UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS' (zdnet.com)
156 points by katzeilla 4 months ago | 88 comments



> In the UK, ISPs are legally forced to block certain types of websites, such as those hosting copyright-infringing or trademarked content. Some ISPs also block other sites at their discretion, such as those that show extremist content, adult images, and child pornography. These latter blocks are voluntary and are not the same across the UK, but most ISPs usually tend to block child abuse content.

It does give the lie to the "for the children" argument when blocking copyright infringement is mandatory and banning child porn is optional.


What you quoted simplifies and thus obfuscates the situation in the UK.

Child pornography is obviously illegal, but nearly all of it is actively filtered via the IWF lists.

Legal forcing comes from court orders, of which there have been many in regard to piracy and many other issues. Don't need court orders to regularly bring down child porn because there are already plenty of active attempts and stuff in place from IWF, ISPs, Police forces etc.

https://en.m.wikipedia.org/wiki/Web_blocking_in_the_United_K...


What the courts said went like this:

_If_ you have a mechanism that you've put together to block some content (in this case the IWF to block child porn) then you must also use this mechanism to block stuff the court wants blocked, in this case everything Hollywood has arbitrarily decided it might be a copyright infringement.

But if you don't have a mechanism to block stuff (which A&A does not because why would you want to spend money on that nonsense?) then obviously the court shouldn't order you to go around making Hollywood's life easier and you can ignore it.


No, this is nonsense.

The IWF blocks are completely separate (and use a different mechanism) to the court ordered piracy blocks.

The court ordered piracy blocks only apply to the "big 6" ISPs. A&A doesn't have to comply because they're an insignificant ISP with very few customers.


A different _legal_ mechanism these days, but the only affordable and effective technical countermeasure is DNS blocking, which is why this whole anti-DPRIVE thing happened.

Cleanfeed as originally designed is irrelevant in 2019. It worked by doing transparent HTTP proxying on port 80 and then comparing URLs to a blacklist of hashes. But in 2019 the site can just upgrade you to HTTPS and then you vanish off the radar in Cleanfeed. What's left is yet more DNS blocking.

You might think wait, surely they could do IP blocking? Well, no. Fast flux combined with the address exhaustion means if you do this you'll either underblock so badly you might as well not bother trying, or you'll overblock and get yourselves a reputation as the ISP whose Internet doesn't work. SNI lets your opponents do this to you as much as they want even though very few of their customers are doing anything you actually want to block.

So the other working (but far too expensive) option is "Deep packet inspection" or "Transparent TLS proxies" where you'll watch the ClientHello and drop clients asking for forbidden names in SNI before the connection is encrypted. The UK government's White Paper in 2018 showed no appetite for this extra cost, but even if they go there that's exactly what eSNI fixes - so they'd spend all that money and by the time they ship anything probably it doesn't work anyway.



>but nearly all of it is actively filtered via the IWF lists.

You wish. Those lists can only filter specific sites. Not the myriad of child porn that is shared privately. So those list based blocks might in fact protect some users who inadvertently clicked on the wrong link, not knowing where it would lead. But people actually seeking out this content do not care.

It still would be effective to just inform providers and domain registrars[0].

I'm involved in running a small, non-commercial website that offers instant chat rooms without the need to sign up first. At some point the kiddly diddlers found out about it, and used it as basically a bootstrap tool for their activities. We had to play cat and mouse with them for a while, but have improved our system where most such things get automatically detected now or at least marked as suspicious, and the rest is handled by humans. So I am in the unfortunate position to know a thing or two about how these people operate, or at least those who abused our service.

After they initially find each other, either to "trade" one on one or have a group thing going, they use services such as mega.nz[1] and other file hosters with ever new download URLs, or switch over to messenger services such as kik[2], tox[3] and discord[4] in particular, and use email (in particular protonmail these days) as a backup to finding each other again should their other accounts be taken down.

