something can only be achieved by covert means and often those methods make us uneasy. However if the person involved willingly takes part (i.e. to make sure their abuser is convicted and put away to protect others from that abuser) then so be it. I know if someone said to me "go through this one more time to get the evidence we need to put your abuser away for serious time and implicate others" then I'd find it very hard to say no.

          1. Anonymous Coward
            Anonymous Coward

            Re: I have a small amount of sympathy with the police etc.

            > you can start work at 16 full time, you can leave education at 16

            Not any more. You have to stay in some sort of education until 18. So that can be at school (the traditional higher-education); at college doing some sort of vocational course; or at work doing a recognised apprenticeship.

            1. unimaginative

              Re: I have a small amount of sympathy with the police etc.

              The law says you have to stay in education until you are 18 but there is no punishment if you do not so.

              The problem is that parents are no longer assumed to be able to force a 16 year old to attend so the requirement is now an obligation of the 16 year old. They may not have enough money to be worth fining, and sending them to prison for not going into education is hardly constructive. In any case punishing people for their own good is problematic.

              1. Anonymous Coward
                Anonymous Coward

                Re: I have a small amount of sympathy with the police etc.

                > "punishing people for their own good is problematic."

                They should "hang by the neck until they cheer up!".

                Monty P.

            2. Anonymous Coward
              Anonymous Coward

              Re: I have a small amount of sympathy with the police etc.

              There are a few other issues with this statement.

              YES, you can get married at 16 - but only with the consent of the two sets of parents - and only to another UK citizen. Want to marry someone from abroad and it goes up to 21 for most countries.

              Grumble flicks at 16 - no, you are wrong, it is just the law is rarely enforced. In theory, even bikini shots are classed as child porn if you are under 18 and arent on a beach or at the pool.

              Education has already been covered.

              Military - this is only a recent guideline, and not (AFAIK) law; plenty of 16/17 y/o's sent to the Falklands war, N Ireland, Bosnia etc.

              You should be grateful for the the rest, it used to be 21; go thank the Monster Raving Loony Party for getting the laws changed.

              1. Richard Tobin

                English, not UK laws

                Several of these are not governed by UK laws. In particular, the requirement to stay in some sort of education until 18, and for parental consent to marriage if under 18, do not apply in Scotland (I haven't checked on Wales and Northern Ireland).

          2. Jamie Jones Silver badge
            Childcatcher

            Re: I have a small amount of sympathy with the police etc.

            The legal age for drinking alcohol in the UK is FIVE.

            Seriously.

            1. Tom Paine Silver badge

              Re: I have a small amount of sympathy with the police etc.

              Well, 'pon my soul!

              https://www.drinkaware.co.uk/alcohol-facts/alcohol-and-the-law/the-law-on-alcohol-and-under-18s/

      3. Anonymous Coward
        Anonymous Coward

        Re: Dear Police

        "I have a small amount of sympathy with the police"

        Don't worry, once Boris gets in they'll be up for privatisation right after the NHS.

        After all, poor people don't need police, because they don;t have anything worth stealing, right?

        1. SolidSquid

          Re: Dear Police

          Or for being cut like the fire brigade when he was London mayor

      4. Pete4000uk

        Re: Dear Police

        'We as a society just need to have that conversation and decide where we want the balance to be'

        LOL, we arnt going to get any say in this!

      5. Doctor Syntax Silver badge

        Re: Dear Police

        "We as a society just need to have that conversation and decide where we want the balance to be"

        We had that conversation several centuries ago and came up with a good answer, the presumption of innocence. The conversation that's needed now is about why it's being ignored so often.

        1. Pier Reviewer

          Re: Dear Police

          It’s important to understand and accept that rights are not absolute. That’s the point I tried (poorly it seems) to make.

          The right to be presumed innocent unless found guilty does not preclude my arrest by the police, or being bailed on restrictive terms, because victims of crime have a right to justice. The police therefore need some investigative powers.

          My right to free speech is likewise not absolute. If I were to claim you to be a kiddy fiddler you would understandably find take umbridge with that, and the courts provide relief in the form of slander and libel.

          A classic example is going into a theatre and shouting “fire” when there is none resulting in panic, stampede and injury. I can not successfully claim the right to free speech as a defence as that right is fettered by other people’s rights not to be injured because I’m an idiot.

          Rights lie on a spectrum, and it’s up to society to decide which parts of the spectrum are acceptable and which are deemed an abuse, or an unacceptable impact on another’s rights.

          Our right to privacy is not and cannot be absolute. That doesn’t mean it can’t be very close to that end of the spectrum. However society needs to choose which way it leans, and how far. More towards absolute privacy impacts on the rights of victims to receive justice, and more towards a sole focus on criminal justice impacts on everyone’s privacy. Somewhere between those points is an acceptable balance, as there is with all rights, even the right to life (driving a car at armed police is a simple test).

          It’s easy to say “I want total privacy” and leave it at that. I don’t necessarily disagree with the sentiment. Just remember that some other rights will be impacted by that choice. Failing to at least consider that and assess the choice in light of it is either pure selfishness, or in most cases a simple case of not realising. Either way, it’s not a great foundation on which to make a decision.

