
posted by Fnord666 on Saturday October 05 2019, @07:11PM
from the can't-see-where-you're-going dept.

Submitted via IRC for chromas

Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move

In a fact sheet published this week, the Dutch National Cyber Security Centre (NCSC) explains how DNS monitoring will get more difficult as modern encrypted DNS transport protocols become more popular.

The fact sheet is aimed at system or network admins and security officers who want to move to the DNS over TLS (DoT) and DNS over HTTPS (DoH) encryption protocols, which offer increased security and confidentiality.

Both DoH and DoT are designed to carry DNS resolution over encrypted connections instead of the plain-text DNS lookups that are common today.

Google and Mozilla are both running DoH trials for their browsers, with Chrome upgrading to a provider's DoH server if it is present on a pre-defined whitelist, or to a shortlist of fallback providers (i.e., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9) if not.

By only upgrading the DNS resolution to DoH if the users' current DNS provider is supported, Google believes that the users' DNS resolution experience will stay the same.

Mozilla's DoH experiments have already been met with criticism from network admins and Linux distro maintainers after the decision to enable DoH by default and to use Cloudflare's DoH server rather than a user's existing DNS provider.

Senior scalability engineer Kristian Köhntopp said that Mozilla is "about to break DNS" seeing that Cloudflare will be used for DNS resolution over the default server assigned by system administrators, leading to leaking visited website addresses inside corporate environments to Cloudflare.

Peter Hessler, an OpenBSD developer, tweeted at the time that OpenBSD disabled DoH in their Firefox package in the current releases and will also disable it in future ones since "sending all DNS traffic to Cloudflare by default is not a good idea."


Related Stories

Using OpenBSD Routing Tables to Segment the Home Network for Privacy

OpenBSD user Lari Huttunen has a blog post in which he dives into using OpenBSD's rdomain(4) feature to sort work VPNs into separate kernel-level routing tables. This segregates the network traffic in such a way as to prevent traffic in separate routing tables from interacting. With many working from home, insecure work networks have begun to intrude into the home LANs via work-related VPNs. By adding the home network to a work VPN, the LAN becomes merged with work's internal network, usually quite insecure at that. His goal is to keep his personal home devices, especially the IoT items, separate from the now mandatory work-related VPNs on his small-office / home-office network. That way, the work networks can no longer access his appliances.

Problem Statement

Over the years, companies and corporations have become ever more hungry for everything related to their users' geolocation, telemetry, demography, relationship with one another, interests, convictions, social preferences - you name it. At the same time, users wanting to consume digital services meet a lot of ridiculous restrictions depending on where they live and how they access the Internet. Ecojails, in one form or another, are created by multi-national corporations in order to capitalize everything about their users' behavior. In 2020, this has all been exacerbated by everyone suddenly working from home if possible.

Motivation

This is why I wanted to research how identity-based routing could enhance users' privacy in a totally transparent way. I've never been a big fan of VPNs as a security solution, but have come to realize that they have a role to play in privacy. Since soon everything needs to be online to function from a vacuum cleaner to dish washer to toaster, it is increasingly difficult to keep the Internet of Targets at bay. Moreover, our personal telemetry devices feed out a constant stream of information to the ecojail masters, be they Apple, Google, Microsoft, Amazon, Alibaba or Netflix. Taking back control will not be easy and one will evidently need to compromise along the way, but realization is the first step to recovery.

Lari's solution works from tools provided by OpenBSD's base system.

Previously:
(2020) WireGuard Imported Into OpenBSD
(2019) How SSH Key Shielding Works
(2019) Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move
(2014) OpenSSH No Longer has to Depend on OpenSSL

  • (Score: 2) by Revek on Saturday October 05 2019, @07:46PM (17 children)

    by Revek (5022) on Saturday October 05 2019, @07:46PM (#903187)

    The only disadvantage is to the government spy programs. They keep trying to make this a bad move but the truth is it's the best way to secure an individual's privacy.

    --
    This page was generated by a Swarm of Roaming Elephants
    • (Score: 5, Insightful) by fustakrakich on Saturday October 05 2019, @08:28PM (10 children)

      by fustakrakich (6150) on Saturday October 05 2019, @08:28PM (#903193) Journal

      Right there in the summary is another disadvantage:

      "sending all DNS traffic to Cloudflare by default is not a good idea."

      Exactly... Who in their right mind would ever believe that is more secure than your ISP?

      --
      La politica e i criminali sono la stessa cosa..
      • (Score: 3, Insightful) by sjames on Saturday October 05 2019, @08:41PM (3 children)

        by sjames (2882) on Saturday October 05 2019, @08:41PM (#903196) Journal

        This! When there's a short list of DNS providers, there's also a short list of soon to be subverted fishing holes.

        • (Score: 3, Interesting) by fustakrakich on Saturday October 05 2019, @09:11PM (2 children)

          by fustakrakich (6150) on Saturday October 05 2019, @09:11PM (#903205) Journal

          This is not security, the whole HTTPS thing is a charade... like so many things in the news these days. It's a three legged emotional support pig (couldn't eat 'im all at once!). It is a tracking trojan.

          --
          La politica e i criminali sono la stessa cosa..
      • (Score: 2, Informative) by Anonymous Coward on Saturday October 05 2019, @08:45PM (3 children)

        by Anonymous Coward on Saturday October 05 2019, @08:45PM (#903198)

        I don't trust my ISP at all. They are under mandate by local laws to report my complete lookup history if asked by 'government' (or anyone pretending to have the authority - even it's just some random government employee stalking someone).

        • (Score: 2, Insightful) by Anonymous Coward on Saturday October 05 2019, @08:58PM

          by Anonymous Coward on Saturday October 05 2019, @08:58PM (#903201)

          And cloudfuck is not?

        • (Score: 1, Insightful) by Anonymous Coward on Saturday October 05 2019, @09:38PM

          by Anonymous Coward on Saturday October 05 2019, @09:38PM (#903213)

          So, just because you don't trust your own ISP, you are therefore entitled to determine for all of us that we shouldn't trust our ISP's either? Even when my ISP has to answer to local laws, while most DoH providers are outside the jurisdiction that I'm in?

        • (Score: 3, Interesting) by number11 on Sunday October 06 2019, @12:50AM

          by number11 (1170) Subscriber Badge on Sunday October 06 2019, @12:50AM (#903240)

          What I trust is my VPNs (which have a good reputation). Their clients (optionally) do DNS requests through them. Since I'm trusting them for other things, it makes sense to trust them for DNS. Cloudflare is probably preferable to the various mega-ISPs, but it is a single potential failure point in the event of powerful adversaries.

      • (Score: 4, Interesting) by maxwell demon on Sunday October 06 2019, @08:07AM (1 child)

        by maxwell demon (1608) on Sunday October 06 2019, @08:07AM (#903318) Journal

        Exactly... Who in their right mind would ever believe that is more secure than your  ISP  DNS server on your own LAN?

        FTFY

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 5, Interesting) by RamiK on Saturday October 05 2019, @08:45PM

      by RamiK (1813) on Saturday October 05 2019, @08:45PM (#903199)

      What's stopping the government from asking cloudflare for the logs? Worse, the encryption means the requests are signed to your session and couldn't have been made from someone parking on your wifi. So, if piracy cases were struck down previously over IPs not being conclusive proof of identity, now cross-referencing IPs and DNS requests will suffice.

      The biggest problem is that there's a proven blockchain solution that anonymizes DNS resolution properly ( https://blockchain-dns.info/ [blockchain-dns.info] ) so when Mozilla and Google take it upon themselves to promote a centralized, government-friendly solution, you can't help getting paranoid.

      --
      compiling...
    • (Score: 0) by Anonymous Coward on Saturday October 05 2019, @09:12PM

      by Anonymous Coward on Saturday October 05 2019, @09:12PM (#903207)

      It is a disadvantage to we the users too.

      Currently Cloudflare and archive.is are having a bit of a tiff. As an end user I just want to see archive. But until those two straighten it out I can not use 1.1.1.1 as a resolver and see that site unless I play fiddly games with my hosts file.

      Also Cloudflare is pretty fast. But not the fastest resolver for me.

      I do not care if my ISP sees what I am doing. I *do* care if they change the packets. For example the exact dispute between Cloudflare and archive.is. Cloudflare can not resolve because of a misconfig on both parties' part and both parties think they are correct. Hence malformed packets are not what I want as an end user. If my ISP is doing that I do not want them either. But you can test it if you want https://www.grc.com/dns/benchmark.htm [grc.com] then work around it. DoH makes it a PiTA to work around it. Cloudflare wants to be above all the rest. That does not seem fair. They want to be the root resolvers. We have those already.

      Frankly our ISPs have forced this issue. But instead of fixing it correctly we are just giving the keys to a different 'ISP'.

    • (Score: 3, Insightful) by Anonymous Coward on Saturday October 05 2019, @09:36PM (2 children)

      by Anonymous Coward on Saturday October 05 2019, @09:36PM (#903212)

      Nope, there is a disadvantage to users too. Right now, I have a DNS-level block on about 200 tracking domains (including Fecebook's and Google's). This is to prevent data exfiltration from my local network by spyingmarketing companies.

      What's stopping the next version of webroaches to use DoH and do an end-run around my self-defense configuration?

      • (Score: 0) by Anonymous Coward on Saturday October 05 2019, @11:20PM (1 child)

        by Anonymous Coward on Saturday October 05 2019, @11:20PM (#903229)

        A firewall of port 443 for their resolver IP addresses. Sure, they could add more IP addresses, but they'd have to bootstrap it somehow, in which case the addresses would be made public in the software update or blocked by you regardless, since they'd do so through their own resolver.

        • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @01:36PM

          by Anonymous Coward on Sunday October 06 2019, @01:36PM (#903353)

          Unnnnnnh. While you are technically correct, in practice addresses don't always resolve to the same IP not only from day to day but also network location to location (if it's a laptop or toggled a vpn or so on), and "made public in the software update or blocked by you regardless" means before every IP resolution, in theory, a full pull of IPs for the hostfile's entire blocklist would be needed.

    • (Score: 3, Interesting) by zocalo on Saturday October 05 2019, @10:09PM

      by zocalo (302) on Saturday October 05 2019, @10:09PM (#903218)
      Try thinking about it from the perspective of a luser or corporate network admin that expects their security package to prevent browsers from inadvertently visiting harmful sites. Typically, these tools work by intercepting DNS requests and URLs, comparing them with the security vendor's blacklists, and allowing/denying access on the fly, with (normally) the ability for a user to whitelist sites if they really want to. Unless you're prepared to let your security software install a fake root CA or some kind of plug-in into the browser (both of which have their own pros and cons), DoH kills that functionality and leaves you entirely reliant on your DoH provider(s) to provide any such filtering, while making whitelists rather more awkward - if not impossible - to implement. There's also no guarantee they won't be issued with an NSL or similar requiring them to capture your DNS requests and hand them over.

      Sure, preventing your ISP, government, or any other MitM, from intercepting and listening in on your DNS lookups is a definite plus (in some places much more than others), but DoH is definitely not without its problems and absolutely not a universal panacea for DNS security and privacy concerns. As always, if you *really* care about your privacy and security, then you need to roll your own solution. In this case, getting a *nix box running a local recursive DNS/DoH resolver, or a Raspberry Pi running Pi-Hole, would probably be a much better part of a defence in depth solution than just blindly relying on your browser and someone like Cloudflare.
      --
      UNIX? They're not even circumcised! Savages!
  • (Score: 4, Insightful) by eravnrekaree on Saturday October 05 2019, @08:11PM (3 children)

    by eravnrekaree (555) on Saturday October 05 2019, @08:11PM (#903191)

    DNS addresses are already "leaked" to the ISPs people use, often over an unencrypted connection, so to suggest sending DNS queries over HTTPS to a Cloudflare server is a major downgrade is laughable and absurd; it actually improves matters. But Mozilla/Chrome must allow people to choose to use local DNS configuration or to use a DNS over HTTP provider of their choice. Many people have a local DNS configuration and need DNS requests to go through a local server, but people can configure a local DNS server to forward requests for the internet to a DNS over HTTP server.

    • (Score: 1, Informative) by Anonymous Coward on Saturday October 05 2019, @09:11PM

      by Anonymous Coward on Saturday October 05 2019, @09:11PM (#903204)

      DNS addresses are already "leaked" to ISPs

      They aren't though, not in the context of "leaking visited website addresses inside corporate environments". Corporate environments run their own DNS servers, and make all their computers use them, not the ISPs.

    • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @12:27AM

      by Anonymous Coward on Sunday October 06 2019, @12:27AM (#903235)

      Your ISP already knows everywhere you go, even without sniffing your DNS, because they can either read the Host HTTP header or the SNI of the TLS handshake.

    • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @01:43PM

      by Anonymous Coward on Sunday October 06 2019, @01:43PM (#903354)

      Some people trust their ISP more than Cloudflare.

      I know one very small rural ISP who I would trust more than Cloudflare. Yes, if my query isn't in their table it'll go out first and soooomeone at the ISP is looking up a domain, to the eyes of whatever tier of DNS server *they* connect to. Meh.

      Some persons in less US-centric nations might also take issue with a US company. What if their country is at war with the US? Does Cloudflare leak their military's queries? Etc.

  • (Score: 3, Informative) by Mojibake Tengu on Saturday October 05 2019, @09:05PM (11 children)

    by Mojibake Tengu (8598) on Saturday October 05 2019, @09:05PM (#903203) Journal

    DNS is not strictly necessary for the Internet to operate. It is only names. A new, completely different method for resolving names to addresses could be invented and better protocols implemented. There is no need to stick with broken stuff forever. Yes, a Titan's quest, but let's get to start thinking about it.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 1) by fustakrakich on Saturday October 05 2019, @09:16PM (3 children)

      by fustakrakich (6150) on Saturday October 05 2019, @09:16PM (#903209) Journal

      We can always keep our own cache, dare I say it? hosts file?? [cue screechy music]

      --
      La politica e i criminali sono la stessa cosa..
      • (Score: 2) by SomeGuy on Saturday October 05 2019, @09:52PM (2 children)

        by SomeGuy (5632) on Saturday October 05 2019, @09:52PM (#903215)

        Unfortunately, a host file is a bit of a pain to manage. Is there perhaps software out there that can better cache and keep track of host names? Instead of manually entering IP addresses, perhaps just refresh names you use at a designated time. Perhaps even with functionality like cross-checking multiple DNS servers, optionally alerting you if a site's IP address changes, or correcting bad ISP DNS servers that redirect non-existent names to advertising.
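One way to do the cross-checking SomeGuy asks for, as an added example that is not code from the thread or from any poster: standard library only, it encodes a DNS query in wire format (RFC 1035), decodes the reply, and compares what several resolvers say about one name, so a resolver that turns NXDOMAIN into an advertising address, or that disagrees with its peers, stands out. The resolver addresses and the sample reply are constructed placeholders.

```python
"""Cross-check A-record answers from several resolvers (added example)."""
import random
import socket
import struct

NXDOMAIN = 3


def build_query(name, qid):
    """Standard query: RD=1, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg, qid):
    """Return (rcode, sorted A addresses); reject replies with the wrong id."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, sorted(addrs)


def query(resolver, name, timeout=2.0):
    """Send one UDP query to resolver:53 and parse the answer."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, qid)


def cross_check(name, results):
    """results maps resolver -> (rcode, addrs). Returns a list of findings."""
    findings = []
    nx = [r for r, (rc, _) in results.items() if rc == NXDOMAIN]
    ok = [r for r, (rc, a) in results.items() if rc == 0 and a]
    if nx and ok:
        findings.append(f"{name}: {', '.join(ok)} answered with addresses but "
                        f"{', '.join(nx)} said NXDOMAIN (possible redirect)")
    distinct = {tuple(a) for rc, a in results.values() if rc == 0 and a}
    if len(distinct) > 1:
        findings.append(f"{name}: resolvers disagree: {sorted(distinct)}")
    return findings


def constructed_reply(qid, name, addrs, rcode=0):
    """Build a reply the way a resolver would; constructed for offline checks."""
    msg = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += build_query(name, qid)[12:]           # echo the question section
    for a in addrs:                              # owner name = pointer to offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return msg


if __name__ == "__main__":
    resolvers = ["198.51.100.1", "198.51.100.2"]   # placeholders: put yours here
    for name in ["example.com", "no-such-name.invalid"]:
        results = {}
        for r in resolvers:
            try:
                results[r] = query(r, name)
            except (socket.timeout, ValueError) as e:
                print(f"{r}: {e}")
        for line in cross_check(name, results):
            print(line)
```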

        • (Score: 1) by fustakrakich on Saturday October 05 2019, @10:39PM

          by fustakrakich (6150) on Saturday October 05 2019, @10:39PM (#903222) Journal

          Run your own DNS server and a web scraper on a Pi?

          --
          La politica e i criminali sono la stessa cosa..
        • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @03:51AM

          by Anonymous Coward on Sunday October 06 2019, @03:51AM (#903281)

          Unfortunately, a host file is a bit of a pain to manage. Is there perhaps software out there that can better cache and keep track of host names?

          BIND?

    • (Score: 2, Insightful) by Anonymous Coward on Saturday October 05 2019, @10:10PM (2 children)

      by Anonymous Coward on Saturday October 05 2019, @10:10PM (#903219)

      Namecoin? There have been alternate roots for almost as long as there has been DNS.

      The recent court case over NN could have fixed this whole thing by acknowledging that DNS is a switching algorithm (not unlike a routing protocol) that just happens to use readable glyphs (not unlike vanity phone numbers). But being federal courts they've decided in the most unconstitutional way possible. Nice legacy that.

      I am confident that in my own case (I use foreign DNS) that the carrier is intercepting DNS which isn't even destined to their servers. I checked by running a series of DNS queries without any other traffic, and found that over time, yes my advertising did change to reflect those lookups. Of course many domain names are trademarked, so the use of them by the carrier by means of surveillance to generate revenue is de facto trademark infringement. But hey, the Federal courts said: "FUCK YOU, YOUR TRADE MARKS, YOUR PRIVACY AND YOUR INTELLECTUAL PROPERTY YOU MOTHERFUCKERS!" to the entire Internet in no uncertain terms just the other day. (yes they said it in all caps.)

      TOR moved in the right direction, but it didn't have a workable economic model. There really isn't a reason DNS couldn't be re-engineered to be P2P and crypto-hopped like TOR is. It is only one datagram, so running DNS TOR-style is way way cheaper than running all traffic over TOR. IMHO the best scheme is to have a block chained crypto-hopped p2p resource-lookup with an integrated session-key exchange. That way nameservice was 100% validated, but traffic only needs a single cipher thickness (instead of 3 like TOR uses). A system like that would deprecate both DNS and HTTP at the same time.

      Orchidprotocol is working on a nice solution that has an integrated economic model. There is some question as to whether their model will scale.

      Protocol dev isn't that hard. It is amazing more people don't do it. I've done it in Perl, which pretty much just uses the C socket handles directly for packet munging. My C isn't very good, so I've never done it in C or C++.

      In the case of DNS, the hard part is getting past the requirement for prior knowledge (as in key exchange) for validating the root. If a system is P2P and consensus based, then there is no root. So how do you validate original registration? Blockchain does that, but it won't save you from trademark nazis. Though now the Fed has basically said that DNS is a state level problem. So then trademarks as domains shouldn't even be adjudicatable at the federal level anymore. Bet those motherfuckers didn't cogitate on that now did they?

      Anyhow, happy end of the world. I'm stocking up beer and peanuts. CNN will be running drones over the wreckage of the country, and the cable cabal will have online betting on the victor. That is when you can get CNN. Mostly you'll only get the "United Comcastia News" most of the time since there will be no more United States. That is the direction the judiciary is taking us in. It is unfathomable.

      DNS caching is the residual bathroom fart of Internet engineering. But apparently to the courts, it means that extending the sovereign right to appropriate intellectual property onto a few megacorps is totally different than extending the sovereign right to incarcerate onto cotton farmers. It isn't unreasonable to call the carriers de facto agencies of state at this juncture. The courts are saying that the carriers can have their cake and eat it too. Jefferson Davis had similar thoughts.

      • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @02:02PM

        by Anonymous Coward on Sunday October 06 2019, @02:02PM (#903360)

        Very interesting, thank you! Your own experiment is fascinating and one I think I ought to try, too. It ought to be 'contagious' across all devices at a given IP as the ISP's data is fed into the identity graphs of advertisers, who will have more granular per-device data. That per-device is much more per-identity than the IP, but without going into common correlations, which would be computationally probably not profitable in this prequantumcomputingusedforadvertising* world, only timing data would be needed. By only emitting the spurious DNS requests when whatever devices are connected and have traffic over a threshold I guess that could be feigned. Then eg. making Bob start getting ads for the /strangest/ things might be feasible? Hm!

        Though, at one point I was... surprised. I'm nodding, nodding...

        Protocol dev isn't that hard. It is amazing more people don't do it.

        ..nodding...

        I've done it in Perl

        ...uuuuunh. Perl works so ridiculously cleanly for this. And yet it feels so wrong, I guess in part because it's essentially restricted to host layer (or even application layer).

        *from the German

        PS - excellent use of 'unfathomable'.

      • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @09:29PM

        by Anonymous Coward on Sunday October 06 2019, @09:29PM (#903498)

        It's easy to run DNS queries over Tor. You'll be limited to UDP traffic. That limitation still allows you to get IP addresses, just not extended DNS info.

        That will hide where the query came from. However, a bad exit server could send you dangerous results.

        Tor needs a way for clients to specify which DNS servers to hit. Not easy to securely avoid evil exit servers. On a server you own, you can specify a list of acceptable DNS servers and block all others with a firewall. I never use Google or Cloudflare. Sadly, even OpenDNS thinks it knows best. I don't use them either.

        We need all DNS servers to adopt DoT and DoH DNS traffic. DoT could be useful for resolving servers to contact authoritative servers that support DNSSEC and DANE.

    • (Score: 2) by c0lo on Sunday October 06 2019, @01:44AM (2 children)

      by c0lo (156) Subscriber Badge on Sunday October 06 2019, @01:44AM (#903255) Journal

      DNS is not strictly necessary for the Internet to operate. It is only names.

      Mhhhhh... you need that name in HTTP(s): virtual host (in Apache lingo). IPv6 isn't a full solution.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 1) by Mojibake Tengu on Sunday October 06 2019, @04:02AM (1 child)

        by Mojibake Tengu (8598) on Sunday October 06 2019, @04:02AM (#903284) Journal

        Honestly, I don't. Many of my machines are v6only, including their bhyve virtuals and jails. I can myself survive on pure addresses, and actually living on a single hosts file for most of them. But that's not what I am recommending to people. What I suggest is, the world Net may progress to a completely new naming model, liberated from classic DNS weak points and kludges, for example which could be by design 1. decentralized, resilient to dynamic network topology changes 2. not strictly hierarchical but peer-structured 3. carried by tamper-proof protocol, and maybe 4. capable to auto-learn and/or verify chains of trust without some toplevel authority. A complete anti-thesis to what DNS as a totalitarian construct represents. Of course, coexistence is not just an option, it's a necessity.

        --
        Respect Authorities. Know your social status. Woke responsibly.
        • (Score: 2) by c0lo on Sunday October 06 2019, @05:57AM

          by c0lo (156) Subscriber Badge on Sunday October 06 2019, @05:57AM (#903303) Journal

          What I suggest is, the world Net may progress to a completely new naming model, liberated from classic DNS weak points and kludges, for example which could be by design 1. decentralized, resilient to dynamic network topology changes 2. not strictly hierarchical but peer-structured 3. carried by tamper-proof protocol, and maybe 4. capable to auto-learn and/or verify chains of trust without some toplevel authority.

          For those to exist it requires more geeks willing to work together* and able** to run the decentralized services than the world has at the current time.

          * just google "decentralized dns" to see how fragmented the landscape is
          ** ISP clamp down on protocols/ports and all is just a dream

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by wirelessduck on Tuesday October 08 2019, @03:31AM

      by wirelessduck (3407) on Tuesday October 08 2019, @03:31AM (#903953)

      AOL Keywords?

  • (Score: 0) by Anonymous Coward on Saturday October 05 2019, @10:58PM (1 child)

    by Anonymous Coward on Saturday October 05 2019, @10:58PM (#903225)

    There should be an encrypted standard developed. In parallel, a distributed system, like old OpenNIC. Then, more and more servers go "secure". And then not only browsers, but entire operating systems switch.
    Now it looks like a previously rogue company forces users to share visited addresses with them.

    • (Score: 4, Interesting) by MrGuy on Sunday October 06 2019, @01:37AM

      by MrGuy (1007) on Sunday October 06 2019, @01:37AM (#903253)

      There are 2 distinct problems here, and they both need to be addressed.

      One is that DNS messages are sent in clear text. This means any intermediary between you and the DNS server (for example, your ISP or your cell phone network) you’re connecting to can listen in on your DNS traffic. As you note, an encrypted DNS protocol could alleviate this issue. Indeed, that’s precisely what DoT and DoH are.

      The second issue is that the server itself can spy on you. It doesn’t matter if your traffic is encrypted over the wire - the DNS server you query knows what you asked for (because it’s the server you called) and who asked (because it needs to know who to send the results to). By default, when you join a network, the router tells you what IP address to send your traffic to and which DNS server to use. Some of this “helpful config” is legacy, some is necessary, but it’s usually transparent to you unless you know what you’re doing and override it. The original intent here was good - DNS is designed to be a recursive, highly cacheable protocol, so running a DNS server on your local network could reduce your bandwidth need to the wider world, and make DNS resolution faster for frequently hit sites for your users. The idea was good. It’s just nobody considered in the design that your local network admin might be considered an adversary one day, or that DNS resolution requests could be exploited and would need to be secrets. This is the main problem with cell phone networks - you don’t need to snoop on the DNS traffic if it’s always going to a DNS server you run - just listen at the receiving end.

      Just encrypting the traffic only eliminates one of these two threats, and it’s not the bigger one. The problem is that whoever the resolver is will know who is looking at what. And the deliberate decision (well meaning) to design DNS in a way that the local network would generally be trusted to be the initial resolver for all DNS queries created a huge privacy issue as soon as network operators got savvy enough to exploit it.

      But more generally (to be slightly generous to TFA) it’s true that trusting all your lookups to a single resolver - any resolver - is problematic, no matter how secure your encryption is. Because encryption doesn’t hide data from its intended receiver. You might trust Cloudflare right now. I recall trusting Google to not be evil in the early days of Google DNS.

      My view is that the only possible way to have anything resembling a secure system to do name resolution that doesn’t allow the resolver to profile you would be a system architected similarly to TOR, where a network of relays sit between the requester and the resolver.

  • (Score: 3, Insightful) by Anonymous Coward on Saturday October 05 2019, @11:00PM (7 children)

    by Anonymous Coward on Saturday October 05 2019, @11:00PM (#903226)

    DNS over HTTPS might be great, but browsers are supposed to ask the OS to do that. The OS needs to make the change.

    It is nasty to have a situation where different programs on the same computer are getting different DNS results. Firefox, Chrome, Pidgin, Xchat, fetchmail, ncftp, wget, curl, apt-get, ssh, rlogin, netcat, Wireshark, tftp, ping, traceroute, smbclient, and everything else should all be in agreement.

    • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @12:13AM (5 children)

      by Anonymous Coward on Sunday October 06 2019, @12:13AM (#903232)

      "It is nasty to have a situation where different programs on the same computer are getting different DNS results."

      I'm sure some of the carriers are spoofing DNS, so there is no way to validate this isn't already happening. It should be simple enough to check. Do a dig on a server halfway around the world and check the round trip times. If it is faster than the speed of light, then you know there is spoofing going on.
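The speed-of-light check suggested above, written out as an added example (not code from the thread or any poster): given the great-circle distance to a unicast resolver at a known location and the "Query time" line that dig prints, it says whether the reply came back faster than any signal could have travelled there and back, which would mean something nearer to you answered in that server's name. The coordinates, the dig output and the fibre speed constant are constructed or assumed as marked; an anycast address such as a public resolver answers from a nearby site and would trigger this check without any spoofing.

```python
"""Check a DNS round-trip time against the speed of light (added example)."""
import math
import re

C_VACUUM_KM_S = 299_792.458   # hard physical bound
C_FIBRE_KM_S = 200_000.0      # assumption: rule-of-thumb speed of light in fibre (~2/3 c)
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def min_rtt_ms(distance_km, speed_km_s):
    """Lower bound on the round trip: out and back at the given speed."""
    return 2 * distance_km / speed_km_s * 1000


def query_time_ms(dig_output):
    """Pull the measured time out of dig's ';; Query time: N msec' line."""
    m = re.search(r"^;; Query time: (\d+) msec", dig_output, re.MULTILINE)
    if not m:
        raise ValueError("no Query time line in dig output")
    return int(m.group(1))


def classify(measured_ms, distance_km):
    """'impossible' beats light in vacuum; 'suspicious' beats light in fibre."""
    if measured_ms < min_rtt_ms(distance_km, C_VACUUM_KM_S):
        return "impossible"
    if measured_ms < min_rtt_ms(distance_km, C_FIBRE_KM_S):
        return "suspicious"
    return "plausible"


# Constructed dig output; the 23 ms query time is the value under test.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.1

;; Query time: 23 msec
;; SERVER: 198.51.100.53#53(198.51.100.53)
"""


def check_sample():
    """Constructed case: you in Amsterdam, the queried resolver in Sydney."""
    d = haversine_km(52.37, 4.90, -33.87, 151.21)
    return classify(query_time_ms(SAMPLE_DIG), d), round(d)


if __name__ == "__main__":
    verdict, km = check_sample()
    print(f"resolver {km} km away, 23 ms measured: {verdict}")
```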

      • (Score: 2) by maxwell demon on Sunday October 06 2019, @08:16AM (4 children)

        by maxwell demon (1608) on Sunday October 06 2019, @08:16AM (#903321) Journal

        "It is nasty to have a situation where different programs on the same computer are getting different DNS results."

        I'm sure some of the carriers are spoofing DNS, so there is no way to validate this isn't already happening.

        And how is the provider supposed to figure out from the DNS traffic which program on the same computer has sent out the DNS request? There's no field in the IP header for "name of the program that initiated the request."

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @02:10PM (1 child)

          by Anonymous Coward on Sunday October 06 2019, @02:10PM (#903363)

          Uh, in the context of this question? The provider knows which software because they're using different DNS resolving mechanisms (DNS, DoH, DoT) or explicitly calling different DNS resolvers?

          A concrete example - I have tools which are bundled into micro VMs; they might well emit DNS to addresses they have internally configured instead of using the host OS.

          • (Score: 2) by maxwell demon on Tuesday October 08 2019, @02:53PM

            by maxwell demon (1608) on Tuesday October 08 2019, @02:53PM (#904101) Journal

            Your internet provider installs software on your computer? My provider certainly doesn't, and I would not accept it if it did.

            --
            The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Tuesday October 08 2019, @02:05PM (1 child)

          by Anonymous Coward on Tuesday October 08 2019, @02:05PM (#904075)

          "There's no field in the IP header for "name of the program that initiated the request.""

          That would be the port number field in either the TCP or UDP header.

          • (Score: 2) by maxwell demon on Tuesday October 08 2019, @02:52PM

            by maxwell demon (1608) on Tuesday October 08 2019, @02:52PM (#904100) Journal

            No. The source port is a random number which only the local operating system could associate with a program, but certainly not the ISP. The destination port is the DNS port, no matter which program does the DNS request.

            --
            The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @03:02PM

      by Anonymous Coward on Sunday October 06 2019, @03:02PM (#903372)

      "Chrome, Pidgin, Xchat, fetchmail, ncftp, wget, curl, apt-get, ssh, rlogin, netcat, Wireshark, tftp, ping, traceroute, smbclient, and everything else should all be in agreement."

      They would be if they were all transported over a single ciphered session protocol. A lot of this stems from the misconception that DNS is an OSI layer 7 protocol. It really isn't. It really should be considered a layer 5 protocol at the highest, and personally I think it should probably run at layer 3 or 4.

      A big part of this is a fundamental design flaw in the OSI model. The OSI model transposed layers 5 and 4. The reason I say that is that an exposed port number is not necessary for routing datagrams. The carriers have used "network management" as an excuse to snoop. If you want optimized traffic, you should be able to volunteer an optimization flag from the transport layer down to the routing layer, but it should not be mandatory.

      So basically Berkeley sockets needs to be rewritten from scratch putting a crypto layer between IP and TCP/UDP. After which the carriers can suck it, and the whole problem goes away.

  • (Score: 3, Interesting) by jmichaelhudsondotnet on Sunday October 06 2019, @09:27AM (2 children)

    by jmichaelhudsondotnet (8122) on Sunday October 06 2019, @09:27AM (#903326) Journal

    Some really good comments ITT.

    -using cloudflare for dns is like using duckduckgo, the nsa/etc just has to camp the ingress and they have the same data as if they were looking it up on their own servers(which is basically the pentagon, look it up), so anyone proposing this is trying to fix a security hole with a security hole, they are either rubes or think you are.

    -notice how moving dns from plaintext to encrypted waited until the first believable evidence that https is trivial to break?

    -notice how google and mozilla are proposing a corporate centralized privatized solution where you give up your data for a free service? ffs who is still listening to these people. Fits the pattern of their addon cert, a single point of failure they can turn on and off with a switch.

    -the only comment I found here discussing alternative dns tech in detail was downvoted to 0 when I got there, thx though anon(noticing more and more of these early trolly downvotes here admins...)

    -DNS and other things are determined by what is called a 'multistakeholder agreement', which is a made up term so they don't have to say it is oligarchical, with so many types of oligarchies involved that it is tiresome to mention them all; no one wants to bring attention to how undemocratic this all is. https://www.icann.org/news/announcement-2014-01-11-en [icann.org]

    -Not just the nsa etc is sucking up all of the search data and dns ownership updates, private 'threat intelligence' companies are building giant geo-diverse botnets to act as passive dns listeners to give them a history of who owned every domain in the world and who looked them up when, primarily for brand protection and fraud investigation. This is essentially a giant global hack in dns, that you can build your own mercenary 'request forwarding' servers and spy on the entire internet, for profit.

    -Now that we can see the censorship inherent in the public dns system, how it is essentially a global internet enforcement mechanism that allows very few people undemocratic censorship powers, and potentially even falsification powers, and that not even mozilla is proposing sane solutions, it is reasonable that anyone doing anything other than taking pictures of food on the gram should be looking for an alternative where they have more control.

    -my publishing platform, jmichaelhudson.net, is a test case for this as I am writing openly about all of the things that piss off the 'multistakeholders' at the top of the food chain. i.e. saying there is no holy land, god doesn't care about hats, mutilating genitals is evil, and financial interest has to be ended, and the wealth of the elite has to be redistributed.

    -what this is rapidly heading towards is a situation where actual aliens could land or a dam could break but the people on the scene would try to post about it, but military controllers of the internet could in real time silo alternative narratives, just like happened at Las Vegas, where the eyewitness accounts which don't support the official story at all, can hardly be found. And if so it is managed by a state propagandist like 'Debbie Lu Signon' or 'Caitlin Johnstone'.

    -slimy lateral power grabs far as the eye can see, they are building a prison intercom system, not an internet. We have to find a way to build things on the same wires that is outside of their control, there is no other way forward. They are not leaving any space for freedom, there can be no other interpretation for their actions.

    thesesystemsarefailing.net

    • (Score: 2) by jmichaelhudsondotnet on Sunday October 06 2019, @09:35AM (1 child)

      by jmichaelhudsondotnet (8122) on Sunday October 06 2019, @09:35AM (#903327) Journal

      One more thing to tack on here,

      When it came down to it, who hacked into Hillary's emails(not what they found, everyone agrees that was real including podesta getting wired about being in the pool with children and references to spirit cooking and the eye of minerva),

      who hacked Hillary's email is a question to this date no one can answer. During a campaign for arguably the most important job in the world, in the most surveilled internet in the world, literally miles away from the headquarters of the 50 government agencies and the root DNS server in Maryland itself, who are paid billions of dollars to prevent and enforce such things, with ALL OF THE BITS FROM THE WIRES, all we get is

      He said, she said. Russians, guccifer, crowdstrike, 17+ spy agencies, michael steel, bozo the clown and snuffelupagus all have equal credibility and say opposite things.

      So anyone who says that this is about the rule of law, security, chasing criminals, catching criminals, the constitution, protecting america, and that you can 'trust us', in the case in this world where it most mattered to provide a clear answer on what happened, the entire american military and police establishment was unable to.

      Just like epstein got off the hook, this is about establishing a ruling class which cannot be questioned or called in to question in any way, with a prison intercom network to allow them to more easily enforce their tyranny on us rubes living in our well-decorated cages.

      • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @02:21PM

        by Anonymous Coward on Sunday October 06 2019, @02:21PM (#903367)

        Dude, about halfway through your first post, you shouldn't have had that second rip. And 2/3 of the way through, you definitely didn't need the chaser rip. And... then you went and tried the shatter and came back to post again?

        Agree this is a great thread! But you lost the thread halfway through yours. Less drugs, more hugs!

        Ok a little less jokingly: your delivery here would be hot on a soapbox or in an impassioned dining room discussion. But typed out with the luxury of pacing, it loses a lot of momentum given the claims. "Literally miles away from a root DNS in Maryland" etc are interesting and should be thought provoking (there's a rule that insecurity is safe if the gain from exploiting the insecurity is lower than the loss of exposing the ability to detect/find/exploit that insecurity, which comes to mind). But your delivery makes it hard to resist dismissing as impassioned crackpot.

  • (Score: 0) by Anonymous Coward on Sunday October 06 2019, @04:57PM

    by Anonymous Coward on Sunday October 06 2019, @04:57PM (#903415)

    i want what cloudflare has.
    obviously their "bind" is massive and load balanced and multi-homed and whatnot, but cloudflare has to get THEIR numbers from somewhere, like we all do, which is "roots.hint"?
    so, is that part also dns-over-https or how? 'cause if cloudflare can do "root.hints" then we can do tooo, doh!

    also, it should be no business of an application running on an OS to second guess the network configuration of the OS.
    so, methinks the OS should get dns-over-https capabilities, which the repressive clubberment and bank-busting hacker avoiding applications then can rely on, doh!
    what's next? rollings roads build on roads? sheesh...

  • (Score: 0) by Anonymous Coward on Monday October 07 2019, @07:23AM

    by Anonymous Coward on Monday October 07 2019, @07:23AM (#903619)

    I no longer visit sites that require a CF captcha
    oh well there is always more to discover on the net