TOR also plays a minor role, of course, but TOR's importance is usually overstated in public discussions about child porn, at least as far as I have seen, and we've rarely encountered people sharing hidden services; it's mostly about using TOR as an anonymizing, free "VPN"[5].

The amount of content (aka child abuse media) they share is tremendous. Them sharing 10s of GBs with a few mega links in one go was common.

[0] We had this discussion in Germany ten years back, when the government proposed such filter lists that the ISPs should then enforce. There was a big opposition to that, as people thought the content should be actually removed and perpetrators prosecuted instead of just "hiding" it, and also establishing such a system would make all kinds of other groups eager to get courts to block other content with it, such as alleged piracy sites. Oh, and of course the lack of accountability and transparency was a big issue too.

Turns out most providers will cooperate in taking down content, and the rest can be "made" to cooperate. The German group AK Zensur (NGO) ran an experiment back in 2009, and contacted providers based on leaked government child porn filter lists (mostly from Scandinavian countries). Most providers responded within 12 hours, removing illegal content, but more often than not they did not actually find child porn whatsoever (which the AK Zensur then verified). Most providers further said they had not been contacted previously (good job, law enforcement).

https://ak-zensur.de/2009/05/loeschen-funktioniert.html (German)

[1] mega.nz's model of plausible deniability means they also cannot identify content because they never see the content unencrypted (not even a hash of the unencrypted content). So they can only take down individual URLs and accounts, but cannot take down exact copies of the same file uploaded to other accounts. This, combined with the ease of making new accounts, each of which gets 50GB storage at first, and the feature to "unshare" (invalidate share links; allows people to share content for sometimes just a few seconds, so other people can import it into their own accounts and download later), makes mega very popular not just with content pirates, but also with people sharing child porn.

[2] Easy to use, and easy to use group chats.

[3] Harder to set up, but it claims to allow quasi anonymous decentralized communication incl file sharing if you put it behind a VPN or TOR. We've encountered "how to setup tox" infographics in the past.

[4] Discord used to be a bit wild west, being a new service which hadn't figured out a lot of things yet (kinda like us at the beginning), and probably underestimated the problem (also kinda like us in the beginning). They also made it pretty hard to actually report abuse (something like, "actually join the server, switch to developer mode, toggle some obscure other preference, copy the internal channel ID and write us an email containing that information"). Tho it seems they are doing a lot, lot better recently in banning "servers" involved in child porn.

[5] Which put us in the unfortunate position to proactively ban TOR users from chatting (they can still read). 99% of TOR traffic was either outright malicious stuff like child porn, or spam. Sorry to the remaining less than 1% who played nice.


I hereby propose "Goodwin's Corollary": "As an online discussion grows longer, the probability of a comparison involving Child Porn approaches 1".


Blocking child porn is not optional in the UK.

There is a mandatory block list which all ISPs are required to use, maintained by a private organization - the Orwellian named "Internet Watch Foundation", which is kept secret and is not disclosed for the stated reason that giving details would tell paedophiles where to look. They were responsible for the classification of the German band Scorpions album cover on Wikipedia being classed as child porn and resulting in blocking the Wikipedia page in the UK until that was sorted out. (Dec 7 2008)


A&A:

> We don't provide a filtering service to restrict or limit access to anything on the Internet. When you take services from us you are opting out of any filtering services. The Internet has a lot of good and useful things, but it also has a lot of unpleasant and offensive things. Don't blame us for what you find on the Internet.[...]

> We do not have, in our network, any equipment installed to filter access to any part of the public Internet for our customers as a whole. We aim to give 12 months notice if we ever add any such filtering.

https://www.aa.net.uk/legal/full-terms-services/

In the past, they've spoken out more explicitly against the IWF:

> Not using IWF watch list

> The system deployed now is not effective. It blocks web sites that have been reported, and that is all. It causes side effects (see recent wikipedia incident). It does not block ftp access, email, secure web sites, usenet, irc, peer to peer file sharing, or any tunnelled IP to proxies outside the UK, or indeed any number or simple ways around it. The system does not even try to.[...]