          1. unimaginative

            Re: Dear Police

            The (American) case from which the "shouting fire in a crowded theatre" quote comes has been overturned, and the reasoning was used to prevent people publishing an anti-war pamphlet: https://www.theatlantic.com/national/archive/2012/11/its-time-to-stop-using-the-fire-in-a-crowded-theater-quote/264449/

            1. Pier Reviewer

              Re: Dear Police

              I’m not familiar with American law. I was speaking of the test of proportionality in English law, as it applies to the Human Rights Act (which includes the right to freedom of expression, but explicitly states it may be limited).

              The test is intended to provide a framework for the courts to decide if a restriction on a right is proportional or not. As I’ve said, some limitations on rights are necessary for a functional society. It’s important that those restrictions don’t go any further than necessary to meet their objectives, ergo the proportionality test.

              It may be necessary to give up some freedom wrt our DNS privacy, but it’s extremely unlikely the courts would accept the need to give up all of our DNS privacy.

    4. Dan 55 Silver badge

      Re: Dear Police

      There's no need to get a warrant thanks to IPA 2016. 50-odd government depts including a the Welsh Ambulance Service can bring up your browsing history at domain name level via unencrypted DNS snooping.

      This is why Mozilla got the "light-hearted" award, because the ISPA don't want any trouble snooping as they're legally obliged to.

      The main thing wrong with DoH (apart from DNS over the https port) is it's more difficult than it should be setting up LAN resolution.

      1. Nick Kew

        Re: Dear Police

        The main thing wrong with DoH (apart from DNS over the https port)

        Nicely put :-)

        Not sure I agree with the rest of the sentence: the competition is strong in the field of things wrong with DoH. Something must be done, but this something isn't it!

      2. unimaginative
        Stop

        Re: Dear Police

        The main thing wrong with it is that we have DNS lookups being done in the browser instead of by the OS. It means more settings, makes trouble shooting harder (because a DNS lookup problem in the browser would not affect any thing else and vice-versa).

        1. Jaybus

          Re: Dear Police

          That depends on the viewpoint. Looking at DNS as the distributed network service that it was designed to be, the main thing wrong with DoH is that it doesn't allow for caching name look ups at a local LAN gateway. Even on the local machine, the DoH look up cache is only accessible to Firefox and not useful to any other apps. Forcing all name look ups through a bottleneck at Cloudfare is not the answer.

          I am very much an advocate of DNS privacy through encryption, but DoH, particularly when implemented in an app, is a half measure at best. We need DNS over TLS implemented in the OS resolver and allowing for a caching DNS server at the LAN gateway that uses DNS over TLS for all forwarding. Firefox, and all other client apps, should keep their hands off. Rather than implementing their own internal DNS client, why doesn't Mozilla contribute to getting DNS over TLS implemented in glibc? DoH is really counter to the distributive nature of DNS.

  2. NATTtrash
    Devil

    Mozilla replacement

    It also hasn't added a new villain to its list to replace Mozilla.

    Ahh, come on people! It is staring you in the face... Why didn't you give the honour to ICANN? They've been ploughing on for years in the hope that, some day, after all their hard work, they would deserve the recognition they crave! And now, again, they are disregarded. A sorry situation indeed. I feel for them... (Was I joking? Really? You think so? Oh dear...)

    1. Loyal Commenter Silver badge

      Re: Mozilla replacement

      Or, indeed, Nominet...

  3. Bronek Kozicki Silver badge

    Re: Mozilla

    So I went to see how to enable DoH in my browser and found the instructions at Mozilla Wiki. Surprisingly, this is not enabled by default.

    1. Anonymous Coward
      Anonymous Coward

      Re: Mozilla

      In fact it's even easier than that, just go to preferences/settings and type DOH in the search box and it takes you to the appropriate page.

      Just tick enable DNS over HTTPS.

      1. NATTtrash

        Re: Mozilla

        <tinfoil hat area>

        Thing of course is (again) a question of "who do you trust most?"

        Is this great if you're on some dodgy open network (Hello hotel! Hello Starbucks!).

        But...

        If I'm @homebase, I must admit that I trust my ISP and the legislation in my country of residence much, much more than some, activated by default US third party.

        <recycling tin foil hat>

        Then again, if for example my uni starts offering DoH servers...

      2. Anonymous Coward
        Thumb Up

        Re: Mozilla

        Thank you; typed in Homer Simpson's favourite phrase, ticked the box and off I went.

        So far no problems, in fact one website that seems to have severe issues with TLS handshakes via O2 mobile internet is actually working a lot better than it did before.

    2. Anonymous Coward
      Anonymous Coward

      Re: Mozilla

      it's not been enabled by default for UK to avoid clashing with censorship in this country. However, because authorities refused to share blacklists with Mozilla, the blacklists - when DoH gets enabled by users - will be bypassed. Nothing new here, information is power.

      1. rg287 Silver badge

        Re: Mozilla

        it's not been enabled by default for UK to avoid clashing with censorship in this country.

        It's not been enabled by default anywhere yet because it's still a slightly experimental implementation and they've been working out the bugs with (for instance) detecting captive portals and ensuring people in enterprise environments are able to reliably manage/override it in Group Policy, etc. No bloody good enabling it by default and making the internal infrastructure of enterprises, hospitals and other big networks inaccessible because the browser has decided to phone it's own DNS out to Cloudflare.

