Tells me everything I ever wanted to know about ISPA. Did they even notice the juxtaposition of recognising Sir Tim Berners-Lee with an award for a campaign to "protect the open and free nature of the Internet" and simultaneously branding Mozilla a "villain" for their work on DoH?
AAISP's twitter post on it was amazing ... snark personified, and why they are one of the best ISP's in the UK - technically brilliant management of their network and all around decent people.
So they built a content-blocking feature based on a design flaw that can be trivially bypassed? And now the people who are bypassing the flaw are villains?
I’ve been gleefully watching DNS over HTTPS break all kinds of things that are terrible practices, including ISPs that hijack NXDOMAIN responses for SPAM search pages even when using other DNS providers.
Here’s to hoping someone comes up with better solutions for captive portal redirects, though.
I believe there's been a better solution to captive portal redirects for quite some time now, via the medium of DHCP and/or RAs - https://tools.ietf.org/html/rfc7710.
I've seen almost universal adoption of it (at hotels, airports, etc). Since around 2 years ago nearly all the networks I connect anounce their portals through DHCP.
It's almost like the purpose of an ISP is to transmit internet traffic to the internet for you--not to filter traffic, block certain ports, lie about DNS responses, or otherwise have anything to do with the actual content of your communications. Imagine if the telephone company listened to you calls to block prohibited topics, replaced the other person's responses with ads, and opposed people who tried to talk in code.
It's definitely a Good Thing that technical measures are rendering this garbage unworkable.
Should be easy to work around in the short term. The browser just needs to request a well-known "test" domain (like example.com) and detect if it gets a redirect. Keeps portals working without compromising the privacy of real DNS lookups.
The problem is that if you're using something like stubby[1] then there's no easy way to temporarily tell it to use another DNS server to resolve the name you need to get to the captive portal. At least as far as I can tell, it doesn't offer that feature. You would need to be able to resolve whatever domain the captive portal is using as well, so you couldn't just hardcode it into `/etc/hosts` either.
My workaround for using captive portals with DoH is to authenticate on my phone first, then disable WiFI on the phone, then basically run this script to switch my laptop to my phone's MAC addr.
DoH doesn't bring any privacy or censorship circumvention, it still allows ISPs to mine and monetize browsing history all they want, only creating temporary inconvenience. It lets more parties to get your data though and is more friendly to state mass surveillance.
Try to search DoH on HN, these issues were discussed many times before. Essentially DoH leaks more data to more third parties, without being able to withhold that data from those who already can get it, hence violating privacy, not improving it.
There are other ways to protect the users. The people deciding on these awards should inform themselvs better on the whys of it. Instead of labeling perhaps ISPA should look into collaboration with Mozilla instead?
My biggest problem with Mozilla's DNS over HTTPS is their partnership with CloudFlare
Cloudflare is not a supporter for Free and Open Internet, and is just as much a danger to online privacy as the rest of the Large Technology Companies like Google and Facebook
Edit: The Undying Support for CloudFlare is amusing, reminds me of all the defenders of Google years ago until they turned evil... Power Corrupts, the key is to not give these companies the power. The amount of data the flows through CloudFlare's various products should be alarming to anyone that understand Computer Science, history, etc. Sad that many here are willfully ignorant to the threat CloudFlare poses
Cloudflare doesn't welcome you if you don't let it track you and run arbitrary code it injects. You can verify that by disabling javascript and/or using proxies, vpns, tor.
Bad headline by TechCrunch. This is not an "internet group" (which in context implies something like ICANN). It's a UK-specific business association of ISPs who have an interest in preventing browsers from assisting user privacy.
Here are some great instructions on how to get set up with Stubby, which is a DNS over HTTPS resolver you can run on Linux. I was able to get it working fairly quickly. The instructions apply to pretty much any distro (I got it working on both Arch and Ubuntu). You can also easily set it up to work with dnsmasq to do caching.
It's also possible (and I recommend) to set up the dns resolver for the LAN to be unbound (openbsd's recursive dns server, supports DNS over HTTPS), thus allowing all devices in the lan to transparently use DNS over HTTPS.
Alternatively, there's dnscrypt-proxy, but it's somewhat slow and eats way too much ram.
Oh yes, use DNS over HTTPS for your privacy. Just look at these organizations that oppose it. While I'm at it, you totally can't break into an Apple iPhone™ and all the cool pedophiles should be using that, for safety.
DNS over HTTPS does nothing for privacy and merely takes control from the DNS providers or user. Companies want to be able to run everything over HTTPS so you can't block any of it without blocking all of it. They can go to Hell.
41 comments
[ 20.4 ms ] story [ 148 ms ] threadWas glad to see my ISP (Netcalibre) is not a member and sponsors the Open Rights Group instead: https://twitter.com/lchost/status/1147090360226783233
AAISP should also be commended for donating an amount equal to the ISPA membership fees directly to Mozilla: https://twitter.com/aaisp/status/1146803916853645314
That's how you end up with that kind of apparent outward cognitive dissonance.
He's the chief geek at AAISP.
https://www.revk.uk/2019/07/doh-and-vpns-and-trust.html
That's some top-notch work there, ISPA.
Here’s to hoping someone comes up with better solutions for captive portal redirects, though.
Unsure why we've not yet seen much adoption.
I've notice the DHCP announcements on all those places.
It's definitely a Good Thing that technical measures are rendering this garbage unworkable.
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+...
```
sudo systemctl stop NetworkManager wpa_supplicant avahi-daemon
sudo ifconfig <your_interface_name> down
sudo macchanger <your_interface_name> --mac="$1"
sudo systemctl start NetworkManager wpa_supplicant avahi-daemon
sudo ifconfig <your_interface_name> up
```
It's stupid and hacky, but it works perfectly 99% of the time.
Now, everyone (who uses Firefox) gets this feature and apparently soon it will also be enabled by default:
"...the goal of deploying DoH by default for our users" : https://blog.mozilla.org/security/2019/04/09/dns-over-https-...
https://news.ycombinator.com/item?id=20362548
https://news.ycombinator.com/item?id=20358300
Cloudflare is not a supporter for Free and Open Internet, and is just as much a danger to online privacy as the rest of the Large Technology Companies like Google and Facebook
Edit: The Undying Support for CloudFlare is amusing, reminds me of all the defenders of Google years ago until they turned evil... Power Corrupts, the key is to not give these companies the power. The amount of data the flows through CloudFlare's various products should be alarming to anyone that understand Computer Science, history, etc. Sad that many here are willfully ignorant to the threat CloudFlare poses
how so?
Apparently Cloudflare also has some kind of daemon you can run on Windows, but I don't know if I would recommend that route.
https://wiki.archlinux.org/index.php/Stubby
After setting up dnsmasq I did not notice any performance hit, and in fact it worked more reliably than my previous DNS settings.
Alternatively, there's dnscrypt-proxy, but it's somewhat slow and eats way too much ram.
DNS over HTTPS does nothing for privacy and merely takes control from the DNS providers or user. Companies want to be able to run everything over HTTPS so you can't block any of it without blocking all of it. They can go to Hell.