> We feel sure anyone wanting access to child porn will have no trouble using the 95% of ISPs that use the IWF and there is no reason for them to come to us specially.[...]

> At the end of the day, we are no more of a policeman than a power company powering a counterfeit printing press. We provide a utility - we shift IP packets. Using us for anything illegal is a matter for the police to deal with and the criminals concerned, and not for those companies that provide power, water, gas, or internet that happen to allow those activities.

https://web.archive.org/web/20130430120759/https://www.aa.ne...


That is not correct. The majority of big UK ISPs subscribe to the IWF lists but that's a self-regulatory choice. Many smaller ISPs don't and some even advertise that as an advantage.


It's hard at this point to feel any more anger about the way my government behaves.

We crossed the Rubicon for so many reasons.


A&A (a UK ISP) today donated £2940 to the Mozilla foundation. It's the amount that ISPA membership would have cost them if they were members which of course they are not:

https://twitter.com/aaisp/status/1146803916853645314


Straight to the point. Excellent work from A&A. I am currently with Zen and as they are a member of ISPA I'm going to terminate my account and move to A&A next month.


They're very good, however do watch out if you're a heavy user, there is no "unlimited" for A&A. I think I have 250GB per month, and there's a scheme to carry over a fraction to discourage you burning everything on the last few days (e.g. if you have 100GB of quota left on a 250GB quota, you start the next month with 300GB) but if you're the sort of person who routinely Torrents a whole TV series to "see if I like it" and then throws it away after one episode because you didn't then you are likely to exhaust the smaller quotas before a month end and A&A's prices start to get steep.

I watch a bunch of Netflix, Youtube, play some online games, never came close to my quota, but I know people using 1TB+ per month on other ISPs so YMMV.


I pull 750Gb a month max across 5 people so this is fine. Thanks for the heads up however.


That's worth knowing. Also, as a long-term subscriber to A&A for home/business I can recommend them as being very good as an ISP, too.


Having switched to a&a at work recently, they seem to be operating several levels above the more mainstream business DSL providers we've used.

Their control panel is incredibly functional – containing detailed logs of pretty much everything. They also provide a lot of more technical line control options that you'd otherwise have to phone up and convince somebody to get changed.

We haven't had the pleasure of needing to phone them up yet, but from what I've read about them they're a technically very capable team.


I've subscribed my mother to their FTTC service, upgrading her from ADSL. She lives in the middle of nowhere, and BT have historically cocked up an awful lot with the wiring. Their team know a hell of a lot more about networking than I do, _and_ know who in BT to get on to in order to make sure that the wires get reconnected the right way around (which they weren't!).

I really can't recommend them enough. Sure, it's expensive, but a) I like the feeling that I'm contributing to things I agree with, and b) the people who work there deserve to earn a decent wage. Insofar as broadband has a "first class" product, they offer it.


I applaud the IWF's intentions - I agree with ending child abuse - and am personally quite happy with effective if draconian measures

the problem there is the effective not the draconian

We know some evil people record these vile acts, but we don't think that banning video cameras will solve the problem - so my gut feeling is that banning abuse images online is less about stopping the crime and more about not being reminded it exists.

So I wonder what the effective solutions to child abuse are?

Something to do with nosey neighbours willing to pry? With school teachers being amazingly sensitive? something to do with spending huge amounts on foster care and social services - something to do with simply getting to know and talk with your neighbours? or something else?

Was childline ever effective?

I don't know - but it's a huge problem with amazing ROI - and well worth spending at least as much as we do on pointless record my browser history projects.


> so my gut feeling

This is absolutely the worst thing about HN.

https://www.youtube.com/watch?v=FzOv14fA-BI

"I don't know anything about zoology, biology, geology, geography, marine biology, crypto zoology, evolutionary theory, evolutionary biology, meteorology, limnology, history, herpetology, paleontology, or archeology, but I think ..."

