
Nottingham: Internet protocols are changing

Nottingham: Internet protocols are changing

Posted Dec 12, 2017 19:03 UTC (Tue) by Wol (subscriber, #4433)
In reply to: Nottingham: Internet protocols are changing by Cyberax
Parent article: Nottingham: Internet protocols are changing

Public internet equipment should support public internet protocols. Period!!!

If private organisations want to break the internet at the border, that's fine, but ISPs (providers of a public service) should support public protocols. Then all this rubbish wouldn't be needed!

DNS is broken? The reason we can't design a new protocol and fix it, is because the public infrastructure assumes we are using "DNS over port 53" and will break any replacement! Dumb, dumber, and absolutely ********* stupid. :-(

Cheers,
Wol



Nottingham: Internet protocols are changing

Posted Dec 12, 2017 19:48 UTC (Tue) by fest3er (guest, #60379) [Link] (13 responses)

Agreed. It's stupid. It gives internet miscreants yet another way to hijack users' computers. It's as bad as the current fad that pushes end-to-end encryption for everything.

The owner of a private internetwork has the duty to inspect all data that passes through her perimeter firewall and to drop all packets and conns that carry malware whether it enters or leaves her network.

The problem is not what ISPs do. Rather, the problem is that ISPs are not held to be 'common carriers'. They want to lock their captives into using, and paying for, any and all services and advertising the ISPs can dream up. They require users to pay for internet access and bandwidth and they want to force users to pay for the extra bandwidth that all their advertising 'partners' use. Were ISPs common carriers, they would have to provide equal access to all traffic; they would not be allowed to interfere with internet traffic.

The proper solution is to employ host-to-gateway, gateway-to-gateway, and gateway-to-host opportunistic encryption. This would allow owners and operators of private internetworks to detect and drop malware and other traffic that they do not want on their networks without having to jump through hoops imposed by well-meaning but misguided internet mavens.

Nottingham: Internet protocols are changing

Posted Dec 12, 2017 20:19 UTC (Tue) by josh (subscriber, #17465) [Link] (10 responses)

> The proper solution is to employ host-to-gateway, gateway-to-gateway, and gateway-to-host opportunistic encryption.

Those don't solve the problem that end-to-end encryption does, and once you have end-to-end encryption then opportunistic encryption is pointless.

Nottingham: Internet protocols are changing

Posted Dec 12, 2017 20:40 UTC (Tue) by Wol (subscriber, #4433) [Link] (9 responses)

But I DON'T WANT end-to-end encryption (necessarily). I *do* want *an internet that works*!!!

I always used to describe my then ISP (Demon) as an Internet *ACCESS* Provider because that's what they were - "here's an IP address, here's a physical (dial-up) link, off you go!". Everything else (mail, web server, spam filtering, etc etc) was opt-in.

If ISPs provided the physical infrastructure and packet routing AND THAT WAS ALL, then half of today's problems would go away!!! By all means they can provide extra opt-in services, but stop providing "can't opt out" services that break the system!!!

If "end to end" encryption is an opt-in, great. But don't force it on me, just so's you can fix problems that shouldn't exist!!! (Which also puts banks etc - looking after MY money - into a catch-22 :-(

Cheers,
Wol

Nottingham: Internet protocols are changing

Posted Dec 12, 2017 21:04 UTC (Tue) by josh (subscriber, #17465) [Link] (7 responses)

I think we're talking past each other. Yes, ISPs shouldn't try to provide things other than bandwidth to people who don't want anything but bandwidth. That's separate from end-to-end encryption, which among other things *prevents* ISPs from doing such things. Yes, ISPs shouldn't tamper with your insecure traffic, but you also shouldn't have insecure traffic because malicious people do exist. Yes, postal services shouldn't read your postcards, but you should use envelopes.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 14, 2017 2:47 UTC (Thu) by Garak (guest, #99377) [Link] (6 responses)

> Yes, ISPs shouldn't tamper with your insecure traffic, but you also shouldn't have insecure traffic because malicious people do exist. Yes, postal services shouldn't read your postcards, but you should use envelopes.

