I'm sure that many countries will block Amazon, Google and whatever else if needed. It won't end censorship, it would make life of ordinary people there even harder.
The idea here is, quite obviously, that blocking these services, plus everything that runs on their cloud infrastructure, is too high a price to pay.
That mechanism is well established, if only by these governments previously being unable to just ban internet access outright, even though it was universally perceived as a threat to their control on the flow of information.
But, if they do, they have a tougher sell. They might get away with ”we’re just protecting you from certain sites we deem harmful, and we’re thorough with your best interests in mind” when they block specific sites. It requires a far more gullible public to pull that off if it’s more than half the Internet.
> Currently, SNI in TLS 1.2 has a flaw that allows censors to differentiate between a “real” service and a “fake” service if they are savvy enough to figure it out. Interestingly, SNI in TLS 1.3 fixes this problem by hiding all of the information about the service behind encryption.
That was my thought reading the article. https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-03 indicates this is not a solved problem for TLS 1.3, and the key in DNS solution is still in the experimental phase (though compatible with TLS 1.3)
> If Google Cloud, Amazon Web Services, and Microsoft Azure allow domain fronting with TLS 1.3, censorship countries like China are faced with a binary choice.
This sounds inaccurate to me. If encrypted SNI is applied, the middleman should not be able to figure out which domain you are connecting to, without interrupting the connection. Domain fronting is a technique for prior TLS which you had to disguise the hostname.
Encrypted SNI isn't a feature of TLS 1.3. The article never outright says that it is, but it manages to give that impression.
It was a desirable feature, but it wasn't delivered even for the final drafts at the top of this year, let alone back in 2016 when TLS 1.3 was originally thought to be finished.
The TLS Working Group is going to adopt it (consensus at IETF 102 and on the mailing list was to adopt) but there's a LOT of work needed before Rescorla's rough sketch turns into something you'd want to actually deploy to millions of users.
Here's the email about adopting (Joe is one of the WG chairs) Rescorla's draft.
Note that this is nowhere close to a finished feature. They're not sure whether to do DNS TXT records, whether this should live in a SRV record, some new DNS record (DNS Ops doesn't like TXT, but real world DNS services often don't have fancy new records for years because they're crap). They're not even sure if this should be two documents (one about DNS, one about how you use the keys which you presumably got from DNS) or just one.
Because TLS 1.3 doesn't always (today never) encrypt SNI, a middleman could just insist on refusing connections with encrypted SNI. This becomes a staring contest - do the browsers deploy this anyway, and risk losing customers in places where governments have deployed a technology to prohibit it, or do they blink and hide it in some "Privacy" feature no ordinary users will ever enable.
This article is unfortunately inaccurate. TLS1.3 does not include encrypted SNI. Encrypted SNI is still being worked on by the TLS working group, and isn't in a deployable state.
Thanks for the heads up. I've made some proxy software that routes on SNI. If TLS1.3 drops SNI then I feel like that will accelerate ipv6 adoption because we're going to need a shitload more IP addresses.
TLS 1.3 still has SNI. SNI still transmits server names in the clear, just like always. This enables e.g. blocking a specific hostname without blocking an entire CDN, particularly now that CDNs are trying to stop domain fronting.
Some people were working on encrypted SNI during TLS 1.3's development, so that TLS could encrypt server names sort of like how it encrypts all later traffic. Encrypted SNI didn't make it into TLS 1.3.
Without SNI the only way for a client to talk to this.example rather than that.example over TLS and thus HTTPS is to give this.example and that.example different IP addresses. There aren't enough addresses to plausibly do this in IPv4, but in IPv6 there are plenty (except in some unusual corner cases)
Indeed and I remember the bad old days of burning /24s for IP based virtual hosts in order to provide TLS. our current IPv4 exhaustion was the part I was missing. Cheers.
Sure. If you are a CDN right now you can host multiple customers on one ip. If you are using TLS there are 2 ways to do this:
1. Have a big SAN cert with lots of names.
2. Use SNI to select the correct certificate for that client and route to the correct customer config (and therefore correct origin)
If SNI didn't exist we'd be back to the bad old days of every TLS site requiring a dedicated IP. As ipv4 exhaustion has gotten worse this has gotten more expensive. However if we're using ipv6 then hosting N listeners for N ip addresses, each with their own dedicated cert, is much more scalable.
I believe this article is talking about domain fronting, not the use of encrypted SNI. With domain fronting, you connect to one service, say, amazon.com and put amazon.com in the SNI field. However, once you have a secure connection, you then tell Amazon that you really want to talk to some other website and Amazon routes the connection appropriately. To an outside observer, however, it just looks like you are talking to amazon.com and the only thing that can be done to stop this would be to block all the servers that handle that site.
Seeing how search results are being censored in “free countries” due to things like the DMCA and The Right To Be Forgotten, maybe we shouldn’t look to private companies to fix this issue.
As far as I know, there is no law in Western countries prohibiting domain fronting, so it's not really comparable. What's probably more relevant is Google changing its mind, and deciding it wants to run a censored mainland Chinese service.
This is such a great point. Plenty of censorship here and there laws were written all they could be really abused with impunity (ex: DMCA takedown notices in the court cases facing Cox/Comcast).
That is a totally different issue. This is about ISPs and governments snooping on your browsing, not taking sites down or removing them from search results.
Correct me if I’m misreading, but the link is to a blog post entitled “...an Opportunity ... to End Censorship”. ISPs and governments snooping on your browsing is surveillance, not censorship. Taking down sites and removing them from search results certainly is censorship.
That's the UK government explaining how it's going to enforce a worldwide requirement for Age Verification on all sites with (what it considers to be) pornographic material.
Now regardless of whether you think this policy goal makes any actual sense, or whether a potential regulator would even try to do more than clamp down on UK porn companies that don't do age verification, the mechanism described has two halves to it:
1. UK ISPs voluntarily block non-complaint sites in DNS
2. Hopefully everybody uses their ISP's DNS servers
Why doesn't it say the UK government will make every ISP run all connections through a government-owned proxy to enforce these rules regardless of DNS? Because that would cost an eye-watering amount of money and "We had to raise taxes by 10% for our anti-pornography law" is a guaranteed vote loser. It would also be ineffective but let's see them spend that money first.
It has nothing to do with money. Setting up a DNS like that would not even require raising of taxes by 0.1%.
The reason is that the law is only a political battle. Once the battle and the marketing are over non of this law or how it is or is not implemented. At best you get a bunch of bureaucrats in place that monitor these things and write a report every so often. Those will be ignored until some politician is again interested in fighting this battle.
Encrypted SNI is great for individual privacy but terrible for business/corporate security.
At the moment it is possible to MITM proxy (without the possibility decryption) to inspect the SNI and determine if the host is allowed, and if so the proxy does its own IP resolution and transparently proxies/forwards the TCP traffic. Ie it never engages in the TLS session. This is useful for restricting access from a LAN to services hosted on large cloud provides like AWS, GCP, etc where fixed IPs are not available (well, the third party service/website elects to use a CDN/load balancer/etc without regard to the full security impact).
A good example is PCI DSS and the payment card LAN. You should firewall and lock down so devices can only communicate with necessary services. Along with actual payment services, these LANs often need to allow access out to third party loyalty systems, digital receipt systems, etc that are cloud based.
