For privacy concerned netizens, especially UK based ones, I highly recommend checking out DNSCrypt[0]. It securely tunnels all your DNS requests to an endpoint of your choice.
I've used it for about two years and it's very reliable, even on a laptop. I do recommend using it in conjunction with a caching DNS recursor such as Unbound[1] to save bandwidth.
It also works great on OpenWRT if you have that luxury.
For UK residents, please also consider changing to an ISP that cares about your online rights. I only know this one: http://aaisp.net.uk
Not happy with only your ISP and government knowing where you're going online? Install DNSCrypt and add some more third parties to the mix.
[edit] From DNSCrypt's own front page:
Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity. The TLS protocol, as used in HTTPS and HTTP2, also leaks website host names in plain text, rendering DNSCrypt useless as a way to hide this information.
This is true. It's more of a DNS MITM protection rather than privacy fix. There are other uses of DNS than just HTTP(S) traffic though: but I'm sure these mass surveillance entities sit on massive reverse DNS databases anyway, rendering the effort mostly useless.
This could easily become illegal for circumventing state censorship. It might already be in places like China (if DNS tunneling helps stop censorship at all)
"We’re exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?"
Because this definitely isn't a step towards state censorship, no siree!
But isn't the truth that it is already implemented in UK ISP's DNS offerings anyway, and that this is just extending the filter so you can't bypass it by changing to a different DNS server?
This should be a textbook case on how to achieve censorship. Start by having it "optional", but not an option a user opts into explicitly, just implicitly in a way they don't understand (by "choosing" their ISP).
Then when 99% of people are already covered, roll it out in a compulsory way across everywhere because "This won't affect most people, just a small number of people".
I think it is safe to say that by 2020 the Internet as we know it today will not exist. All we will have is a bunch of walled gardens, under full surveillance from both the government and corporations. And most people will not even notice or care.
I think it's safe to say you're exaggerating, and while there will be local pockets of utter confusion (North Korea, some US ISPs) on the whole it will be fine.
That's not to say we don't need to fight for rights, to keep this sort of thing from happening, but that I have confidence that we can and will fight these things successfully.
If in 2010 I told you the next presidential candidate for the USA was retweeting 4chan memes, you'd have probably said I was exaggerating. All I'm saying is things are changing quicker than we can imagine.
I don't think I'm exaggerating. When you read this article, and read what corporations are doing, and politicians are advocating, it's easy to see where this is going. In addition to that you have the ICANN stewardship transfer, which might make it easier for other countries to influence how the Internet works. We also have a growing number of hacks/leaks that will be used to push the "need for firewalls" and "warnings" from experts that "someone" is probing our defences. It all does not make me hopeful that we can keep the internet free.
Between surveillance states, cyber attacks, and probable rising energy costs, it wouldn't surprise me if a lot of things in general became much less global. If you want to hear one of the greatest pessimists of our age, I recommend James Howard Kunstler. He's written some books, does some podcast appearances, and keeps a blog. He's the first person I ever saw put forth a convincing argument for why the internet may be a temporary phenomenon.
There's too much money or power otherwise. Perhaps the discussion to have is not about the degrees of surveillance or walled gardens, but public access to mass surveillance records collected by government agencies. If everyone had access to everything, it would be a check on the absolute power of powerful institutions to corrupt them absolutely.
I'm not evangelizing the idea, I just think it's something worth debating and I don't see enough of it yet.
Nah, just point your DNS queries to 8.8.8.8 (two times Adolf Hitler's birthday, easy to remember) and you'll be fine. Or, if Google is blocked, use another root server. Or, if all root servers are blocked, use a VPN. Or, if all VPNs are blocked, invent a distributed DNS system that adds .realuk as a new top-level domain.
If VPNs are blocked then DNS filtering likely is not your only problem. You would already be behind something akin to the great firewall.
And you also have to consider that when you start using counter-measures then you're already retreating and relying on foreign, more-free societies to support you. What if they succumb to the same thing too which obviously is not so far-fetched since it already happened to your society?
Sometimes you just need to give in on these little things to get on with your life. For example, my friends complain about spam, but ever since I switched my email to 419.ng, it has been a thing of the past for me. I'm sure letting a malicious government institution fully merge its traffic and monitoring into your traffic will simplify your life too.
---
419.ng freemail, exceptional service for fr33!
Dear sir or madam the crown prince of Contantanople is having trouble transferring his considerable fortune..
"what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?"
By designing a system for distributing filter rulesets to the endpoints. Works fairly well for in-browser malware blocking and adblocking. And if users can retrieve rulesets from configurable sources, it allows them to tune how aggressive their filtering is, and avoids turning every rule into a potential national censorship row.
By comparison, making ISPs do DNS filtering is of middling effectiveness and screams of "just give me all the control and trust me to sort it all out."
This means they'll be able to collect statistical information, to be stored in your household web history list. This is just another attempt at mass data collection.
It's not like it wasn't being done before by intercepting DNS requests, but this way it's legal.
This also paves the way to ISPs being required to conform and build an infrastructure to associate a subscriber ID with a given DNS request.
Because we can avoid registering a .co.uk domain, but we can't stop a foreign government forcing a Certificate Authority to issue a certificate for our domain.
If the US government were to force the root zone key holders into issuing a false update for the .is top level domain, for example, that should rightly be treated as an act of war, and be detected before it could be used. Such an expensive attack could only be used once, and would achieve nothing.
I've answered this totally bogus argument so many times, I'm going to take a different tack this time and put you on the spot.
Tell me: what's the TLD you'd choose for your new site if protection from governments was your goal? We already know: it's not .IO, which is controlled by GCHQ. Which one is it? Are we all getting .IS names in your bright DNSSEC future?
I trust the Icelandic government more than the least trustworthy of all the CAs trusted by my browser (plus the least trustworthy of all the governments that have power over any of the CAs trusted by my browser).
Alternatively I could (in theory) set up my own generic TLD, like Apple has done. Here is their DNSSEC practice statement:
But if your site is hosted under a .COM, .ORG, .NET, .US, .CO.UK, .ORG.UK, or .IO name, or, for that matter, under a generic TLD managed by any company domiciled in the US, UK, Canada, or Australia, your feeling is: it's just fine that the NSA gets to swap in its own TLS keys for your own whenever it wants.
Do you have another TLD besides .IS you might "trust more than the least trustworthy CA in your browser"? Could you name it?
If you are relying on the CA system to secure your website, it is equally insecure no matter what TLD your site is under. DNSSEC at least gives you the possibility of moving away from .COM, .ORG, etc to a top-level you trust.
You still haven't said what your threat model is, though. The fact you mentioned "protection from governments" earlier suggests that the threat model you are envisaging is "I am trying to run a website that will be attacked by every country in the world". If that's your threat model, I would be interested to know what technology you suggest to counter that threat.
Alternatively, if your threat model only includes "US, UK, Canada, or Australia" then there are various other TLDs that are more trustworthy than the Turkish or Chinese governments (no disrespect to those countries). For example, the TLDs of .ch, .dk, .li and .lu. Even .de and .fr should be managed in ways that are independent from the 5 Eyes.
I can't believe anyone thinks this is the Internet we should be forklifting the DNS out to build. The one where we have to decide which spy agency is going to escrow our TLS keys when we pick a domain name. It's the same day as the announcement of the Snowden pardon appeal drive, and we're saying "fuck it, all of .COM's TLS keys should just go straight to NSA".
Why are you so focused on "all of .COM's TLS keys" when, under the current CA system, all TLS keys for all domains go straight to NSA and any government that controls a CA (e.g. Turkey and China, etc.)?
A situation where people can avoid the governments they don't trust is strictly better than this, but you seem to be arguing that it is strictly worse.
(a) They do not (go ahead and try to get a Google Mail cert).
(b) They need not (CA's can be --- and have been --- and will probably within a few weeks be again --- untrusted by browsers)
(c) It is insane --- as in, "definition of insanity" insane --- to double down on a hierarchical PKI controlled by governments as a response to problems with the CA system. It is literally the opposite of the direction we should (and are!) going in.
I note: in no exchange we have ever had about this issue have you ever so much as rebutted my contention that adopting DNSSEC+DANE would escrow .COM TLS keys with the US government. That's unsurprising, because my contention is true. But I'd like to point it out anyways.
(a) The fact that I can't (or won't) get a fake cert for Google Mail doesn't really prove anything. I am not the NSA. I assume you wouldn't accept the challenge if I asked you to produce a fake (but cryptographically valid) DNSSEC response for mail.google.com.
(b) Waiting a few months after an attack for a CA to be shut down is not as much comfort as being able to choose in advance which ccTLD or gTLD you are under. As I keep saying, with DNSSEC, the malfeasance of a third party trust source has no effect on your security, unlike the existing case with CAs.
(c) Switching from a "chain is as strong as its weakest link" model to one where you can be free from any subset of governments you choose is a strict improvement and very much the right direction to be going in.
In response to your note: you have made many claims on this site, and I have rebutted those made in discussions I have been involved in, but I don't remember you making the "escrow" claim in one of the discussions I was involved in. I do remember seeing it recently, though, and laughing to myself about it, trying to work out what was going through your mind when you made that claim. Eventually I realised that by "escrow" you mean "The US government could force Verisign to issue a fake DNSSEC response for a website under .COM", i.e. a situation which is strictly better than "The US government could force Verisign to issue a fake TLS certificate for any website with any domain name." Presumably you would call that key escrow too.
I hope I have understood you correctly, and that this counts as a rebuttal, but it's 03:30 here so I'll have to leave this interesting discussion for the night. I look forward to hearing what you have to say in this or another thread soon.
In a DANE world, every TLS certificate for a site under .COM is validated through the DNS, and the USG, which controls the DNS for .COM, can silently swap in its own identity for that of any of those sites.
They don't get the bits of your private key exponent. They don't need them; the DNSSEC key escrow system is subtle enough to let people think their secret keys matter.
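The mechanism being argued about above is DANE's TLSA record: the zone publishes a hash (or the raw bytes) of the certificate or its public key, and a DANE-aware client compares what the server presents against that DNSSEC-signed data instead of asking a CA. The following is an added example, not code from the thread or from any DANE implementation, and uses only the Python standard library. The certificate is a constructed, unsigned DER skeleton with the X.509 field layout (the signature bytes are dummy), the name www.example.com is hypothetical, and only certificate usage 3 (DANE-EE) is modelled; usages 0 to 2 additionally involve the PKIX chain and are left out. The last function shows the point made above: whoever can sign the zone can publish a TLSA record for a different key, and a client that trusts only the DNS will accept the certificate that matches it.

```python
"""DANE TLSA association data (RFC 6698) computed from a constructed X.509 DER."""
import hashlib

# ASN.1 tags used by the skeleton certificate
SEQ, INT, OID, NULL, BITS, UTCTIME, SET, UTF8, CTX0 = (
    0x30, 0x02, 0x06, 0x05, 0x03, 0x17, 0x31, 0x0C, 0xA0)


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _header(buf: bytes) -> tuple[int, int]:
    """Return (header length, content length) of the TLV starting at buf[0]."""
    first = buf[1]
    if first < 0x80:
        return 2, first
    nbytes = first & 0x7F
    return 2 + nbytes, int.from_bytes(buf[2:2 + nbytes], "big")


def der_children(tlv: bytes) -> list[bytes]:
    """Split a constructed DER value (SEQUENCE/SET) into its child TLVs."""
    hdr, clen = _header(tlv)
    body = tlv[hdr:hdr + clen]
    out, i = [], 0
    while i < len(body):
        h, c = _header(body[i:])
        out.append(body[i:i + h + c])
        i += h + c
    return out


def make_cert(pubkey: bytes, serial: int, cn: bytes = b"www.example.com") -> bytes:
    """Build a constructed (unsigned, not real) certificate carrying `pubkey`."""
    rsa_enc = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    name = lambda s: der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, s))))
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
    spki = der(SEQ, rsa_enc + der(BITS, b"\x00" + pubkey))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, bytes([serial])) + sig_alg
              + name(b"Example CA") + validity + name(cn) + spki)
    return der(SEQ, tbs + sig_alg + der(BITS, b"\x00" + b"\xAA" * 32))  # dummy signature


def spki_of(cert_der: bytes) -> bytes:
    """Extract SubjectPublicKeyInfo: 7th field of tbsCertificate when version is explicit."""
    tbs = der_children(cert_der)[0]
    return der_children(tbs)[6]


def tlsa_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data: selector 0 = full cert, 1 = SPKI; type 0/1/2 = raw/SHA-256/SHA-512."""
    subject = cert_der if selector == 0 else spki_of(cert_der)
    if matching_type == 0:
        return subject
    if matching_type == 1:
        return hashlib.sha256(subject).digest()
    if matching_type == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type")


def tlsa_rr(owner: str, usage: int, selector: int, matching_type: int, cert_der: bytes) -> str:
    """Presentation-format TLSA record the zone operator would publish."""
    return f"{owner} IN TLSA {usage} {selector} {matching_type} {tlsa_data(cert_der, selector, matching_type).hex()}"


def dane_ee_accepts(presented_cert: bytes, record: tuple[int, int, int, bytes]) -> bool:
    """DANE-EE check: the presented leaf cert must match the DNSSEC-validated record (usage 3 only here)."""
    usage, selector, matching_type, data = record
    if usage != 3:
        raise NotImplementedError("usages 0-2 need PKIX chain handling, not modelled")
    return tlsa_data(presented_cert, selector, matching_type) == data


def zone_operator_substitutes(site_cert: bytes, substitute_cert: bytes) -> tuple[bool, bool]:
    """Publish a record for `substitute_cert` instead of `site_cert`; return (site accepted, substitute accepted)."""
    record = (3, 1, 1, tlsa_data(substitute_cert, 1, 1))
    return dane_ee_accepts(site_cert, record), dane_ee_accepts(substitute_cert, record)


if __name__ == "__main__":
    site = make_cert(b"\x01" * 64, 1)          # constructed key bytes, not a real RSA key
    print(tlsa_rr("_443._tcp.www.example.com.", 3, 1, 1, site))
    print(zone_operator_substitutes(site, make_cert(b"\x02" * 64, 2)))  # (False, True)
```

The `(False, True)` result is the whole dispute in miniature: with usage 3 the site's own certificate is rejected and the substitute is accepted purely on the strength of the zone's signature, so the party able to sign the zone (or any parent up to the root) decides which key the client trusts.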
In a CA world, every TLS certificate for a site under . is validated through trusting the CA, and the USG, which controls various CAs capable of issuing certificates for any site, can silently swap in its own identity for that of any of those sites.
They don't get the bits of your private key exponent. They don't need them; the CA key escrow system is subtle enough to let people think their secret keys matter.
And? The CA system is already deployed. DNSSEC is not. Why would we deploy another compromised PKI, one that can't be separated from governments, one that would force most huge sites to abandon their current domains to avoid USG spying, when we could spend a fraction of that energy getting CT deployed?
I readily accept that we need Certificate Transparency deployed, not least to deter malfeasance in the DNS (which is a more tractable problem as the list of TLDs is relatively small and well known in advance). Hopefully you also accept that DNSSEC (or something very similar to it) is needed to ensure the integrity of DNS responses (and to give us authenticated denial of existence, and so on).
The question then becomes "Is the amount of work to use DANE on top of DNSSEC (and potentially changing the TLD of my domains, depending on my threat model) too great to justify the extra security of being insulated from malfeasance by unrelated third parties (i.e. any of the CAs in the world)?"
I think that reasonable people can disagree about both the amount of work and the amount of extra security, and it is probably a different balance for each domain being considered. I don't think it is reasonable, though, to say that DANE as a technology shouldn't exist and be available to people who would benefit from it.
No, I do not accept that something like DNSSEC is needed. I do not think the DNS needs integrity. I think the CA system needs to be repaired, and then we need to stop pretending that the DNS is more important than it actually is. After all, we don't have plans to create "ARPSEC" or "DHCPSEC", either.
Nobody benefits from DANE. DANE takes the existing broken CA system we have now, retains it, because a large fraction of the deployed base of browsers can't actually handle DANE lookup queries, and then adds a new hierarchical PKI that is suborned by governments from the very beginning.
There is no amount of extra work we should spend to deploy DANE or DNSSEC. In fact: the potential deployment of DANE merits some work to prevent it from happening.
In fact, next month's Icelandic government could be the Pirate Party, but I would rather trust Iceland not to elect an anti-privacy government than trust all CAs in the world not to be subverted by any anti-privacy government (indeed, some of them already have been).
"Trusting all the existing CAs" is literally the status quo, though, right? So whatever it is you are proposing as a replacement needs to be strictly better than that. I've made my case for how DANE is better, but what exactly are you proposing as an alternative? Is it just "trusting all the existing CAs, and distrusting them a few months after they have been caught (using CT) breaking the rules"?
You earlier argued that the strength of the CA system is that they "can be --- and have been --- and will probably within a few weeks be again --- untrusted by browsers", but that just sounds like you're saying "the good thing about the CA system is that it keeps failing, and our repeated belated steps to punish malfeasance do not work as a deterrent".
Again, I look forward to reading what you propose instead of the CA system and DANE.
I think it's part of the state's mandate to provide security to the citizens, offline and online. Unfortunately I haven't really seen alternative plans that don't give the state more power at the same time.
It doesn't matter the "real" reasons behind this kind of decision, unless people are presented with a sane alternative.
0: https://dnscrypt.org
1: https://unbound.net