        It's there for the tyre-kickers on the nightly builds to report issues.

        That said, you are correct that when/if it does become "by default" Mozilla have said that won't include the UK. We'll have to turn it on manually if we actually want it (which quite a lot of people won't because they want their System/OS resolver to connect to their internal DNS/Active Directory/PiHole which will then use DNS-over-TLS or -HTTPS to do external resolution).

        1. iron Silver badge

          Re: Mozilla

          The recommended setting is to use DoH with fallback to unsecure DNS if that fails, which should find your internal DNS.AD no problem. Sure those queries will take a little longer but they should still work.

          Also it is present in release builds not just nightlies.

          1. Dan 55 Silver badge

            Re: Mozilla

            Don't like the idea of spamming Cloudflare with internal LAN addresses then falling back to LAN DNS, it's the wrong order. Firefox's DoH configuration should accept two servers and try the first one before the second, like normal DNS configuration.

            Also I don't think router software like OpenWRT can be configured to accept DoH and DoT on the LAN and use DoH or DoT for upstream DNS yet, which would also be helpful.

            1. 2+2=5 Silver badge

              Re: Mozilla

              > Also I don't think router software like OpenWRT can be configured to accept DoH and DoT on the LAN and use DoH or DoT for upstream DNS yet, which would also be helpful.

              I think I would be interested in trying to write a module for OpenWRT that blocks connections to IPs that haven't recently been looked up using OpenWRT's DNS server (or proxied through OpenWRT to Pi-Hole) in order to explicitly prevent DoH.

              1. Dan 55 Silver badge

                Re: Mozilla

                You'd probably kill Windows 10 services, VoIP, and torrents too?

                1. doublelayer Silver badge

                  Re: Mozilla

                  In addition to the pier-to-pier problems mentioned above, there are some other problems you might see with that. Depending on cache policies and the definition for "recent" you're using, that could break various things, as many devices maintain their own caches and contact later. It could also be problematic in various less common but still existing situations, for example when a new remote server is spun up and is accessible only by its IP as a DNS name has not been assigned to it yet, or applications that contact their own remote services, as those might have addresses outside of DNS (for example, some programs with group usage, especially games, list servers on their own main system without using DNS).

            2. Loyal Commenter Silver badge

              Re: Mozilla

              Don't like the idea of spamming Cloudflare with internal LAN addresses

              This, in my mind, is a really bad security hole. You're basically leaking information about your internal network topology to an unverified third party (and if you're using Cloudflare, one in the US where the laws around personal information treat it as a commodity to be traded). This is the sort of thing that is potentially extremely useful to an attacker. Got a privilege escalation attack? Know the names of other machines on the same network? I wonder if that machine that has a name that sounds like it might be a SQL Server is open on port 1433? Oh, looks like it is, and is using AD authentication. etc.

              I know there are other ways of discovering network topology, but it can only be useful to an attacker to know what it is in advance.

              1. doublelayer Silver badge

                Re: Mozilla

                I would suggest that DNS requests be sent to an internal DNS proxy (if you have internal names, that's already there), which can do the HTTPS stuff recursively from there. Failing that, you could send all requests to that as primary, configure it to only know internal DNS addresses, and have the HTTPS address as secondary.

                When using DoH, you have to contend with the possible issue of the trustworthiness of the DNS server, but it is not at all required that CloudFlare or Google be used. DoH could be set up by any existing DNS server with relatively little effort. I've taken a look at a basic implementation of a DoH server. I'm planning to set it up on one of my servers to see exactly how difficult it is, but it doesn't look like it will take very long.

              2. whitepines Silver badge
                Thumb Up

                Re: Mozilla

                Thank you! Finally some sanity around DoH.

                At our organization the risks from leaking all kinds of internal information to a dodgy third party (sorry, no SLA with CloudFlare, they're a risk to be mitigated not a benefactor here) far, far outweigh the "benefits" of DoH. Thanks to DoH and the fact that it can't be blocked at the edge, we've been forced to lock employee workstations down even further for legal reasons and to deny any type of BYOD on the corporate network.

                In fact I'd probably say that DoH has made privacy /worse/ for our employees, not better, since instead of blocking the unwanted external traffic now we have to control each and every device on the network at a far more invasive level than before, and instead of some degree of anonymization from the traffic going out over the central DNS servers now each and every employee gets to be tracked via their mobile phone since public Internet outside of a severely restricted browser isn't available to them any more.

                Brilliant work, Mozilla, Cloudflare, and Google! Well, I guess they now have even more data on individual users and browsing habits, plus can stop those evil DNS-based adblockers, so end goal accomplished?

                1. doublelayer Silver badge

                  Re: Mozilla

                  It sounds like you've panicked a bit too much about DoH's security risks. The kinds of problems you could see with DoH connections could also be seen by a user connecting directly to an IP address or using whatever open ports you have to run a VPN or connect through Tor. Either of those would bypass internal DNS controls and would probably flag as risks in your network analysis logs anyway. Since the use of any of those things would be violations of a security policy, you might as well tell people they must use a certain set of configurations that disallow DoH, and using DoH will be a violation of security policy. Wouldn't that pretty much solve that problem?