With Encrypted SNI this won’t be possible to do securely anymore. A full MITM TLS decrypting proxy with explicitly configure clients will be required to ensure the encrypted SNI isn’t changed to a malicous host to eg upload captured payment data to. That’s a lot more overhead both in:
1. Configuring clients to use a proxy and custom CA (let’s hope all the various third parties apps support proxy setup and custom CAs, and no cert pinning!)
2. Running a proxy that now it has to do full decryption and encryption (to make sure you aren’t messing with the SNI and going to a host you shouldn’t).
Of course I don’t expect businesses to these lengths until there has been a serious breach exploiting encrypted SNI. Even then I don’t know which side will take action (or if neither side will)— merchants installing MITM proxies (unlikely), or third party service providers ditching load balancers and sticking to fixed IPs on their cloud hosts (less unlikely).
Aren't businesses that are serious about meeting their legal/regulatory obligations for controlling internet access already using full MITM TLS interception with their own CAs?
Given a malicious actor can register any old domain and get a cert for it very easily, I'm not sure what particular threat blocking TLS connections based just on the SNI is actually protecting you from.
Backside covering at the cheapest possible price is the goal. It's not about whether it achieves the regulatory goal, just whether it gets a check on the list.
The previous iteration of backside covering pondered the unencrypted server certificate, on the rationale that if this is a bad guy why do they have a good guy's certificate.
If you know any cryptography, you are now thinking "But, wait, how does that secure anything?" but you aren't the target customer. The target customer verifies that this blocks them from accessing a "Bad" site in Internet Explorer and they're happy to part with $$ instead of the $$$ it would cost to do full blown HTTPS proxy for every connection.
In TLS 1.3 this server certificate is encrypted. So the (perhaps slightly more untrustworthy) client SNI is pondered instead.
What middlebox vendors would prefer not to mention is that in many cases they also figured TLS re-connections are always safe and can be allowed through. After all, if they didn't let bad guys make the original connection, how could those bad guys re-connect? TLS 1.3 exploited this to be "backward compatible" with such crapware, it says all its connections are "reconnections" so they pass through unmolested...
Think of all the small 1-2 employee businesses / mom & pop businesses etc that take credit cards. They have no dedicated IT person. They’d be lucky to have a dedicated LAN for payments (a PCI DSS requirement). Increasing the barriers to compliance for these people is not a good thing. In practice they will just close their eyes and pretend nothing is wrong, or they will just pay the fine charges by the banks for non compliance— which doesn’t improve your credit card security at all.
You can’t tell all these small businesses they can’t take card payments, and you can’t make an already tough job harder, more complex and more expensive without an associated drop in compliance.
1-2 person businesses are likely outsourcing the entire problem of payment processing (and thus, the majority of the PCI controls) to a 3rd party like Stripe. The only PCI compliance needed then is an annual self-attestation which basically asks "Did you change your router's default password?" and "do you apply patches?" [1]
There may be some mildly masochistic tiny businesses that choose to process / store payment details on their own networks and try to manage all the controls needed for that, but in the presence of so many options for outsourcing the problem, this doesn't seem like a particularly rational decision.
> You can’t tell all these small businesses they can’t take card payments, and you can’t make an already tough job harder, more complex and more expensive without an associated drop in compliance.
This is only true if there are no sane alternatives.
For bricks and mortar businesses Stripe won’t help much, still need a chip and PIN reader on premise.
Square on the other hand does let you outsource the entire problem of physical card payments to them, at the cost of much higher fees, as they are the merchant of record so you don’t need to be PCI compliant at all. Which is a real worry as that doesn’t give me much confidence when buying from a square “seller”.
Their card reader originally didn’t encrypt data, and at least one model that did encrypt could be bypassed via tampering https://www.zdnet.com/article/square-reader-to-card-skimmer-... and while their current hardware may or may not have issues, they display a distinct lack of concern for local device security. Defense in depth is the way to go, but with Square you can put your Android/iOS device onto any WiFi network and without any security on who else is on it. Likewise you can download any random app that may look innocent enough but is full of exploits (eg an app that claims to help you manage a customer mailing list so you can grab signups on the same device as you take payments, or an app that claims to help with inventory levels, etc).
Only services necessary for the business should be allowed in/out. If the service can’t be firewalled by simple IP:port then you are left with having to use a proxy to enforce the access control.
No, it makes no practical difference to "business/corporate security" but it's terrible for lazy and incompetent people who wanted to look as though they were effective.
The "full MITM proxy" you mention is, and always has been, the only defined way to make this work. The cheaper, half-arsed solutions you describe earlier cause everybody else pain (socialising costs while privatizing profit) and often don't actually deliver any meaningful security, they're just theatre.
Corporate TLS Middleboxes are the TSA screening of the Internet's security. Everybody knows they're there, everybody complains at the inconvenience, everybody ends up paying the price indirectly, and they claim they're very effective. But independent measures suggest they're basically entirely pointless.
Which independent measures do you refer to? This is for non-decrypting MITM proxies that only use the SNI to validate they are going to the right domain and proxy the TCP data between the two. What’s the attack vector?
How so? If I as the MITM (non-decrypting) proxy intercept the request, look at the SNI to ensure it’s on my whitelist, and then do my own DNS lookup and open my own TCP connection to that IP and relay the traffic between the two, what’s the attack vector?
I agree that whitelisting only "known good" IP addresses (supposing for a moment that there are such things) achieves your goal of preventing bad guys from non-good IP addresses communicating. I observe this has nothing whatsoever to do with TLS.
I'll base my response on your description of how you think this device would work rather than your confusing term "MITM (non-decrypting) proxy".
A1. Alice sends a TCP SYN to 1.2.3.4 port 443 Presumably you intercept this, and synthesise the appropriate SYN-ACK pretending to be from 1.2.3.4 port 443 which Alice ACKs
A2. Alice sends an SSL/TLS ClientHello. It has some parameters you may not understand, and a SNI which says good.example which is on your whitelist
A3. You DNS lookup good.example, the response suggests 5.6.7.8, so you TCP connect to port 443 of 5.6.7.8 and play back Alice's ClientHello and try to stitch things together in your NAT layer.
Meanwhile
B1. Bob sends a TCP SYN to 9.8.7.6 port 443 Presumably you intercept this, and synthesise the appropriate SYN-ACK pretending to be from 9.8.7.6 port 443 which Bob ACKs
B2. Bob sends an SSL/TLS ClientHello. It has some parameters you may not understand, and a SNI which says bad.example which is NOT on your whitelist
B3. You drop or reset Bob's connection, he cannot connect.
Commentary #1: With the imagined comprehensive whitelist AND a following tail wind this doesn't give you anything better than just whitelisting the IPs in a conventional Firewall. Why spend all this extra money? Why involve TLS at all? It's complicated, but what for?
Commentary #2: This ClientHello may not work when redirected to some other IP address. In reality there's a good chance you just cause a fallback and things are pointlessly slower, but in principle it may just not work at all.
Re commentary #1, it is due to websites being hosted on ever changing IPs such as with AWS and GCP allowing them to fire up additional resources easily, or using a fronting load balancer, or even a DDOS protection tool like CloudFront. In these cases only the domain name is known in advance by the intercepting firewall. It can’t get this info via reverse lookup on the requested destination IP (nor should it; reverse dns doesn’t always work and performance doing this for every connection would be bad).