We know from interviewing the children who were abused that they continue to be traumatised by the knowledge that images of them being raped are still available online.

We also know that fear of people viewing the images causes children to avoid seeking help. Some children feel huge amounts of shame or guilt, and they wrongly[1] think that they will be seen as willing victims.

You're also making the mistake of limiting your thoughts to images created by a local abuser - someone in the same room as the child. You need to remember that some images of CSE are created by the children after they've been groomed.

[1] Although reading any HN thread which mentions images of CSE these children aren't far wrong.


> We know from interviewing the children who were abused that they continue to be traumatised by the knowledge that images of them being raped are still available online.

Unfortunately, banning possession/distribution doesn't actually make things unavailable, so it fails to prevent this harm too... Though I suppose the knowledge that people are trying to track down and eliminate such content may help the victims in question.


>>> available online ... still causes them trauma

Thank you. Consider my opinion changed. There is a clear reason to pursue this course of action, even if it is less effective at the root cause.

Personally I think having my prejudices called out is one of the good things about HN.

I still would love to see research on other approaches to tackling the root problem (i.e. the abuse not the images)

(This would presumably include what properly funded social services look like, how cross-department co-operation can be improved, as well as the more "Big Society" suggestions.)

I mean a frustrating part of this is that almost always some political issue has had a "yes but in Country X they are trying a new system that has had huge success" and slowly a consensus forms around the right way to tackle the problem - but on CSE I have never come across even the right direction of travel.

Finally I hope the threads you mention in your footnote are at an end - there is no willing victim, this is crime and vile crime at that.

Edit: general tidying


Edit Edit: Rethinking this (frankly being called out is always time for reflection) I suppose my first request for my own education is to get a size of the problem - looking at the Rochdale case in the UK it is seemingly large - and can our knowledge of published images help size the problem.


> We know some evil people record these vile acts, but we don't think that banning video cameras will solve the problem - so my gut feeling is that banning abuse images online is less about stopping the crime and more about not being reminded it exists.

I'm personally always amazed that people seem to think the problem is the recording and not the abuse.


It's both. Legally, child sexual abuse is considered so vile a practice that it's addressed on both supply side and demand side. Criminalizing possession and handling of such recordings is an attempt at reducing demand. It's not a complete solution, but no real world problem is really solved by a single thing.

Banning video cameras obviously isn't happening, because they're too useful for other things. But if, hypothetically, a company sold cameras magically limited to only recording children, and such cameras would become popular among child pornographers, then you could expect calls for a legal ban on the grounds that denying a few companies the ability to fleece people through market segmentation doesn't outweigh making life more difficult for the child pornographers.


> Criminalizing possession and handling of such recordings is an attempt at reducing demand. It's not a complete solution, but no real world problem is really solved by a single thing.

My personal opinion is that this does not reduce abuse. It almost certainly reduces demand for abuse videos, and possibly reduces demand for the creation of new abuse videos - but I don't care about those, I care about the kids being hurt. I'd rather have 10 kids a year get abused and the videos end up on YouTube than have 100 kids a year abused with no videos anywhere, if that makes any sense - and if abuse videos are a substitute for actual abuse one might expect that making the videos harder to acquire would make the latter more common.


> It almost certainly reduces demand for abuse videos, and possibly reduces demand for the creation of new abuse videos

And thus it's expected to reduce the abuse done in the process of creating said videos. I provisionally believe your substitution argument. I have no clue if the total abuse is decreasing or increasing here.


It probably depends highly on whether abuse recorded in the videos would have happened anyways. Is the abuser just recording their normal routine, or are they doing things for the camera?


Banning images is a technical problem. Stopping abuse is a social problem.


"Stopping abuse" isn't actionable - e.g. You can't say today I'm going to "stop abuse"(Unless you're an abuser).

Banning images is an actionable measure - with the goal of stopping abuse.

Not saying it's a good one.