                  1. whitepines Silver badge
                    Holmes

                    Re: Mozilla

                    That strongly depends on what kind of device is attached, e.g. would a Google device even allow a non-Google DoH resolver to be configured?

                    For a long time a DNS based blocker was at least a deterrent for the majority of access -- anything with hardcoded access as you say would trip other protections. Now that DoH is making that impossible, the overall risk posture has changed from "misconfigured device likely to be blocked at firewall" to "misconfigured device leaking sensitive information over HTTPS". Without DPI and MITM on all HTTPS traffic it's not even possible to determine who is accidentally violating policy without random search of the attached devices, which goes into GDPR territory for BYOD and basically means no BYOD on the corporate net period.

                    Allowing employee Internet access, especially with relatively relaxed policies on what software could be used, was always a balance between risk and productivity. Now that the risk for both sudden legal action (employee browsing blacklisted material without detection at our firewall) and internal data leakage to known hostile entities is that much higher, it outweighs the impact to productivity. Simple as that.

  4. Anonymous Coward
    Anonymous Coward

    The post was popped online anonymously by some coward

    Disgraceful!

    .

    .

    :-)

    1. David Lewis 2
      Big Brother

      Re: The post was popped online anonymously by some coward

      No.

      We know your real name is Lord Lucan.

      We know where you live.

      We know who you associate with.

      We know if you put the wrong sort of waste in your recycling bin.

      We are watching you.

      Have a nice day!

      Toodle Pip, GCHQ Welsh Ambulance Service

  5. sabroni Silver badge
    Thumb Up

    Quality trolling!

    This is why other tech sites can't compete with El Reg!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Quality trolling!

      well, I hate to say this, but other tech sites (zdnet) have provided a fool's how-to guide, including screenshots :)

      1. Anonymous Coward
        Anonymous Coward

        Re: Quality trolling!

        Not sure if that's a pop at The Reg or a statement about the intelligence of other sites' readership??

        1. Anonymous Coward
          Anonymous Coward

          Re: Quality trolling!

          it's both. Who said you can't have idiots' guide and quality material under the same roof. It's about microsegmentation, catching all possible revenue streams, etc, etc ;)

      2. Anonymous Coward
        Anonymous Coward

        Re: other tech sites (zdnet) have provided a fool's how-to guide

        A fool's guide on trolling the ISPA? I can't find it on their site, got a link?

        1. osmarks

          Re: other tech sites (zdnet) have provided a fool's how-to guide

          1. implement useful security feature

          2. wait for ISPA to complain

          3. mention this to tech press

          4. ???

          5. profit

  6. old_IT_guy

    Kieren for Pres!

    superb breakfast laugh, thanks!

  7. Mephistro Silver badge
    Devil

    ISPs giving Internet villain awards?

    Jokes write themselves nowadays, don't they?

    1. JoshOvki

      Re: ISPs giving Internet villain awards?

      I wonder if they tried nominating themselves first

      1. Glen 1 Silver badge
        Joke

        Re: ISPs giving Internet villain awards?

        more like nominet-ing. Amirite?

    2. Benson's Cycle

      Re: ISPs giving Internet villain awards?

      Black farce, actually.

  8. Claverhouse Silver badge

    You mean old Trump is more of an enemy to Internet & Whistle-blowing freedom than that poor wretch Obama ?

    1. veti Silver badge

      He is now.

    2. Anonymous Coward
      Anonymous Coward

      Not heard of net neutrality, bob?

  9. joeW Silver badge

    "the police have complained about the 'unintended consequences'"

    Good enough for me, where do I sign up?

  10. Spanners Silver badge
    Big Brother

    "However, this privacy-protecting technology has turned out to be controversial"

    DoH is about as uncontroversial as it gets. Among more controversial things are...

    Anti virus programmes

    Basic internet security

    HTTPS itself

    VPNs

    Encryption and

    Not sticking all my internet activity on a notice board outside my house.

    The only discussion that needs to occur is in persuading the uninformed that they need it.

    1. Lee D Silver badge

      Re: "However, this privacy-protecting technology has turned out to be controversial"

      "Anti virus programmes" - programs under the control of a commercial third party, running with complete system privileges even when nobody is logged on, intercepting every single file access, and acting on un-decipherable instructions downloaded from the internet to decide what to do with every file access, and uploading random data to the Internet for "research purposes". AV is the biggest security hole that exists today.

      If you're a security professional suggesting that AV on every machine is essential, I seriously question your credentials and/or who you're working for.

      Much, much, much, much more secure to not have that crap, and implement security policies that mean arbitrary executables won't run.

    2. Joseba4242

      Re: "However, this privacy-protecting technology has turned out to be controversial"

      Quite so. Whether or not we should hand over DNS lookup data for 70% of browsing and 80% of mobile activity to Google seems uncontroversial to me indeed.

  11. Anonymous Coward
    Anonymous Coward

    "genuine desire to engage in a constructive dialogue"

    "to draw attention to an important issue in a light-hearted manner".

    These two don't add up.

  12. Anonymous Coward
    Anonymous Coward

    another warm chunk of sloppy garbage floating in the toxic hell soup of the modern internet

    Round of applause for that!

    Only joking.

