
UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS' - katzeilla
https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/
======
Macha
> In the UK, ISPs are legally forced to block certain types of websites, such
> as those hosting copyright-infringing or trademarked content. Some ISPs also
> block other sites at their discretion, such as those that show extremist
> content, adult images, and child pornography. These latter blocks are
> voluntary and are not the same across the UK, but most ISPs usually tend to
> block child abuse content.

It does give the lie to the "for the children" argument when blocking
copyright infringement is mandatory and banning child porn is optional.

~~~
morelikeborelax
What you quoted simplifies and thus obfuscates the situation in the UK.

Child pornography is obviously illegal, but nearly all of it is actively
filtered via the IWF lists.

Legal forcing comes from court orders, of which there have been many in
regard to piracy and many other issues. You don't need court orders to regularly
bring down child porn because there are already plenty of active attempts and
stuff in place from the IWF, ISPs, police forces etc.

[https://en.m.wikipedia.org/wiki/Web_blocking_in_the_United_K...](https://en.m.wikipedia.org/wiki/Web_blocking_in_the_United_Kingdom)

~~~
tialaramex
What the courts said went like this:

_If_ you have a mechanism that you've put together to block some content (in
this case the IWF to block child porn) then you must also use this
mechanism to block stuff the court wants blocked, in this case everything
Hollywood has arbitrarily decided it might be a copyright infringement.

But if you don't have a mechanism to block stuff (which A&A does not because
why would you want to spend money on that nonsense?) then obviously the court
shouldn't order you to go around making Hollywood's life easier and you can
ignore it.

~~~
DanBC
No, this is nonsense.

The IWF blocks are completely separate (and use a different mechanism) to the
court ordered piracy blocks.

The court ordered piracy blocks only apply to the "big 6" ISPs. A&A doesn't
have to comply because they're an insignificant ISP with very few customers.

~~~
tialaramex
A different _legal_ mechanism these days, but the only affordable and
effective technical countermeasure is DNS blocking, which is why this whole
anti-DPRIVE thing happened.

Cleanfeed as originally designed is irrelevant in 2019. It worked by doing
transparent HTTP proxying on port 80 and then comparing URLs to a blacklist of
hashes. But in 2019 the site can just upgrade you to HTTPS and then you vanish
off the radar in Cleanfeed. What's left is yet more DNS blocking.

You might think wait, surely they could do IP blocking? Well, no. Fast flux
combined with the address exhaustion means if you do this you'll either
underblock so badly you might as well not bother trying, or you'll overblock
and get yourselves a reputation as the ISP whose Internet doesn't work. SNI
lets your opponents do this to you as much as they want even though very few
of their customers are doing anything you actually want to block.

So the other working (but far too expensive) option is "Deep packet
inspection" or "Transparent TLS proxies" where you'll watch the ClientHello
and drop clients asking for forbidden names in SNI before the connection is
encrypted. The UK government's White Paper in 2018 showed no appetite for this
extra cost, but even if they go there that's exactly what eSNI fixes - so
they'd spend all that money and by the time they ship anything probably it
doesn't work anyway.
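What an inspecting middlebox (or your own IDS) can read from the unencrypted handshake, as an added example that is not part of this thread: it constructs a minimal ClientHello and pulls the server_name out of it, and a hello carrying no cleartext SNI extension, which is what eSNI gives you, yields nothing. All bytes are constructed sample data, not a capture.

```python
import struct
from typing import Optional

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (sample data, not a capture).
    server_name=None models a hello with no cleartext SNI, as with eSNI/ECH."""
    body = b"\x03\x03" + bytes(32)                 # client_version + random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        exts += struct.pack("!HH", 0, len(sni)) + sni          # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the cleartext server_name from a ClientHello record, else None
    (also None for non-handshake, non-ClientHello or truncated input)."""
    try:
        if record[0] != 0x16:                               # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                   # not a ClientHello
            return None
        pos = 4 + 2 + 32                                    # header, version, random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error):
        return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))  # example.com
    print(extract_sni(build_client_hello(None)))           # None
```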

------
rwmj
A&A (a UK ISP) today donated £2940 to the Mozilla foundation. It's the amount
that ISPA membership would have cost them if they were members which of course
they are not:

[https://twitter.com/aaisp/status/1146803916853645314](https://twitter.com/aaisp/status/1146803916853645314)

~~~
m0xte
Straight to the point. Excellent work from A&A. I am currently with Zen and as
they are a member of ISPA I'm going to terminate my account and move to A&A
next month.

~~~
tialaramex
They're very good, however do watch out if you're a heavy user, there is no
"unlimited" for A&A. I think I have 250GB per month, and there's a scheme to
carry over a fraction to discourage you burning everything on the last few
days (e.g. if you have 100GB of quota left on a 250GB quota, you start the
next month with 300GB) but if you're the sort of person who routinely Torrents
a whole TV series to "see if I like it" and then throws it away after one
episode because you didn't then you are likely to exhaust the smaller quotas
before a month end and A&A's prices start to get steep.

I watch a bunch of Netflix, Youtube, play some online games, never came close
to my quota, but I know people using 1TB+ per month on other ISPs so YMMV.

~~~
m0xte
I pull 750Gb a month max across 5 people so this is fine. Thanks for the heads
up however.

------
lifeisstillgood
I applaud the IWF's intentions - I agree with ending child abuse - and am
personally quite happy with _effective_ if draconian measures.

The problem there is the effective, not the draconian.

We know some evil people record these vile acts, but we don't think that
banning video cameras will solve the problem - so my gut feeling is that
banning abuse images online is less about stopping the crime and more about
not being reminded it exists.

So I wonder what the effective solutions to child abuse are?

Something to do with nosey neighbours willing to pry? With school teachers
being amazingly sensitive? something to do with spending huge amounts on
foster care and social services - something to do with simply getting to know
and talk with your neighbours? or something else?

Was childline ever effective?

I don't know - but it's a huge problem with amazing ROI - and well worth
spending at least as much as we do on pointless record my browser history
projects.

~~~
DanBC
> so my gut feeling

This is absolutely the worst thing about HN.

[https://www.youtube.com/watch?v=FzOv14fA-BI](https://www.youtube.com/watch?v=FzOv14fA-BI)

"I don't know anything about zoology, biology, geology, geography, marine
biology, cryptozoology, evolutionary theory, evolutionary biology,
meteorology, limnology, history, herpetology, paleontology, or archeology,
but I think ..."

We know from interviewing the children who were abused that they continue to
be traumatised by the knowledge that images of them being raped are still
available online.

We also know that fear of people viewing the images causes children to avoid
seeking help. Some children feel huge amounts of shame or guilt, and they
wrongly[1] think that they will be seen as willing victims.

You're also making the mistake of limiting your thoughts to images created by
a local abuser - someone in the same room as the child. You need to remember
that some images of CSE are created by the children after they've been
groomed.

[1] Although reading any HN thread which mentions images of CSE these children
aren't far wrong.

~~~
lifeisstillgood
>>> available online ... still causes them trauma

Thank you. Consider my opinion changed. There is a clear reason to pursue this
course of action, even if it is less effective at the root cause.

Personally I think having my prejudices called out is one of the good things
about HN.

I still would love to see research on other approaches to tackling the root
problem (i.e. the abuse not the images)

(This would presumably include what properly funded social services look
like, how cross-department co-operation can be improved, as well as the more
"Big Society" suggestions.)

I mean, a frustrating part of this is that almost always some political
issue has had a "yes but in Country X they are trying a new system that has
had huge success" and slowly a consensus forms around the right way to tackle
the problem - but on CSE I have never come across even the right direction of
travel.

Finally I hope the threads you mention in your footnote are at an end - there
is no willing victim, this is crime and vile crime at that.

Edit: general tidying

~~~
lifeisstillgood
Edit Edit: Rethinking this (frankly being called out is always time for
reflection) I suppose my first request for my own education is to get a size
of the problem - looking at the Rochdale case in the UK it is seemingly large
- and can our knowledge of published images help size the problem.

------
swiley
I personally would have been a lot more comfortable with a different DNS
protocol if

1) the companies pushing them didn’t limit it to just their product (and
instead added it to the C runtime resolver)

2) didn’t limit it to their servers (that’s honestly pretty concerning)

~~~
Someone1234
Firefox allows you to use any resolver you wish. It just isn't a feature
exposed in the UI, and instead you have to use about:config.

Specifically you'll need to set:

- network.trr.bootstrapAddress: To a secure DNS provider you trust (to get
the HTTPS DNS resolver's IP/bootstrap DNS over HTTPS), e.g. 1.1.1.1

- network.trr.mode: To 2 (DNS-over-HTTPS is first choice, fallback to OS) or 3
(DNS-over-HTTPS only, otherwise fail; recommended)

- network.trr.uri: To the URL of your DNS-over-HTTPS provider, e.g.
[https://cloudflare-dns.com/dns-query](https://cloudflare-dns.com/dns-query)

If you set all three (and mode to 3), it is a completely bespoke, highly
secure DNS solution. That's what I use at work for any personal browsing.
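What the network.trr.uri endpoint actually receives and returns, as an added example that is not part of this thread: it builds the RFC 8484 GET form of a DoH query (DNS wire format, base64url in the `dns` parameter) against the Cloudflare URI quoted above, and parses A records out of a constructed wire-format response. The response bytes are sample data, not a capture from any resolver.

```python
import base64
import struct

# Resolver URI quoted in the comment above (the network.trr.uri value).
DOH_URI = "https://cloudflare-dns.com/dns-query"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query (RFC 1035). RFC 8484 wants ID 0 so that
    identical queries yield identical, cacheable GET URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, class IN

def doh_get_url(query: bytes, uri: str = DOH_URI) -> str:
    """GET form of a DoH request: unpadded base64url in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{uri}?dns={b64}"

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a wire-format response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])

    def skip_name(p: int) -> int:
        while True:
            length = msg[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

# Constructed sample response (not captured from any resolver): the question
# echoed back, flags QR|RD|RA, one A record for 192.0.2.1 (RFC 5737 TEST-NET-1).
QUERY = build_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(doh_get_url(QUERY))                # the URL a mode-3 Firefox would GET
    print(parse_a_records(SAMPLE_RESPONSE))  # ['192.0.2.1']
```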

~~~
zrm
The problem isn't the lack of a configuration option, it's when the default is
to ignore the one configured in the operating system.

Suppose I have all my devices configured to use my local DNS where I've added
names for my other local devices or changed the ones for some names because
local devices should use the RFC1918 addresses instead of the internet ones
that are routed differently. Suddenly Firefox on every device is using
Cloudflare even though nobody ever told it to, and now I have to go touch
every device and fix it, including when they're BYOD and the owners want them
to "just work" and resolve the names correctly without me having to touch
them.

Then the same thing all over again when Chrome does it or any other
application.

------
tremon
So they nominated Firefox for implementing DNS over HTTP but not Chrome? Does
anyone know their rationale for that?

~~~
m0xte
Signed up to post this. This is because Google are a member of ISPA:
[https://www.ispa.org.uk/members/?letter=G%2CH%2CI](https://www.ispa.org.uk/members/?letter=G%2CH%2CI)

The other nominees for Internet Villain were Donald Trump and EU article 13.
But they chose Mozilla. Clearly ISPA has an agenda and cannot be trusted.

------
Ericson2314
If the UK disapproves I'll be sure to use it! Only gotcha is screw this
per-application stuff, will want the whole computer doing it. But that shouldn't
be too hard to rig up on Linux.

[https://tools.ietf.org/html/draft-huitema-quic-dnsoquic-05](https://tools.ietf.org/html/draft-huitema-quic-dnsoquic-05) oooo.

[https://github.com/jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy) does a few good protocols.

~~~
ggg2
so true. the fact that browsers have dns resolvers is weird.

to me only the kernel could do it, and it would limit outgoing port 53 by
default to every other process.

if I want to set configuration on my hosts file I damn sure want everything to
follow it, not have to worry about thousands of applications that might or
might not use it.

~~~
krferriter
On Linux (and probably macos, windows), the kernel doesn't do DNS name
resolution. The kernel provides the network stack which does IP, and also TCP
and UDP. On Linux you need a tool that can do DNS operations, like
NetworkManager, dhcpcd, dhclient, systemd-resolved. You could use selinux to
restrict port access.

------
dreamcompiler
"The Net interprets censorship as damage and routes around it."

-John Gilmore

~~~
TeMPOraL
Obligatory reminder that this was said about packet routing, not about
application-layer protocols.

------
jimbob45
I'm a bit of an internet novice so excuse me if this is dumb but won't the ISP
still know which IP I've connected to? Just because I haven't conveniently
looked it up in their giant DNS dictionary doesn't mean they can't just follow
the traffic, right?

~~~
TazeTSchnitzel
They will indeed know the IPs, and the SNI domain name information from HTTPS
connections which don't encrypt that.

~~~
kd913
Note that on Firefox, if you enable the DoH and ESNI mechanisms in
about:config, that information is encrypted to Cloudflare-hosted sites.
At that point, they can't even use deep packet inspection to identify which
sites were visited.

------
TeMPOraL
I'm split here. Obviously this nomination only speaks well of Mozilla, but
regarding DoH itself, isn't it a... problematic technology when it comes to
user freedom? With DoH, how is Pi-hole going to work? Not sure if I like
browsers working around the OS on this one; this should really be a
user-configurable OS-level service.

~~~
chillydawg
Your pi can be set up as a DoH server, of course!

~~~
TeMPOraL
From what I read however, it can't be set to work OOTB for everyone on my
network; I'd have to go on every machine and every Internet-connected
application to try and change it, hoping all the applications would let me (if
I read correctly, Chrome won't?).

~~~
bradknowles
See [https://developers.cloudflare.com/1.1.1.1/dns-over-https/clo...](https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/)
and [https://docs.pi-hole.net/guides/dns-over-https/](https://docs.pi-hole.net/guides/dns-over-https/)
and [https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq...](https://openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy)

------
nullwasamistake
DNS is the last cleartext channel for ISPs to monitor browsing. This isn't
about "porn" at all. Even with HTTPS, ISPs have long been able to snoop DNS to
find all the sites you visit.

This data is extremely valuable for marketing since the ISP also knows who you
are and where you live. And using DNS bypasses tracker blocking.

This is all about ISPs getting mad that their advertising revenue is being
cut off. And possibly a lot of pressure from governments to keep "metadata"
like DNS requests in the clear.

------
curt15
I can see why the gov't would have something to say about DoH, but even though
the article specifically asks "why do ISPs hate it?", it doesn't actually
answer why ISPs themselves would have a hat in the ring. Surely they cannot be
blamed if DoH prevents them from sniffing users' traffic?

~~~
NikkiA
I don't know if it's the reason, but...

Most UK ISPs run advertising portals on DNS-not-found redirects, DoH would
remove those redirects.

~~~
jen20
This is almost certainly the reason. The first thing I do on any internet
connection in the UK is change the DNS out for one that isn't broken...

------
llao
DoH -> DNS over HTTP.

~~~
cadence-
DNS over HTTPS.

------
tinus_hn
Oh no, suddenly ISPs are relegated back to their role as common carriers of
data!

------
antpls
Is there any good local DNS proxy server that transforms classic DNS to
DNS-over-HTTPS, for applications that don't implement it natively (such as
Desktop Chromium)?

~~~
pmoriarty
dnscrypt-proxy[1], though you'll have to use something like iptables to
redirect all DNS traffic to it

[1] - [https://github.com/jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)

------
ilovecaching
DoH is plugging a security hole. ISPs and other entities were using that
security hole to implement features for their users. The correct response is
for them to use a different method of implementing their features that does
not compromise user security.

Their whole argument against DoH is ridiculous.

------
fryry
I believe ISP level blocking in the UK can already be easily bypassed simply
by not using your ISPs DNS servers.

~~~
jnwatson
Yeah, I’m surprised that anybody thinks that DNS blocking is sufficient for
anything save ad blocking.

------
davesmith1983
This is pretty standard in the UK under the current political climate. The
Conservative Government about 2 years ago was hell bent (and probably still
is) on getting rid of "strong encryption" and wants backdoors in pretty much
everything.

Both major political parties are pretty censorious and many of the smaller
parties aren't much better.

~~~
microcolonel
> _many of the smaller parties aren't much better_

There is certainly _one_ which is much better; and maybe it's a total
coincidence, but they seem to be the punching bag of the major parties. ;-)

~~~
gmac
Which?

~~~
dijit
Liberal Democrats.

They’ve been thrown under the bus for entering a coalition government and
choosing to support alternative voting over scrapping tuition fees.

Since they were a minority player they didn’t have much choice in fighting
that ultimatum, but I understand why people feel scorned. Even if the
conservatives are doing many, many more heinous things daily.

As a nice coincidence the "NoToAV" campaign (lit. "No alternative vote") was
undertaken by the same people who drove the leaveEU campaign, and they used
remarkably similar tactics too. "AV will cost £250m, that should fund our
army!" And such.

[https://images.app.goo.gl/Z4GP93UTWMgaVmLQ6](https://images.app.goo.gl/Z4GP93UTWMgaVmLQ6)

I mention it because it was funded by the same conservative donors. So the Lib
Dems lost both ways.