"Something to do with nosey neighbours willing to pry? With school teachers being amazingly sensitive? something to do with spending huge amounts on foster care and social services - something to do with simply getting to know and talk with your neighbours? or something else?

Was childline ever effective?"

All of the above basically. Unfortunately council funding cuts are having a detrimental effect on foster care and social services. So that part isn't as good as it should be.


I personally would have been a lot more comfortable with a different DNS protocol if

1) the companies pushing them didn’t limit it to just their product (and instead added it to the C runtime resolver)

2) didn’t limit it to their servers (that’s honestly pretty concerning)


Firefox allows you to use any resolver you wish. It just isn't a feature exposed in the UI, and instead you have to use about:config.

Specifically you'll need to set:

- network.trr.bootstrapAddress: To a secure DNS provider you trust (to get the HTTPS DNS resolver's IP/bootstrap DNS over HTTPS). e.g. 1.1.1.1

- network.trr.mode: To 2 (DNS-over-HTTPS is first choice, fallback to OS), 3 (DNS-over-HTTPS only otherwise fail, recommended)

- network.trr.uri to the URL of your DNS-over-HTTPS provider. e.g. https://cloudflare-dns.com/dns-query

If you set all three (and mode to 3), it is a completely bespoke, highly secure DNS solution. That's what I use at work for any personal browsing.


The problem isn't the lack of a configuration option, it's when the default is to ignore the one configured in the operating system.

Suppose I have all my devices configured to use my local DNS where I've added names for my other local devices or changed the ones for some names because local devices should use the RFC1918 addresses instead of the internet ones that are routed differently. Suddenly Firefox on every device is using Cloudflare even though nobody ever told it to, and now I have to go touch every device and fix it, including when they're BYOD and the owners want them to "just work" and resolve the names correctly without me having to touch them.

Then the same thing all over again when Chrome does it or any other application.


I would also add the following for Encrypted SNI:

  network.security.esni.enabled = true

Check by running all four tests i.e. Secure DNS, DNSSEC, TLS 1.3 & Encrypted SNI at https://www.cloudflare.com/ssl/encrypted-sni/


This is really the issue. DoH is a little ugly/slow, but the security improvement over vanilla DNS is real. There are superior alternatives like DNSCurve but DoH > plaintext DNS even if DNSCurve > DoH.

The problem is implementing it in the application instead of the operating system. The owner of the device should be able to choose their DNS server in one place (including one that blocks or redirects domains the user actually wants to) and not have to keep after a dozen separate applications all with their own settings that ignore the user's globally stated preferences.

Mozilla could do everyone a favor and produce a free independent DoH implementation for each platform they support that allows it to be used by the OS resolver in every application and have its configuration set all in one place. Extra points for supporting DNSCurve as well.


There are instructions on how to route all operating system DNS requests through DoH here: https://developers.cloudflare.com/1.1.1.1/dns-over-https/clo....

One advantage that DoH has over DNSCurve is that it is much harder to detect or block due to it being encapsulated as https traffic.


> There are instructions on how to route all operating system DNS requests through DoH here

Then the next step is to get operating systems to ship it by default and support DoH as a DHCP option:

https://tools.ietf.org/html/draft-peterson-doh-dhcp-00

> One advantage that DoH has over DNSCurve is that it is much harder to detect or block due to it being encapsulated as https traffic.

If you're using a network subject to active adversarial man in the middle attacks like that then you probably want to be sending all your traffic through some kind of encrypted tunnel rather than only DNS.


Yes but many such active adversarial networks prevent most traffic besides http/tls leaving the network. DoH solves this problem.


> Yes but many such active adversarial networks prevent most traffic besides http/tls leaving the network. DoH solves this problem.

So do VPN tunnels over HTTPS/TLS.

There is also happy eyeballs. Use DNSCurve and DoH at the same time and accept whichever answers first, which will be DNSCurve whenever it isn't blocked. Then in a few years when middleboxes have given up trying to block DNSCurve because the alternative is no advantage to them, we can deprecate inefficient DoH to a strict fallback and eventually be rid of it entirely (because they couldn't block DNSCurve anymore if it was 95% of DNS traffic).