I’ve also looked at other options, like dns based firewall rules that are populated by the firewall also being the local dns server and so is able to see the resolved IP(s), but if those IPs are to CloudFront etc then it would be granting access to everything else also hosted by CloudFront etc.
TLS SNI is the only way of knowing where the client is trying to reach — short of the expensive and difficult to deploy explicit/non-transparent HTTPS proxy.
Re commentary #2, since all the TLS traffic is going through the proxy, the original request and any subsequent requests would go to the same IP each time.
If you're whitelisting names that point into arbitrary cloud stuff then you're screwed, the bad guys just get themselves co-located so that you'll happily connect to them because hey, this name was whitelisted and so the IP address must be OK.
TLS SNI does NOT tell you where the client was trying to reach, you've made a classic security mistake of assuming bad guys are honest. Honest people will truthfully write good.example and be allowed past, bad guys will dishonestly write good.example, and thereby connect to bad.example on the same IP address and laugh at your ridiculous "security".
Caching all DNS answers for some indeterminate amount of time makes your security story worse, but even if you do this the worst case stands, ClientHello isn't required to work if you do this. It may work today, in fact it probably does, but it may break with no notice, and it'll be your fault.
You are correct that if the bad guy co-locates at the same IP then it is a problem. However that then becomes an issue with the service that chose to host on a shared IP.
For other services that use dedicated IPs but spin up/down machines based on load etc it is still much more useful and secure than running a proxy with a CA that generates fake certificates, especially when you can’t update the trust root of the client device (often the case with embedded devices and those that are managed by the third party service provider)
Attackers can break into legitimate, low security, websites and use them as attack vectors. It's often easier that attacking the target directly and it's been done for decades.
Also, botnets uses legitimate services to rely C&C traffic. Forums, pastebins, github gits, IRC and email gateways, VMs on AWS and other cloud services...
In my original comment I referred to the need to only allow access to necessary services. No forums, email gateways, IRC, etc. Just whitelisted domains and IPs:ports (if dedicated hosting) of the services required to handle the payments aspect of a business. An attacker would have to break into the sites I whitelisted— in which case the liability falls on the site for not maintaining adequate security. It doesn’t alleviate the need for the merchant to have good security themselves.
Why is the assumption always that AMZN, GOOG and MSFT doesn't want censorship? Especially when they have taken to censorship like duck to water.
Why is the assumption that when given a "binary choice", entities like China, EU, etc would give in to tech companies? Especially when these companies so easily succumbed to US government/media pressure at home where we have a strong tradition of free speech? When a binary choice is created, it's the companies that have given in, not the state.
Why are these tech companies being portrayed as being on the side of "good", while nations are portrayed as being on the side of "bad". The idea that AMZN, GOOG and MSFT have chinese, european or anyone else's best interest at heart while the PRC, EU or any other state doesn't. Did the british east india company have india's best interest at heart compared to mughal india? Considering how suspiciously we view foreign companies ( especially chinese tech companies ), it's odd that we view our own so highly.
But I don't think Google is evil, in the sense of doing bad things because they're bad. At a low resolution, I think it responds to incentives and tries to make as much money as it can get away with. At a higher resolution, it's made up of a lot of people and smaller groups that each have their own incentives to follow, and whose goals don't exactly line up with Google's.
Fighting censorship is nice for PR, supporting censorship is bad for PR. Some (not all!) ways of supporting censorship might help make more money, but good PR also helps make more money, so it's a trade-off. Drawing attention to Google's ability to fight censorship slightly shifts that trade-off.
But not all of Google's decisions are made centrally. Many (almost all, I would guess) people in Google are well-meaning, and I expect they can get away with making good decisions a lot of the time. The people working on TLS probably aren't individually pro-censorship just because they work for Google, which means they may not make pro-censorship decisions unless specifically pressured to.
One mistake we make frequently as tech people is trying to solve human relationship problems with a technology fixes. Censorship has existed for 10,000+ years; encrypted s night isn't going to magically fix it. There isn't an easy answer, just the hard path educate everyone.
Requiring encrypted sni will only mean the little influence thought leaders have in censored countries will be blotted our and replaced with state-run companies.
MITM proxies are a necessary evil, unfortunately, but the internet giants aren't doing a good job letting clients know when their TLS is being intercepted, so we're failing hard on education right now.
Also the makers of the commercial MITM proxies do a terrible job of staying current on TLS specs. This is likely in part due to customers being unwilling to install patches that cause a service interruption, so that should be taken into the design of said devices.
Yeah, I think the recent death of domain fronting and the collateral damage from Russia blocking Telegram are pretty indicative.
Regimes are completely willing to block large chunks of the internet if they can't do targeted blocks. And cloud providers aren't particularly interested in using their customers as collateral.
I expect surveillance prone regimes to just block anything with encrypted SNI.
Why would anybody think that Amazon, Google, or Microsoft are against censorship? Recent events have demonstrated that they love them some censorship, when they do it. Witness the case of gab.ai - Google was happy to pull their app from the Play store. Microsoft didn't mind at all threatening to shut down their Azure account unless they censored a post. The Azure case is particularly amazing. I can't believe the tech press isn't picking up on a supposed cloud provider threatening to shut down someone's account unless they make their website behave in a particular way.
I will say I haven't heard of Amazon censoring anything yet, at least not at a level I would consider massively inappropriate for a cloud services provider. Not selling something on their normal store is one thing, but pulling the plug on an AWS account for website behavior would be something entirely different.
I'm a journalist and have seen a screencap of the takedown that Amazon issued to the Firearms Policy Coalition, which started and maintains the censored site (CodeIsFreeSpeech.com). The takedown erroneously cited a temporary restraining order issued against an entirely different site (defcad.com) as the reason for the sudden, no-warning booting of the site from AWS.
And as you mentioned, Azure just now threatened to pull Gab.ai off its platform over a pair of anti-Semitic posts.
It's easy to side with CloudFlair when they go against a site like The Daily Stormer (Which is so out there it might just fall into Poe's Law).
The fact is that most decent hosting is only available in a handful of industries. Even the CF CEO has had misgivings of his decision and it gets us into a really questionable space.
Platforms should be free to do what they want right? They should be able to deny customers .. just like an airplane company should be allowed to keep people who crazy political opinions from boarding plans right? .. oh and black people too. Oh wait..what?
The freedom of speech in the US is pretty limited to government censorship. But we don't let businesses do whatever they want. They can't keep a certain ethnic group from eating at their restaurant, and in many states they can't choose if their venue allows smoking. The big question is, does speech need to fit into this same framework?
With the recent child protection act that gutted craigslist and took down backpage (an act that is leading to more violence against sex workers in the US and an act that the EFF and ACLU are actively fighting as being unconstitutional), we see the US government holding content hosting companies liable for the criminal actions of their user base. That is disturbing and already a form of government control over what customers a business is allowed to have.
It'd be one thing if censored sites could just go to another provider, but there are only a couple of big providers and their mass has the ability to crush anything they find questionable.
It's actually worse than there being only a couple of big providers.
The problem is that the same sort of people who are trying to shut down sites through legal pressure tactics against Amazon, Google etc are absolutely happy to use illegal tactics too. In particular once sites are booted off large providers onto smaller ones or self hosted sites, that's when the DDoS attacks start. Infowars already saw one, for instance. How many firms can sink large DDoS attacks without needing to kick out the target? Not many.
If a pressure group or activist employee base can get content off CloudFlare, Google, Amazon and Microsoft then DDoS-wielding ideological zealots will do the rest and then the site is gone for good.