    No, seriously :)

  13. Anonymous Coward
    Anonymous Coward

    Barbara, is that you again?!

    Alexa, how to enable DoH in Firefox...

  14. mark l 2 Silver badge

    To be honest i fail to see why the ISPs should be that bothered about people using DoH? Sure they are required by the government to block certain content at the DNS level which is what they are doing. If people use technology such as VPN, proxys or DoH to get around those blocks why should they care?

    The ISPs only implemented these blocks because the government required them to do, if the law were to be repealed most of them would probably drop the DNS blocking and history retention as it costs them money to maintain with no benefit to them. And there main goal is to squeeze as much money out of every subscriber as possible not police the internet.

    1. Dan 55 Silver badge

      They're required by the government to hand over Internet Connection Records but they're not told what technology to use to create those records, so if everyone starts using private DNS resolution they're obliged to use DPI to create them. They can't just shrug and say "dunno, plain old DNS doesn't work".

      1. Anonymous Coward
        Anonymous Coward

        talk-talk and virgin are the only ones I've experience with, and both already use DPI.

        Anyone know about any of the others?

    2. Suricou Raven Silver badge

      In the case of the child abuse filter, it's not actually a law to repeal. It's more a soft pressure. The government *could* pass a law, but would rather not - so as long as all major ISPs maintain a 'voluntary' filter in compliance with the government requests, no law is needed. If one of them refused to do as they were politely asked, then the law would sail through parliament easily.

      Sort of an 'offer you can't refuse' deal.

      1. Doctor Syntax Silver badge

        "The government *could* pass a law, but would rather not"

        The government could pass all sorts of laws. It could pass a law to abolish gravity, for instance. Only the laws rooted in reality will actually work. That was the point of Cnut's demonstration about a millennium ago.

    3. Lee D Silver badge

      Quite... they should just shrug their shoulders and say "Here's the information you asked for. Yes, we know it's useless to you. But that's what you asked for."

      As technology progresses, the very idea of "trusting" the ISP to be anything more than a shifter of encrypted packets gets more laughable... I honestly don't understand why they were ever considered anything else.

      There will come a point where all Internet traffic is encrypted point-to-point and even metadata becomes next-to-useless. It's inevitable.

      If someone could please get off their backside and replace email too, we'd be a damn sight closer. SMTP over TLS is *not* end-to-end encryption between sender and intended receiver and cannot be with current protocols.

    4. Yet Another Anonymous coward Silver badge

      >i fail to see why the ISPs should be that bothered about people using DoH

      Because the excuse about GCHQ/council dog wardens needing it to stop communist ISIS child abusing terrorist non-recyclers is a consignment of geriatric shoemakers

      It stops the ISPs getting lots of lovely customer traffic to sell to advertisers

  15. j.bourne
    Windows

    Perplexed

    Maybe it's just me, but I don't see a huge benefit in DoH for concealing Internet history, except to ensure that the results received are from the queried server( i.e. no MITM). After all, if you use those results (HTTPS or not) you'll be exposing the fact of a connection to a specific site (time + IP = site identification) to your ISP (or any other interested parties with access to your ISP logs).

    1. Nageki

      Re: Perplexed

      Partially true, which is why it should be combined with a VPN for true privacy. However, an IP address does not really identify a website anymore. A single IP can serve dozens of websites, and a large number of websites these days are behind reverse proxies like Cloudflare. The only thing the ISP would see is a connection to a random Cloudflare IP which could be used for any number of sites. The bigger problem is the SNI which is unencrypted and identifies the website, but Firefox has implemented encrypted SNI along with DoH so it's all good.

    2. Graham Cobb

      Re: Perplexed

      There is value in hiding name translation. Many different sites are hosted on the same IP address (small sites use shared hosting servers, large sites use Cloudflare and others).

      So, if your lookup for "badsite.childporn" (has that TLD been sold yet?) returns 1.2.3.4, that doesn't necessarily allow anyone to work out what site you were visiting as that address may also be hosting "puppies.lovely".

      Note: this is only half the problem. Currently the TLS protocol used for https: traffic sends the server name in cleartext anyway! There is a new feature called "Encrypted SNI" to encrypt that. There is a good blog post explaining it on the Cloudflare site.

      So, DOH is half the answer, ESNI is the other half.

      1. tfewster Silver badge
        Thumb Up

        Re: Perplexed

        Thanks Graham - the explanation at https://blog.cloudflare.com/encrypted-sni/ shows that ESNI is quite elegant, as it offloads the SNI portion to DNS (which seems like a valid extension of DNS anyway).

        1. j.bourne

          Re: Still Perplexed...

          OK, so an IP doesn't identify a specific website (in many cases) so, If I make a dns lookup for 'dogsittingonyourface.com' and get an IP 123.456.789.012 back - then go visit the same IP over HTTPS - it's still no guarantee that I actually visited 'dogsittingonyourface.com' is it? I could have been visiting 'catsittigonyourface.org' instead if it's hosted at the same IP. Add further that I expect that there are many more DNS lookups being spammed out from my computer that aren't due to directly typed URLs or clicked links - just page content loads...