So they nominated Firefox for implementing DNS over HTTP but not Chrome? Does anyone know their rationale for that?


Signed up to post this. This is because Google are a member of ISPA: https://www.ispa.org.uk/members/?letter=G%2CH%2CI

The other nominees for Internet Villain were Donald Trump and EU article 13. But they chose Mozilla. Clearly ISPA has an agenda and cannot be trusted.


less lawyers on retainer to establish a precedent?

you are talking about dirty politicians, who are standing against something initially designed to thwart oppressive regimes such as China's great firewall... any dirty trick in the book is fair game to them.


If the UK disapproves I'll be sure to use it! Only gotcha is screw this per-application stuff, will want the whole computer doing it. But that shouldn't be too hard to rig up on Linux.

https://tools.ietf.org/html/draft-huitema-quic-dnsoquic-05 oooo.

https://github.com/jedisct1/dnscrypt-proxy does a few good protocols.


so true. the fact that browsers have dns resolvers is weird.

to me only the kernel could do it, and it would limit outgoing port 53 by default to every other process.

if I want to set configuration on my hosts file I damn sure want everything to follow it, not have to worry about thousands of applications that might or might not use it.


On Linux (and probably macos, windows), the kernel doesn't do DNS name resolution. The kernel provides the network stack which does IP, and also TCP and UDP. On Linux you need a tool that can do DNS operations, like NetworkManager, dhcpcd, dhclient, systemd-resolved. You could use selinux to restrict port access.


"The Net interprets censorship as damage and routes around it."

-John Gilmore


Obligatory reminder that this was said about packet routing, not about application-layer protocols.


I'm a bit of an internet novice so excuse me if this is dumb but won't the ISP still know which IP I've connected to? Just because I haven't conveniently looked it up in their giant DNS dictionary doesn't mean they can't just follow the traffic, right?


Yes, you're right that they will know to which server you have connected (HTTPS has nothing to do with it), but they might not know which site you have tried to access because some servers will host many sites.

Edit, to clarify: this depends on the protocol, as someone has noted further down, but in principle you could have an encrypted protocol in which case the ISP (or any other routing node) could only know with which server you have exchanged packets.


It is possible to host multiple domains at the same IP address. In case a site uses e.g. Cloudflare, there can be a very large number of sites hosted at the same IP address. Hence, it is not always possible to figure out what website is being visited based on the IP address.


They will indeed know the IPs, and the SNI domain name information from HTTPS connections which don't encrypt that.


Note, on Firefox if you enable the DoH and the esni mechanisms in about:config, then that information is encrypted to cloudflare hosted sites. At that point, they can't even use deep packet inspection to identify which sites were visited.


No, HTTPS is encrypted.

Edit: oops, I thought OP said what they communicate not what IP.


But how does that tie in with SNI? The specs say that the client sends the intended hostname as part of the TLS handshake, can the ISP sniff the hostname from that handshake?

[edit] as per wikipedia, https://en.wikipedia.org/wiki/Server_Name_Indication:

The desired hostname is not encrypted, so an eavesdropper can see which site is being requested. This helps security companies provide a filtering feature and governments implement censorship. [..] As of mid 2018, an upgrade called Encrypted SNI (ESNI) is being rolled out in an "experimental phase" to address this risk of domain eavesdropping. On March 1, 2019, Daniel Stenberg stated that Mozilla Firefox supports ESNI.


Which is why encrypted SNI is in development



You can sniff SNI which will still reveal hostnames. In certain cases though, you can use 'domain fronting'. That is using a different Host in the HTTPS header than is included in SNI. If that other hostname is served by the same ip address and certificate, then that server might just forward your HTTPS message to the host requested in the HTTPS header.


