I wonder how well this blanket hijack on the generic port will turn out. We're the consumers still have the option to encrypt via doh, dot, dnscrypt, vpn, tor, proxy etc but problem is legacy hardware out there used by business. I bet theres still plenty of legacy server, modem, router, payment gateway chucked in a basement somewhere, can't use modern encryption protocol but rely on plaintext port 53 for simple curl api call etc. They aren't being decommissioned yet since its still works, monetary constraints, workforce constraints to maintain etc.. Those will be fcked hard if they suddenly fail at 11am on a busy day.

And as usual typical bolehland gov, implement dulu dialog kemudian.

This post has been edited by axxer: Sep 7 2024, 03:35 PM

Finally backed down. We can't fix stupidity, but at least we can talk some sense into the stupids. Or even if the sense never penetrate their thick skull, its still due to the sheere amount of backlash they backed down. Well done people.

Didn't even realize theres an ip hijack going on since its not obvious without going low level traceroute and whatnot. What got most people furious is the sni ssl mitm hijack and serving bogus cert. Tm did exactly that to both google and cloudflare doh endpoint. And its obvious to end users, browsers displayed a big red warning saying the cert is bogus.

Suddenly people realize if they can do that to the dns endpoint, what stopping them from doing the same to gmail, outlook, riotgames, facebook, tiktok or whatever. Obviously the browsers, email client, games client etc won't accept bogus cert is this day and age, the lingering questions is "what if?". What if they further did X to Y, whats the borderline dangerous according to them if they can't see the danger of mitm ssl. Whole thing just wen't down just like that from single tm action lol

Some isp in other countries already successfully hijacked dns cleartext port 53 for years and no one bat an eye. They do that with enough notice though, a year, a few months to get business prepared. Not here, announced a month before, implement in a rush and see all hell break lose with intermittent downtime, sluggishness and whatnot.

Its the first win. How do they expect to blackhole the so called offending site in the first place? Dns is the easiest and cheapest solution, the first query to the internet.

Granted they could still achieve blackhole without dns involvement, by mitm and redirect the actual connection itself not the initial dns query, but it'll be really expensive really quick. So far only the chinese gfw managed to do that whole countrywide but their network is already a separate countrywide lan in the first place. Tm tried with ssl mitm earlier and it failed miserably, browsers just showed red warning when the supplied cert isn't tally with the endpoint domain. Most site used https nowadays.

Granted they could still ask/force individual device in this whole country to install a mitm root cert so their bogus cert would be accepted, but i doubt google, apple, microsoft, mozilla would agree to. Kazakhstan tried the forcing mitm root cert on its citizen hardware route, but mozilla and google reacted by insta blacklist the cert, cutting the idea short lived.

Cf mitm cert are widely trusted by default via the root cert chain of trust. And they sign with domain owner explicit consent. Tm problem is to make their cert that signed whatever domain they want without explicit consent by domain owner, to be trusted by default globally. Browsers would just display red warning.

Selfsign cert without chain of trust, without domain owner consent is already a thing for years. In fact i can already sign a cert for google.com, instruct my browser to trust the bogus cert, instruct my browser to explicitly use my local authoritative dns only, add a bogus zonefile for google.com on my authoritative dns myself, add dns record pointing google.com to an ip hosted to a server locally, visit google.com on the said browser and no red warning, green lock key and all in address bar. But its just that, only trusted by just my 1 browser. Tm problem is to do all that, selfsign, convince browser to trust the said cert etc, for the whole freakin country.

It's unfeasable, see the kazakhstan example earlier. While their citizen maybe already yolo install the mitm root cert, along comes browser manufacturer insta blacklist it.

Starlink are still bound to local laws. They don't magically get a free pass for supposedly wireless direct to satellite internet. Hell they probably already got their own dc here to comply with pdpa and whatnot. If the directive really goes through eventually starlink need to comply too or just straight pull the plug exit malaysian market. We didn't hear about them in this whole shenanigan probably because they choose to wait and see.

Only 2 dns provider will use doh when adding to the Private DNS setting on android, Google dns and cloudflare dns. Google hardcoded to only allow those 2 to use doh. If you want to force dot, use other than the 2. Quad9, opendns, adguard dns etc. Or use third party app that can be specific on using either doh or dot depends on your requirement.

Third party app arent that bad when you find something that can do more than just dns. The rethinkdns android app is 1 of them. Dns client+wireguard client+firewall. I freakin love it. Assuming vpn provider can generate wireguard config, can just add the config to rethink and enjoy vpn+encrypted dns via doh, doh, dnscrypt, oblivios doh and rethinkdns native server. Plus it can connect to 2+ wireguard server at the same time and can split connections. Basically can setup netflix, disney+ etc to use us server and enjoy us content while browser and other apps uses other server. No more need to manually change vpn server based on what app you're going to use, its split tunnel on the fly. Its superb.

What a stupid argument. Tech giant biased against palestine > we ssl mitm our country network. Whataboutism at its best. The "Think about the kids!" argument are also as old as any tyranism regime everywhere, and the sheeps that lack critical thinking just ate it as it is, " Yes we cared about our kids!". What a shitshow this country has gone into.

I'm still waiting for the killswitch proposal that should be tabled to the parliament in october. Its still vague what it actually is, either individual site killswitch or whole countrywide network blackout. Weird if its individual site killswitch since thats what they're been doing all these years, straight block with telco default dns. So should be countrywide blackout? Thats another shitshow waiting to happen if it passed and being implemented. I think only azalina alone has spoken about that one, no fahmi nor mcmc comment yet. And as cliche as usual, azalina has brought forward the "think about our kids!" argument.