Where does speech go then?
It's a very dangerous game for the people at these content platforms to play. I don't see Republicans sitting back doing nothing as their worldview and voter base is systematically wiped off the internet. Legislation seems likely.
Federated / p2p systems like Mastodon? Non-Web-proper sites based on Dat and IPFS?
/*
If I were an adviser to the conspiracy theorists' insidious world government, I would suggest that pressure on non-consenting opinions be put carefully, to securely remove them form the normal mass Web, but not too strong as to push the normal users away from the (controlled) Web, to harder-to-control media. One way to achieve this is to allow some mild fringe content, and actively demonize any serious non-consenters, so that they'd look way off the chart to general public, thus "worthy" of being censored out.
Dat/IPFS are peer to peer protocols. There is nothing that makes them DDoS resistant, you can just locate each peer rehosting content and blast each one off the net.
But more to the point, being forced onto Dat or IPFS is equivalent to being erased, given that nobody would know how to find or access the new location (Google doesn't index such net spaces).
Finding and blasting every peer is a bit harder, especially since pieces of content are encrypted on peer nodes, AFAICT. It's not any easier than to blast every peer torrenting chinks of a particular file (which, AFAICT, is still unheard of).
> being forced onto Dat or IPFS is equivalent to being erased
Yes, for now it is! It's a wild frontier without amenities for a normal netizen, such as a decent search engine. So the point of censorship is to force every important non-consenter to that wilderness without having enough other people to go there and civilize it, as they civilized the web, the online music access, etc.
I agree. I see this all the time when otherwise reasonable people spout "oh well, Google/FB/Twitter are private companies so free speech argument does not apply to them and that racists/nazis etc aren't owed anything by social media platforms."
This is based on a slippery slope argument: if the major platforms can ban speech inciting violence against Jews and African-Americans, then what's to stop them from doing it for other classes of speech? The answer is that the public outcry for kicking off other kinds of users is likely to be more pronounced and more justified. I'm not shedding any tears for the Daily Stormer or Gab, and I don't view them as canaries in the coal mine.
Relying on public outcry to defend free speech is by definition guaranteed not to work, because the only speech that needs protecting is unpopular speech.
Is it? The public outcry against what these firms are doing is pretty loud. Members of Congress have expressed concern. Even Vox has published stories about Twitter suppressing content from conservative politicians (but no democrats). It has no effect.
Moreover how do you measure "public outcry"? The very point of censorship is to stop public outcry. If the media aren't writing stories and anyone who expresses concern is deemed to be supporting hate speech and banned, then it will look a lot like nobody cares even if many people do.
Step 1 is to normalize censorship for racists. Step 2 is to redefine racism until it captures most of your political opponents, up to and including "supports free speech" as a racist viewpoint.
The post is about resilience to censorship from outside organizations. That is, it's about governments not being able to selectively block content from service providers.
What you're talking about is the service providers themselves deciding what form of speech is allowed on platforms they own. Some may feel that it's inappropriate for Microsoft not extend their platform to white supremacists. Others may think it's inappropriate for service providers not to provide extend their platform to ISIS or Al Qaeda. You may feel that service providers should provide a voice to any possible opinion, but the organizations actually providing the service don't feel this way.
> Recent events have demonstrated that they love them some censorship, when they do it.
I'm not sure that I would conflate running a business with loving censorship.
> I can't believe the tech press isn't picking up on a supposed cloud provider threatening to shut down someone's account unless they make their website behave in a particular way.
What would the headline be exactly? "Business drops client for violating agreement and bringing negative attention to their service."
Why does everyone assume that businesses have a moral obligation or imperative? When a company goes around saying "We value..." they're really saying "By uttering the magic phrase we hope to make more money off you".
No no no, you don't get to throw out gab.ai as an example without expanding on what they wanted censored. For those who don't know what was censored I'll link it as I will not be reposting it: https://heavy.com/news/2018/08/microsoft-threatened-gab-shut...
You muddle the waters greatly when you pretend it was just some free speech issue (Newsflash: FREE SPEECH DOES NOT EXTEND TO NON-GOVERNMENT ENTITIES),
Free speech is a principle that transcends law. They might have no legal requirement to uphold it, as our government does, but these moves were absolutely censorship and absolutely counter to the principle of free speech.
The odiousness of the words in question don't factor into it.
So what? Twitter and many other sites hosted in the cloud are flooded with similar hate speech against other groups, and are typically left alone. See the case of the journalist who got hired at the New York Times despite having a Twitter account riddled with racist hatred directed at white people and men.
These platforms aren't doing censorship because of some systematic application of content rules. They're doing it as part of an overall ideological battle.
I really hate this meme; Randall did the world a great disservice by missing the point and putting it in a format which spread like wildfire for smug people to quote until the end of time. Free speech is a principal which extends farther than a very limited right in US law -- it's not a rule, it's not prescriptive, it's not afforded by any law -- it's an ideal. I don't in any way deny that you can find people who confuse the legal right with the ideal but if you talk to any lawyer for twenty seconds you'll realize that speech is far from the only area where this happens.
What happened is a free speech issue. Did the actions Microsoft took promote the healthy and open exchange of ideas or did they take an action in order to silence? Since Gab is largely a closed community this action wasn't so much protecting people from abuse so much as it was preventing like minded people from talking to each other. And no matter what I think about the things they said I still hold that they ought to be allowed to say them among themselves.
I love how you can say "free speech is an ideal" while simultaneous arguing to limit the free speech of platform holders. The reason free speech only lawfully bounds the government is because the ability to kick bad actors out of your business is an essential free speech to the populous. MS is free to moderate their platform in anyway that doesn't violate US law; that's their exercise of free speech. Groups that disagree can go elsewhere with their business. The "fine" folks over at gab can say what ever they want among themselves; on their own servers, hosted by them. Until then freedom to say what you want is not freedom from the consequences of public opinion.
Now this is where things get interesting. There's a decent argument to be made that internet communication is becoming dominated by a handful of platforms. There may be a point at which you are practically unable to speak on the internet if a half-dozen Silicon Valley companies do not like your opinion. I do not say that we are at this point yet. It is a possible and visible future, though. I think we can consider how we would determine when that domination of internet discussion constitutes a monopoly, and what should be done about it in that case.
We don't allow companies that are monopolies in critical industries to do as they please, in many areas and for many reasons. If there is effectively widespread censorship of speech, who elected Facebook, Google, Amazon, Apple, Microsoft, et all to be the deciders of what gets censored and what does not? If the ability or potential for that is out there, shouldn't it be the democratically elected government that determines what does and does not get censored and not a cabal of private corporations?
You're pretty much proving my point when it comes to confusing the law with what is right. Ignore the law, it's completely orthogonal to the discussion. Free speech isn't prescriptive. Holding it as an ideal doesn't mean you want zero restrictions any more than holding liberty as an ideal means you want anarchy.
Your 'system' is simply unrestricted speech to the powerful and your 'solution' is just a suggestion that Gab's community become powerful enough to speak. Does that sound like free speech to you?
If we lived in a fantasy dystopia inwhich computers were outlawed to all but the silicon valley elite and the rest of the populace had to rent from them or be left in the cold, maybe your argument would have some weight.
