by TamDenholm 1209 days ago
> If the UK government really wants to follow through with their plans, they need to set up a Great Firewall - just like China - to block their citizens from accessing encrypted services like Tutanota.

We (the UK) already have a great firewall. Try to access thepiratebay.org or other pirate sites, or other sites that the UK gov deems inappropriate (CP obviously), etc. It's just a case of encroaching that same system just a little further, step by step.

People only tend to fight back when large sweeping one-off changes come in. If you consistently and repeatedly wear the other side down, you eventually get your way. How many times did the House of Commons vote on Brexit? How many times did the US Congress vote on Kevin McCarthy becoming speaker? Yeah, as long as you just keep on and on about it, you get your way.


> Try to access thepiratebay.org or other pirate sites, or other sites that the UK gov deems inappropriate (CP obviously), etc.

I don't know about the "other sites", but tpb isn't part of any "Great Firewall". It's just that ISPs have been required to update their DNS servers to _not_ resolve the DNS record. Even then, there are still quite a few ISPs that have not implemented it. It's why changing your DNS servers to something like Google or Cloudflare means you can easily access tpb.

So blocked websites in the UK are nowhere near on the same level as the Great Firewall.

My guess is those other sites are a bit more sophisticated, or if not, ISPs are willing to comply more easily.

How the block is implemented is not of any concern to the public at large. Whether it's a simple DNS block or stateful packet inspection, the vast majority of people won't be able to access it.

Once any blocking requirement is in place, it's only a matter of moving the slider to more technical means of enforcement to plug the holes in the system.

So you're right, the UK is nowhere near China in terms of filtering, nor does it need to be to still become a digital island.

That's not true, at least for VirginMedia. I use Cloudflare DNS servers and I can't access ThePirateBay without a proxy or a VPN; it's more than just a blockage at the DNS level.
When I was on Virgin, I noticed that IP addresses used by some TPB or similar websites weren't routed to the internet, which is obviously quite bad. I'm not sure if that's still what they do. Better ISPs only do DNS blocking though. Some don't block anything actually.
oof, this is serious, thanks for letting me know
In that case it's your ISP (Virgin Media). My niche ISP gives me unfiltered internet. Also, I run my own recursive resolver.
Try an SSL DoH resolver, which can't be subject to simple transparent intercepts (at least not without you knowing about it).
I don't know about the UK's system, but with South Korea they just check the host in the request header and block by that.
How can they do that? The HTTP headers are encrypted by TLS.
Until encrypted SNI/encrypted client hello is a thing, the hostname is still sent in the clear.

Also, it can still be DNS blocked - just because you use Cloudflare's DNS doesn't mean they can't rewrite the responses as they still transit unencrypted. You'd have to use DNS-over-HTTPS or DNS-over-TLS to work around that.

If it's TLS 1.2, certificates containing CNs and/or SANs are sent in the clear too.
Luckily, ESNI is being supported by an increasing number of implementations.
Maybe it's actually SNI.
Not OP, no idea how they do it, but they COULD look at the SNI in the client hello.
They can block the IPs or watch for SNI requests.

It's far from as complex as the Great Firewall of China.

I don't think the main complaint about the Great Firewall of China is its complexity.
For now...
Wasn't there a law passed that you need to provide ID before your ISP will serve porn sites? Or was that just a proposal? Either way, the powers that be are thirsting for a Great Firewall, an end to net neutrality, and backdoors to encryption.
That is already the case on most ISPs. I don't think it's legally required, but most ISPs do it with a wink-wink, nod-nod agreement with the government.

It helps that ISPs want to do a credit check on their subscribers because then they get paid by credit checking agencies (credit checking agencies love checks for utilities because it gives a strong address-to-name-to-payment-bounced-or-not linkage, so will either do the check for free, or sometimes even pay the utility for it).

So now the ISP can do a credit check on the subscriber to know their true identity, and know they are over 18, before allowing them to access the checkbox to enable porn sites.

> Wasn't there a law passed that you need to provide ID before your ISP will serve porn sites?

What happens if you don't provide your ID, is there a blacklist that only gets disabled if you authenticate?

Do they also enquire about the type of porn, what you intend to do with it, how often, and whether it's wholesome, traditional, honest to goodness British porn or some unbearable thing with pesky foreigners?

There was a law passed (Digital Economy Act 2017, pt.3[0]) but it's basically been shelved anyway as impractical.

