Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
Peter Thomassen <peter@desec.io> Mon, 16 October 2023 10:37 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053E7C15198D; Mon, 16 Oct 2023 03:37:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0WPJnDG2GWA; Mon, 16 Oct 2023 03:37:36 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5D15C151992; Mon, 16 Oct 2023 03:37:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=GN2svxvc0k9/uwKxjVgioBIG1AUsyDlAfh4sqjSkadg=; b=CGPeN9Xz1KxzLAkGiWMW7+LkhP Bim2qbaxpz9ImcjJE2g79/I9nFcbskRE/yeURH6DIB4a8nT0ymc7FOhujKRmffx1RViuX2uuazVyu vuknBuvbJ+vtyx5Z+7bLXK4D1K47QEWSGT0lgDQa/gXEPSptPUmu5TUWXELJczYnR2kAHpw1+eT5S rTZK6zJV/mOLN60DqqzAjqJwJfoOcoup0rdj759QIN9vQlzlxYWrPyfom9ptAp4biFKwuDUBniXRu IR87oWBGthc6Xwnl8Mlkukrn4JJoAWQvqi6WBxQ2xvuM2QVm02ks3zj6N/18fur/y5WrB1gNH7hdV k3CI3gmA==;
Received: from [2a02:8109:9283:8800:4a4a:bc8e:bd26:28a1] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1qsKya-0048oD-Me; Mon, 16 Oct 2023 12:37:33 +0200
Message-ID: <45acd3d1-fa3f-435f-90f9-51966a439995@desec.io>
Date: Mon, 16 Oct 2023 12:37:30 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: tirumal reddy <kondtir@gmail.com>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
Cc: Vodafone Gianpaolo Angelo Scalone <Gianpaolo-Angelo.Scalone=40vodafone.com@dmarc.ietf.org>, DNSOP WG <dnsop@ietf.org>
References: <DB9PR05MB847355CA18F73D1B8F892C15A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <DB9PR05MB84738B9AA9551E7E116AE491A3CDA@DB9PR05MB8473.eurprd05.prod.outlook.com> <CAHw9_i+bJ3-rJD97Rr21RoX_O58hdEz2DUHxgiheYdsxw4rhsw@mail.gmail.com> <B02CC0F1-C264-444B-8B3C-F60B2E4CA293@apple.com> <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <CAFpG3gcPwjXq7XVjtU1OVvD3Yb4cOnkbgtSDg-FG65iHi5qCAQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xEmOumWa2a8gcPE-bGRqxk1apXI>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2023 10:37:41 -0000
On 10/13/23 10:05, tirumal reddy wrote: > The above attack and possible mitigation is discussed in the security considerations section of the draft, please see the snip below: > </snip> > > A client might choose to display the information in the "c", "j", and > "o" fields if and only if the encrypted resolver has sufficient > reputation, according to some local policy (e.g., user configuration, > administrative configuration, or a built-in list of respectable > resolvers). This limits the ability of a malicious encrypted > resolver to cause harm. For example, an end user can use the details > in the "c" field to contact an attacker to solve the problem of being > unable to reach a domain. The attacker can mislead the end user to > install malware or spyware to compromise the device security posture > or mislead the end user to reveal personal data. If the client > decides not to display all of the information in the EXTRA-TEXT > field, it can be logged for diagnostics purpose and the client can > only display the resolver hostname that blocked the domain, error > description for the EDE code and the suberror description for the "s" > field to the end-user. > > </snip> I share this concern (and Eric's, where the error page is an impersonation of the target page!), and am not convinced that the potential benefit is larger than the harm. An alternate route could be to make the error page "well-known", based on the encrypted resolver's hostname (e.g. https://dns.adguard.com/?malw.scalone.eu.), and have the browser display a big warning ("This content does not come from the page you requested.). This could be combined with disabling redirects and/or form submissions on the resolver's domain origin, so that the resolver server itself has to be able to serve the page, without redirecting anywhere to make the domain name look differently and without collecting login credentials à la phishing. For a branded error page with nice UX, that should be completely sufficient. (Are there any known use cases not accommodated by this?) I'm not sure this would alleviate all concerns (and perhaps it's not much better), but *at least* it would prevent trivial attacks where the error page would redirect me from twitter.com to twítter.com, even though I typed the former, but the latter has a proper TLS certificate, so I couldn't otherwise notice a problem. Thanks, Peter -- https://desec.io/
- [DNSOP] I-D Action: draft-ietf-dnsop-structured-d… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tommy Pauly
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tommy Pauly
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Eric Orth
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ralf Weber
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Peter Thomassen
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Peter Thomassen
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ralf Weber
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Gianpaolo Angelo Scalone, Vodafone
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Tommy Pauly
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… Dan Wing
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-structur… tirumal reddy