2019-07-04

DoH and VPNs and trust

We live in a strange world - where trust is a complex issue.

Once upon a time we would all trust the "authorities", i.e. the police and our own governments, but increasingly we live in a world where a lot of people have good reason (not criminal reasons, even) not to trust people.

The Internet is an especially complicated area where international players of all sorts come in to play, with commercial and political and criminal reasons to cause you concern.

The Internet protocols have been built on a lot of trust, but now we see some new mechanisms to help, two of these being DoH and VPNs.

DoH

DNS over https is one element, with DNSSEC being another. Using DoH means you use an https request to some external server to make your DNS requests.

An https request looks much like any other, and could as easily be your accessing facebook as accessing a DoH server. It is not something that can be snooped on, or selectively blocked.

If you do not trust your ISP to provide "clean" DNS without filtering or snooping, DoH allows you to choose someone else to trust. This is the problem, you have to trust someone, but you have a choice of who you trust.

In addition to DoH, you can also use DNSSEC to validate the accuracy of the responses. Using DoH means someone in the middle cannot snoop, or easily do any selective blocking. But whoever offers the DoH service could.

VPN

A VPN provider works in much the same way - you effectively choose a different "ISP" to provide your Internet access via the ISP you use. Again, choosing who to trust.

I was surprised how popular our own (unencrypted) L2TP service has been at A&A. In time we'll be offering IPsec based virtual ISP services too, I am sure.

Browsers doing DoH

Mozilla are working on using DoH in browsers, which means someone (like an ISP) cannot snoop, or selectively block, DNS requests. It is sad that this is even necessary. Note that AAISP do not filter or block any DNS, and have no plans to.

Oddly this upset ISPA, who has considered making Mozilla their "Internet villain" this year for DoH work.

This seems odd. If an ISP has an order to block some DNS, then they cannot block DoH, but so what? they are complying still!

I was surprised ISPA took that stance, even as a joke award for Internet villain. I can only hope they do not select them as the villain.

So A&A have donated the same amount as an ISPA membership, £2,940, to Mozilla. We have not been ISPA members for some time, but this is the first time I felt ISPA were perhaps taking views I did not really agree with.

We all benefit from the work of Mozilla so much every day, this seemed well worthwhile.

3 comments:

  1. As I see it, ISPA's trying to claim that as long as DNS blocking can be said to work against most customers most of the time they won't be forced to use a form of blocking that would actually work against smart people. This kind of compromise never ends well.

    If Mozilla sets a default DoH provider, said provider instantly becomes a target to be compromised…

    ReplyDelete
  2. Re: A&A's L2TP sorta-"VPN":

    I've wanted to use that before on previous smartphones, but for some reason only the latest version of Android (9, I think) appears to support L2TP *without* encryption (i.e. IPsec), and of course now that I have the technical means to use it, I have no need for it any more!

    (I don't exactly recall what I was wanting to use it for back then, but I think it was due to mobile networks - probably then-T-Mobile - blocking certain things, either websites or stuff like VoIP, but *not* blocking L2TP as far as I could tell... But my latest phone - Huawei's Mate 20 Pro - has Android's native SIP client disabled, it seems ��)

    I'm still planning to set up some kind of VPN server on my MikroTik router at home, for various privacy reasons when I'm not on a trusted network. Now that we have two 80/20 lines here (well, 65/20 + 70/20...), relaying traffic via home isn't such a big deal :)

    And if I ever implement my idea of having a backup home Internet connection wherein my MikroTik router is connected to my "server closet" Raspberry Pi via Ethernet, which then connects to my phone's WiFi hotspot, thus allowing everything on the home network to access the Vodafone-filtered-Internet via several extra layers of NAT, I may consider using your L2TP service over that so that we can get our IPv4+v6 addresses over that NAT chain and skip the blocking... �� (The Raspberry Pi hop is because I don't think the MikroTik would act as a WiFi client to my phone, though I could be wrong!)

    ReplyDelete
  3. I don't think we've ever lived in a world where you should trust the authorities (maybe people used to trust them more than they do now, but I think that trust was probably always quite misplaced).

    It does seem to me that people are increasingly distrusting smaller entities (ISPs, governments even) and instead placing their trust in Google, Facebook and Microsoft (who you could argue are in many ways bigger and more powerful than governments). Sometimes there are good reasons - a few ISPs have a history of meddling with traffic, many do not; Snowden demonstrated that governments aren't too trustworthy. But I'm wholly unconvinced that people should put their trust in the big tech companies instead - there's ample reason not to trust them either!

    That said, on the whole, I think the trust model that has evolved / is evolving works well for personal users. But I think it's completely broken for corporate or education environments though, because the whole thing is designed such that the "trusted endpoint" of a connection is the end user.

    Ignoring personal devices for a minute, consider a business environment where the network and all of the devices are owned by the business. I would argue that the trusted endpoint is the business, not the user themselves. There are a myriad of reasons why the encryption/decryption of traffic to/from third party services should happen at the network border rather than on the end-user's device: scanning traffic for malware, for confidential data being leaked (not necessarily intentionally), automated checking that internal passwords aren't being reused on third party services, etc.

    At the moment, this kind of "decryption at the border" can't happen* because the whole trust model is designed about the end user being the trusted party and everything in the middle being hostile. My position is that (when it comes to business related traffic), if the user can't trust their employer then they have bigger problems, and there is ample reason for the employer not to trust all of their users simply because users are notoriously bad at doing stuff securely.

    (*) You can Man-In-The-Middle the connections if you install a certificate on each end device, which is fine. Except that:
    1. A lot of the apps published by "big tech" companies use certificate pinning, which breaks this kind of legitimate MITM setup. Again, no way for the device owner to override this because its built into each app.
    2. Obviously isn't going to work at all for end-to-end encrypted protocols such as Whatsapp.
    3. Google have set the defaults on Android such that apps don't trust user installed certificates, and there is no way for the device owner (i.e. the business) to override this without rooting the device, which simply isn't feasible for most devices.

    Which brings me onto another point on the current trust model: Google, Apple, etc. have all decided that neither the users, nor the device owners can be trusted and therefore don't get root access to their own devices. This is a terrible situation because now the vendors are the only "trusted" parties and therefore the only ones who can make decisions affecting peoples' privacy. They make these decisions and then everyone is subjected to them without any recourse. Case in point - Google's decision to distrust certificates that have been installed by the device owner.

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

The first council rant, and my apologies

So, as predicted, I got cross over recycling. Yay, someone predicted this would happen... We have the recycling bags (and we now have the gr...