Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Alec Muffett <alec.muffett@gmail.com> Thu, 18 July 2019 00:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/add/LHDXjeYUwoSzzARloeywdo59Sew>

On Wed, 17 Jul 2019 at 22:54, Vittorio Bertola <vittorio.bertola@open-xchange.com> wrote:

>
> Can I just ask you whether you really think that DoH makes a real
> difference to the proverbial dissident under a dictatorship?
>

Since this is a personal question, I shall answer in the first person.

Yes I do, because my 25+ years' experience of trying to get people to use
advanced security tools — Signal, Tor, Briar, SSH, PGP — has led me to the
conclusion that although such tools have their place, the world is best
served by maximising the {privacy, tamperproofness, blocking-resistance}
which is available as-default to the absolute maximum number of people.

This perspective led, in part, to my being chosen as the lead engineer for
adding end-to-end encryption to Facebook Messenger:

https://www.wired.co.uk/article/messenger-secret-messages-end-to-end-encryption

...and in the process of which I had to defend the creation of the same
against the counterarguments made by proponents of the
monitoring-and-safety viewpoint:

https://parentzone.org.uk/secret-conversations-everything-you-need-know-about-facebooks-new-feature


> If I were one, I'd already be using stuff like Tor and VPNs.
>

I am familiar with that perspective; to venture off-topic for a moment,
there is in the United Kingdom some legislation arriving, soon, which will
require everyone to verify that they are over 18 before viewing pornography:

https://www.openrightsgroup.org/campaigns/digital-economy-bill-hub/age-verification/

This regulation requires the collection of data which did not need to be
collected before, and ties it to real-world identities; unsurprisingly the
"geek" world falls into two camps, those who say "People should just use
Tor and VPNs" — which is true, but unhelpful at scale and which brings its
own risks of complicit VPN providers, etc — but also there are erudite
essays such as this one, extract:

https://www.girlonthenet.com/2016/10/17/get-round-a-porn-block/

> *Do you know how to get round a porn block? If your immediate thought here
> involved something like a VPN or Tor, then congratulations: it sounds like
> should your government implement a porn block you’ll have a reasonable idea
> how to circumvent it. However, can I ask that you please please please stop
> telling me on Twitter that you how to get around a porn block? Allow me to
> explain why.*


...which goes on to explore the theme more usefully than I can in this
email.

Also, I can strongly recommend that you invest a few days of your life
attempting to lecture/teach "security tools" to actual dissidents, or even
just members of the public; to do so is a life-changing experience.

I can recommend "CryptoParties" as a starter in this space:
https://www.cryptoparty.in



> Encrypting the DNS query is nice, but if then there are packets going from
> my computer straight to the forbidden destination, it's also not very
> useful - and if there aren't, then I am possibly already using technologies
> that could transport my DNS queries securely as well.
>

Indeed - I am a (possibly the only?) proponent of DNS-over-HTTPS-over-Onion:

https://github.com/alecmuffett/test-dns-https-onion

...but I am not foolish enough to believe that that will ever benefit more
than a few thousand / tens-of-thousands of people, once implemented.

Whereas in my previous job I literally enabled secure communications for
more than 1 billion people — if they so choose, and I am not convinced that
enough of them chose.

Hence why I welcome seeing Facebook embrace E2E more broadly (
https://www.theverge.com/2019/1/25/18197222/facebook-messenger-instagram-end-to-end-encryption-feature-zuckerberg)
and also why I believe that DOH-BY-DEFAULT-ON-FIREFOX-AND-CHROME is the
only useful route forwards towards adoption and impact.


> I think that DoH is much more of value for people that do not need to hide
> their traces completely, but just don't want their DNS traffic tracked and
> monetized.
>

Good security technology seeks to lift all boats:
https://medium.com/@alecmuffett/how-to-help-dissidents-with-technology-lift-all-boats-e6fcb72d0da1

Tor is good — I launched the Onion sites for both Facebook & the New York
Times — but it is not "at scale".

Firefox and Chrome, together, are "at scale" and present a tremendous
opportunity to "shift the needle" back towards
privacy-and-integrity-and-assurance-by-default.


> Also, this idea that the Internet will export democracy by providing
> "escape to a free web for oppressed peoples" is... so 90's.
>

That's a strawman.  I am not trying to "export democracy".

I am, as Whitfield Diffie puts it, merely attempting to restore to people
the ability for people to have a private conversation, even with a foreign
webserver.

However, it has to be said that repressive regimes — and the safety-focused
— are both communities which have issues with that goal.

Alec Muffett
Formerly Facebook Security Infrastructure Engineering
Member: Board of Directors, Open Rights Group
Member: Cybersecurity Executive of the British Computer Society
Co-Author, RFC7686
Avid cyclist and chef
Have a good evening, everyone. Hugs.

-- 
http://dropsafe.crypticide.com/aboutalecm