Comment by direwolf20

3 days ago

Router parental filters are accountability sinks. They don't actually work, and they can't because we spent the last 20 years redesigning network protocols to prevent middle boxes from tampering with connections.

5 comments

direwolf20

KoolKat23 2 days ago

In what sense? DNS blockers work generally do they not? Adguard also censors google search results.

I don't see why your kid should be browsing reddit.

I mean even only allow whitelisted sites. As I say this can be standardized further.

These measures I truly believe do not need to be 100% foolproof so long as the hurdle is high enough that children give up it's fine. And these measures could potentially notify a parent of a suspected breach or attempt to game it, without intruding too much into the child's privacy.

ndriscoll 2 days ago
DNS blockers only work if the device/application is not adversarial or if you also have a smart enough firewall to block DoH, which is designed to blend in with web traffic. Once ECH is widespread, you'd likely need to MitM the device (so you need to install your CA, which is intentionally made very difficult and you might not even be able to do across all apps anymore on mobile devices? At least without enterprise MDM. And as was observed elsewhere[0], apps like spotify can contain a web browser), or perhaps use DNS requests as a trigger to briefly open a default deny outbound firewall.
Things have definitely been converging toward making it impossible for non-corporations to manage the devices they own, the network they run, etc.
[0] https://news.ycombinator.com/item?id=47128069
- KoolKat23 2 days ago
  
  This is very interesting thanks.
  I agree that ECH is perhaps a stumbling block although as you say MitM, this is indeed possible to pursue considering the whole set up child account on device thing going on with many of these devices.
  On the rest of of your points fair enough, but again I ask is it actually proportionate? Are we talking about children or black hats?
  
  2 replies →