In the world we do live in, speech for your small niche community is literally a 30 dollar raspberry pi and an internet connection away. No one has any moral (or legal authority for that matter) to shut down the nazi chat rooms of others (under your views at least); just like Microsoft and others have no moral obligation to host content that breaks their terms of service and will drive others off of their platform.
Arguing what is "right" in a law abiding society is nonsense. If the laws are flawed you argue against the laws, if they aren't pretending that people or groups of people should conform to your ideals is ultimately a waste of time.
I agree. What I have been saying is that Free Speech means far more than the literal text of the First Amendment and nothing else. Free Speech is a critical cultural norm to the maintenance of Democracy. Free Speech means that all people and all institutions hold as important values to not restrict the speech even of those they disagree with.
Values such as these do not flow from the Government to the people and culture, but from the people and culture to the Government. If the culture is to disregard free speech for certain forbidden opinions, then that will seep into the Government eventually. I fear that if we continue on the path we have been going down for the last few years, we may lose the Freedom of Speech at the Government level in a generation.
>And no matter what I think about the things they said I still hold that they ought to be allowed to say them among themselves.
And they are. No one is stopping them from talking to each other. They however are telling people to stop talking to each other in the office building Microsoft owns and rents out.
Perhaps that's the best analogy? Providing (P|I|S)AAS is a business transaction. Its like renting out commercial space. And landowners turn down potential leases for all kinds of reasons that have nothing to do with money ("we're trying to cultivate a certain image in this area"), and we don't bat an eye. We would think absolutely nothing of a landlord saying "no, local KKK chapter, you cannot set up your lounge here".
But when the space is virtual, it magically changes from a landlord to a speech thing. Even though the activities at the KKK lounge would be, by and large, the same kinds of activities that would happen at stormfront, except perhaps overall less harmful (more potlucks, less extremism).
The landlord isn't stopping them from chatting, he just isn't going to be party to a transaction that actively facilitates it. Why's Microsoft (or Google, or anyone else's) action different?
I'm happy to provide thought experiments to test where you actually lie on this debate. I expect that your views will normally fall on the "no one is under any obligation, even ethically, to provide someone else a speech platform, and refusing to provide someone a platform is not the same as censorship", although I can't say for sure.
> But when the space is virtual, it magically changes from a landlord to a speech thing.
I think it because whenever there is piracy or unauthorized access to entertainment or information resource from cable/media companies comes up, apart from company whose property get stolen, all seem to have sympathy towards culprit . The standard arguments are couched in user freedom rather than taking someone's property without consent. All this is because resource is digital so my access does not deprive other.
So blocking is claimed to harmful, immoral, greed by media or cable companies for things some people want to have. And now non-blocking is considered harmful by social media companies for things some people do not want.
> All this is because resource is digital so my access does not deprive other
It's not surprising that people don't treat something that lacks one of the key aspects of property as property. Especially when the desired enforcement regime for this concept always seems to necessitate encroachment on their actual property!
Copyright applied to individuals is even less enforceable than drug persecution. And we see how well that's working out.
So hate speech is not free speech when the consequences are severe?
The neoconservative movement, for instance, is accused of faking evidence of WMDs in order to get us into a serious war and causing a massive death toll. That accusation is that their speech was lies in order to get us into war. But they are center-right interventionists, many of whom were liberals before 9/11. Is neoconservatism hate speech?
Pro-life protestors claim that abortions in the US have murdered approximately the population of Spain since Roe v Wade. They also point out that Denmark has eliminated babies born with Down's syndrome. Is the pro-choice position hate speech?
I think a fair minded person can draw a distinction between these things, the point of politics is coexisting with people who aren't particularly fair minded and are going to try and game the system. The idea of free speech is that the simplest way to prevent gaming is not giving them a system to game, especially not one as ambiguous and dangerous as hate speech rules.
Joshua, I don't believe it's relevant what they wanted censored; the thing is that they forced them to remove some content or else they would kick them out.
I'm a supporter of extremely strong free speech protection, but this doesn't seem entirely black and white to me.
AWS is a private hosting company, and they may be exposed to legal or authority action based on what their clients host. It seems a lot like the Facebook arguments to me.
If you want to obligate them to support free speech, I think they need to be regulated as carriers otherwise it's not a reasonable standard to hold a private entity to. At least there is more competition in the hosting space than there is for Facebook.
Maybe this is an argument for regulation, but I don't think it's an argument for finger wagging. Either there is some sort of enforcement, or we acknowledge there are alternatives.
That assumes they want to end censorship. Google, for instance, outright participates in political censorship, especially on Youtube - I've seen many right and alt-right youtubers disappear or get strikes for something unimportant that the left does without any repercussions. They also fired Damore for quite mild comments about sex/gender.
How about we don't censor based on what is the most political palatable? Censorship via racism is especially slippery these days, should Sarah Jeong be censored or the NYT taken down for publishing articles written by a racist?
Yeah the article writes “They can either block gigantic swaths of the Internet (and face enormous backlash) or allow SNI to work” but I think China shows that depressingly the enormous backlash is a myth.
TLS 1.3 is just a protocol for transporting encrypting communications. We have had such protocols for a long time. Censorship has continued unabated.
There is no technical solution that can prevent censorship. Censorship is a social issue. If a government policy, or the policy of a privately held corporation, insists on censoring something, it will do so.
Literally the only way a transport protocol could end censorship is if a law were enacted that specifically stated "This protocol may not be circumvented or obstructed by any party, private or public, by any means, for the purpose of censorship.".
Unless TLS 1.3 includes built-in stenography, it will do nothing for censhorship. Oppressive regions have historically used simple throttling/DoS to make encrypted protocols unusable.
The issue with dealing with nation states, is that they actually have the power of physical coercion. Even if you have a technical solution to say domain front, the nation state depending on how big it is, may just make it a crime to domain front a censored site. They can levy civil penalties and possibly even criminal penalties against the company/employees. There is not much benefit to the company to go against a nation state actor.
101 comments
[ 2.5 ms ] story [ 136 ms ] threadThat mechanism is well established, if only by these governments previously being unable to just ban internet access outright, even though it was universally perceived as a threat to their control on the flow of information.
Isn't this (Encrypted SNI) was the one been extensively discussed here: https://news.ycombinator.com/item?id=17538390 ?
This is great. I hope CDNs like Cloudflare etc deploy it ASAP. Also, deprecate previous TLS versions as ASAP so it can be more effective.
This article is premature?
Is there an official word from Microsoft that they allow it or just "they didn't ban it yet"?
This sounds inaccurate to me. If encrypted SNI is applied, the middleman should not be able to figure out which domain you are connecting to, without interrupting the connection. Domain fronting is a technique for prior TLS which you had to disguise the hostname.
It was a desirable feature, but it wasn't delivered even for the final drafts at the top of this year, let alone back in 2016 when TLS 1.3 was originally thought to be finished.
The TLS Working Group is going to adopt it (consensus at IETF 102 and on the mailing list was to adopt) but there's a LOT of work needed before Rescorla's rough sketch turns into something you'd want to actually deploy to millions of users.
Here's the email about adopting (Joe is one of the WG chairs) Rescorla's draft.
https://www.ietf.org/mail-archive/web/tls/current/msg26842.h...
Note that this is nowhere close to a finished feature. They're not sure whether to do DNS TXT records, whether this should live in a SRV record, some new DNS record (DNS Ops doesn't like TXT, but real world DNS services often don't have fancy new records for years because they're crap). They're not even sure if this should be two documents (one about DNS, one about how you use the keys which you presumably got from DNS) or just one.