In the UK many laws don't take effect immediately, but only on 'commencement' (normally by government order). If you look at the Archives copy of the act in the link, you'll see that there are several sections marked 'prospective' (not yet commenced). Although it looks like section 14 (the operative one which puts a duty to prevent access to under 18s) has been commenced, if you look at the footnote it only has been 'for specified purposes' and if you click through to look at the commencement order it's only actually in force for the purposes of subsection (b) (the Secretary of State may make regulations to define 'commercial basis' for pornography).

Although this is terribly confusing for people trying to work out what the laws are, it isn't unusual. It'll probably sit in this limbo state on the statute book for a good length of time and then be cleaned up by repeal next time the government passes a law in a similar area.

Or it might just sit there. The Easter Act 1928[1] setting a semi-fixed date for Easter is still extant but not in force. There may be older laws yet.

[0]: https://www.legislation.gov.uk/ukpga/2017/30/part/3

[1]: https://en.wikipedia.org/wiki/Easter_Act_1928

> Wasn't there a law passed that you need to provide ID before your ISP will serve porn sites? Or was that just a proposal? Either way, the powers that be are thirsting for a Great Firewall, an end to net neutrality, and backdoors to encryption.

Yes, but it was never enacted because it is being combined into the Online Safety Bill, the same legislation that Signal are discussing here.

And not just porn sites - effectively every site on the internet will have to age verify under the legislation as it stands, or make their content suitable for young children.

It’s not even a UK-wide block, it only applies to a set of named ISPs.
For context, it’s BT, Sky, TalkTalk and Virgin, which is 85% of all home broadband customers.

So fairly UK-wide.

Zen definitely had to do that too.
Strange, I don’t remember them being on the list. Andrews and Arnold definitely do not block the pirate bay.
Andrews and Arnold are the best niche ISP in the UK if money isn’t an issue. They’re technical, incredibly on the ball and take quite a good stance on privacy and rights.
A weak DNS block is not a "great firewall".

Not sure about SNI sniffing as another commenter mentioned and IP block block (erm). I guess it depends on the ISP and it's not so clear-cut (everybody does it, especially if there's too much abuse from a certain block).

Incorrect, not just a DNS block. IP-based as well.
Only Virgin appear to IP block.

Zen doesn't block it at all.

Just to throw a wrench into this conversation - I applaud Tutanota on this (I was curious where Signal sees the line between Iran and the UK). However:

> (CP obviously)

Are there options on the table for dealing with this in a freedom-respecting way? Even if freedom were your only priority, the worse the problem gets, the more political capital the politicians have to shut it down. If it gets worse and worse, it strikes me as inevitable that encryption will be curbed, even in the United States.

Alternately, is there a really compelling argument that CP is not a real problem? Mind you that whatever arguments are out there, I'm going to be looking out for motivated reasoning. It seems like so long as freedom-enhancing technology increases, bad actors doing worse things is inevitably going to be a problem. I'm concerned about this, because (in addition to CP being bad) if it's true, proponents of encryption would be shooting themselves in the foot by being in denial.

> Are there options on the table for dealing with this in a freedom-respecting way? Even if freedom were your only priority, the worse the problem gets, the more political capital the politicians have to shut it down. If it gets worse and worse, it strikes me as inevitable that encryption will be curbed, even in the United States.

What Apple was going to do with the on-device hashes?

This actually makes me think. Apple was only implementing the scanning prior to upload to iCloud, because they don't want to be liable for hosting (in any way, shape, or form) CSAM.

So in my mind, the obvious way out for everyone else is supporting things like Matrix hosting to make it turn-key for normal people. Not a managed service, but their Dendrite server and proper P2P [0] becoming usable. Now I just need to find, test for myself and family, and contribute to, a reasonable photo backup alternative (unless "Get a Synology" / "I picked up a Synology for family" becomes a crowd favourite in some insane universe).

[0] https://arewep2pyet.com/

In theory, I suppose, but even if it's not diminished freedom, it seems to be a step towards it.
> Try to access thepiratebay.org or other pirate sites

Both my home ISP (hyperoptic) and mobile network (Vodafone) allow me to access it.

The whole internet has a "great firewall". Kiwi Farms (whatever you think of them) was taken off the internet for a while due to (I think) backbone networks blocking/not resolving the DNS address. Any power that can be used for you can be used against you.
While I agree with the sentiment, we need to distinguish between violent crimes and financial disputes.

Like police have the right to break into your house to stop a murder, but not if you have a payment dispute with someone.

I agree, but for "violent crimes" I would think along the lines of the "hire a hitman" forums that were reputedly on the Silk Road dark web site before it was taken down.
> Try to access thepiratebay.org

That works for me in the UK on Shell Energy broadband

I have no problems accessing thepiratebay.org, or even Tor; in fact I know the MOD get to monitor all internet access so they can even tell what you are looking at or buying on the darkweb!

