IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: Browser Administrative Authority

"Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com> Sat, 25 May 2019 14:08 UTC

Return-Path: <Glenn.Deen@nbcuni.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6684012004E for <add@ietfa.amsl.com>; Sat, 25 May 2019 07:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dit8cF4zOd7L for <add@ietfa.amsl.com>; Sat, 25 May 2019 07:08:57 -0700 (PDT)
Received: from mx0a-00176a04.pphosted.com (mx0b-00176a04.pphosted.com [67.231.157.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D93BE120021 for <add@ietf.org>; Sat, 25 May 2019 07:08:56 -0700 (PDT)
Received: from pps.filterd (m0048207.ppops.net [127.0.0.1]) by m0048207.ppops.net-00176a04. (8.16.0.27/8.16.0.27) with SMTP id x4PDwHkt021546 for <add@ietf.org>; Sat, 25 May 2019 10:08:53 -0400
Received: from usaoamgip002.mail.tfayd.com ([173.213.212.136]) by m0048207.ppops.net-00176a04. with ESMTP id 2sq0ydm0qq-1 (version=TLSv1.2 cipher=RC4-SHA bits=128 verify=NOT) for <add@ietf.org>; Sat, 25 May 2019 10:08:53 -0400
Received: from unknown (HELO potemwp00032.mail.tfayd.com) ([10.40.78.204]) by usaoamgip002.mail.tfayd.com with ESMTP; 25 May 2019 10:06:18 -0400
Received: from potemwp00031.mail.tfayd.com (100.124.56.55) by potemwp00025.mail.tfayd.com (100.124.56.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32; Sat, 25 May 2019 08:08:51 -0600
Received: from potemwp00029.mail.tfayd.com (100.124.56.53) by potemwp00031.mail.tfayd.com (100.124.56.55) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32; Sat, 25 May 2019 08:08:50 -0600
Received: from potemwp00029.mail.tfayd.com ([100.124.56.53]) by potemwp00029.mail.tfayd.com ([100.124.56.53]) with mapi id 15.01.0669.032; Sat, 25 May 2019 08:08:50 -0600
From: "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "add@ietf.org" <add@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Add] Browser Administrative Authority
Thread-Index: AQHVEj/KCszQjrP3dE6V1AF0CU4zcaZ8HgiA///EOcU=
Date: Sat, 25 May 2019 14:08:50 +0000
Message-ID: <101EC845-8AF9-42BD-8AE8-3D8912EA60F0@nbcuni.com>
References: <182C9119-59F9-43FA-B116-4D45649B74B5@nbcuni.com>, <94f33685-0356-67a2-0364-849079ba98ed@cs.tcd.ie>
In-Reply-To: <94f33685-0356-67a2-0364-849079ba98ed@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-exclaimer-md-config: 47edc00f-f2d6-45ef-be83-8a353bd47e45
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Forward
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-05-25_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905250099
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/uUigglMmQYMCT05yrKGBjynGtww>
Subject: Re: [Add] [EXTERNAL] Re: Browser Administrative Authority
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 14:09:00 -0000

Hi Stephen,

> On May 25, 2019, at 4:42 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> Some) VPNs don't match that history. There are probably other
> examples but those never caused such debate

I think one important difference with VPNs is that the device admin likely chose to install them since many of them require admin authority to install.  In most cases, the user or admin also had to choose to configure and turn them on.  So it would be working within the classic administrative hierarchy.

I suspect, that many would be very upset, If there was a situation where an application developer decided on their own to quietly install a user space VPN and then route all the app’s traffic through VPN endpoints also chosen by developer without first getting the users or administrators agreement and full awareness.   

Further, if the app and it’s VPN resulted in a variety of other things breaking that were important to the user, such as security and machine configuration, I suspect the application would soon be the subject of massive debate. 

Hence the debate this is causing.

To be clear, my analysis was not in any way expressing a concern for the DoH protocol.  It was to highlight that the proposed application level changes were violating a well established security and device management architecture and with that choice comes unintended side effects.   

We have examples of such conscious choices to bypass established hierarchies in other contexts - If a network protocol did something similar, we’d call it a layer violation.  Programmers have encapsulation violation.  

With each choice to violate architectural hierarchies, there is often a driving motivation to get something done; For those of us who have crossed the line and done such things, the lesson of needing to properly and fully deal with unintended side effects is something I for one have come to learn and respect.

I am also worried about the notion that we need just push it through, or that we can’t wait to do it right, because there is a urgent need to deploy this particular application level change in choice of DNS resolvers and protocol selection.    It worries me a for a couple reasons, not the least of which is it means that time won’t be taken for studying the possible side effects and dealing with them properly.

We’ve already identified the unintended side effect of breaking filters for child protection and things like malware sites.  

There are and will be others.

Going back to VPN example at the start of this note. There is likely unintended side effects with VPNs as they often depend on DNS configurations and resolver choices in order to work seamlessly.  Certainly secure corporate environments often rely of split DNS for their VPNs.  Having a browser level DNS that resolves address differently than the VPN expects may cause a lot of unexpected and hard to diagnose behavior for the users.

Identifying, understanding, and dealing with unintended side effects seems like an important consideration for something this impactful.

This is not simply a case of let’s be perfect before doing anything.  It is very much a case of wanting to avoid major disruption for users that we should have seen coming if we took the time needed. 



FWIW - My suggestion of an OS or device level means for managing and respecting the administrators choice to follow doesn’t necessarily depend on the OS manufacturer to accept changes.  Most OSs have the means to have application level settings that require device administrator privilege to be set and managed.  

Regards,
Glenn

v2.23.0 | Report a Bug | By Email