IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00

Michael Sinatra <michael@brokendns.net> Tue, 16 July 2019 18:33 UTC

Return-Path: <michael@brokendns.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBEB8120885 for <add@ietfa.amsl.com>; Tue, 16 Jul 2019 11:33:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N_E1dM2sldl3 for <add@ietfa.amsl.com>; Tue, 16 Jul 2019 11:33:03 -0700 (PDT)
Received: from burnttofu.net (burnttofu.net [IPv6:2607:fc50:1:9d00::9977]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9874E120CD5 for <add@ietf.org>; Tue, 16 Jul 2019 11:33:03 -0700 (PDT)
Received: from elwha.brokendns.net (elwha.brokendns.net [206.125.172.202]) by burnttofu.net (8.15.2/8.15.2) with ESMTPS id x6GIWwWp045191 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Tue, 16 Jul 2019 14:32:59 -0400 (EDT) (envelope-from michael@brokendns.net)
Received: from Michaels-MacBook-Pro.local (50-197-156-42-static.hfc.comcastbusiness.net [50.197.156.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elwha.brokendns.net (5.65c/IDA-1.4.4/5.63) with ESMTPSA id DD0315D96B; Tue, 16 Jul 2019 11:32:57 -0700 (PDT)
To: Alec Muffett <alec.muffett@gmail.com>, add@ietf.org
References: <CAChr6SwEUz9MrdRA0bnv9f-oNi0oUHkfRKjd9-o6jwhuckLXdw@mail.gmail.com> <CAFWeb9LNdT=EYVKTsYDxcBCQKoQFNShKotYtWujt4U9GA-V1mg@mail.gmail.com> <CAFWeb9+eWKSKY9O2JLn9-0+Zq7hrD48F-y+Y4T-iRaaF0vtdOA@mail.gmail.com> <A45F4F74-D6C1-435A-A52F-C2DEA82E2999@sky.uk> <CAFWeb9JVBj+Yehup5q4v9X-7XDY+02frd-04AQGL2HoSLON2qA@mail.gmail.com> <CABcZeBMY9q9vKGse1svzbvXF_dSHA+9q06j4ugDVCZP9VT1koQ@mail.gmail.com> <CAChr6Sz5Rfz=UxOYuPguSvVK2HCX2ZoA1-FytW7+EOUxN8y46Q@mail.gmail.com> <CABcZeBNB7ASu2U3ZMBZ+OOxEhbSnhDXwFN3Lsex1uzVSDv3R=Q@mail.gmail.com> <CAChr6SwEwRRX7BA6ZCeBuC93hFxbfi3d7G_3G3VA7Lm09yuneg@mail.gmail.com> <BN8PR21MB120290722B8E3A7DE85443A1FACE0@BN8PR21MB1202.namprd21.prod.outlook.com> <CAFWeb9LCvJ9AX66NZawNVrFKVBPAGZYwdjn_eoFvM91OvhVoSQ@mail.gmail.com>
From: Michael Sinatra <michael@brokendns.net>
Message-ID: <734376c2-c7d9-42e2-d26b-d05ce2e1fcbb@brokendns.net>
Date: Tue, 16 Jul 2019 11:32:57 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.1
MIME-Version: 1.0
In-Reply-To: <CAFWeb9LCvJ9AX66NZawNVrFKVBPAGZYwdjn_eoFvM91OvhVoSQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.6.2 (burnttofu.net [162.217.113.18]); Tue, 16 Jul 2019 14:33:00 -0400 (EDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/S8HsvmTTYp7soAXGJavvQEREYUk>
Subject: Re: [Add] [EXTERNAL] Re: draft-grover-add-policy-detection-00
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 18:33:06 -0000

On 7/16/19 11:04 AM, Alec Muffett wrote:

> Yet: Firefox is literally the foundation of TorBrowser, but somehow when 
> Firefox is resolving DNS addresses via DoH, it suddenly becomes a 
> problem where we are talking about the "necessity" of things which 
> otherwise we dismiss as pervasive monitoring: canary domain names, 
> privacy-busting beacons, and third party enforcement over someone else's 
> ability to connect to their intended destination.

In the case of most enterprise policy enforcement, it's not a third 
party that's imposing the restrictions, it's the enterprise itself.  The 
enterprise *may* decide to outsource this activity, and it may also be 
"guided" by a regulatory framework.  However, I wouldn't necessarily 
call that "third party enforcement."

As another example, in my home network, I impose DNS filtering 
restrictions, in conjunction with endpoint management, to restrict the 
set of destinations that *my software* can contact.  I have configured 
Firefox (for example) to explicitly not use DoH or its TRR list, so that 
*I* can better control what Firefox does on my network when I am using 
it.  As someone who operates my own resolver on my home network, with 
QNAME minimization enabled, I am a big supporter of ADoT.  DoH 
(depending on how it is deployed), however, has the potential to 
complicate my ability to control what my applications do.  This is 
especially the case if applications try to obfuscate or prevent me from 
disabling their own resolution methods to use mine.  Part of my goal in 
this discussion is therefore to ensure that the applications that *I* 
use play properly with *my* controls.

Finally, since you brought up pervasive monitoring, consider a scenario 
where I run my own resolver and ADoT is pervasively deployed.  Would 
Firefox sending all of me DNS queries to Cloudflare (a third party, no?) 
afford me more privacy than what I currently have?

michael

v2.23.0 | Report a Bug | By Email