Because TLS 1.3 doesn't always (today never) encrypt SNI, a middleman could just insist on refusing connections with encrypted SNI. This becomes a staring contest - do the browsers deploy this anyway, and risk losing customers in places where governments have deployed a technology to prohibit it, or do they blink and hide it in some "Privacy" feature no ordinary users will ever enable.
Some people were working on encrypted SNI during TLS 1.3's development, so that TLS could encrypt server names sort of like how it encrypts all later traffic. Encrypted SNI didn't make it into TLS 1.3.
1. Have a big SAN cert with lots of names.
2. Use SNI to select the correct certificate for that client and route to the correct customer config (and therefore correct origin)
If SNI didn't exist we'd be back to the bad old days of every TLS site requiring a dedicated IP. As ipv4 exhaustion has gotten worse this has gotten more expensive. However if we're using ipv6 then hosting N listeners for N ip addresses, each with their own dedicated cert, is much more scalable.
They are too scared of their main website being blocked at ISP's just because your small site uses their servers as a domain front.
It is nothing to do with censorship where the actual source is removed, as with the right to be forgotten and DMCA takedowns.
https://www.gov.uk/government/uploads/system/uploads/attachm...
That's the UK government explaining how it's going to enforce a worldwide requirement for Age Verification on all sites with (what it considers to be) pornographic material.
Now regardless of whether you think this policy goal makes any actual sense, or whether a potential regulator would even try to do more than clamp down on UK porn companies that don't do age verification, the mechanism described has two halves to it:
1. UK ISPs voluntarily block non-complaint sites in DNS
2. Hopefully everybody uses their ISP's DNS servers
Why doesn't it say the UK government will make every ISP run all connections through a government-owned proxy to enforce these rules regardless of DNS? Because that would cost an eye-watering amount of money and "We had to raise taxes by 10% for our anti-pornography law" is a guaranteed vote loser. It would also be ineffective but let's see them spend that money first.
The reason is that the law is only a political battle. Once the battle and the marketing are over non of this law or how it is or is not implemented. At best you get a bunch of bureaucrats in place that monitor these things and write a report every so often. Those will be ignored until some politician is again interested in fighting this battle.
At the moment it is possible to MITM proxy (without the possibility decryption) to inspect the SNI and determine if the host is allowed, and if so the proxy does its own IP resolution and transparently proxies/forwards the TCP traffic. Ie it never engages in the TLS session. This is useful for restricting access from a LAN to services hosted on large cloud provides like AWS, GCP, etc where fixed IPs are not available (well, the third party service/website elects to use a CDN/load balancer/etc without regard to the full security impact).
A good example is PCI DSS and the payment card LAN. You should firewall and lock down so devices can only communicate with necessary services. Along with actual payment services, these LANs often need to allow access out to third party loyalty systems, digital receipt systems, etc that are cloud based.
With Encrypted SNI this won’t be possible to do securely anymore. A full MITM TLS decrypting proxy with explicitly configure clients will be required to ensure the encrypted SNI isn’t changed to a malicous host to eg upload captured payment data to. That’s a lot more overhead both in:
1. Configuring clients to use a proxy and custom CA (let’s hope all the various third parties apps support proxy setup and custom CAs, and no cert pinning!) 2. Running a proxy that now it has to do full decryption and encryption (to make sure you aren’t messing with the SNI and going to a host you shouldn’t).
Of course I don’t expect businesses to these lengths until there has been a serious breach exploiting encrypted SNI. Even then I don’t know which side will take action (or if neither side will)— merchants installing MITM proxies (unlikely), or third party service providers ditching load balancers and sticking to fixed IPs on their cloud hosts (less unlikely).
Given a malicious actor can register any old domain and get a cert for it very easily, I'm not sure what particular threat blocking TLS connections based just on the SNI is actually protecting you from.
The previous iteration of backside covering pondered the unencrypted server certificate, on the rationale that if this is a bad guy why do they have a good guy's certificate.
If you know any cryptography, you are now thinking "But, wait, how does that secure anything?" but you aren't the target customer. The target customer verifies that this blocks them from accessing a "Bad" site in Internet Explorer and they're happy to part with $$ instead of the $$$ it would cost to do full blown HTTPS proxy for every connection.
In TLS 1.3 this server certificate is encrypted. So the (perhaps slightly more untrustworthy) client SNI is pondered instead.
What middlebox vendors would prefer not to mention is that in many cases they also figured TLS re-connections are always safe and can be allowed through. After all, if they didn't let bad guys make the original connection, how could those bad guys re-connect? TLS 1.3 exploited this to be "backward compatible" with such crapware, it says all its connections are "reconnections" so they pass through unmolested...
You can’t tell all these small businesses they can’t take card payments, and you can’t make an already tough job harder, more complex and more expensive without an associated drop in compliance.
There may be some mildly masochistic tiny businesses that choose to process / store payment details on their own networks and try to manage all the controls needed for that, but in the presence of so many options for outsourcing the problem, this doesn't seem like a particularly rational decision.
> You can’t tell all these small businesses they can’t take card payments, and you can’t make an already tough job harder, more complex and more expensive without an associated drop in compliance.
This is only true if there are no sane alternatives.
[1] https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_...
Square on the other hand does let you outsource the entire problem of physical card payments to them, at the cost of much higher fees, as they are the merchant of record so you don’t need to be PCI compliant at all. Which is a real worry as that doesn’t give me much confidence when buying from a square “seller”.
Their card reader originally didn’t encrypt data, and at least one model that did encrypt could be bypassed via tampering https://www.zdnet.com/article/square-reader-to-card-skimmer-... and while their current hardware may or may not have issues, they display a distinct lack of concern for local device security. Defense in depth is the way to go, but with Square you can put your Android/iOS device onto any WiFi network and without any security on who else is on it. Likewise you can download any random app that may look innocent enough but is full of exploits (eg an app that claims to help you manage a customer mailing list so you can grab signups on the same device as you take payments, or an app that claims to help with inventory levels, etc).
Only services necessary for the business should be allowed in/out. If the service can’t be firewalled by simple IP:port then you are left with having to use a proxy to enforce the access control.
The "full MITM proxy" you mention is, and always has been, the only defined way to make this work. The cheaper, half-arsed solutions you describe earlier cause everybody else pain (socialising costs while privatizing profit) and often don't actually deliver any meaningful security, they're just theatre.
Corporate TLS Middleboxes are the TSA screening of the Internet's security. Everybody knows they're there, everybody complains at the inconvenience, everybody ends up paying the price indirectly, and they claim they're very effective. But independent measures suggest they're basically entirely pointless.
Inspecting SNI is ineffective against the majority of threats including blocking botnet traffic.
I'll base my response on your description of how you think this device would work rather than your confusing term "MITM (non-decrypting) proxy".
A1. Alice sends a TCP SYN to 1.2.3.4 port 443 Presumably you intercept this, and synthesise the appropriate SYN-ACK pretending to be from 1.2.3.4 port 443 which Alice ACKs
A2. Alice sends an SSL/TLS ClientHello. It has some parameters you may not understand, and a SNI which says good.example which is on your whitelist
A3. You DNS lookup good.example, the response suggests 5.6.7.8, so you TCP connect to port 443 of 5.6.7.8 and play back Alice's ClientHello and try to stitch things together in your NAT layer.