Going without envelopes is fine in many situations- opted-in coupon mailings from a restaurant. If envelopes truly had zero cost, sure you'd throw one of those magic ones on even then. But there are costs. Likewise there are costs for encryption. And though there are some popular ubiquitous variants, it is an important part of the ecosystem that there are variants. Some variants are more and less suited to various use-cases and threat models. A common situation would be some kinds of games and entertainment where the utility of shaving latency outweighs the threat models that encryption protects against. And threat models and applications (and thus their specific usage of encryption) evolve over time. It is not good to advise using encryption blindly. People that do probably also haven't given proper consideration to the true contingency trees and cost/benefit full analysis. They probably have bought into an over simplification that "it's encrypted, nothing bad will ever happen". It's way more complex than that.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 14, 2017 9:38 UTC (Thu) by josh (subscriber, #17465) [Link] (5 responses)

> It is not good to advise using encryption blindly.

All HTTP should go away in favor of HTTPS. That's not "using encryption blindly", that's a reasonable response to established threat models.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 16, 2017 12:47 UTC (Sat) by Wol (subscriber, #4433) [Link] (4 responses)

Except that http(s) is NOT the internet.

What about those of us who don't use the web? Or are you saying that the ONLY port in use should be (80)80?

Plus, at the end of the day YOU are DICTATING to ME what I should use. NOT acceptable!

(I may agree with you - I may think https is better than http - but I might think the exact opposite FOR MY USE CASE!)

Cheers,
Wol

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 16, 2017 17:31 UTC (Sat) by josh (subscriber, #17465) [Link] (3 responses)

> Except that http(s) is NOT the internet.

I never claimed it was. Please stop making up things I haven't said and then yelling at me about them.

> What about those of us who don't use the web?

I never said anything about non-http protocols. I do think that protocols that don't have end-to-end encryption should be carefully evaluated, and many of them should go away as well, but my previous comment *only* talked about http and https.

> Or are you saying that the ONLY port in use should be (80)80?

I never said that. (And in any case, port 80 is the insecure one, so I certainly wouldn't be saying *that*, for multiple reasons.)

You seem to be attempting to force an angry confrontation, and I'm not interested. If you want to use insecure protocols, you can always find ways to do so; if you control the software on both ends, you can have them communicate by any means you wish. The tools and infrastructure that the majority of people use will continue to steer people towards secure protocols more and more strongly, so that the path of least resistance becomes safer. Security is often a usability problem, and I applaud the many people working to make the defaults both more secure and more usable.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 17, 2017 0:49 UTC (Sun) by Wol (subscriber, #4433) [Link] (2 responses)

Sorry, I'm not trying to force a confrontation or anything.

If you actually look, you will see all along that I am merely reacting to other people telling me what I should or should not do. You were telling me I should not be using plain http. Why not? And to be honest I've seen use cases where http is better than https (mostly a large volume of static pages, iirc).

If other people secure their networks with the result that I can't communicate, well, I'll cross that bridge when I come to it. But to give a silly example of "security is a bad thing", would you recommend that everyone keeps their doors locked to keep strangers out? Sounds like a good idea, until you realise that the whole point of a shop is to welcome random strangers ...

(I regularly come across reference to "security theatre" - actions that LOOK like they improve matters, until you actually look carefully and realise that they do very little, or even make matters worse!)

Cheers,
Wol

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 17, 2017 1:12 UTC (Sun) by pizza (subscriber, #46) [Link]

> would you recommend that everyone keeps their doors locked to keep strangers out? Sounds like a good idea, until you realise that the whole point of a shop is to welcome random strangers ...

.... during "normal business hours". And said doors will be locked during other times.

You picked a rather poor analogy.

encryption is a multidimensional spectrum of utilitarian trade-offs

Posted Dec 17, 2017 3:01 UTC (Sun) by josh (subscriber, #17465) [Link]

> And to be honest I've seen use cases where http is better than https (mostly a large volume of static pages, iirc).

HTTPS is, at this point, down in the noise with respect to computation. You're certainly not going to become CPU-bound serving static pages over HTTPS.

> If other people secure their networks with the result that I can't communicate

What is preventing you from communicating using encryption? You seem to be phrasing your responses as if HTTPS is a non-starter for you.

> (I regularly come across reference to "security theatre" - actions that LOOK like they improve matters, until you actually look carefully and realise that they do very little, or even make matters worse!)

HTTPS is not one of those things, however.