I'm split here. Obviously this nomination only speaks well of Mozilla, but regarding DoH itself, isn't it a... problematic technology when it comes to user freedom? With DoH, how is Pi-hole going to work? Not sure if I like browsers working around the OS on this one; this should really be a user-configurable OS-level service.


Your pi can be set up as a DoH server, of course!


From what I read however, it can't be set to work OOTB for everyone on my network; I'd have to go on every machine and every Internet-connected application to try and change it, hoping all the applications would let me (if I read correctly, Chrome won't?).



DNS is the last cleartext channel for ISPs to monitor browsing. This isn't about "porn" at all. Even with HTTPS, ISPs have long been able to snoop DNS to find all the sites you visit.

This data is extremely valuable for marketing since the ISP also knows who you are and where you live. And using DNS bypasses tracker blocking.

This is all about ISPs getting mad that their advertising revenue is being cut off. And possibly a lot of pressure from governments to keep "metadata" like DNS requests in the clear.


I can see why the gov't would have something to say about DoH, but even though the article specifically asks "why do ISPs hate it?", it doesn't actually answer why ISPs themselves would have a hat in the ring. Surely they cannot be blamed if DoH prevents them from sniffing users' traffic?


I don't know if it's the reason, but...

Most UK ISPs run advertising portals on DNS-not-found redirects, DoH would remove those redirects.


This is almost certainly the reason. The first thing I do on any internet connection in the UK is change the DNS out for one that isn't broken...


ISPs can make money selling behavioral data to aggregators. Domain names are more valuable for this than bare IPs.


Maybe they fear this will mean they need to do blocking outside the DNS level? I'd certainly be sweating as an ISP if I need to start doing SNI inspection to block certain domains. That takes some decent packet inspection infrastructure.


DoH -> DNS over HTTP.


DNS over HTTPS.


Oh no, suddenly ISPs are relegated back to their role as common carriers of data!


Is there any good local DNS proxy server that transforms classic DNS to DNS-over-HTTPS, for applications that don't implement it natively (such as Desktop Chromium) ?


dnscrypt-proxy[1], though you'll have to use something like iptables to redirect all DNS traffic to it

[1] - https://github.com/jedisct1/dnscrypt-proxy


DoH is plugging a security hole. ISPs and other entities were using that security hole to implement features for their users. The correct response is for them to use a different method of implementing their features that does not compromise user security.

Their whole argument against DoH is ridiculous.


I believe ISP level blocking in the UK can already be easily bypassed simply by not using your ISP's DNS servers.


Yeah, I’m surprised that anybody thinks that DNS blocking is sufficient for anything save ad blocking.


This is pretty standard in the UK under the current political climate. The Conservative Government about 2 years ago was hell bent (and probably still is) on getting rid of "strong encryption" and wants backdoors in pretty much everything.

Both major political parties are pretty censorious and many of the smaller parties aren't much better.


> many of the smaller parties aren't much better

There is certainly one which is much better; and maybe it's a total coincidence, but they seem to be the punching bag of the major parties. ;- )


Well I doubt you and I are thinking of the same party. TBH almost all of them are garbage.


Which?


Liberal Democrats.

They’ve been thrown under the bus for entering a coalition government and choosing to support alternative voting over scrapping tuition fees.

Since they were a minority player they didn’t have much choice in fighting that ultimatum, but I understand why people feel scorned. Even if the conservatives are doing many, many more heinous things daily.

As a nice coincidence the “NoToAV” campaign (lit. “No alternative vote”) was undertaken by the same people who drove the leaveEU campaign, they used remarkably similar tactics too. “AV will cost £250m, that should fund our army!” And such.

https://images.app.goo.gl/Z4GP93UTWMgaVmLQ6

I mention it because it was funded by the same conservative donors. So the Lib Dems lost both ways.


[flagged]


> The Liberal Democrats are still actively fighting against the historic Leave vote which means they cannot be trusted as they don't respect the people's will.