Meanwhile
B1. Bob sends a TCP SYN to 9.8.7.6 port 443 Presumably you intercept this, and synthesise the appropriate SYN-ACK pretending to be from 9.8.7.6 port 443 which Bob ACKs
B2. Bob sends an SSL/TLS ClientHello. It has some parameters you may not understand, and a SNI which says bad.example which is NOT on your whitelist
B3. You drop or reset Bob's connection, he cannot connect.
Commentary #1: With the imagined comprehensive whitelist AND a following tail wind this doesn't give you anything better than just whitelisting the IPs in a conventional Firewall. Why spend all this extra money? Why involve TLS at all? It's complicated, but what for?
Commentary #2: This ClientHello may not work when redirected to some other IP address. In reality there's a good chance you just cause a fallback and things are pointlessly slower, but in principle it may just not work at all.
I’ve also looked at other options, like dns based firewall rules that are populated by the firewall also being the local dns server and so is able to see the resolved IP(s), but if those IPs are to CloudFront etc then it would be granting access to everything else also hosted by CloudFront etc.
TLS SNI is the only way of knowing where the client is trying to reach — short of the expensive and difficult to deploy explicit/non-transparent HTTPS proxy.
Re commentary #2, since all the TLS traffic is going through the proxy, the original request and any subsequent requests would go to the same IP each time.
TLS SNI does NOT tell you where the client was trying to reach, you've made a classic security mistake of assuming bad guys are honest. Honest people will truthfully write good.example and be allowed past, bad guys will dishonestly write good.example, and thereby connect to bad.example on the same IP address and laugh at your ridiculous "security".
Caching all DNS answers for some indeterminate amount of time makes your security story worse, but even if you do this the worst case stands, ClientHello isn't required to work if you do this. It may work today, in fact it probably does, but it may break with no notice, and it'll be your fault.
For other services that use dedicated IPs but spin up/down machines based on load etc it is still much more useful and secure than running a proxy with a CA that generates fake certificates, especially when you can’t update the trust root of the client device (often the case with embedded devices and those that are managed by the third party service provider)
You're back to seeing SNI requests for cdn12345.catpics.com which happens to be the same as command-and-control.suspicious-site.kp
Also, botnets uses legitimate services to rely C&C traffic. Forums, pastebins, github gits, IRC and email gateways, VMs on AWS and other cloud services...
Why is the assumption that when given a "binary choice", entities like China, EU, etc would give in to tech companies? Especially when these companies so easily succumbed to US government/media pressure at home where we have a strong tradition of free speech? When a binary choice is created, it's the companies that have given in, not the state.
Why are these tech companies being portrayed as being on the side of "good", while nations are portrayed as being on the side of "bad". The idea that AMZN, GOOG and MSFT have chinese, european or anyone else's best interest at heart while the PRC, EU or any other state doesn't. Did the british east india company have india's best interest at heart compared to mughal india? Considering how suspiciously we view foreign companies ( especially chinese tech companies ), it's odd that we view our own so highly.
But I don't think Google is evil, in the sense of doing bad things because they're bad. At a low resolution, I think it responds to incentives and tries to make as much money as it can get away with. At a higher resolution, it's made up of a lot of people and smaller groups that each have their own incentives to follow, and whose goals don't exactly line up with Google's.
Fighting censorship is nice for PR, supporting censorship is bad for PR. Some (not all!) ways of supporting censorship might help make more money, but good PR also helps make more money, so it's a trade-off. Drawing attention to Google's ability to fight censorship slightly shifts that trade-off.
But not all of Google's decisions are made centrally. Many (almost all, I would guess) people in Google are well-meaning, and I expect they can get away with making good decisions a lot of the time. The people working on TLS probably aren't individually pro-censorship just because they work for Google, which means they may not make pro-censorship decisions unless specifically pressured to.
One mistake we make frequently as tech people is trying to solve human relationship problems with a technology fixes. Censorship has existed for 10,000+ years; encrypted s night isn't going to magically fix it. There isn't an easy answer, just the hard path educate everyone.
Requiring encrypted sni will only mean the little influence thought leaders have in censored countries will be blotted our and replaced with state-run companies.
MITM proxies are a necessary evil, unfortunately, but the internet giants aren't doing a good job letting clients know when their TLS is being intercepted, so we're failing hard on education right now.
Also the makers of the commercial MITM proxies do a terrible job of staying current on TLS specs. This is likely in part due to customers being unwilling to install patches that cause a service interruption, so that should be taken into the design of said devices.
Regimes are completely willing to block large chunks of the internet if they can't do targeted blocks. And cloud providers aren't particularly interested in using their customers as collateral.
I expect surveillance prone regimes to just block anything with encrypted SNI.
I will say I haven't heard of Amazon censoring anything yet, at least not at a level I would consider massively inappropriate for a cloud services provider. Not selling something on their normal store is one thing, but pulling the plug on an AWS account for website behavior would be something entirely different.
https://freebeacon.com/issues/gun-rights-activists-posted-gu...
I'm a journalist and have seen a screencap of the takedown that Amazon issued to the Firearms Policy Coalition, which started and maintains the censored site (CodeIsFreeSpeech.com). The takedown erroneously cited a temporary restraining order issued against an entirely different site (defcad.com) as the reason for the sudden, no-warning booting of the site from AWS.
And as you mentioned, Azure just now threatened to pull Gab.ai off its platform over a pair of anti-Semitic posts.
https://www.businessinsider.com/microsoft-gab-azure-cloud-an...
So these infrastructure providers are absolutely involved in censorship right now.
https://fightthefuture.org/article/the-new-era-of-corporate-...
It's easy to side with CloudFlair when they go against a site like The Daily Stormer (Which is so out there it might just fall into Poe's Law).
The fact is that most decent hosting is only available in a handful of industries. Even the CF CEO has had misgivings of his decision and it gets us into a really questionable space.
Platforms should be free to do what they want right? They should be able to deny customers .. just like an airplane company should be allowed to keep people who crazy political opinions from boarding plans right? .. oh and black people too. Oh wait..what?
The freedom of speech in the US is pretty limited to government censorship. But we don't let businesses do whatever they want. They can't keep a certain ethnic group from eating at their restaurant, and in many states they can't choose if their venue allows smoking. The big question is, does speech need to fit into this same framework?
With the recent child protection act that gutted craigslist and took down backpage (an act that is leading to more violence against sex workers in the US and an act that the EFF and ACLU are actively fighting as being unconstitutional), we see the US government holding content hosting companies liable for the criminal actions of their user base. That is disturbing and already a form of government control over what customers a business is allowed to have.
It'd be one thing if censored sites could just go to another provider, but there are only a couple of big providers and their mass has the ability to crush anything they find questionable.
The problem is that the same sort of people who are trying to shut down sites through legal pressure tactics against Amazon, Google etc are absolutely happy to use illegal tactics too. In particular once sites are booted off large providers onto smaller ones or self hosted sites, that's when the DDoS attacks start. Infowars already saw one, for instance. How many firms can sink large DDoS attacks without needing to kick out the target? Not many.
If a pressure group or activist employee base can get content off CloudFlare, Google, Amazon and Microsoft then DDoS-wielding ideological zealots will do the rest and then the site is gone for good.
Where does speech go then?
It's a very dangerous game for the people at these content platforms to play. I don't see Republicans sitting back doing nothing as their worldview and voter base is systematically wiped off the internet. Legislation seems likely.
