IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: Browser Administrative Authority

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 25 May 2019 14:40 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BD2412002E for <add@ietfa.amsl.com>; Sat, 25 May 2019 07:40:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qgjiQ9wvHbFD for <add@ietfa.amsl.com>; Sat, 25 May 2019 07:40:26 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EAD7120006 for <add@ietf.org>; Sat, 25 May 2019 07:40:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id A94DFBE47; Sat, 25 May 2019 15:40:23 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGp7LHx8x2qM; Sat, 25 May 2019 15:40:21 +0100 (IST)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 1C5E2BE2E; Sat, 25 May 2019 15:40:21 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1558795221; bh=Hpnqdeps4n9GB9P7+ghcWA4QBdj2kxD+AWPI4wOLEdI=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=TPeRE3YArM3sQOPXor5cx92dbrN1NZfpyH7+eziLCX1vUNN67eGRsTZztGoYxgusv 97F53EiuGmn90b87effBW7cAmr1+qy0LMnJiVxO3Pni7gZIgtLAgvyu6GbczKg1KAF Uz8yQWwxz2s+3nbVAIt527QAzmaWrQ9xw5LPrOF4=
To: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
Cc: "add@ietf.org" <add@ietf.org>
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com> <94f33685-0356-67a2-0364-849079ba98ed@cs.tcd.ie> <101EC845-8AF9-42BD-8AE8-3D8912EA60F0@nbcuni.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <78b165af-f459-7d5d-151d-04af74394ecf@cs.tcd.ie>
Date: Sat, 25 May 2019 15:40:19 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <101EC845-8AF9-42BD-8AE8-3D8912EA60F0@nbcuni.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="MWcy5uZhmSdfJQKLcTzN2KsKBCZeUDa12"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/BeO3JlqzCDh54zOyDeVnZxUhSIc>
Subject: Re: [Add] [EXTERNAL] Re: Browser Administrative Authority
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 14:40:29 -0000

Hiya,

Coupla comments and a question at the end...

On 25/05/2019 15:08, Deen, Glenn (NBCUniversal) wrote:
> Hi Stephen,
> 
>> On May 25, 2019, at 4:42 AM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>> 
>> Some) VPNs don't match that history. There are probably other 
>> examples but those never caused such debate
> 
> I think one important difference with VPNs is that the device admin
> likely chose to install them since many of them require admin
> authority to install.. 

Browser installs also do; or if shipped with the device then
the device vendor made that choice so I see zero difference
there.

> In most cases, the user or admin also had to
> choose to configure and turn them on.  So it would be working within
> the classic administrative hierarchy.
> 
> I suspect, that many would be very upset, If there was a situation
> where an application developer decided on their own to quietly
> install a user space VPN and then route all the app’s traffic through
> VPN endpoints also chosen by developer without first getting the
> users or administrators agreement and full awareness.
> 
> Further, if the app and it’s VPN resulted in a variety of other
> things breaking that were important to the user, such as security and
> machine configuration, I suspect the application would soon be the
> subject of massive debate.
> 
> Hence the debate this is causing.

Gotta say I don't agree that the above's that valid. Minor
VPN products misbehave all the time in way worse ways and
don't cause this level of debate. I think we ought be clear
that the volume or traffic and number of users involved is
why we're getting this level of debate, not architectural
(im)purity.

> To be clear, my analysis was not in any way expressing a concern for
> the DoH protocol.  It was to highlight that the proposed application
> level changes were violating a well established security and device
> management architecture and with that choice comes unintended side
> effects.

Sure.

> 
> We have examples of such conscious choices to bypass established
> hierarchies in other contexts - If a network protocol did something
> similar, we’d call it a layer violation.  Programmers have
> encapsulation violation.
> 
> With each choice to violate architectural hierarchies, 

Using terms like "violate" is likely to irritate those in
favour of applications making these choices, just like
network operators get irritated when folks describe the
network as being hostile. Neither term is wrong but it's
not particularly useful for us to irritate one another
either;-)

> there is often
> a driving motivation to get something done; For those of us who have
> crossed the line and done such things, the lesson of needing to
> properly and fully deal with unintended side effects is something I
> for one have come to learn and respect.
> 
> I am also worried about the notion that we need just push it through,

Push what through? DoH is done as an RFC. What other "it" do think
is needed? (That might result from this debate.)

Cheers,
S.

> or that we can’t wait to do it right, because there is a urgent need
> to deploy this particular application level change in choice of DNS
> resolvers and protocol selection.    It worries me a for a couple
> reasons, not the least of which is it means that time won’t be taken
> for studying the possible side effects and dealing with them
> properly.
> 
> We’ve already identified the unintended side effect of breaking
> filters for child protection and things like malware sites.
> 
> There are and will be others.
> 
> Going back to VPN example at the start of this note. There is likely
> unintended side effects with VPNs as they often depend on DNS
> configurations and resolver choices in order to work seamlessly.
> Certainly secure corporate environments often rely of split DNS for
> their VPNs.  Having a browser level DNS that resolves address
> differently than the VPN expects may cause a lot of unexpected and
> hard to diagnose behavior for the users.
> 
> Identifying, understanding, and dealing with unintended side effects
> seems like an important consideration for something this impactful.
> 
> This is not simply a case of let’s be perfect before doing anything.
> It is very much a case of wanting to avoid major disruption for users
> that we should have seen coming if we took the time needed.
> 
> 
> 
> FWIW - My suggestion of an OS or device level means for managing and
> respecting the administrators choice to follow doesn’t necessarily
> depend on the OS manufacturer to accept changes.  Most OSs have the
> means to have application level settings that require device
> administrator privilege to be set and managed.
> 
> Regards, Glenn
>

v2.23.0 | Report a Bug | By Email