Nottingham: Internet protocols are changing

Posted Dec 13, 2017 1:42 UTC (Wed) by interalia (subscriber, #26615) [Link]

Hi, nice points but just a reminder that you don't have to use exclamation marks in sets of three. They don't get lonely when used one at a time; in fact, they prefer it :)

Nottingham: Internet protocols are changing

Posted Dec 12, 2017 22:10 UTC (Tue) by mpr22 (subscriber, #60784) [Link] (1 response)

> The owner of a private internetwork has the duty to inspect all data that passes through her perimeter firewall and to drop all packets and conns that carry malware whether it enters or leaves her network.

Imposition of a duty to actively MITM every single outbound connection would have some... interesting interactions with various kinds of confidentiality law.

Nottingham: Internet protocols are changing

Posted Dec 13, 2017 9:19 UTC (Wed) by dottedmag (subscriber, #18590) [Link]

Or, rather, prescribed by law, depending on the country you happen to reside in.

Nottingham: Internet protocols are changing

Posted Dec 13, 2017 4:43 UTC (Wed) by smurf (subscriber, #17840) [Link] (4 responses)

No, it's not fine. The borders between public and "private" infrastructure are exactly the point where the breakage happens (block anything that's not TCP or UDP, block packets with strange bits set [ECN], …). The border between userspace and kernel is next on the list (want to implement SCTP in userspace because the kernel doesn't know how, but no root? no luck). Otherwise we wouldn't need atrocities like HTTP/2 or QUIC.

Yes, the carriers should not block "strange" protocols, but do they really? IME setting up a random GRE tunnel [i.e. not TCP or UDP] just works.

Nottingham: Internet protocols are changing

Posted Dec 13, 2017 13:42 UTC (Wed) by Wol (subscriber, #4433) [Link] (3 responses)

But that's down to the private network. The public network should accept/transmit anything it's given.

If the private network doesn't want to receive UDP, that's its decision. If the private network doesn't want outbound DNS queries, that's its decision. If the private network falls over in a heap thanks to stupid decisions, that's its problem.

The problem is when (for example, and this bites me regularly) my private network wants to talk SMTP to your private network, and the public network says "oh no, you can't talk SMTP to anyone but me". (I regularly find myself troubleshooting the aged parent-in-law's laptop, and it would be so much easier to do it in my house except we have different ISPs, so my mail doesn't work there, and his mail doesn't work here.)

Cheers,
Wol

Nottingham: Internet protocols are changing

Posted Dec 14, 2017 19:59 UTC (Thu) by bronson (subscriber, #4806) [Link] (1 response)

Are you sure that you want the public internet to route your unencrypted SMTP traffic (and presumably IMAP etc)? Because, as described, that sounds like a mistake.

It's easy enough to set up a VPN!

Nottingham: Internet protocols are changing

Posted Dec 15, 2017 9:43 UTC (Fri) by Wol (subscriber, #4433) [Link]

Who cares? It's not your problem/decision what I do.

Okay, my mail server should be configured for end-to-end encryption, BUT THAT'S MY DECISION NOT YOURS. And if all the ISPs did was to route traffic, they would neither know nor care.

Saying "it's easy enough to set up a VPN", what, with somebody in Oz I hardly know, to send maybe a couple of emails a month? Whatever for?

If the ISPs merely route packets, then I have control of the borders of my network. If I want to encrypt everything then that's my choice. If I DON'T want to encrypt everything that's my choice. If every protocol DEFAULTS to encrypted, then I can over-ride it if I want. The point is, I CHOOSE.

The problem at present, is that I cannot assume that *legal* packets will make their way across the internet from my private network to someone else's private network, without the "postal" service snooping and throwing away stuff it happens to take a dislike to.

Cheers,
Wol

Nottingham: Internet protocols are changing

Posted Dec 16, 2017 10:23 UTC (Sat) by marcH (subscriber, #57642) [Link]

> The problem is when (for example, and this bites me regularly) my private network wants to talk SMTP to your private network, and the public network says "oh no, you can't talk SMTP to anyone but me". (I regularly find myself troubleshooting the aged parent-in-law's laptop, and it would be so much easier to do it in my house except we have different ISPs, so my mail doesn't work there, and his mail doesn't work here.)

Please use a real protocol as an example; I mean anything but the SpaM Transfer Protocol.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds