bboard

Posted by DonJon

Posted by CaptainJistuce
It has been brought to my attention that my posts about FF1

for context that was me. bleh no sense in keeping it in PM now i guess...

hard to believe the first game came out like 4 years before i was even born...some of you guys must be approaching 40 then...damn, actually "Birthdays today: Ramsis (40) " so it seems

Posted by sureanem
What's wrong with DNS over HTTPS? Fixing ISP MITM attacks once and for all is a commendable idea. Not allowing hosts file blockers is a shame, but it really would not be a problem if you did your ad blocking like everyone else.

Posted by sureanem

Posted by CaptainJistuce
As an option, sure.
As a mandatory thing... ugh. I ALREADY can't use large portions of the internet with older computers solely because modern HTTPS servers require recent encryption standards that old browsers don't support(because Google punishes them for being back-compatible), and those same sites often don't offer an HTTP alternative(because Google punishes them for being back-compatible).

What is even the point of owning an Ultra 10 and a PowerBook 190 if I can't fuck about on the internet with them?

HTTPS is also a mistake which ought to be thrown out and redone with modern technology.

The whole deal is that it has to be violently killed off - if DNS is allowed to coexist peacefully, what will happen is just that malicious actors will NXDOMAIN the use-application-dns.net record and then filter as usual. This is a golden opportunity in which the financial incentives for once line up with freedom, and it should not be squandered!

But this is a completely ham-fisted way of going at things which should never be supported. How is Firefox to know you're using a trusted DNS server? The model of "because I tell it so" has clearly been shown to fail. The matter of fact remains: whether you like it or not, googleads.g.doubleclick.net does resolve to an ad domain, and this is not up to you to decide. There is such a thing as an objective truth, and this should not be interfered with - rather the filtering ought to be done on the level of the user-agent - that which represents the user, unlike the other components. When you bring a device to somewhere which does not implement your censorship, or the regulator decides to DNS block politically sensitive websites, what then?

Treating filtering of content as a supported behavior is a "good intention," and such should fail as violently as possibly.

Posted by tomman
The only sites I was able to open were this board (over HTTP) and n-gate (which does not need HTTPS).

Posted by sureanem

Posted by CaptainJistuce
Backwards-compatibility is of value.
I don't think that "if someone can't afford a new computer, they should be banned from the internet" is a good attitude, and that's where we're headed. Current versions of Firefox and Chrome won't run on anything older than Windows 7. That ALREADY leaves a lot of people out in the cold. There is nothing wrong with their Vista and XP machines, but browser vendors said we can't use them anymore and websites said we can't use old browsers.
If you want to tell me privacy needs to be aggressively pursued at the cost of breaking existing browsers, you need to make sure that new browsers are available for older systems.

Well, while it's regrettable, that is the way things work anyway, so then it only makes sense that this should be made a basic underlying assumption and worked with from there.

I mean, who the hell is too poor to afford anything but a PowerBook 190? Poor people use low-end/used/old smartphones, and they handle the Modern Web™ just fine.

Why does it need to be made sure that newer browsers exist for older systems? In theory, there is nothing preventing anyone from making or backporting a browser if they feel the existing alternatives are inadequate, and in practice, Vista and below are exceedingly rare nowadays - heavy enough of an edge case that anyone using XP as a daily driver certainly knows what they're getting themselves into.

Also, there's a financial incentive to NOT change the DNS infrastructure. ISPs use their status as "your DNS server" to serve ads on failed lookups instead of returning an error. Commercial filter software relies on DNS being transparent.
Hell, commercial interests are trying to sabotage TLS 1.3, because enterprise software relies on flaws in TLS1.2 to do things that were easier to implement without abusing TLS1.2 in the first place.

Sorry, but nope. There ought to exist a mechanism right now to tell my network "this domain is untrusted and nothing on my network should be allowed to connect to it", and... oh, wait, such a mechanism does exist, and it is local DNS entries.

How can Firefox tell it is really you, the user, of which it is the agent, though? Such cases are a hundred to one compared to corporate/national attacks. You could rewrite the sentence as such, and it would still make as much sense;
There ought to exist a mechanism right now to tell my country "this domain is terroristic and nobody in my country should be allowed to connect to it", and... oh, wait, such a mechanism does exist, and it is local DNS entries.

DNS does not exist for the sake of censorship, it exists to provide name resolution - arguing its raison d'etre is that it should exist to do poor name resolution seems like a queer idea.

If such bad actors do concern you, the proper course of action is an IP block.

Instead, Firefox and Chrome want to block websites based solely on Google's "dangerous website" list. And we've already seen how THAT works. How much worse will it be when Google has the power to be overtly malicious instead of overtly inept and subtly malicious?

Google already has the power to be overtly malicious, so there is no scenario in which this changes anything. That Firefox implements their blocklist is regrettable, but as the saying goes, he who pays the piper calls the tune.
With that said, what does Google have to do with DoH? They run 8.8.8.8, and I would imagine they can run a DoH server too, but by my understanding so could I if I were so inclined.

Personally, I think it's a moot point in the long run. For applications requiring privacy, Tor is the only suitable option

Posted by sureanem

Well, I get it in theory. But I can't say I know of anyone actually using these extreme legacy devices. The poor people I know either use old Android phones with cracked screens and whatever, or old laptops with the "free" upgrade to Windows 10. To my knowledge, Windows 10 runs on pretty much anything that Vista does, to varying degrees of performance.

And you don't just get to say "it's regrettable, but that's how it is" while proselytizing for the changes that MAKE it the way it is.
It is only in the last few years that breaking changes to the internet have become a thing, and they are almost without exception done to give people a false sense of security.

