Re: [Add] [EXTERNAL] Re: Malware adopting DoH

Ted Lemon <mellon@fugue.com> Fri, 13 September 2019 20:03 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <E6F97859-ED39-4952-B953-98618D01469B@fugue.com>
Date: Fri, 13 Sep 2019 15:03:48 -0500
In-Reply-To: <LO2P265MB1327B019F7A2F6004F275C31C2B30@LO2P265MB1327.GBRP265.PROD.OUTLOOK.COM>
Cc: "Dixon, Hugh" <Hugh.Dixon=40sky.uk@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>
To: Andrew Campling <andrew.campling@419.consulting>
References: <66DC417B-23BC-4AF7-916B-5BAE7E5D9635@sky.uk> <ED3464BD-37A7-4B6F-8327-508B0CB76A3E@fugue.com> <LO2P265MB1327B019F7A2F6004F275C31C2B30@LO2P265MB1327.GBRP265.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/qOT8pmLyW_46ZGqJ6fqPUwYsW68>
List-Id: Applications Doing DNS <add.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>

On Sep 13, 2019, at 2:51 PM, Andrew Campling <andrew.campling@419.consulting> wrote:
> If the centralisation potential of DoH takes effect as some anticipate, this would leave Google (and Cloudflare and other resolvers to a lesser extent) with significant control of the cybersecurity “market”, both in terms of protection capability and also cyber intelligence gathering, crowding out specialist provision.  Much as I respect people in Google, from an antitrust perspective, as well as when considering innovation etc, I would urge people to be careful what they wish for!   

Again, we are talking specifically about malware using DoH.  It will probably use whatever DoH servers can be counted on.  This is entirely out of Google’s control.  The original point was that there is a problem with DoH and malware because Google.  My response was merely to point out that if such a problem exists, there is a mitigation strategy that could be very effective.

This is entirely orthogonal to any other operational issues that may come up as a result of the availability of DoH.   The fact that malware is using DoH is not a clear indication that the sky is falling, and may turn out quite differently than the author(s) of that malware intended.