It likely overrides DNS resolution to CDN/POPs in countries which don't require age checking, or routes the traffic through TCP proxies so your traffic appears to come from a different country without these laws.
This will increase the latency of all traffic to that site though.
Sure they can. When your browser resolves a host, they replace the actual IP with the IP of a proxy that is configured to forward traffic according to the Host HTTP header.
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with the real IP address
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
What could happen:
- You ask Foo DNS Provider for the IP address of pornhub.com
- Foo DNS Provider responds with one of their own IP addresses
- You connect to that address, send a TLS ClientHello containing a Server Name Indication extension of "pornhub.com"
- Foo DNS Provider now knows that you intend to connect there, so it connects there for you and relays your ClientHello to it
- Foo DNS Provider then just acts as a dumb relay, passing everything back and forth with no modifications
- The certificate verifies fine because the traffic was not modified and it was presented by the party who controls the corresponding private key
- The website thinks you are connecting from Foo DNS Provider, not your real address
The only thing that would break this is ECH (Encrypted ClientHello), currently supported only by Cloudflare and Google Chrome (and its derivatives) as far as I know. This security feature is provisioned with ... DNS records! So Foo DNS Provider can simply indicate that the records required for ECH do not exist, and your web browser wouldn't encrypt the ClientHello. It's already tampering with the responses to address lookups anyway, so DNSSEC wouldn't be an issue -- you simply would not expect to be able to validate anything.
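Added example (not part of the original comment): a parser for the cleartext ClientHello fields the comment above relies on, showing that the SNI hostname is readable by anything on the path without a key, and whether an ECH extension is present. The sample record comes from `build_client_hello`, a hypothetical helper; the hostnames are constructed and the ECH body is a placeholder, not a valid payload.

```python
import struct

SNI_EXT = 0x0000  # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D  # encrypted_client_hello extension

def build_client_hello(hostname: str, ech: bool = False) -> bytes:
    """Constructed sample: one TLS record holding a minimal ClientHello."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type = host_name
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    if ech:  # placeholder body only, marks the extension as present
        exts += struct.pack("!HH", ECH_EXT, 4) + bytes(4)
    body = (b"\x03\x03" + bytes(32)   # legacy_version, random
            + b"\x00"                  # empty session_id
            + b"\x00\x02\x13\x01"      # one cipher suite
            + b"\x01\x00"              # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record: bytes) -> dict:
    """Return what an on-path relay can read from the first flight, unencrypted."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    found = {"sni": None, "ech": False}
    try:
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            if ext_type == SNI_EXT and len(data) >= 5 and data[2] == 0:
                n = struct.unpack("!H", data[3:5])[0]
                found["sni"] = data[5:5 + n].decode("ascii", "replace")
            elif ext_type == ECH_EXT:
                found["ech"] = True
            pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return found
```

When `ech` is reported, the `sni` value is only the outer name the client chose to expose; the real destination is inside the encrypted extension.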
Instead, NextDNS is very likely abusing the EDNS Client Subnet feature to provide website operators with a spoofed client location. Much more simple and less nefarious.
> A certificate has to be signed by a trusted CA (one your browser already trusts).
Yes.
> A DNS provider could mint a self-signed cert for pornhub.com, but your browser would reject it immediately.
I never said anything about the DNS provider minting any certificates, and explicitly said that the certificate would be provided by PornHub's servers and merely relayed -- verbatim -- through the DNS provider. As well as the rest of the TLS negotiation.
> Instead, NextDNS is very likely abusing the EDNS Client Subnet feature to provide website operators with a spoofed client location.
That's what they are doing now, yes. What I propose is how they can continue to make it work once the website operators catch on and start looking at the ASN information of the source IP address of the HTTP connection.
I am well aware of how CAs and the Web PKI model and TLS work.
Ah, ok... a transparent proxy just to hide the origin IP. Thanks for clarifying. A lot of people are assuming full proxying, but I understand you were describing a hypothetical.
Right. What I proposed is scarcely different from doing HTTPS over a SOCKS5 proxy. It's just that the proxy would infer your destination from the ClientHello rather than being instructed by the client in advance (Edit: and it would have to assume port 443 -- a safe assumption in the context of a service whose feature is bypassing website content blocking).
I tried out NextDNS and this feature doesn't seem to work anyway. Enabling "Bypass Age Verification" has no effect. I tested it out on PornHub and XVideos.
I also can't find anything different in the returned A/AAAA records compared to my standard resolver.
This is exactly why the whole "vaccine causes autism" got started. We need to improve science literacy before we could say things like that to the general public.
When a layperson hears this, they'll think that there's a small but possible chance that vaccines do cause autism; when what the scientist means to say is that "it's highly unlikely that vaccines cause autism."
I think it’s okay to mean what you say. Part of improving literacy is also respecting the intelligence of your audience and not talking down to them. Treating everyone like buffoons makes people act like them - treating them as beings capable of thought and reason tends to show the better side.
I find this argument hard to agree with. We are seeing unprecedented levels of buffoonery in many governments of the world and people enthusiastically agreeing with (objectively) idiots. Before anyone that does not know how to understand a statement as we are talking about, they will understand it the wrong way, tell everyone they know, create social media content and form organizations that oppose vaccines. I would say that this is more likely to happen many times over than them actually learning how to understand a statement like OPs properly. So as sad as it is, I think you are wrong.
I can understand that this approach seems like the easy quick solution, but the problem is much deeper than that. It's more about a weaponization of language by those who know what they're doing. Getting into a language fight isn't worthless, but doesn't actually resolve the issue, just escalates it.
What's more important IMHO, is raising the general understanding of how this science works and not falling into the trap of feeling like we have to debate this buffoonery on the same level. We're so worried about being called "elites" or whatever that we fight on their terms instead of just straight up calling it out as stupid and manipulative and giving it no more time than that.
I'd say being realistic about the intelligence of your audience. "Nobody ever went broke underestimating the intelligence of the American people".
I got sent some looping TikTok anti vax thing with a pretty woman saying sincerely vax bad, with no sources and links. The people influenced by that are not going to look up the papers in Nature.
It's not the reason why this conspiracy got started. It got started by a fraudulent pseudoscientific paper with financial ties to it. We shouldn't be reducing human intelligence and ability to process information to the "wet streets cause rain" level. I know it's easier said than done though. When a scientist claims that "highly unlikely that vaccines cause autism", it still leaves the same room for doubt as when they say "it is very likely that vaccines do not cause autism".
The real issue isn't scientific caution. It's that the misinformation campaigns exploit any uncertainty, no matter how small. The solution isn't dumbing down science communication, but being clear about what the evidence actually shows.
This is really interesting. How can you detect when it's the same person passing a captcha? I don't think IP addresses are of any use here as Anti-Captcha proxies everything to their customer's IP address.
I don't know exactly what they do now; Bloom filters were a thing then, also lots of heuristic approaches based on the bots we detected. The OP agent example actually would fail the very first test I deployed, which looked for basic characteristics of the mouse movement.
Here's a fun experiment for someone:
1) Give N people K fake credit cards to enter into a form, and have them solve a captcha
2) Take recorded keyboard and mouse data similar to the captcha
3) Train a neural network model to identify
I've been out of this for 6 years but I bet transformers rock this problem now.
Apparently serving HTML + other static content is more expensive than ever, probably because people go the most expensive routes for hosting their content. Then they complain about bots making their websites cost $100/month to host, when they could have thrown up Nginx/Caddy on a $10/month VPS and basically get the same thing, except they would need to learn server maintenance too, so obviously outside the question.
1. Non-humans can create much more content than humans. There's a limit to how fast a human can write, a bot is basically unlimited. Without captchas, we'd all drown in a sea of Viagra spam, and the misinformation problem would get much worse.
2. Sometimes the website is actually powered by an expensive API, think flight searches for example. Airlines are really unhappy when you have too many searches / bookings that don't result in a purchase, as they don't want to leak their pricing structures to people who will exploit them adversarially. This sounds a bit unethical to some, but regulating this away would actually cause flight prices to go up across the board.
3. One way searches. E.g. a government registry that lets you get the address, phone number and category of a company based on its registration number, but one that doesn't let you get the phone numbers of all bakeries in NYC for marketing purposes. If you make the registry accessible for bots, somebody will inevitably turn it into an SQL table that allows arbitrary queries.
I run a small wiki/image host and for me it's mainly:
4. they'll knock your server offline for everyone else trying to scrape thousands of albums at once while copying your users' uploads for their shitty discord bot and will be begging for donations the entire time too
From "anti captcha" it looks like they are doing as many as 1000/sec solves, 60k min, 3.6 million an hour.
It would be very interesting to see exactly how this is being done: individuals, teams, semi automation, custom tech, what?
Are they solving for crims? Or fed up people?
Obviously the whole shit show is going to unravel at some point, and as the crims and people providing workarounds are highly motivated, with a public seething in frustration, whatever comes next will burn faster.
They're solving for everyone who needs captchas solved.
It's a very old service, active since 00s. Somewhat affiliated with cybercrime - much like a lot of "residential proxies" and "sink registration SMS" services that serve similar purposes. What they're doing isn't illegal, but they know not to ask questions.
They used to run entirely on human labor - third world is cheap. Now, they have a lot of AI tech in the mix - designed to beat specific popular captchas and simple generic captchas.
The current dictatorship in Egypt deals with the Muslim Brotherhood in the same way pro-US capitalist dictatorships dealt with communist groups. The Muslim Brotherhood is still very popular in Egypt, and in the last legitimate election won close to 50% of the vote. I don't support them but their views are generally closer to Christian Democracy/socialism than you'd think.
Fact is that Egyptians are opposed to this, just like most other people in Arab or Muslim majority countries are. Their government is authoritarian and just does what suits it best, which in this case is to appease the US.
It's always remarkable how people like you think egyptians are incompetent and incapable of taking actions on their own without a special western nation controlling them.
Well, that doesn't change the fact that Egypt is currently under a US-aligned dictatorship. I'm not saying it's under US-control, just that the current dictator stands to benefit by being in the good graces of the US...despite his people's demands.
Also I don't believe that Egyptians are incompetent and incapable, you're putting words in my mouth. It's just easier said than done to remove a dictator from power, especially when the power structure is so entrenched. It took Syria over a decade of civil war to get rid of theirs...
We don't live in a Hollywood film. The French Revolution didn't take a month to transition to a republic...
Does some part of the Egyptian government have an interest in doing certain things entirely because of America's influence? Sure. Is that the only reason for their behaviour? Of course not.
I just want people to keep in mind that Egypt (and everywhere else) is full of humans who are just as smart or dumb, brave or cowardly, immoral or righteous, as any other country, and those humans are perfectly capable of deciding to do both good and evil things without blaming it on "america".
rany has given a good answer, but I also want to add that currently the Egyptians only control the Rafah crossing on paper.
In reality, Israel controls the crossing because they have occupied/seized the strip of land in Gaza that is adjacent to the crossing (Philadelphi Corridor). Here's a similar complaint from Egyptian media: https://english.ahram.org.eg/NewsContent/1/1234/550260/Egypt...
> The journalist told RSF that the threat came from Hamas members who were unhappy with his social media posts. A few days earlier, the reporter — who wishes to remain anonymous — had published a post criticising Hamas, which was facing strong backlash from local protestors exhausted from being subjected to the massacres committed by Israeli forces.
> Due to these threats the journalist deleted his posts, fearing for his safety. At least two other journalists have faced threats and physical attacks for covering the protests against Hamas, which lasted several days. “Detention centres and administrative offices in Gaza have been destroyed,” one journalist told RSF. “So now Hamas’ intimidation tactics consist of direct confrontations with journalists, and the journalists have nowhere to go.”
We are talking about international journalists not being allowed into Gaza. Your comment is about a local journalist being intimidated by Hamas members.
International journalists are generally allowed to report freely. If there was any intimidation they would be airing it nonstop.
In my opinion, regulating AI companies/models is the WRONG way to go. Instead, we should regulate HOW companies/major stakeholders use AI.