  16. Hstubbe

    DoH is not all good

    I still don't get this DoH praise. DoH simply replaces a decentralized logging opportunity with a concentrated, centralized logging opportunity. Instead of hundreds if not thousands of ISP's being able to log your DNS lookups, we all send all our DNS lookups to one party (cloudflare in the instance of firefox). So cloudflare will be able to build a big database of the browsing behaviour of all firefox users that have DoH enabled.

    So why is trusting a US company like cloudflare with that any better than trusting my local ISP? No thank you, I trust my ISP a bunch more than some NSA subsidiary.

    I myself disabled DoH on all my devices that have firefox. I'd switch browsers because by forcing DoH upon users firefox has clearly abandoned their 'privacy first' goals, but there isn't a browser left that cares about users anymore. The only alternative is spy-by-default chrome/chromium (which of course will also force DoH for your own good soon).

    DoH in itself is a nice idea, it's just that the implementation forces all DNS requests world-wide to go through one company which seems like a terribly bad idea to me.

    1. Anonymous Coward
      Anonymous Coward

      forces all DNS requests world-wide to go through one company

      Not true, you can choose from a shopping list of DoH enabled servers quite apart from the default offered by firefox.

      At the moment not a huge amount but give it a bit of time and there will be hundreds.

      These people are already implementing some.

      https://dev.to/commonshost/how-we-built-a-doh-cdn-with-20-global-edge-servers-in-10-days-1man

      Of course if you are really serious about DNS security use DNSCRYPT or a VPN.

    2. Loyal Commenter Silver badge

      Re: DoH is not all good

      I'd switch browsers because by forcing DoH upon users firefox has clearly abandoned their 'privacy first' goals

      Except, of course, that the settign to use DoH is off by default, so nobody is forcing anyone to use it.

      Always best to establish the facts before issuing the tirade.

      I did, in fact, turn it on, and found that the browser hung after about 20 seconds, probably because of the chonky corporate gateway proxy at work, so I turned it off again. I'll probably try it out at home when I get round to it, to see if it's more stable there.

      1. Hstubbe

        Re: DoH is not all good

        "Except, of course, that the settign to use DoH is off by default, so nobody is forcing anyone to use it."

        Not yet at least, but they're planning on turning it on by default, instead of the current default. At least, that's what's reported at zdnet: https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/

        1. CommanderGalaxian
          FAIL

          Re: DoH is not all good

          "...but they're planning on turning it on by default..."

          That is literally exactly the opposite of what is reported in the article: "We have no current plans to enable DoH by default in the UK" .

  17. Sulky

    Mozilla not the only one doing it

    Funny how the owners of Android weren't included as a villain, Android now has DoT by default and you can set your own host, of which plenty abound. It must have been an oversight by the ISPA and nothing to do with the fact Android's owners are, um, members of the ISPA.

    1. Dan 55 Silver badge

      Re: Mozilla not the only one doing it

      Out of the box Android 9 is set up to try DoT then fall back to plain old slurpable DNS if that fails, so the ISP can just block DoT and most people are probably none the wiser.

  18. Will Godfrey Silver badge
    Happy

    Streisand effect

    Nice of them to tell as many people as possible about this.

  19. Franco Silver badge

    Nice one El Reg!

    Might I suggest your old friends Nominet as a replacement in the villain category? Purely in a light-hearted way of course....

  20. Augie
    Thumb Up

    Superb!

  21. Anonymous Coward
    Anonymous Coward

    piHole all the way - ahoy !

    Surely the hardcore El Reggers are already running something like a piHole to avoid ads and trackers ? Not too difficult to setup DNS-over-HTTPS. In fact the newer versions might have it already running. I'm an earlier adopter and had to set it up by hand.

    Of course the next step is a DNS roulette system which arbitrarily chooses a DNS route out of many tens as and when. Try to piece that together.

    AC, obviously !

    1. Anonymous Coward
      Anonymous Coward

      Re: piHole all the way - ahoy !

      Have you tried updating it lately? It's built in on mine. (Settings/DNS tab scroll to the bottom and tick use dnssec) Quad9 and cloudflare are available or you can choose your own)

      Pi-hole Version v4.3.1 Web Interface Version v4.3 FTL Version v4.3.1

    2. Anonymous Coward
      Anonymous Coward

      Re: piHole all the way - ahoy !

      A better way would be to use Unbound with piHole rather than trust a third party. It's really easy to set up: https://docs.pi-hole.net/guides/unbound/

      1. Anonymous Coward
        Anonymous Coward

        A better way would be to use Unbound with piHole

        Thanks AC for the very useful link, now working perfectly on my linux based pihole installation.

        Never really liked the idea of trusting some random provider for this.

      2. Reg Reader 1

        Re: piHole all the way - ahoy !

        and, for those of us who don't do this as a job, calomel.org has some good examples of setting up unbound

        https://calomel.org/unbound_dns.html

  22. Anonymous Coward
    Anonymous Coward

    DoH isn't "uncontroversial"

    Quality journalism. DoH isn't without problems, see for example the following two presentations from UKNOF.

    https://indico.uknof.org.uk/event/46/contributions/668/attachments/898/1109/UKNOF43_Potential_ISP_challenges_with_DNS_over_HTTPS_Issue_1A_050419.pdf

    https://indico.uknof.org.uk/event/43/contributions/574/attachments/786/966/UKNOF_Its_DNS_Jim.pdf

    It does change the trust model during browsing, and you may end up somewhere else than you originally intended...

