
UK Politicians Disapprove of DNS over HTTPS (DoH) - edward
https://twitter.com/edwardbetts/status/1160591833132666880
======
2T1Qka0rEiPr
I'm guessing that almost every user of HN believes the opinion stated in the
article is ignorant / stupid / misguided. I also believe that it's ignorant on
so many levels, and whilst I particularly take issue with the "think of the
children" angle of the article, I find it nevertheless interesting that people
_do_ think this way.

I've spoken with friends and family members on numerous occasions about basic
privacy topics, and they're often met with complete apathy. The "this
endangers our children" rhetoric - though misleading - arguably _does_ have
some logical foundations. A Government who is able to watch over its citizens
could _in theory_ protect them better. It reminds me of the WhatsApp E2E
encryption debates in the UK of a few years ago, shortly after the attacks in
London.

I guess it's incumbent on us as technologists to not merely laugh and scorn at
these comments, but to acknowledge that these things have consequences,
positive and negative. We need to present the under-represented positives -
and at times I find this particularly hard without feeling / coming across as
tin-hatted.

Edit: Just on that last point - I'd love advice if anyone can provide some :)

~~~
yason
I just realised that there might be an actual, political need for something as
brittle and theatrical as DNS blocking, and probably of other things similar,
because there are large masses of untechnical nature for which it really
works.

Of course, _we_ know DNS blocking doesn't fix anything. It's like putting the
bad thing in storage and switching off the light. We know that nearly _anyone_
can route around a blacklist-employing name server in seconds, but it's all
the people but those "anyone" who can't.

And they probably think it's a really good idea. The general masses don't have
to worry about accidentally bumping into dubious content, and it also raises,
to a conscious level, the bar for those who want to bump into it. I mean, if
you have to specifically install or configure things to work around the DNS
block, you've just validated your questionable intents.

For most people, that probably makes sense similarly to a signpost at a closed
gate that says "Private yard / No pass through". Yeah, undoubtedly some people
will open the gate and try to make the shortcut through the yard but at that
point it will be clearly intentional. It's just that the externalities of DNS
blocking are infinitely higher than blocking pedestrian traffic through a
private yard, and no common people see that.

The rational counter-attack must thus focus on what would be a better
alternative rather than how DNS blocking is flawed by design. How to prevent
families from accidentally finding themselves looking at child porn, or to
make it difficult for uncle Ed to watch naked kids on internet late in the
evening while still preventing the ISPs from MITMing the DNS queries for
everyone else?

~~~
pas
The masses are free to opt-in to babyNet. They can use a SafeDNS provider. It
can be zero-touch even. Just push a DNS / DoH resolver through DHCP for the
customer. (IETF RFC is coming for DoH provisioning.)

But let the default be safe.

Of course this is usually a foreign concept to laypeople.

But to address the "accidentally CP" argument. How does that happen? You have
to "accidentally" type something into Google/Bing/Yahoo and then click
through. Or you "accidentally" have to start somewhere. And if you go to any
for profit pornsite (camsites, streamsites, blablabla), or even just a porn
subreddit, or type porn (or some explicit search terms) into a search
engine.... you don't get to anything illegal. Why? Because that's bad for
business.

So ... it seems like a perfect excuse. It maybe worked for the first closeted
gay senator/representative... but never since. So why are we still talking
about it as something that "accidentally" happens?

------
johnnyapol
The only _valid_ argument I've heard against DNS over HTTPS is that it makes
it harder for institutions / companies to block other DNS servers than their
own internal ones because they simply can't just drop port 53 traffic anymore.
This was brought up to me in the context that many universities enforce their
own DNS servers to help block malware from being able to phone home or filter
access to malicious IPs in general.

I guess in theory, this could still be accomplished by filtering based on IP -
a whole other cat and mouse game. Although, it's not like it wasn't a
cat-and-mouse game before - you could bypass these blocks by running DNS on
non-standard ports unless some form of DPI was being performed.
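
The port-53 rule and the IP-based fallback described in the comment above, as an added example that is not part of the original post. The internal resolver address, the flow-record layout and the sample flows are constructed; the public resolver addresses are the well-known ones.

```python
import ipaddress

# Assumed for this example: the internal resolver address and the
# "src dst proto dport" flow-record layout are constructed, not from the thread.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
# Well-known public resolver addresses that also answer DoH on 443.
# Any such list is incomplete, which is the cat-and-mouse part.
KNOWN_DOH_IPS = {ipaddress.ip_address(a) for a in
                 ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

def classify(flow):
    """Return the egress verdict for one flow record."""
    _src, dst, _proto, dport = flow.split()
    dst_ip, dport = ipaddress.ip_address(dst), int(dport)
    if dport == 53:
        # Classic policy: only the institution's own resolver may be queried.
        return "allow" if dst_ip in APPROVED_RESOLVERS else "block-dns"
    if dport == 443 and dst_ip in KNOWN_DOH_IPS:
        # Port alone cannot separate DoH from web traffic; fall back to IP.
        return "flag-doh"
    return "allow"

def audit(flows):
    """Return (flow, verdict) for every record that is not plainly allowed."""
    return [(f, v) for f in flows if (v := classify(f)) != "allow"]

# Constructed sample flows (203.0.113.7 is a documentation address).
SAMPLE_FLOWS = [
    "10.1.2.3 10.0.0.53 udp 53",      # internal resolver
    "10.1.2.3 8.8.8.8 udp 53",        # external resolver on port 53
    "10.1.2.4 1.1.1.1 tcp 443",       # DoH to a listed resolver
    "10.1.2.5 203.0.113.7 tcp 443",   # DoH to an unlisted resolver: missed
    "10.1.2.6 203.0.113.7 udp 5300",  # DNS on a non-standard port: missed
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:9} {flow}")
```

The last two sample flows pass as "allow", which is the gap the comment points at: without DPI, port and IP rules only catch resolvers someone has already listed.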

~~~
teddyh
There are plenty of valid arguments against DoH. If DoH becomes common, it
most likely will resemble the situation with DNS resolvers we have today.
Meaning, there would be the eternal problems inherent to centralization. I.e.
both that the centralizing powers would have enormous power to disappear
something off the internet, but also that the central servers would receive
huge amounts of constant real-time data of what everybody was doing.

~~~
zrm
We need something to encrypt and authenticate DNS, but that exists in
DNSCurve. The problem with it is that it doesn't try to hide what it is, so an
adversarial middlebox can detect and block it to try to force you to use their
own DNS.

DoH is an evolutionary response to that, because it looks like HTTPS to
Cloudflare, which is difficult to reject. And that's terrible for a lot of
reasons (inefficiency, complexity, centralization), but it solves the local
interference problem. Which means that's what we're unfortunately going to end
up with unless we can solve the interference problem another way, i.e. make
intermediaries understand that they're going to lose anyway and it's better to
allow unmolested UDP DNS/DNSCurve to the endpoint's choice of recursive
resolvers than to have everything using DoH to Cloudflare.

~~~
teddyh
There are two available courses of action. Option one: We embrace something
like DoH in order to avoid any possibility of blocking and detection. But you
then have no simple way to back out from centralization if/when centralization
(almost certainly, IMHO) slowly becomes a problem. Monopolies and oligopolies
are hard to break once formed, and absolute power corrupts absolutely. Option
two: We use DNS like always to avoid problems with centralization, and adopt a
secure DNS protocol to avoid spoofing and unauthorized monitoring. If we do
this latter thing, and detection and blocking _does_ become a problem (and it
might), we can always _add_ some additional layer of security, like HTTPS
tunneling, on top, which avoids it. We could even, if it became absolutely
necessary, centralize after the fact; but this way, we can avoid it until it
would become necessary.

I would prefer not to centralize things in advance, just in case a certain
problem develops. I would instead prefer to keep it de-centralized as long as
possible, and solve individual problems as they actually occur.

I would also prefer DNSSEC and DoT over DNSCurve, and I would suggest IPsec
with opportunistic encryption to be a more pure goal than to tunnel everything
over HTTPS, but my preferences in protocols are not important to any of these
points, and we don’t need to argue about that.

~~~
zrm
We're already there. There are already ISPs in some parts of the world
redirecting DNS queries to any DNS server to the ISP's DNS server, which gives
invalid responses to queries that authenticate the DNS server (DNSCurve) or
invalid responses to queries it can read and wants to block (DNSSEC), either
of which is an effective denial of service attack. Which drives adoption of
ugly DoH.

The root problem where the centralization comes in (because you could actually
do DoH to something that isn't Cloudflare), is that you need to trust someone
to faithfully and completely answer all of your DNS queries without dropping
any of them or sending invalid responses for queries they don't like.

That used to be your ISP, and we had a decentralized solution as long as the
ISPs would faithfully answer all queries, but what happens when they don't?
You need someone else. "Let everyone choose for themselves" is a theoretical
answer, but in practice the average person doesn't know anybody who runs a
public recursive DNS server, and Google and Cloudflare are easy and "free", so
everybody will end up on them. To prevent that we need ISPs to stop
interfering with DNS.

------
TazeTSchnitzel
> The deployment of the new encryption system […] could […] expos[e] millions
> of people to the worst imagery

Not really. It is difficult to accidentally encounter these kinds of images
because they are so illegal, and for those who are trying, rudimentary ISP DNS
blocking is not going to stop them when Tor exists.

------
binarymax
Ah, the good ole “Think of the Children!” propaganda. What a lazy excuse. It’s
like they didn’t even try.

~~~
sneak
The beauty of this plan is its simplicity and effectiveness. You see it time
and time again for the simple reason that it is tremendously effective;
normal, reasonable people will throw a lot of logical reasoning straight the
fuck out the window when it comes to the safety and well-being of their
offspring. This is normal and common, and we must learn to effectively counter
it, not simply dismiss it, if we are to work against this sort of (again,
normal and common and natural) response.

------
pmoriarty
If we as people who are actually knowledgeable about technology and who care
about privacy are sick of ignorant and scare-mongering politicians turning the
world in to a version of 1984, we really have to become more active in
politics ourselves.. and by doing more than just voting.

You can run for local government, organize, or volunteer, for instance. That
will make much greater difference than simply voting or voicing one's
displeasure on the internet (though doing both of those can help some too,
especially if enough people do so).

------
karmakaze
This is wrong in so many ways:

    
    
      - DoH impacts a lot more than one area: child protection
      - what exactly would be lost?
        - is the filtering effective? No, anyone so inclined can just use a VPN
        - is there another way to achieve this even with DoH?
        Yes: resolve the URL filter hostnames, filter the IPs
      - faulty logic: we do X *with the intention* to stop bad Y, so don't do Z that hinders X
    

The issue here isn't really about DoH--it's whether the government can
unilaterally decide that freedom of communicating privately is not a right.

Now let's see what's _right_ (?) about this?

    
    
      - good political move to back something emotional people can agree with
        vs. something technical that most don't put in effort to understand privacy+tech
      - government seen as governing: good
      - sensational news, increases positive awareness/brand
    

I think the last point is key, technology has come up fast and most
governments are not up to the task of understanding and making good decisions.
The best they can do is try to _look_ like they're doing good and try to
maintain some _control_ in the hopes that it will result in the ability
to stay in power. It would be like if a non-technical CEO of a corporation was
in charge of all the security policies for their products.

Whenever these types of issues come up in the media, there's two concurrent
discussions: one who understand the tech and implications and the rest of the
population that reacts by proxy signals. Somehow these groups need to be
connected without a distortion of the message.

------
nvahalik
There are many technologies which are double-edged swords.

Encryption can keep things which need to be kept secret safe. They can also
keep things which ought to be made open safe.

Anything can and will be abused by people who want to use it to hide what they
are doing. That includes criminals.

But if every history-changing invention could have been stopped because of the
potential of abuse, we'd not be where we are today.

~~~
brokenmachine
The premise that needs to be fought is the suggestion that there can be no
such thing as a private conversation.

------
madaxe_again
Their own letter undermines the very point they’re trying to make.

They say “there 144,000 internet users [ed: from where in the world?] on some
of the worst _dark-web_ child sexual abuse sites”.

Dark web. Tor. Not impacted by DNS over HTTPS whatsoever.

------
esotericn
Well, that's alright.

UK disapprove of UK Politicians.

Need a source? Course you don't[1].

[1] https://www.ipsos.com/ipsos-mori/en-uk/politicians-remain-least-trusted-profession-britain

They can't even bloody solve basic stuff like building houses or you know,
that EU thing. DNS over HTTPS is probably down there with encouraging uptake
of Klingon.

------
kd3
While DNS over HTTPS has benefits, we should really be looking into
distributed or p2p DNS.

~~~
betterunix2
DNS is already distributed...

~~~
yjftsjthsd-h
Resolvers as used in practice, particularly DoH as in this context, are fairly
centralized.

------
einarfd
It's hard to be worried about any new legislation coming out of a parliament
that has been hard at work the last few years, showing that they wouldn't even
be able to organise a piss up in a brewery.

------
lazylizard
1. Now if someone says something is broken I look at nsswitch. I dig.
2. If they build this into the browser I hope there's a button for end users to
   beg Mozilla Foundation for help when some web page doesn't load.
3. Personally I'm fine with it. Cloudflared is an acceptable way to roll this
   together with the rest of name resolution.

~~~
lazylizard
But actually now already people can hide behind socks5. DNS n all. Just that
people usually don't use it.

Whatever....

------
d2mw
They can fight it on the basis of censorship, and I'll support them on the
basis of a decentralized Internet that does not rely on some folk who leaked
private data all over the Internet a few years ago.

Fuck DoH. It's political and technical centralization under the tired old
banner of "freedom!" when reality is absolutely the opposite. It'll be abused
in a heartbeat the moment it has majority share, assuming folk like CloudFlare
don't already have people working full time on how to profit from the data, or
formulating policies on which sites they shut down that they never hosted in
the first place

If you're new to this game, it always progresses the same tired old way:

- it's optional, you don't need it, but if you use it your life will become
1000% better and starving orphans in China will learn about democracy

- we're using it for just this one particular service you might need it for
but it's fine because that particular service is totally optional and you have
a "choice" between 3 vendors who all accidentally depend on this new thing,
because they're all playing the same game

- we rolled out a new feature but it's only available to newer clients, you
probably genuinely do need this feature, and the choice to avoid the new
service seems to be less and less appealing

- we don't have people working full time on the older product any more, and
it's full of bugs, and we're struggling to support it

- we've made some commercial agreement you weren't expecting that interacts
somehow with our adjusted position thanks to the new service. somehow you've
become the product without any warning, but you're so far down the river it's
much less effort to stay put than try to undo becoming the product

- we've encountered a bug and made a huge negative PR fuss around the old
service. it's officially insecure and you will catch cancer if you continue
using it

- [3 months later] we're deprecating the old service

- [1 year later] captivity achieved

~~~
userbinator
"An enemy of an enemy is a friend."

As someone who uses HOSTS files and DNS-level blocking/MiTM proxy on my
network to control what gets to my endpoints, I like how you think.

------
mnd999
That’s sort of a reason to like it, even if the general everything-is-http
approach to these problems annoys me.

------
Jerry888
Rofl politicians are not very well informed. The gov already can see all
traffic generated in DoH due to a built in flaw that is waiting to be fixed,
which I have no doubt will be "fixed" with open access built in as normal.
------
exabrial
dnscurve never made an impact unfortunately :(

------
dansimau
For those who disagree with the position taken in the article: Out of
curiosity, what would you do to deal with online child pornography instead?

~~~
smcl
That’s an insane argument that will just be continuously abused to erode
privacy until everything you do is under surveillance by the government.

Oh you’re against DNS over HTTPS? Oh so you _want_ our children to be abused?
You’re for encryption? Sounds like someone doesn’t care about child porn. Oh
you won’t share your Password with the government? Hiding something?

