Re: [Add] [EXTERNAL] Re: Browser Administrative Authority

[Paul Wouters <paul@nohats.ca>]

On Sat, 25 May 2019, Melinda Shore wrote:

> But, I think the broader problem is that ISPs are not running
> recursives that use encrypted transport

While from a generic hygiene point of view I agree, but a security point
I don't. People are more in need of protection against DNS manipulation
from their last mile ISP (malicious and "helpful") than from anyone
else. If my local ISP uses encrypted DNS, I still don't trust them. And
the second issue is that ISPs sell DNS query data and other private
information of their customers to third parties and/or their own
affiliates.

As a user I cannot determine that if I once google for "canadian contact
lenses", who and why and where that info went. All I know is that 60%
of ads are suddently about contact lenses across my house, devices and
applications. And the only way out is to encrypt everything end to end,
with no midle man or ISP seeing anything.

> other folks are stepping up/in.  I suppose that in a better
> world an endpoint would be able to check whether or not they
> can protect DNS traffic to the default recursive and, if not,
> fall back to one of {Google, Cloudflare, whomever} but that's
> not where we are right now.

I don't think that solves an interesting problem. At home, systems can
be configured to use a third party DNS (and DoT/DoH helps those IPs to
not get hijacked by their ISP). But for mobile devices, things are much
harder to reconfigure and that's where we need protection the most.
Because there my DNS queries are also getting mapped against my location
data against my own personal privacy interest.

> I do think part of the problem here is that for whatever reason
> our community (the IETF) hasn't come to consensus on problems
> related to trust in the DNS.  If you don't have a trustworthy
> name resolution system you can't trust much else, either.  This
> relates to both being able to get a correct answer that hasn't
> been mucked with by a third party, and to privacy protection
> of queries and responses.

And we are making it worse and worse over time by keeping DNSSEC as an
optional part of DNS, instead of saying that the experiment has been
successful and we are now moving towards phasing out insecure DNS.

>  It seems unsurprising to me that
> browsers (and other application vendors) would respond to the
> default unprotected DNS situation by doing something about it
> themselves.

It wasn't my impression that the deployment of DoT/DoH by browsers was
done primarilly to help the user get a more secure DNS. If that was
the case, tls-dnssec-chains would have zoomed through the WG. Instead,
it seems browser vendors want a more robust and lower latency DNS. A
worthy goal but not a security goal. Also the latency saved will not
give the enduser a faster page, but will be spend extending the ad
auctions to generate more profit of the end users. Bonus points for
encrypting the DNS packets so the competition cannot see them for their
own advertisement and search platforms. Transport security is just a
side effect of all of this.

Paul