    1. stiine Silver badge

      Re: DoH isn't "uncontroversial"

      If you think those are problems, you must work for a ISP who's about to lose a large part of their budget or for the damned goverment.

      1. Joseba4242

        Re: DoH isn't "uncontroversial"

        Lots of specific, concrete issues brushed aside with a one-line ad hominem attack. Quality commentary!

        How about refuting them instead?

        Or explaining why the vast majority of internet users who will use the default settings should trust Google and Cloudflare more than their local ISP?

  23. Data Mangler

    How will DoH affect ad blockers?

    I'm given to understand that the first malware using DoH to evade detection has already been spotted. What happens when ad-flingers start using DoH to avoid DNS traps?

    1. Dan 55 Silver badge

      Re: How will DoH affect ad blockers?

      If your anti malware scanner is defenceless against DoH it's also defenceless against malware which connects to the C&C server with a fixed IP.

      Ad flingers can't tell the browser how to resolve.

      1. Joseba4242

        Re: How will DoH affect ad blockers?

        Fixed IP addresses can be detected and taken down; that's why they use DNS which survives much better.

  24. Jellied Eel Silver badge

    Heroes and villains

    So having done stuff with ISPA, I'm not entirely suprised. See-

    Oscar Tapp-Scotting & Paul Blaker, Global Internet Governance Team, DCMS – for leading the UK Government’s efforts to ensure a balanced and proportionate agenda at the International Telecommunications Union Conference

    An odd 'hero' to pick given DCMS's role in things like age verification and content 'management'. Or just being the UK's implementation/enforcement arm for this bit of villainry-

    Article 13 Copyright Directive – for threatening freedom of expression online by requiring ‘content recognition technologies’ across platforms

    But that also shows a lack of joined-up thinking, or possibly self-preservation. If most content access will occur via DoH, well, sorry, ISP's can't help you manage that problem.

    (or, because politics, the nomination of Trump for villain. FCC, EU or DCMS would have been better candidates, but less right-on. Or should that be left-on?)

  25. amanfromMars 1 Silver badge

    Manna from On High Above .... PBUH

    This is because DNS snooping and filtering is easy, whereas spying on DNS-over-HTTPS is most certainly not,

    Be Reliably Advised IT Made Sure Command and Control of the IMPossible was Available to Lead All in Greater Beta AIDirections ........ Mega Grand AIMajor Productions with Virtually Realised Presentations to Score. ..... and Host Global Allies. Friends and Foe alike in the Worlds of Others is the Present Jump Point/ Absolutely Fabulous Quantum Leap Step to Provide with Almighty Magical Scripts to Supply .... well, the Most Radical of All Systems are a Happy Customer of Services Provided and Provisioned For. That's surely a Most Indicative Tell of its Provenance.

    And be aware from here, Live Operational Virtual Environments Reign with Surreal Remote Island Rule ...... Virgin Kings and Adorable Queens Territory ...... and Alien Terrain for Commandeering and Securing with Home Grown High Grove Talent. ....... Latent Debutante and Knight of the Realms Types.

    I can all too easily imagine that route and root causing all manner of contrived problems for GCHQ/NCSC Type Operations? You know, the Real Sp00Key Stuff that is best not widely shared because it terrifies and leads terrible lives.

    Do you think that which supplies Great British Intelligence to GCHQ/NCSC will Co-Host a Program of Prime Novel Projects Realising and Drivering SMARTR MMORPG Play.

    It is a very difficult foe to fend off to a friend, and practically impossible whenever ever the love of one's life.

    And .... something quite exceptional for Palace Barracks Holywood MODified Assets to Know is Freely Available from Heavenly Crown Stores .... Immaculate Pits that are All Giving. And over the Twelfth they can have a ponder and wonder on the Power of Enlightening Scripts Exalting Scripture. ..... that Share the Release of the Knowledge of the True Essence of One's Being ...... and the Virtual Nature of Existence.

    It's only then a hop, skip and a jump or a stumble and fall into Immortal Tales, which to make sure are perfectly safe and secure, are Assured Explosive and Mind Blowing. I wonder who Punts and Hunts with Such for Blighty? Surely they gotta have somebody. And best it not be just anybody if they don't know what needs to be done in these new fangled and entangling fields of Strange Novel Communications .... Spiel Alien Style Stations.

    You know the Tease .... Who Dares Win Wins ....... Sc00ps the Eternal Prize.

    Now that wouldn't normally cause any sort of problem, El Reg, so if/whenever it does, we all know the problems to be sorted are hosting at their end.

    1. Cliff Thorburn Bronze badge

      Re: Manna from On High Above .... PBUH

      Well truly never ceases to amaze on both the size and scale of past and present driver deliverables in Live Operational Virtual Environments amfM :-) SIMply astonishing really, how some and many rely on the virtual ball on the roul et te wheel landing, with reds and blacks leaving others feeling blue?, however one cannot help but feel that leaves others grinding the axe in anticipation of badly briefed acts poorly scripted.

      Montauk?, or lets talk?, all one can do is smile and do the best one can do in difficult circumstances is it not?, grand conspiracy or Gran de performance?