They're the only party that are, instead of 48% of the population being left behind they're actually supporting them. Regardless of your stance on brexit being a good thing or a bad thing there are certain facts that are being ignored. One of which is that "brexit" is a nebulous concept which keeps changing depending on the direction of the wind. I distinctly remember all prominent leave politicians saying we could stay part of the single market. Now they say that was never the plan. This is treating the UK population as intellectually bankrupt.

I'm not saying there's no reasons to _not_ back the lib dems, they've never truly held the chalice so we can't necessarily trust everything they say, it's easy to make such promises when you have no chance of actually winning or have dealt with the realities of ruling.

But perpetuating the "will of the people" meme is incorrigible considering that even the referendum that took us into the EU was followed up with a confirmatory referendum 2 years after.


> But perpetuating the "will of the people" meme is incorrigible considering that even the referendum that took us into the EU was followed up with a confirmatory referendum 2 years after.

That was the EEC, a dramatically less powerful and important collaboration which has morphed gradually into something that would be unrecognizable to those who voted in the affirmative to join the EEC.

Furthermore, that was some decades ago; there has since been born a whole generation of people who are now legal adults, and a similar number of people have since passed away. A referendum of that vintage, on the topic of a substantially different organization, is surely less relevant than a recent referendum with a clear morally (even if not legally) binding result, on the current organization.

P.S. maybe it's not great to paint people as “perpetuating the ‘will of the people’ meme” rather than simply being of the opinion that the referendum represents the will of the people.


My point wasn't about what the previous referendum was regarding, just that it was necessary to have a confirmatory referendum back then and it's somehow the worst thing ever when a confirmatory referendum is insinuated now. I believe a minority of people (even up to 40% potentially) feel like they'll be robbed of a "win" if the vote is put to the people now. And thus are incredibly defensive of anyone being allowed to vote again.

It's also a tangentially related point but the referendum was organised when Glastonbury was happening and since the demographics state that young people tend towards remain, and they were essentially denied a vote. Since 34% of all people didn't vote, and it's such a slim majority I don't buy the argument that it's "the will of the people", it's the will of some people, and it has polarised the country.

The fact is that people didn't actually know what they were voting for, everyone had a different version of brexit in mind, most were absolute fantasy. There are a lot of people who are anti-EU due to decades of defamation by ruling parties and our mass media.

Regarding my last point the EU had to set up a site to defend itself, but, as you likely know: disinformation is hard to counteract.

https://blogs.ec.europa.eu/ECintheUK/euromyths-a-z-index/

My statement about "will of the people" being a meme follows directly the definition of memetics:

> Memetics describes how an idea can propagate successfully, but doesn't necessarily imply a concept is factual

People are always saying it's the will of the people but they're unwilling to possibly have another referendum, they're unwilling to accept that people have been lied to, and they're unwilling to accept that brexit as described has changed.

Here's all the prominent leavers saying we would stay in the single market if people voted leave:

https://www.youtube.com/watch?v=0xGt3QmRSZY

So it's not fact, but it's a soundbite that gets repeated ad infinitum.


If you don't vote it is taken that you aren't bothered by the outcome. There are plenty of ways you can cast your vote in the UK, this includes postal vote or nominating someone else to cast your vote. If someone didn't vote because they were at a music festival, well, they could have voted using an alternate manner.

The turnout for the vote in 2016 was very high compared to a general election. Some say the highest ever.

This idea that it isn't the will of the people is I feel just sour grapes.


[flagged]


Please don't take HN threads further into flamewar. This comment is a noticeable step in that direction. Also, the site guidelines ask you not to use allcaps for emphasis. Would you mind reviewing them?

https://news.ycombinator.com/newsguidelines.html


There's a high premium here placed on civility, even if sometimes enforcement can seem... not exactly equal.

Nonetheless, you'll have a better time on Hacker News with less accusatory and loud tone. Your points lower down in this reply are spot on, but because of the "ASCII YELLING" and accusatory tone, it'll probably remain flagged (only visible to people who specifically turn on a feature to view flagged replies).



