You don't actually need a driver's license to buy a car. You need a driver's license to use one on public roads, and you'll probably need some form of government ID to register and insure the car, and the dealer might ask for some sort of ID to verify your identity, but you don't need a driver's license just to buy one.
Why wouldn't you need to verify identity to buy a car? Every car I've purchased the first thing they ask is to see your driver's license, even at used shops.
Where I'm located, there is no law that you need to verify your identity to purchase a car. I couldn't think of a reason why there should be. Another poster mentioned if buying with credit, and while true in some situations, that doesn't have to do with the actual purchase of the car but with using credit. That is why.
Well I didn't say there's a law that the dealer has to ask for ID, I only said that the dealer might ask for ID. Particularly if you're not paying with a stack of cash up front, they'll want to know who they're dealing with.
It's really not. There's different ways one can do this, but it's not hard to lock down outbound traffic.
On a more general note, tangential to the article and specifically regarding blocking DoH and friends, it's pretty trivial to do this with a DNS backed firewall. I do this for my IoT vlan:
- default deny all outbound
- set dnsmasq to populate an ipset/nftset with DNS responses
- have a firewall rule that hole punches for traffic destined for any ip in the set
- now it's just DNS filtering like usual
This means any successful outbound connection must be prefixed with a successful DNS query that is resolved by the local Dnsmasq instance. Any query that hits an unblocked DNS endpoint does not populate the set used for whitelisting, and is dead in the water - making DoH, DoT, DoQUIC, and such unviable.
Obviously, hole punch exceptions as needed (e.g. for direct connects to static IP addresses).
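The allowlist mechanism described above, as an added Python simulation (not the commenter's dnsmasq or firewall config): it builds the allowed set from constructed dnsmasq "reply" log lines, applies a static hole-punch exception, classifies constructed outbound attempts the way the set-backed rule would, and flags the shared-range caveat raised in the replies below. All hostnames, addresses and the shared range are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (\S+) is (\d+\.\d+\.\d+\.\d+)$")

# Constructed log lines in the shape dnsmasq writes with log-queries enabled.
DNSMASQ_LOG = """\
Mar  3 10:00:01 dnsmasq[123]: reply api.example.com is 203.0.113.10
Mar  3 10:00:05 dnsmasq[123]: reply cdn.example.net is 198.51.100.7
Mar  3 10:00:09 dnsmasq[123]: reply api.example.com is 203.0.113.11
"""

STATIC_ALLOW = {"192.0.2.40"}  # hole-punch exception for a constructed static-IP broker
# Constructed prefix standing in for a shared CDN/POP range: one resolved name inside it
# opens an address that serves every tenant behind that prefix, not just that name.
SHARED_RANGES = [ip_network("198.51.100.0/24")]

def build_allow_set(log_text):
    """Mimic dnsmasq's ipset/nftset population: each answered A record becomes allowed."""
    allowed = {}
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            allowed.setdefault(m.group(2), set()).add(m.group(1))
    return allowed

def classify(attempts, allowed, static_allow=STATIC_ALLOW):
    """Decide each outbound attempt as the set-backed rule would; DENY means no local
    DNS answer preceded the connection (DoH/DoT endpoint, hard-coded address, bypass)."""
    results = []
    for src, dst, port in attempts:
        if dst in static_allow:
            results.append((src, dst, port, "ALLOW", "static exception"))
        elif dst in allowed:
            reason = "resolved as " + ",".join(sorted(allowed[dst]))
            if any(ip_address(dst) in net for net in SHARED_RANGES):
                reason += " (shared range: this hole also covers other tenants)"
            results.append((src, dst, port, "ALLOW", reason))
        else:
            results.append((src, dst, port, "DENY", "no local DNS answer for this IP"))
    return results

# Constructed connection attempts from devices on the IoT VLAN.
ATTEMPTS = [
    ("10.0.0.5", "203.0.113.10", 443),   # resolved through local dnsmasq: allowed
    ("10.0.0.5", "1.1.1.1", 443),        # DoH straight to a public resolver: denied
    ("10.0.0.7", "192.0.2.40", 8883),    # static broker exception: allowed
    ("10.0.0.7", "198.51.100.7", 443),   # allowed, but inside the shared range
]
```

The DENY rows are the ones worth alerting on: a connection that no local resolver answer preceded is exactly the signal the set-based rule makes visible.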
Once you authorize any domain that resolves to Cloudflare POP IPs you’re going to end up with gigantic holes that essentially neuter this approach.
It may work in the limited context that is your IoT network, but for any corp, user of the web, etc., Cloudflare IPs will open almost immediately for all but the most selective (non-CF) DNS records.
Or you don’t allow any CF DNS records or IP ranges and cut yourself off from half the internet.
I’m sorry, but once an attacker can run arbitrary commands on your machines, it seems like your personal security battle has been lost. Cloudflare Tunnel isn’t doing anything that an attacker couldn’t do with a huge list of other tools, including a script that just loads some remote HTTP address for evil things to do next.
You're right that this is only a problem when you're already compromised. The real problem is that cloudflare makes it difficult for networks to detect when that happens.
If a device on your network suddenly runs "a script that just loads some remote HTTP address for evil things to do next" that connection attempt to some strange remote HTTP address is a great indicator that you've got a compromised system somewhere. When all traffic, good and evil, flows to/from cloudflare it's harder to spot the evil.
Cloudflare's business has always been that your ISP is just a dumb pipe not to connect you to the internet but the Cloudflarenet. All routing, security, etc decisions should happen inside Cloudflare and you should be helpless to do any local security on your network.
It is amazing to me that if AT&T came out and said they were buying up every other ISP in the world to form one big unified network HN would be losing their shit, but Cloudflare slowly boils the frog and everyone cheers and evangelizes for them.
In an ideal world it would not matter, but business and politics are intermixed more or less pretty much everywhere. Unfortunately, countries like Russia or China have much more political influence. Hence, I try to avoid them.
I would agree that business and politics can be intermixed. I would follow up by saying it also depends on the type of business you are running and to whom you're catering. If you're running a medium sized business and used, say, DDoS-guard, would anyone notice, care, or even know who that company is? I'd think it would be even less noticed than, say, CF, as CF stops connections to your site and displays that whole verify process.
It's not only about Cloudflare. All those big companies are very centralized and try to control the Internet more and more.
In my opinion the battle is kinda over because 99.9% of people want a ready-to-use product, not to contribute anything (consumers vs prosumers).
What can the remaining 0.1% do? Build your own overlay VPN networks and put services there. Treat the Internet just like a transport layer. Make mirrors of interesting stuff and put them there. It might grow...
The everlasting cycle of security fuckwittery (with some apologies to Randall Munroe's "sandboxing cycle").
1) There is a protocol for communication that encodes some useful heuristic for regular operations - IP addresses, for example, or ports.
2) Idiots decide that ONLY EVER COMPLETELY SAFE traffic should be allowed. As a result, all communications are gone.
3) That's not workable, so some channels have to be opened.
4) Someone develops a way to encode all the previous uses, including the necessary administrative ones, AND necessarily the malicious ones, over this protocol.
1) as 1) but with an extra layer that now does nothing.
A very similar process exists for scripting languages. "Why are our employees so unproductive, manually doing easily automated things that security won't let them automate? -> Hey, wouldn't it be great if we could automate all the things with [X]? -> Oh noes, malware!".