However I do have great difficulty accessing rt.com; I usually get ERR_NAME_NOT_RESOLVED in MS Edge, like right now!

Why are they so scared of Russia? Has the Oligarch money run dry?

Now, if it's any endorsement for Kaspersky AV Internet suite, it picked something up on my machine a few years back, so I booted from the supplied recovery ISO burnt to CD, and it needs to download the latest AV definitions. It was unable to connect to Kaspersky's servers in order to do an offline scan and removal, ergo I was unable to wipe the malware from my machine.

In the past, when I have had my systems so locked down that I can account for every packet of data coming in and going out, my internet connection just goes down so I can't get online. I've even had BIOS passwords reset, locking me out of machines.

On the point of being worn down, it would seem shouting the loudest, or controlling the media outlets, works [1].

A suggestion for @ tutanota.com, I've made this to other online email providers, but no one seems interested.

Having a delayed send from servers located around the world.

If anyone is aware of traffic shaping and traffic profiling, they will know it's possible to determine what type of data it is despite it being encrypted.

For example, YouTube will send from multiple servers to your device in bursts; it's not one continuous stream of data from one server. Obviously this also enables Google/YouTube to work out your exact physical location based on the time the different bursts of data arrive at the device and get reassembled.

It's also possible for the 5eyes+X (5EX) operators to work out if you are typing or reading an email, and when you click send, there is a very small window in which to work out where that email is going.

So if the email comes back into the UK, they will know what email server it's being routed to. In time, it's possible to work out more stuff which I won't elaborate on, but they can then carry out impersonation attacks on the entity in both directions in order to solicit more information.

Let's face it, how many people get to speak to the same person in a call centre? And do call centre staff remember and recognise their routine customers?

So could your email system have a delayed send built into it, perhaps something like X users from the UK, click send to send an email and these emails could be sent from some of your servers which would ideally be located around the globe?

e.g. I log into your service by connecting to the German server, I click send after composing an email and the email is routed in a batch with other users to, say, the US server before it gets delivered, well after I've logged off, and delivered in a randomly delayed timeframe, because most people don't need emails to hit other people's inboxes straight away; they are busy doing other things. In fact being able to send now could be an opt-in, like those times when on the phone to someone and you need to send them an email at the same time, because the 5EX workers will know you are already communicating with someone, and what can they gain from knowing about an email being sent at the same time?

With VPNs the easiest way to work out where VPN traffic is going is to slow down your target's VPN connection, and the 5EX operators look for other encrypted VPN traffic that also slows down elsewhere. This is how the 5EX workers can work out what websites you are visiting.

Likewise a VPN that can also include chaff [2] when the connection goes idle will also get to hide the type of data passing over the VPN, again affording the user of VPNs some privacy, where currently there are no VPNs affording this. I know some do VPN tunnelling, i.e. a VPN running inside a VPN for double encryption, but that still gives out the type of data and where it's going to when you have an infrastructure overview of the internet in the 5EX countries.

And if the VPN service connects to a proxy server that can keep the 2nd and subsequent relays/legs still downloading, the VPN company gets to find out who the 5EX workers might be targeting. At the very least, it would reduce their existing level of intelligence, and expose what secret court orders might be in place with infrastructure companies like AT&T's Room 641A [3].

All's fair in love and war!

I'll also point out the obvious, people tend to visit websites that are in their language, this then narrows down the websites and data centres to look at.

However if someone is multilingual, which would have been obtained by the state during the school and college years through lessons learnt and/or by association of being born or raised by parents who are not native speakers of the country they reside in, or are multilingual, the scope for the websites that could be visited can increase, introducing more legal doubt.

Anyway, an insight into 5EX internet surveillance, what GCHQ would call looking for the needle in the haystack; an example can be found here [4].

It's probably best to think of the internet like monitoring vehicle movements: you can see trucks moving around, but you don't know what's in them initially, but over time you can work it out, which is why the EU & UK have agreed the Windsor framework, namely Squid Game Green Light, Red Light [5] customs between NI & GB.

[1] https://www.dailymail.co.uk/sciencetech/article-2333165/The-...

[2] https://en.wikipedia.org/wiki/Chaff_(countermeasure)

[3] https://en.wikipedia.org/wiki/Room_641A

[4] https://cryptome.org/2013-info/09/nsa-br-mx-2/nsa-br-mx-2.ht...

[5] https://youtu.be/sH4Y450PSVM?t=29

> However I do have great difficulty accessing rt.com I usually get ERR_NAME_NOT_RESOLVED in MS Edge, like right now!

