Re: [Add] avoiding unnecessary metadata in applications doing DNS / DoH

Ben Schwartz <bemasc@google.com> Thu, 11 April 2019 23:39 UTC

Moving thread from ADD to DPRIVE.

I would suggest reaching out to the authors of
https://tools.ietf.org/html/draft-dickinson-doh-dohpe-00 if you're
interested in advancing that line of work.

One major challenge related to User-Agent is forming a workable threat
model.  It seems likely that an interested server could easily identify
distinct user agents, even without this header field.  For example, the TLS
fingerprint alone is sufficient to uniquely identify most TLS
implementations[1], and different HTTP/2 implementations produce different
framing patterns.  Active probing (e.g. returning slightly invalid
responses and observing how the client reacts) would likely allow the
server to identify the client software completely.

It's harder to motivate this kind of protection if it only works against
"friendly" servers, especially because the User-Agent is extremely useful
for server operations, capacity planning, etc.

The DOHPE draft also contains several other suggestions (e.g. removing
locale and language preference information) that may be easier to justify.

[1] https://tlsfingerprint.io/

On Thu, Apr 11, 2019 at 3:12 PM nusenu <nusenu-lists@riseup.net> wrote:

>
> DNS never had something like a user-agent field and that is fine,
> but since browsers send one by default during their (non-DoH) operations
> it is likely that they and other DoH clients will send the user-agent
> along with their DoH queries.
>
> This exposes unnecessary metadata to the resolver, something that
> didn't exist on the resolver before DoH.
>
> Since RFC8484 does not require user-agent headers,
> applications implementing DoH should not include
> such metadata by default.
> Some DoH implementations do it currently but it is early
> enough to improve that.
>
>
> DoH Privacy Enhancement: Do not set the user-agent header for DoH requests
> https://bugzilla.mozilla.org/show_bug.cgi?id=1543201
>
>
>
> --
> https://twitter.com/nusenu_
> https://mastodon.social/@nusenu
>
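
The request the quoted proposal describes, as an added example that is not part of either message: an RFC 8484 GET carrying only the header the protocol needs, plus a check that flags metadata-bearing headers in a client's request. The `IDENTIFYING` set, the function names and the sample headers are assumptions of this example, and it covers header metadata only, not the TLS or HTTP/2 fingerprinting raised in the reply.

```python
import base64
import struct

# Request headers treated as client metadata. User-Agent and language
# preference come from the thread; Cookie is added here. Assumed set.
IDENTIFYING = {"user-agent", "accept-language", "cookie"}


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query with ID 0, which RFC 8484 recommends so that
    identical questions produce identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_target(path: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the DNS message, padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def minimal_headers() -> dict:
    """Only what the resolver needs to pick the response media type."""
    return {"Accept": "application/dns-message"}


def audit_headers(headers: dict) -> list:
    """Names of headers that expose client metadata to the resolver."""
    return sorted(h for h in headers if h.lower() in IDENTIFYING)


if __name__ == "__main__":
    # Constructed sample: what a browser-style HTTP stack might attach by default.
    browser_style = {
        "Accept": "application/dns-message",
        "User-Agent": "ExampleBrowser/1.0 (constructed)",
        "Accept-Language": "de-CH",
    }
    print(doh_get_target("/dns-query", build_query("www.example.com")))
    print("flagged:", audit_headers(browser_style))
    print("flagged after minimizing:", audit_headers(minimal_headers()))
```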