[squiggleblaz]

At the moment you can make a tv that resolves dns using 8.8.8.8 and looks at fancy.ads to display an add in the tv guide/web browser/youtube app/whatever. But I can make my router direct any dns request back to itself and filter fancy.ads so that it never resolves to anything useful.

DNS over HTTPS means that you can make a tv that resolves dns using https://8.8.8.8 and looks at fancy.ads. But I can't mitm it because I don't have a suitable trusted certificate to respond to that request. So either the request to fancy.ads gets dropped and the request to online.movies.example.com gets dropped so I can't use my smart tv for its intended purpose. Or both get through.

Obviously things are different if the service uses standard OS level configuration so I can tell it to resolve dns using https://my.adblocked.dns or /etc/hosts. But nothing obliges any particular system to do that.

If my logic is faulty, please, do inform.

[shawnz]

If the TV manufacturer wanted to implement this mechanism, they wouldn't need DoH to do it. They could just put the ads right on online.movies.example.com and use TLS there. Any kind of ad-blocking mechanism based on DNS is trivially bypassable.

Suggesting that we should weaken encryption/privacy because some people plan to use it in ways that we don't like is just not a viable option. It's exactly the argument that governments are trying to use to mandate backdoors in our chat services. With encryption, it's all or nothing.

[uponcoffee]

The solution is to do as most goverments do [0]: sniff the SNI header during TLS handshakes and drop the connection if the domain matches your blocklist(s)//regex filters.

[0] https://signal.org/blog/looking-back-on-the-front/

[NegativeLatency]

If you could get your own cert onto said device you could MITM yourself and preserve adblocking.

[squiggleblaz]

I can't reply to my children, so I'm replying to myself instead.

Uponcoffee suggests inspecting the SNI header to drop the TLS handshake. So the DNS resolves fine, but when they try to connect to https://fancy.ads, that request is tampered with and fails. As far as I know, that depends on a bug in TLS which will be fixed in some future version, so that inspecting such a request becomes impossible.

NegativeLatency suggests installing an alternative certificate. This would presumably work if I have root access to my smart device. Maybe I can get access to root on my smart tv, I'm not sure, I don't use smart tvs.

But random people can't get access to root on their phone. It will break their banking apps. I can install an adblocker on my phone and accept the consequences of my actions. I'm not sure what the tradeoff between adblocking and banking apps is, even for me. I would probably want to write my own browser based app to let me log into my bank from an separated web browser - if I'm trying to log into my bank when I'm standing in the queue I don't want to piss fart around with stupid browser tabs.

I certainly can't tell my coworker "yeah I'll just install this ad blocker on your phone, it'll block some analytics too so your privacy will be a little more respected" if the only way to do it is to break their banking apps.

I mean, okay, the ads aren't unblockable. But we are at the point where I have to make a trade off between letting you run whatever code you want on my phone, and letting you not run any code at all on my phone. Capitalism depends on negotiation to work. If it's just "I'm a big company, use my service or don't", capitalism stops working.

[uponcoffee]

Fair, ESNI will eventually fix that but it's still a ways off from a finalized standard, and further still from being adopted en masse.

Then there's the option to reverse lookup the dns record associated with a given ip.

So ad blocking/censorship will still be viable for a while yet.