> Why are they so scared of Russia?

This is a mystery for the ages! What reason could there possibly be, in 2023, for blocking a major Russian propaganda/state news outlet?

I mean, I could understand it if there was a war going on, with Russia desperately spreading propaganda specifically to try to get NATO states to see Russia's aggression as being totally understandable and actually our fault, so that we stop sending money and materiel to the people they are frantically trying to murder in order to get them to stop resisting their takeover of their entire country...

/s

rt.com works for me on Shell Energy broadband using Firefox.
Doesn't resolve in Ireland on Eir.
Every country should have their own "Great Firewall" in order to control what's accessible (countries have their own laws) and to protect themselves against attacks, including by cutting themselves off from the internet.

In any case, as you mention many countries can already block specific websites and services from being accessed from within their borders.

Similarly, every user should have a good extra-territorial VPN so they can ignore all of that.
I don't understand why the topic always elicits snarky comments.

"Great firewalls" are necessary as a matter of fact. They have nothing to do with government overreach and curtailment of freedoms. In a liberal, democratic country what is blocked is what has been identified as illegal/criminal enough to warrant it, so why Joe Public would want to get technical tools to "ignore all of that" has to raise red flags, because that would not be "to protect his rights"...

Crucially, as mentioned, there is also the aspect of national security and protection against cyber attacks.

It's good to have ideals but on those issues we should not be "too simple, sometimes naive" (Jiang Zemin)

Edit: Oh dear, oh dear...

Because laws have never declared illegal/criminal things that should never have been declared as such? Or just because at the time it is considered criminal, no one should have the possibility to protect themselves from the government until (in the hope) the unjust law gets rectified?

Is history not enough to convince you that no matter the purpose (nefarious or not) democratic/liberal governments can be wrong as much as dictatorial ones in enacting laws?

If even access to information is forbidden, how are people supposed to get informed that maybe something is not right with these laws so they try to change them?

Because it’s clear we start from radically different perspectives.

You believe some information must be illegal and politicians must protect us from seeing it.

I believe only actions should be criminalized and that no one should have the right to decide what we, as adults, can see and what not.

No they aren't. You posit they are because of alleged threats and I and others suggest that the biggest threat is policies like this and people like you trying to give governments huge censorship abilities to coerce conformity.

Your arguments are basic and the kind that lead us to the Iraq invasion and many other wars that are for profit but, at the time, always sold as a matter of national security or similar and dissent is punished in whichever way possible.

You can make dissent virtually nonexistent online if you censor enough.

> "Great firewalls" are necessary as a matter of fact.

Empirically not true, because most countries don’t have them, and are doing fine.

> They have nothing to do with [...] curtailment of freedoms.

They literally curtail freedom.

Quoting Jiang Zemin on Hong Kong is just perfect here.

What is your definition of freedom? Because if it's having the absolute right to do exactly whatever you want that's not how freedom works in a free society.

I'm obviously provoking with that quote but it is a very good point: The world is not black and white and claiming that it is is extremely naive and simplistic, and I am afraid that what I read here in response to my comment is exactly that.

People arguing for censorship can never show anything that needs to be censored but there are countless examples of things that shouldn't be censored being squashed under policy. There's literally not a single example through history of a truth that had to be squashed for justice and safety. There are no great stories of historical censorship not because they're secret, but because they don't do anything except protect the people in power.

A censorship policy is, by nature, impossible to check. If anything is being censored you have to assume that other things, including proper discussion of the censorship, are being censored. It's not some complex "not black and white" thing where you're partly right, it's a failed idea with absolutely zero support from historical precedent.

You can't censor away bad ideas because we can't even agree on the bad ideas - such as for instance your censorship push. Why shouldn't your push to censor people be censored itself? Why do you assume that your choices for societal control are the correct impulses, which need to be bolstered with thought control, rather than the harmful impulses which will destroy society through totalitarian means?

No, censorship is always wrong because it removes the ability of the people to make decisions on the facts. Any politician who pushes censorship has to be assumed to be trying to undermine democracy because censorship can't do anything other than weaken the electorate.

> The world is not black and white and claiming that it is is extremely naive and simplistic, and I am afraid that what I read here in response to my comment is exactly that.

That's fallacious because it assumes that censorship deserves a better rhetorical chance which it was denied when in fact it's simply a bad idea. If you suggested to punish people for their family's crimes you'd get similar pushback because it's a similarly corrosive policy.

You haven't properly argued for censorship at all, by showing thoughts which need to be censored and why, you've just argued that it's a super important tool without any examples or reasoning.