Well, how exactly have these things broken? I wouldn't think it's due to the security theatre. Moore's law is a far more probable explanation. If I want to log in to my bank, doing this in an old browser which doesn't support JavaScript is not possible either.

Without DoH, we would still have the problem of "legacy devices are legacy for a reason," so it can hardly be blamed for this development.

This includes Micky Mouse places like China and Africa though. If you just look at civilized places it's practically zero. The SHS for instance puts XP at <0.10% while Linux clocks in at 0.80%. Consider that Steam also has a lot of people from those places, and the real ratio probably turns out to be 20 to 1 or something like that.

I would also like to point out that Linux obeys the standards of the web and runs modern browsers, unlike Windows XP, and having your website support Linux often requires no additional effort - good luck running Ubuntu Warty in 2019.

DNS intentionally provides a multi-tiered system where a local DNS server can override a remote one. It has ALWAYS been intended that you can specify your own name resolution.

Hell, the original DNS implementation was user-side only. HOSTS.TXT, MOTHERFUCKERS!

Yes, and SMTP was originally intended to be anonymous because that's how post offices worked. That didn't turn out too good and now we're layers and layers of bandaids in, with the end result being that you now have a few 'good' mail providers who authenticate you via cell phone and chuck all the rest's into the spam folder or even kill them silently. Far better then to rip off the bandaid and kill the archaic service that is DNS.

Translation: Privacy doesn't exist.

What do you mean? Tor is plenty private, and many websites which have trouble with clearnet already today find themselves with no other choice but to use it. If censorship/snooping continues it seems as if this development too should continue, but that hardly means privacy is dead.

Let's go through a list of problems with regular HTTP over clearnet
...
* This also goes for whoever runs your network

This is a feature, not a bug.

...we should use blockchain...

DNS-over-TLS is made to be easy to be blocked. Here's what Paul Vixie has to say on the matter:

Posted by Paul Vixie
DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.

Posted by Paul Vixie
if your network operator is me in any form, then none of those bypasses [VPNs] will work, because i defend my control plane, which includes dns. i think the IETF was way wrong to standardize DoH since not all network operators are malicious -- my enterprise and home nets are examples

Posted by Paul Vixie
That's inverted. A network operators who defends their control plane may be more worried by outside actors than by it's users. Defensive tunneling from my house or work is not in your interest or mine. Don't do it. Esp not by default. Please.

Posted by Paul Vixie
Nope[, DoH is not about protection against untrusted local networks]. DoH will be the default setting for many BYOD, and will mindlessly bypass security policy. Not at all like DoT, which can be filtered by any network operators with ease, to force local resolver use. DoH is a big F.U. to ALL network operators.

Does this sound like a man you trust with making your standards?
I'm not going to call into questions Mr. Vixie's allegiances here, but I will say that if I were tasked with writing satire to make DoT proponents look bad, this is exactly what I would write.

Posted by Kawa

Posted by CaptainJistuce
Trufax, my hosts file contains one entry: "facebook.com 192.168.0.1"

What, not even "localhost 127.0.0.1"?

Posted by sureanem

Also, Hr. Hipp (the SQLite guy) looks really badass in the image on his Wikipedia page, like the villain in an anime series or perhaps a Bond movie.

Posted by sureanem
That the US government made it is not all too relevant here - the purpose was to help their CIA spooks communicate easier with HQ, as well as to facilitate fomenting color revolutions in the second world. To try and put backdoors in it would have been like drilling holes in your gun in case someone else steals it - not exactly ideal.

Posted by sureanem

Posted by CaptainJistuce
Navy, actually. Not CIA.
And the point is that if it was actually that secure, they wouldn't have released it to the public.

Navy made it, but the main beneficiaries inside the US government sure are the CIA.

It does not follow. By that line of reasoning AES and the like should have backdoors too since it was standardized by the US government, not to talk about Bitcoin. Historically, the US government's backdoors have only been of the kind that they were damn sure an adversary couldn't exploit, so something of the public/private key kind (e.g. Dual_EC_DRBG) would have been their only choice.

And as for that, it's hardly the dried-and-shut case of "NSA uses their superior cryptography skills to hide invisible backdoors in every single cryptography algorithm freely available on the open market" - people knew something was up even in the early 2000's. IBM got some mystery meat S-boxes for DES from the NSA, and everyone thought they were backdooring it, but they were actually making it more secure:

Controversies arose out of classified design elements, a relatively short key length of the symmetric-key block cipher design, and the involvement of the NSA, nourishing suspicions about a backdoor. Today it is known that the S-boxes that had raised those suspicions were in fact designed by the NSA to actually remove a backdoor they secretly knew (differential cryptanalysis). However, the NSA also ensured that the key size was drastically reduced such that they could break it by brute force attack (the computing power to brute force DES however did not exist in 1975).

(As an aside, it must be a very painful position to be in to have everyone accusing you of introducing backdoors when you were actually trying to help them stay safe but being unable to tell them because you would endanger them)

The US government has realized extreme geopolitical gains from the Internet in general and Tor in particular, and this alone pays for it a thousand times over.

The US is already an open society, and as such the damage from even perfect cypherpunk-style anonymity is negligible, especially when compared to what that might do to China/Iran/Russia, and what it already has done to a whole host of countries before.

Posted by Kawa
Physics engines were a mistake.

Posted by Kawa
Civilization was a perfectly good game. The only mistake was Nuclear Gandhi.

Posted by Kawa
Are you sure you're bragging about the right number here?