Re: [DNSOP] updated to draft-wing-dnsop-structured-dns-error-page-01

Petr Špaček <pspacek@isc.org> Fri, 12 November 2021 17:01 UTC

Message-ID: <5193d399-859a-ef45-2dff-e1c112adc0e4@isc.org>
Date: Fri, 12 Nov 2021 18:00:30 +0100
To: dnsop@ietf.org, Ben Schwartz <bemasc@google.com>, Eric Orth <ericorth@google.com>, Eric Rescorla <ekr@rtfm.com>
References: <D1CF0779-EAB3-4759-8F50-643E9EC8C490@gmail.com> <d7f55c0d-0746-9c74-2ff1-ebdcec7ad45e@isc.org>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Dan Wing <danwing@gmail.com>
From: Petr Špaček <pspacek@isc.org>
In-Reply-To: <d7f55c0d-0746-9c74-2ff1-ebdcec7ad45e@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/op9hcM_1W9VgVj_r5mwgA1WhAiE>

Hello everyone,

let me try to restart the discussion about the "Structured Data for 
Filtered DNS" draft. See below.

On 14. 10. 21 19:36, Dan Wing wrote:
> We recently published -01 of Structured Data for Filtered DNS based 
> on WG feedback from IETF 111.  We also incorporated both motivational 
> and normative text from draft-reddy-dnsop-error-page.  New version at: 
> https://datatracker.ietf.org/doc/html/draft-wing-dnsop-structured-dns-error-page-01

On 10. 11. 21 17:17, Petr Špaček wrote:
> Let's start from the hardest questions:
> 
> 1. Input from browser vendors
> -----------------------------
> I believe we really really _really_ need input from end-client vendors, 
> most importantly Google Chrome and Safari. Is there any indication that 
> they might be interested? If not, why?
> 
> In my experience browser people have much better idea about UX design 
> and HTTP ecosystem security than we DNS people do, and they might have 
> different requirements on the data we plan to send back to clients, or 
> reasons why the idea cannot be implemented in browsers as is.

I'm CCing known Google and Mozilla people on this e-mail. Please kindly 
ask Safari people if you know any to contribute here as well.


So, to really start again, I think we need to take a step back and ask 
what browsers are willing to work with.

Currently the user experience with any sort of blocking follows.

This is what the user sees if:
- blocking is done via forged NXDOMAIN
- the site has a DNS outage
- there is a typo in the domain name

Chromium:
> This site can’t be blockedsite.example’s server IP address could not be found.
> Try:
> Checking the connection
> Checking the proxy, firewall, and DNS configuration
> ERR_NAME_NOT_RESOLVED

Firefox:
> Hmm. We’re having trouble finding that site.
> 
> We can’t connect to the server at blockedsite.example.
> 
> If that address is correct, here are three other things you can try:
> 
>     Try again later.
>     Check your network connection.
>     If you are connected but behind a firewall, check that Firefox has permission to access the Web.

Safari:
> Safari Can't Find the Server
> Safari can't open the page "blockedsite.example" because Safari can't find the server "blockedsite.example".


This is what happens if blocking is done with forged A RR answer 
pointing to a web server serving "this is blocked" web page:

Chromium:
> Your connection is not private
> Attackers might be trying to steal your information from blockedsite.example (for example, passwords, messages, or credit cards). Learn more
> NET::ERR_CERT_COMMON_NAME_INVALID

Firefox:
> Warning: Potential Security Risk Ahead
> 
> Firefox detected a potential security threat and did not continue to blockedsite.example. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
> 
> What can you do about it?
> 
> The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.

Safari:
> This Connection Is Not Private
> This website may be impersonating "blockedsite.example" to steal you personal or financial information. You should go back to the previous page.


Finally, The Question for web browser vendors is:
Do you have an interest in improving this user experience?

If the answer is yes, what extra information from the resolver do you need?

Thank you for your time.

-- 
Petr Špaček
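As an added illustration (not part of this thread, and not code from the draft's authors) of what in-band "extra information from the resolver" can look like on the wire: this builds a constructed NXDOMAIN reply that also carries an RFC 8914 Extended DNS Error option with INFO-CODE 17 (Filtered) and a free-text EXTRA-TEXT, which is the EDNS channel the draft builds on in my reading of it, and then parses it back. The option code, info code and OPT layout are from RFC 8914 and RFC 6891; the qname and explanatory text are constructed sample values.

```python
import struct

EDE_OPTION_CODE = 15   # EDNS option code for Extended DNS Error (RFC 8914)
EDE_FILTERED = 17      # EDE INFO-CODE "Filtered": answer withheld by resolver policy
RCODE_NXDOMAIN = 3

def build_filtered_nxdomain(txid: int, qname: str, extra_text: str) -> bytes:
    """Constructed resolver reply: NXDOMAIN for qname plus an OPT RR carrying EDE 17."""
    # Flags 0x8180 = QR|RD|RA, RCODE in the low 4 bits; 1 question, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 1)
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question += struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    ede = struct.pack("!H", EDE_FILTERED) + extra_text.encode("utf-8")
    option = struct.pack("!HH", EDE_OPTION_CODE, len(ede)) + ede
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(option)) + option

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (labels, ending in 0 or a compression pointer)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2                                # pointer: 2 bytes, ends the name
        off += 1 + msg[off]
    return off + 1

def parse_ede(msg: bytes):
    """Return (rcode, [(info_code, extra_text), ...]) from a DNS response."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                    # skip QTYPE/QCLASS
    edes = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:                                   # only the OPT RR carries EDNS options
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4                # upper 8 bits of the extended RCODE
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, pos)
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                edes.append((struct.unpack_from("!H", body)[0], body[2:].decode("utf-8", "replace")))
    return rcode, edes
```

A client that sees RCODE 3 together with EDE 17 can tell policy filtering apart from an outage or a typo, and no forged A record (and hence no certificate mismatch) is involved.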