      The truth is that event + reaction = outcome, but any sentient being, be it natural, or evolved through environmental manipulation will react in accordance with learning and instinct. Where this never ending story changes dependant on whether friend or FOIA, or whether Norwich Pharmaceutical Orders be just what the doctor ordered be the true questions in great game play.

      I was once told ‘do the right things and the right things will happen’ when one questions what the ‘right’ thing is anymore and the moral compass sways off course is it the puppet or the one who pulls the strings who must decide the true value of guiding principles underpinning such activities?

    2. Anonymous Coward
      Anonymous Coward

      Re: Manna from On High Above .... PBUH

      IT truly IS

  26. CoyoteDen

    Make your home network use DoT/DoH

    I have an ASUS router running the AsusWrt-Merlin firmware. DoT/DoH support is baked in. My entire home network uses DNS-over-TLS, round-robined between 8.8.8.8, 1.1.1.1, 9.9.9.9, etc.. If I'm away my phone and laptop can OpenVPN tunnel all traffic back through it.

    The router advertises itself as the DNS server, then uses stubby to forward queries over TLS/HTTPS to the servers.

    1. Anonymous Coward
      Anonymous Coward

      Re: Make your home network use DoT/DoH

      Coyote Den,

      +1 for AsusWrt Merlin mention :)

      I use DOH via my own 'filtering' DNS Server on the router as well :)

      The one question I have with DoT is that you can simply block it by blocking port 853 AFAIK

  27. SWCD

    Would've been better PR..

    ..had they nominated themselves afterwards.

    "We did mean it light-hearted, lack of real thought, the voting didn't get passed via folk who would've pointed out privacy issues, etc"

    We'd have known they were full of shit, but they'd have come off looking a little better.

  28. osmarks

    Well, too late for them, I've already gotten DNS over HTTPS turned on on most of my devices.

  29. SolidSquid

    I'll be honest, I wasn't even aware this was something Mozilla was intending to roll out as a feature for Firefox until this shit storm hit. Now I'm looking at the advantages of it and thinking it might be worth a switch

    1. Anonymous Coward
      Anonymous Coward

      might be worth a switch

      You don't actually HAVE to switch if you don't want to. (Although if you're using Chrome you'd just be pissing into the wind anyway). Apart from that you could just re purpose an old low powered pc/netbook/R-Pi, plonk Pi-Hole on it + Unbound and get your router to use that as it's dns resolver.

      I've found that setup to be pretty efficient as you just need to configure the router and leave all the clients as is, (provided they are all using DHCP from the router of course).

      I've got all the usual suspects including Google blocked at the pi-hole, an advantage of having Firefox available is if for example you have a visitor that just HAS TO HAVE google for search, you can just turn on the DOH option and they can get Google on that machine and browser ONLY, until you reset Firefox again.

  30. ldir

    Thanks for the motivation

    Just installed the DNS over HTTPS proxy on my OpenWrt based router as a result of this article.

    Now every device on the LAN is effectively using DoH for Internet related address lookups.

  31. wyatt

    Interesting piece from Cisco about DoH:

    https :// support.umbrella.com/hc/en-us/articles/360001371526-Firefox-and-DNS-over-HTTPS-default

  32. gnarlymarley Bronze badge

    distributed dns?

    Did anyone forget about the distributed DNS? Now instead of the query coming from my ISP, it will come from a google data center and that could effectively ruin everyone's attempts to distribute the load via DNS.

    1. P. Lee

      Re: distributed dns?

      Authoritative servers will still be distributed. Unless some idiot has stuck them all on Route 53.

      Basically this is what you get when you spy and censor people. Or it can be used by spyware browsers like Chrome. Mobiles are vulnerable because Apple doesn't let you see or override your 4g dhcp settings - you have to run a vpn to change those settings.

      Given Australian censorship, I use this all the time. ISPs are just not reliable.

      Next up, caching dns servers which relay over tls. Cloudflare is easy to block due to its well known ip. We need to make any IP address a potential dns server. I know it's a security and botnet risk, but overreaching government and overly compliant ISPs are a greater threat than cryptolocker.

      Also, they are one that affects me more.

      Application level name resolution as an idea also helps new tech like ipns gain a foothold by not requiring system-wide configuration.

  33. Mark Manderson
    Thumb Up

    HA!

    god I love you, reg (and author)

    :D

  34. RenThraysk

    The peeping tom lobbyists annoyed that people can use curtains.

  35. Anonymous Coward
    Anonymous Coward

    Yeah, privacy fuckwits like this ignore, for example, the way that DNS-over-HTTPS prevents the folk at the Internet Watch Foundation trying to keep child sex abuse imagery off the web. https://www.iwf.org.uk/news/exposing-child-victims-catastrophic-impact-of-dns-over-https. ISPA may be inane but this article is no less unbalanced and ignorant

  36. Anonymous Coward
    Anonymous Coward

    DoH!!... Firefox's implemenation of DoH seems to bypass the 'hosts' file!

    I've added a range of troublesome pop-up/tracking sites to 'hosts' (no, I'm not interested in vaping, online poker or MILFs in my area) and tried enabling DoH in FF, now those sites have started to pop up again despite appearing (and the ad exchange preceeding it) in 'hosts'

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019