UK Politicians Disapprove of DNS over HTTPS (DoH) (twitter.com)
78 points by edward 64 days ago | 53 comments

I'm guessing that almost every user of HN believes the opinion stated in the article is ignorant / stupid / misguided. I also believe that it's ignorant on so many levels, and whilst I particularly take issue with the "think of the children" angle of the article, I find it nevertheless interesting that people do think this way.

I've spoken with friends and family members on numerous occasions about basic privacy topics, and they're often met with complete apathy. The "this endangers our children" rhetoric - though misleading - arguably does have some logical foundations. A Government who is able to watch over its citizens could in theory protect them better. It reminds me of the WhatsApp E2E encryption debates in the UK of a few years ago, shortly after the attacks in London.

I guess it's incumbent on us as technologists to not merely laugh and scorn at these comments, but to acknowledge that these things have consequences, positive and negative. We need to present the under-represented positives - and at times I find this particularly hard without feeling / coming across as tin-hatted.

Edit: Just on that last point - I'd love advice if anyone can provide some :)

A classic problem with end-to-end encryption backdoors is that most of the time there is no benefit to users or software vendors to offset the cost and risks they must take on to provide law enforcement access. I can think of just one exception, which is identity based encryption, which allows e.g. email addresses to be used as public keys. IBE requires a master secret key that is used to generate the private keys associated with each user's ID, and therefore has an inherent backdoor, but at least the users can benefit from the reduced complexity of key management.

For the most part backdoors require some kind of central coordination, so there are situations where it is basically impossible to support one. HTTPS is a good example: anyone can run a web server and there is no permission or coordination needed to do so, and so HTTPS backdoors would be difficult to create (otherwise I cannot run my web server without coordinating with whatever authority controls the backdoor, or I cannot run a secure web server without such coordination). That is what the conversation is really about: whether or not we are willing to sacrifice the most useful and valuable aspects of the Internet's design (distributed, loosely coordinated, no-permission-needed), or do without security and hope for the best, for the sake of a law enforcement backdoor.

I just realised that there might be an actual, political need for something as brittle and theatrical as DNS blocking, and probably of other things similar, because there are large masses of untechnical nature for which it really works.

Of course, we know DNS blocking doesn't fix anything. It's like putting the bad thing in storage and switching off the light. We know that nearly anyone can route around a blacklist-employing name server in seconds, but it's all the people but those "anyone" who can't.

And they probably think it's a really good idea. The general masses don't have to worry about accidentally bumping into dubious content, and it also raises, to a conscious level, the bar for those who want to bump into it. I mean, if you have to specifically install or configure things to work around the DNS block, you've just validated your questionable intents.

For most people, that probably makes sense similarly to a signpost at a closed gate that says "Private yard / No pass through". Yeah, undoubtedly some people will open the gate and try to make the shortcut through the yard but at that point it will be clearly intentional. It's just that the externalities of DNS blocking are infinitely higher than blocking pedestrian traffic through a private yard, and no common people see that.

The rational counter-attack must thus focus on what would be a better alternative rather than how DNS blocking is flawed by design. How to prevent families from accidentally finding themselves looking at child porn, or to make it difficult for uncle Ed to watch naked kids on internet late in the evening while still preventing the ISPs from MITMing the DNS queries for everyone else?

The masses are free to opt-in to babyNet. They can use a SafeDNS provider. It can be zero-touch even. Just push a DNS / DoH resolver through DHCP for the customer. (IETF RFC is coming for DoH provisioning.)

But let the default be safe.

Of course this is usually a foreign concept to laypeople.

But to address the "accidentally CP" argument. How does that happen? You have to "accidentally" type something into Google/Bing/Yahoo and then click through. Or you "accidentally" have to start somewhere. And if you go to any for profit pornsite (camsites, streamsites, blablabla), or even just a porn subreddit, or type porn (or some explicit search terms) into a search engine.... you don't get to anything illegal. Why? Because that's bad for business.

So ... it seems like a perfect excuse. It maybe worked for the first closeted gay senator/representative... but never since. So why are we still talking about it as something that "accidentally" happens?

>How to... make it difficult for uncle Ed to watch naked kids on internet late in the evening

That's already illegal, so uncle Ed gets prosecuted like any criminal.

That is a solved problem which requires no technical or legal changes.

100% agreed that this is a less black-and-white issue than many in the HN demographic make it seem to be.

I'm not saying they are equivalent issues, but I do see a lot of parallels between the arguments made for/against weakening encryption and those made for/against gun control. It makes it tough for me to find a logically-consistent viewpoint on both that I feel good about.

The only valid argument I've heard against DNS over HTTPS is that it makes it harder for institutions / companies to block other DNS servers than their own internal ones because they simply can't just drop port 53 traffic anymore. This was brought up to me in the context that many universities enforce their own DNS servers to help block malware from being able to phone home or filter access to malicious IPs in general.

I guess in theory, this could still be accomplished by filtering based on IP - a whole other cat and mouse game. Although, it's not like it wasn't a cat-and-mouse game before - you could bypass these blocks by running DNS on non-standard ports unless some form of DPI was being performed.

There are plenty of valid arguments against DoH. If DoH becomes common, it most likely will resemble the situation with DNS resolvers we have today. Meaning, there would be the eternal problems inherent to centralization. I.e. both that the centralizing powers would have enormous power to disappear something off the internet, but also that the central servers would receive huge amounts of constant real-time data of what everybody was doing.

We need something to encrypt and authenticate DNS, but that exists in DNSCurve. The problem with it is that it doesn't try to hide what it is, so an adversarial middlebox can detect and block it to try to force you to use their own DNS.

DoH is an evolutionary response to that, because it looks like HTTPS to Cloudflare, which is difficult to reject. And that's terrible for a lot of reasons (inefficiency, complexity, centralization), but it solves the local interference problem. Which means that's what we're unfortunately going to end up with unless we can solve the interference problem another way, i.e. make intermediaries understand that they're going to lose anyway and it's better to allow unmolested UDP DNS/DNSCurve to the endpoint's choice of recursive resolvers than to have everything using DoH to Cloudflare.

There are two available courses of action. Option one: We embrace something like DoH in order to avoid any possibility of blocking and detection. But you then have no simple way to back out from centralization if/when centralization (almost certainly, IMHO) slowly becomes a problem. Monopolies and oligopolies are hard to break once formed, and absolute power corrupts absolutely. Option two: We use DNS like always to avoid problems with centralization, and adopt a secure DNS protocol to avoid spoofing and unauthorized monitoring. If we do this latter thing, and detection and blocking does become a problem (and it might), we can always add some additional layer of security, like HTTPS tunneling, on top, which avoids it. We could even, if it became absolutely necessary, centralize after the fact; but this way, we can avoid it until it would become necessary.

I would prefer not to centralize things in advance, just in case a certain problem develops. I would instead prefer to keep it de-centralized as long as possible, and solve individual problems as they actually occur.

I would also prefer DNSSEC and DoT over DNSCurve, and I would suggest IPsec with opportunistic encryption to be a more pure goal than to tunnel everything over HTTPS, but my preferences in protocols are not important to any of these points, and we don’t need to argue about that.

We're already there. There are already ISPs in some parts of the world redirecting DNS queries to any DNS server to the ISP's DNS server, which gives invalid responses to queries that authenticate the DNS server (DNSCurve) or invalid responses to queries it can read and wants to block (DNSSEC), either of which is an effective denial of service attack. Which drives adoption of ugly DoH.

The root problem where the centralization comes in (because you could actually do DoH to something that isn't Cloudflare), is that you need to trust someone to faithfully and completely answer all of your DNS queries without dropping any of them or sending invalid responses for queries they don't like.

That used to be your ISP, and we had a decentralized solution as long as the ISPs would faithfully answer all queries, but what happens when they don't? You need someone else. "Let everyone choose for themselves" is a theoretical answer, but in practice the average person doesn't know anybody who runs a public recursive DNS server, and Google and Cloudflare are easy and "free", so everybody will end up on them. To prevent that we need ISPs to stop interfering with DNS.

This seems like an authoritarian argument rather than cybersecurity. It’s hard to say what’s a valid or not valid argument, but I think if a university is trying to limit malware, then blocking DNS won’t do too much.

No. Institutions are fully capable of doing whatever filtering they wish. They always were and always will be. Period. Full stop. Howgh.

They can and should secure their network, watch out for data exfiltration anyway, etc.

They should disable every kind of network traffic that does not go through their auditing/filtering proxy (HTTP, DNS, SMTP or whatever).

If they want to support bring-your-own-device, great, configure said devices, set up proxy-auto-configuration, hand out "how to set up your device to work on corp-wifi" flyers, and in general, they have their IT team, let them work and they will figure this out.

The old way of just MITM-ing was always bad for at best it was/is lazy, but in reality it's quite unprofessional and counter-productive for security.

Just out of curiosity, though, how could I block network traffic that did not use a specific DNS server to progress? Even on public wifi, like Amtrak, where I am required to use a captive portal on first connect before anything can be done, I can, after accepting their TOS, re-load dnscrypt-proxy and be back on my merry way. In addition, some things don't even need DNS to function at all (what if I memorized the IP? What if the IP is hard-coded in?)

They could probably say "drop all requests to, etc." but nothing is stopping me from running my own DoH resolver that they would have to manually scan for.

They could always just have a whitelist or force you to use their TLS cert so they can decrypt everything, and they'd just block anything that they can't filter. If they're using a whitelist and you need to access something, they check it out and add it to the whitelist if it seems reasonably secure.

That being said, I absolutely hate all the filtering crap, so I actively avoid working for any company that decides it needs to see everything I'm doing online.

>I actively avoid working for any company that decides it needs to see everything I'm doing online

So in the interview, you actually ask, "do you have a filtering proxy to monitor workers' internet traffic?"

> The deployment of the new encryption system […] could […] expos[e] millions of people to the worst imagery

Not really. It is difficult to accidentally encounter these kinds of images because they are so illegal, and for those who are trying, rudimentary ISP DNS blocking is not going to stop them when Tor exists.

Ah, the good ole “Think of the Children!” propaganda. What a lazy excuse. It’s like they didn’t even try.

The beauty of this plan is its simplicity and effectiveness. You see it time and time again for the simple reason that it is tremendously effective; normal, reasonable people will throw a lot of logical reasoning straight the fuck out the window when it comes to the safety and well-being of their offspring. This is normal and common, and we must learn to effectively counter it, not simply dismiss it, if we are to work against this sort of (again, normal and common and natural) response.


If we as people who are actually knowledgeable about technology and who care about privacy are sick of ignorant and scare-mongering politicians turning the world into a version of 1984, we really have to become more active in politics ourselves, and by doing more than just voting.

You can run for local government, organize, or volunteer, for instance. That will make much greater difference than simply voting or voicing one's displeasure on the internet (though doing both of those can help some too, especially if enough people do so).

This is wrong in so many ways:

  - DoH impacts a lot more than one area: child protection
  - what exactly would be lost?
    - is the filtering effective? No, anyone so inclined can just use a VPN
    - is there another way to achieve this even with DoH?
      Yes: resolve the URL filter hostnames, filter the IPs
  - faulty logic: we do X *with the intention* to stop bad Y, so don't do Z that hinders X

The issue here isn't really about DoH--it's whether the government can unilaterally decide that freedom of communicating privately is not a right.

Now let's see what's right(?) about this?

  - good political move to back something emotional people can agree with
    vs. something technical that most don't put in effort to understand privacy+tech
  - government seen as governing: good
  - sensational news, increases positive awareness/brand

I think the last point is key, technology has come up fast and most governments are not up to the task of understanding and making good decisions. The best they can do is try to look like they're doing good and try to maintain some control in the hopes that it will result in the ability to stay in power. It would be like if a non-technical CEO of a corporation was in charge of all the security policies for their products.

Whenever these types of issues come up in the media, there are two concurrent discussions: one among those who understand the tech and its implications, and the rest of the population that reacts by proxy signals. Somehow these groups need to be connected without a distortion of the message.
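Two comments above (the university blocking port 53 and filtering by IP instead, and the list item "resolve the URL filter hostnames, filter the IPs") describe the same fallback, so here is one added example of it, written for this thread and not taken from any commenter: it resolves a hostname blocklist into IP drop rules and flags addresses shared with names you do not intend to block, which is the over-blocking half of the "cat and mouse game". The hostnames, addresses and `fake_resolver` are constructed so it runs offline; `render_nft_sets` emits nftables syntax.

```python
"""Hostname blocklist -> IP filter, with a collateral-damage check.

Constructed example for this thread, not code from any commenter or
project. The resolver is injected so the module runs offline against a
hand-made answer table; in a real deployment you would pass a function
that wraps socket.getaddrinfo or a dnspython Resolver instead.
"""
from collections import defaultdict
from ipaddress import ip_address
from typing import Callable, Dict, Iterable, List, Set, Tuple

Resolver = Callable[[str], List[str]]

# Constructed DNS answers. blocked.example shares an address with
# shared-host.example (CDN / shared-hosting pattern): that is the
# over-blocking risk an IP-level filter has to surface before deployment.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "blocked.example": ["198.51.100.10", "198.51.100.11"],
    "mirror.example": ["203.0.113.5", "2001:db8::5"],
    "shared-host.example": ["198.51.100.10"],
    "ok.example": ["192.0.2.77"],
}


def fake_resolver(name: str) -> List[str]:
    """Stand-in resolver: answers only from the constructed table."""
    return FAKE_ANSWERS.get(name, [])


def build_ip_filter(
    blocklist: Iterable[str],
    known_allowed: Iterable[str],
    resolve: Resolver = fake_resolver,
) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Resolve every blocklisted name and return (drop_ips, collateral).

    drop_ips:   addresses to filter, sorted by family then numerically.
    collateral: ip -> allowed names that also resolve to that ip, i.e.
                what would break as a side-effect of dropping it.
    The caller decides whether collateral is acceptable; this function
    only makes it visible.
    """
    blocked = set(blocklist)
    owners: Dict[object, Set[str]] = defaultdict(set)  # ip -> names
    for name in blocked | set(known_allowed):
        for raw in resolve(name):
            owners[ip_address(raw)].add(name)  # raises on garbage answers
    drop = {ip for ip, names in owners.items() if names & blocked}
    collateral = {
        str(ip): owners[ip] - blocked for ip in drop if owners[ip] - blocked
    }
    ordered = sorted(drop, key=lambda ip: (ip.version, ip))
    return [str(ip) for ip in ordered], collateral


def render_nft_sets(ips: Iterable[str]) -> str:
    """Emit nftables set definitions (v4 and v6) plus a forward-chain drop."""
    v4 = [ip for ip in ips if ip_address(ip).version == 4]
    v6 = [ip for ip in ips if ip_address(ip).version == 6]
    lines = ["table inet filter {"]
    if v4:
        lines.append("  set blocked_v4 { type ipv4_addr; elements = { %s } }"
                     % ", ".join(v4))
    if v6:
        lines.append("  set blocked_v6 { type ipv6_addr; elements = { %s } }"
                     % ", ".join(v6))
    lines.append("  chain forward { type filter hook forward priority 0;")
    if v4:
        lines.append("    ip daddr @blocked_v4 drop")
    if v6:
        lines.append("    ip6 daddr @blocked_v6 drop")
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    ips, spill = build_ip_filter(
        ["blocked.example", "mirror.example"],
        ["shared-host.example", "ok.example"],
    )
    for ip, names in spill.items():
        print(f"WARNING: dropping {ip} also blocks {sorted(names)}")
    print(render_nft_sets(ips))
```

Re-run it on a schedule: the answers change under you, which is the other half of the cat and mouse game the comment mentions.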

There are many technologies which are double-edged swords.

Encryption can keep things which need to be kept secret safe. It can also keep things which ought to be made open safe.

Anything can and will be abused by people who want to use it to hide what they are doing. That includes criminals.

But if every history-changing invention could have been stopped because of the potential of abuse, we'd not be where we are today.

The premise that needs to be fought is the suggestion that there can be no such thing as a private conversation.

Their own letter undermines the very point they’re trying to make.

They say “there 144,000 internet users [ed: from where in the world?] on some of the worst dark-web child sexual abuse sites”.

Dark web. Tor. Not impacted by DNS over HTTPS whatsoever.

Well, that's alright.

The UK disapproves of UK Politicians.

Need a source? Course you don't[1].

[1] https://www.ipsos.com/ipsos-mori/en-uk/politicians-remain-le...

They can't even bloody solve basic stuff like building houses or you know, that EU thing. DNS over HTTPS is probably down there with encouraging uptake of Klingon.

While DNS over HTTPS has benefits, we should really be looking into distributed or p2p DNS.

While DoH has benefits, the way Mozilla and Cloudflare propose to get it deployed is mostly detrimental to privacy, merely leaking and centralizing everyone's data to another party.

Seems like decentralized overlay p2p networks are becoming the only way to ever get privacy on the internet.

Ethereum Name Service

DNS is already distributed...

Resolvers as used in practice, particularly DoH as in this context, are fairly centralized.

It's hard to be worried about any new legislation coming out of a parliament that has been hard at work the last few years, showing that they wouldn't even be able to organise a piss up in a brewery.

1. Now if someone says something is broken, I look at nsswitch. I dig.
2. If they build this into the browser, I hope there's a button for end users to beg the Mozilla Foundation for help when some web page doesn't load.
3. Personally I'm fine with it. cloudflared is an acceptable way to roll this together with the rest of name resolution.

But actually now already people can hide behind SOCKS5. DNS and all. Just that people usually don't use it.


They can fight it on the basis of censorship, and I'll support them on the basis of a decentralized Internet that does not rely on some folk who leaked private data all over the Internet a few years ago.

Fuck DoH. It's political and technical centralization under the tired old banner of "freedom!" when reality is absolutely the opposite. It'll be abused in a heartbeat the moment it has majority share, assuming folk like CloudFlare don't already have people working full time on how to profit from the data, or formulating policies on which sites they shut down that they never hosted in the first place.

If you're new to this game, it always progresses the same tired old way:

- it's optional, you don't need it, but if you use it your life will become 1000% better and starving orphans in China will learn about democracy

- we're using it for just this one particular service you might need it for but it's fine because that particular service is totally optional and you have a "choice" between 3 vendors who all accidentally depend on this new thing, because they're all playing the same game

- we rolled out a new feature but it's only available to newer clients, you probably genuinely do need this feature, and the choice to avoid the new service seems to be less and less appealing

- we don't have people working full time on the older product any more, and it's full of bugs, and we're struggling to support it

- we've made some commercial agreement you weren't expecting that interacts somehow with our adjusted position thanks to the new service. somehow you've become the product without any warning, but you're so far down the river it's much less effort to stay put than try to undo becoming the product

- we've encountered a bug and made a huge negative PR fuss around the old service. it's officially insecure and you will catch cancer if you continue using it

- [3 months later] we're deprecating the old service

- [1 year later] captivity achieved

"An enemy of an enemy is a friend."

As someone who uses HOSTS files and DNS-level blocking/MITM proxy on my network to control what gets to my endpoints, I like how you think.

There are FOSS DoH servers, and you're welcome to run your own, with a free cert from Let's Encrypt. You could easily run a logging-free DoH server for anyone to use, also. There's no lock-in here, and I can't see any way that lock-in could be introduced later, either.

Society is only one Android release away from most consumer traffic metadata being tunnelled by default through a new instrument of political policy, thanks to a company who not so long ago wouldn't even let you select which _search engine_ you used. Do you really suppose the same company will start adding URL input boxes to their initial setup screen? If they even put such a text box in the settings, what percentage of users would actually customize it?

So the effect is not just the local mobile telco's DNS would be subverted, but every mobile telco's DNS, and if you tried to explain what's happening to the typical person it impacted, they'd give you a puzzled look before promptly switching the topic to last night's football game. Thankfully this is a completely fabricated scenario and there is no possibility whatsoever it could even remotely play out.

Given this one scenario, what value or weight does a single bearded guy's raspberry pi stashed in a closet have when it comes to worldwide DNS policy? I wonder how resilient a site like The Pirate Bay would be given an environment where DNS filtering is suddenly under the majority control of a tiny handful of companies all under American or western ownership. But DoH of course is about freedom, not about censorship. It's about preventing censorship, right!

(Apologies for the style of reply -- these are obviously not genuine questions)

edit: these unexplained downvotes are fascinating

I suspect there is support for what you are trying to say. However your communication style is unclear (especially the overuse of sarcasm and rhetorical questions) and you don't actually try to support any of the points you do make. I don't see it as a positive contribution to the conversation so I downvoted you.

I hate CloudFlare as much as the next guy but you can change the DoH server, can't you? I hope Firefox will expose the option in the interface and not in about:config. But we all know how Mozilla are...

You appear to have jumped to step 2 in the masterplan, and completely skipped step 1. It's not even mandatory yet, but when it is, the choice will be between N<10 providers, most of them almost certainly American companies.

Why would DoH become mandatory?

I can't see into the future, unfortunately, but you're welcome to bookmark the parent comment and set a calendar entry to compare it with reality about once every 6 months. It's possible to speculate, though. Google have been engaged in open war against ISPs for most of the past 10 years; it is in their every interest to commoditize the pipe between the consumer and the datacentre as far as possible. Removing DNS from the link is eliminating another source of risk.

For Mozilla, I'm not sure, but they often follow Google's lead, and there is a strong case for Google to go that route.

In any case, if it ever starts defaulting to on in any browser, it's very likely the others will follow suit, as it's easy to imagine quite a lot of PR around the security benefits of the brave new world.

That’s sort of a reason to like it, even if the general everything-is-http approach to these problems annoys me.


Rofl, politicians are not very well informed. The gov already can see all traffic generated in DoH due to a built-in flaw that is waiting to be fixed, which I have no doubt will be "fixed" with open access built in as normal.

dnscurve never made an impact unfortunately :(

For those who disagree with the position taken in the article: Out of curiosity, what would you do to deal with online child pornography instead?

That’s an insane argument that will just be continuously abused to erode privacy until everything you do is under surveillance by the government.

Oh you’re against DNS over HTTPS? Oh so you want our children to be abused? You’re for encryption? Sounds like someone doesn’t care about child porn. Oh you won’t share your password with the government? Hiding something?

Do the same thing you do for other illegal things: throw the law at the people hosting them, and if those people are international, use good ole diplomatic levers to get the countries in question to shut them down.

Look, child pornography is deeply troubling, but so are lots of other things in life that people don't call for mandatory, obtrusive government censorship to prevent. The mandatory DNS blocking to prevent child porn is not particularly effective. In non-technical terms, DNS blocking is effectively the same as taking down the sign on the front door: it doesn't prevent anyone from getting to it, if they know where to look, and even people who might trap unwitting visitors into traveling to these sites can still do so (you can use IP addresses in lieu of domain names in links).

Indeed, if you know the DNS addresses of places to avoid, you actually know enough information to take more proactive action: for example, you could mandate that the IP addresses these sites use (or even the ISPs who host them!) are made to be unreachable, which would make it much, much more difficult to actually access these sites. Blocking only the DNS address is pretty much doing the barest minimum to look like you're tackling the problem.

First step would be to stop creating an environment where discussion of the issue can't even happen. Blocking content featuring the sexualization of children from spreading is a good goal, but a better goal is to prevent it from being produced in the first place. We need better ways of making that happen, including providing ways for those who are mentally ill and want help overcoming it to get it. It's not an easy problem to combat and there probably will never be a perfect solution, but instantly losing all semblance of rational thought at the mere mention of the subject isn't helping much.

Stop routing traffic to/from ASes that host child pornography.

I mean, this is not about some deep darknet stuff or Tor hidden services (where DNS filtering would not be effective anyway), so my question is why isn't the government able to shut these sites down? And if the sites are hosted on an uncooperative ISP then I think dropping the traffic is an appropriate response.

As others have mentioned, if you know enough to make a blacklist, you know enough to go after the sites that host it. Better yet, instead of playing whack-a-mole with blocking sites (it's incredibly cheap to get a new IP/domain), go after those who make it (set up a sting and arrest a ton at once).

If a site is in another jurisdiction, you can still distribute a list of sites to ISPs, and ISPs can report suspicious activity to the police (so they can get a warrant for closer monitoring).

If you block it, you just alert people to which sites are more likely to have illegal content, which can encourage them to access it through other means (VPN, Tor, etc). I honestly don't see any real value in it from a practical perspective, and the only real "benefit" is it gives the government an excuse to add other stuff to the list it doesn't like.

First step: stop using a nuclear warhead to kill a wolf. The only worse thing to do would be to destroy humanity, so child pornography will be permanently dealt with.