Federated / p2p systems like Mastodon? Non-Web-proper sites based on Dat and IPFS?
/*
If I were an adviser to the conspiracy theorists' insidious world government, I would suggest that pressure on non-consenting opinions be put carefully, to securely remove them form the normal mass Web, but not too strong as to push the normal users away from the (controlled) Web, to harder-to-control media. One way to achieve this is to allow some mild fringe content, and actively demonize any serious non-consenters, so that they'd look way off the chart to general public, thus "worthy" of being censored out.
*/
But more to the point, being forced onto Dat or IPFS is equivalent to being erased, given that nobody would know how to find or access the new location (Google doesn't index such net spaces).
> being forced onto Dat or IPFS is equivalent to being erased
Yes, for now it is! It's a wild frontier without amenities for a normal netizen, such as a decent search engine. So the point of censorship is to force every important non-consenter to that wilderness without having enough other people to go there and civilize it, as they civilized the web, the online music access, etc.
Moreover how do you measure "public outcry"? The very point of censorship is to stop public outcry. If the media aren't writing stories and anyone who expresses concern is deemed to be supporting hate speech and banned, then it will look a lot like nobody cares even if many people do.
What you're talking about is the service providers themselves deciding what form of speech is allowed on platforms they own. Some may feel that it's inappropriate for Microsoft not extend their platform to white supremacists. Others may think it's inappropriate for service providers not to provide extend their platform to ISIS or Al Qaeda. You may feel that service providers should provide a voice to any possible opinion, but the organizations actually providing the service don't feel this way.
I'm not sure that I would conflate running a business with loving censorship.
> I can't believe the tech press isn't picking up on a supposed cloud provider threatening to shut down someone's account unless they make their website behave in a particular way.
What would the headline be exactly? "Business drops client for violating agreement and bringing negative attention to their service."
Why does everyone assume that businesses have a moral obligation or imperative? When a company goes around saying "We value..." they're really saying "By uttering the magic phrase we hope to make more money off you".
You muddle the waters greatly when you pretend it was just some free speech issue (Newsflash: FREE SPEECH DOES NOT EXTEND TO NON-GOVERNMENT ENTITIES),
The odiousness of the words in question don't factor into it.
These platforms aren't doing censorship because of some systematic application of content rules. They're doing it as part of an overall ideological battle.
What happened is a free speech issue. Did the actions Microsoft took promote the healthy and open exchange of ideas or did they take an action in order to silence? Since Gab is largely a closed community this action wasn't so much protecting people from abuse so much as it was preventing like minded people from talking to each other. And no matter what I think about the things they said I still hold that they ought to be allowed to say them among themselves.
We don't allow companies that are monopolies in critical industries to do as they please, in many areas and for many reasons. If there is effectively widespread censorship of speech, who elected Facebook, Google, Amazon, Apple, Microsoft, et all to be the deciders of what gets censored and what does not? If the ability or potential for that is out there, shouldn't it be the democratically elected government that determines what does and does not get censored and not a cabal of private corporations?
Your 'system' is simply unrestricted speech to the powerful and your 'solution' is just a suggestion that Gab's community become powerful enough to speak. Does that sound like free speech to you?
In the world we do live in, speech for your small niche community is literally a 30 dollar raspberry pi and an internet connection away. No one has any moral (or legal authority for that matter) to shut down the nazi chat rooms of others (under your views at least); just like Microsoft and others have no moral obligation to host content that breaks their terms of service and will drive others off of their platform.
Arguing what is "right" in a law abiding society is nonsense. If the laws are flawed you argue against the laws, if they aren't pretending that people or groups of people should conform to your ideals is ultimately a waste of time.
Microsoft should be under no more obligation to enable the spread of hate by hosting it online than a business hosting it in physical space.
Values such as these do not flow from the Government to the people and culture, but from the people and culture to the Government. If the culture is to disregard free speech for certain forbidden opinions, then that will seep into the Government eventually. I fear that if we continue on the path we have been going down for the last few years, we may lose the Freedom of Speech at the Government level in a generation.
And they are. No one is stopping them from talking to each other. They however are telling people to stop talking to each other in the office building Microsoft owns and rents out.
Perhaps that's the best analogy? Providing (P|I|S)AAS is a business transaction. Its like renting out commercial space. And landowners turn down potential leases for all kinds of reasons that have nothing to do with money ("we're trying to cultivate a certain image in this area"), and we don't bat an eye. We would think absolutely nothing of a landlord saying "no, local KKK chapter, you cannot set up your lounge here".
But when the space is virtual, it magically changes from a landlord to a speech thing. Even though the activities at the KKK lounge would be, by and large, the same kinds of activities that would happen at stormfront, except perhaps overall less harmful (more potlucks, less extremism).
The landlord isn't stopping them from chatting, he just isn't going to be party to a transaction that actively facilitates it. Why's Microsoft (or Google, or anyone else's) action different?
I'm happy to provide thought experiments to test where you actually lie on this debate. I expect that your views will normally fall on the "no one is under any obligation, even ethically, to provide someone else a speech platform, and refusing to provide someone a platform is not the same as censorship", although I can't say for sure.
I think it because whenever there is piracy or unauthorized access to entertainment or information resource from cable/media companies comes up, apart from company whose property get stolen, all seem to have sympathy towards culprit . The standard arguments are couched in user freedom rather than taking someone's property without consent. All this is because resource is digital so my access does not deprive other.
So blocking is claimed to harmful, immoral, greed by media or cable companies for things some people want to have. And now non-blocking is considered harmful by social media companies for things some people do not want.
It's not surprising that people don't treat something that lacks one of the key aspects of property as property. Especially when the desired enforcement regime for this concept always seems to necessitate encroachment on their actual property!
Copyright applied to individuals is even less enforceable than drug persecution. And we see how well that's working out.
The neoconservative movement, for instance, is accused of faking evidence of WMDs in order to get us into a serious war and causing a massive death toll. That accusation is that their speech was lies in order to get us into war. But they are center-right interventionists, many of whom were liberals before 9/11. Is neoconservatism hate speech?
Pro-life protestors claim that abortions in the US have murdered approximately the population of Spain since Roe v Wade. They also point out that Denmark has eliminated babies born with Down's syndrome. Is the pro-choice position hate speech?
I think a fair minded person can draw a distinction between these things, the point of politics is coexisting with people who aren't particularly fair minded and are going to try and game the system. The idea of free speech is that the simplest way to prevent gaming is not giving them a system to game, especially not one as ambiguous and dangerous as hate speech rules.
? It was widely reported.
AWS is a private hosting company, and they may be exposed to legal or authority action based on what their clients host. It seems a lot like the Facebook arguments to me.
If you want to obligate them to support free speech, I think they need to be regulated as carriers otherwise it's not a reasonable standard to hold a private entity to. At least there is more competition in the hosting space than there is for Facebook.
Maybe this is an argument for regulation, but I don't think it's an argument for finger wagging. Either there is some sort of enforcement, or we acknowledge there are alternatives.
There is no technical solution that can prevent censorship. Censorship is a social issue. If a government policy, or the policy of a privately held corporation, insists on censoring something, it will do so.
Literally the only way a transport protocol could end censorship is if a law were enacted that specifically stated "This protocol may not be circumvented or obstructed by any party, private or public, by any means, for the purpose of censorship.".