An idea to make the UK the safest place to live and work online

  1. Use technology to solve cybersecurity problems, don’t expect or make the general user do a bunch of stuff such as install a password manager (because they can’t/won’t)
  2. If you want to protect more people, you have to move the solutions ‘upstream’ — embed the security functions before the user on their device.
Generic cybersecurity / smartphone image

Consumer scams are all the rage

Cyber attacks on organisations who deliver Critical National Infrastructure is a problem. Cyber attacks for the purposes of intellectual theft are a problem. Those attacks scale, but no where near in comparison to SPAM and phishing messages to millions of individuals every day.

Scam delivery mechanisms

Scams are delivered through email, SMS or telephone calls. Many of them have calls to action (click a link, reply with information, call a number etc).

Telephone calls

Telephone calls are really (really) hard to filter out at the carrier level— even the phone number displayed on the screen is not the actual identifier of the system connecting to the public telephone network.

Email

Modern scam/SPAM filtering from Apple, Google and Microsoft (etc) generally do a pretty good job. (I have noticed some rudimentary things slipping through over the last few months though… but overall, good)

SMS

Huffington Post say in all 95 million spam text messages are processed per day in Europe and America — 45 million per day in Europe alone — of which 92% is related to fraud.

Common bit of the puzzle

The thing that binds this all together is that the user (or the technology, such as web browser or email client on their behalf) want to connect to www.Scam-R-Us.com.

DNS is my big idea

Require all consumer and business networking providers (thats ISPs who provide broadband/fibre and also data connections to smartphones) to implement high confidence malware filtering DNS response policy zones (RPZ) provided by the UK government.

Wait. What? How would that work?

The UK government knows what a bunch of bad websites are already — in fact, the UK’s National Cyber Security Centre (NCSC, a part of GCHQ) has a service for the UK public sector which already does this called Protective DNS ( PDNS).

You want all UK ISPs to send all DNS queries to the UK government?

No, I want the UK government to provide a high quality DNS RPZ feed to all ISPs, and require them to implement it.

That sounds hard to implement!

The UK government already has a high quality high confidence list of bad domains.

Isn’t a connection error a bad user experience?

Is it better or worse than visiting a scam site?

What about encryption connections?

HTTPS (encrypted websites) are — thankfully — on the rise. DNS RPZ has an even tricker time here, as its not possible to serve an intercepted notice page on HTTPS without a different set of problems.

What about privacy scope-creep problems?

NCSC PDNS only ever intercepts malware domains. There are already avenues as mentioned above for UK ISP/telco DNS filters.

What would this all do?

Whenever a device (smartphone, tablet, laptop etc) using a UK data connection would try to go to a known scam site, it simply wouldn’t load.

Another tool in the defence utility belt

Those SMS messages should be filtered before getting to the person and also the domain itself should be subject to takedown — but a DNS RPZ would be another tool in the arsenal, and could be more effective a whole lot sooner.

Would the UK government do it?

The cost of running the service wouldn’t actually be too bad (NCSC already run one!) the difficulty would be creating the regulatory or statutory requirements for the UK ISPs to implement it.

Here come the lawyers

I wrote ‘high confidence’ and ‘high quality’ because there will always be a risk that by using DNS RPZ (which would stop the whole domain, such as www.domain.com, not a portion of it, such as www.domain.com/wordpress/just_the_bad_part/index.html) that there is a false positive (something is blocked as malware/malicious, but it is legitimate)

Would it be worth it to implement?

Assuming the UK government continued to develop a high quality and responsive DNS RPZ, the scam domain could be ineffective in the UK in minutes/hours not days.

Start with mobile data

(Based on absolutely no real data at all) I suspect that connection errors on smartphones using a mobile data connection are more common and tolerable to citizen users, than on laptops/desktops.

What would it take to implement?

The technicals (as usual) are actually pretty simple particularly since NCSC PDNS already exists. UK ISPs and telcos generally don’t do anything unless they have to, so its finding a regulatory avenue that already exists or creating one.

What about not the UK?

Oh yes, well, of course! It would be difficult for the UK government to provide this to other ISPs but their own governments could. I’m fairly sure the UK would happily share their bad domain know-how with the US, Canada, New Zealand and Australia and vice-versa! 👀

What do I do in the meantime?

Use an encrypted filtering DNS service. I use NextDNS (affiliate link).

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joel Samuel

Joel Samuel

The thin blue line between technology and everything else. joelgsamuel.com