Re: [dns-privacy] [DNSOP] [Doh] New: draft-bertola-bcp-doh-clients

[Paul Vixie <paul@redbarn.org>]

On Monday, 11 March 2019 21:44:06 UTC Eric Rescorla wrote:
> On Mon, Mar 11, 2019 at 11:13 AM Paul Vixie <paul@redbarn.org> wrote:
> > >  > Enterprise networks are already able to block DoH services,
> > 
> > i wonder if everyone here knows that TLS 1.3 and encrypted headers is
> > going to push a SOCKS agenda onto enterprises that had not previously
> > needed one,
> 
> I'm pretty familiar with TLS 1.3, but I don't know what this means. TLS 1.3
> doesn't generally encrypt headers any more than TLS 1.2 did, except for
> the content type byte, which isn't that useful for inspection anyway.
> Are you perchance referring to encrypted SNI? Something else?

yes, i mean encrypted SNI, and i apologize for saying "encrypted headers".

> encrypted SNI, an extension to the TLS 1.3 protocol that improves privacy of
> Internet users by preventing on-path observers, including ISPs, coffee shop
> owners and firewalls, from intercepting the TLS Server Name Indication
> (SNI) extension and using it to determine which websites users are
> visiting.

(https://blog.cloudflare.com/encrypted-sni/)

what this means is, if someone is concerned that some of the web sites 
reachable through some CDN are dangerous, they can no longer operate a mostly-
transparent edge gateway, to permit or forbid transactions on a case by case 
basis. rather, they will have to use SOCKS or similar, and blackhole the CDN 
from being reached other than from the SOCKS/similar proxy.

this significantly increases policy enforcement costs, probably placing them 
outside the budget of most small/medium companies, and all home networks.

and that's the intent. so:

> Enterprise networks are already able to block DoH services,

that's old-think.

vixie