IETF Logo Mail Archive

Re: [Doh] some privacy ponderings wrt HTTPs and plain DNS

Sara Dickinson <sara@sinodun.com> Mon, 18 June 2018 13:47 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BB03130DE5 for <doh@ietfa.amsl.com>; Mon, 18 Jun 2018 06:47:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZVLntsJ98qsB for <doh@ietfa.amsl.com>; Mon, 18 Jun 2018 06:47:35 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78A75124C04 for <doh@ietf.org>; Mon, 18 Jun 2018 06:47:35 -0700 (PDT)
Received: from [62.232.251.194] (port=22353 helo=[192.168.12.23]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <sara@sinodun.com>) id 1fUuVF-0005jq-Ud; Mon, 18 Jun 2018 14:47:34 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <E4082C8A-8D16-4F13-82ED-C9F68F66A2A1@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9D354BD8-8A7F-4E58-86BD-EF13C54D51FE"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Mon, 18 Jun 2018 14:47:25 +0100
In-Reply-To: <d137a136-d456-8de2-b682-512edd86b1f7@riseup.net>
Cc: DoH WG <doh@ietf.org>, bert hubert <bert.hubert@powerdns.com>
To: nusenu <nusenu-lists@riseup.net>
References: <20180618112116.GB9195@server.ds9a.nl> <d137a136-d456-8de2-b682-512edd86b1f7@riseup.net>
X-Mailer: Apple Mail (2.3445.8.2)
X-BlackCat-Spam-Score: 14
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/0Rg-W6FDRrz9k5Ykxv5q2SLbo6Y>
Subject: Re: [Doh] some privacy ponderings wrt HTTPs and plain DNS
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 13:47:40 -0000


> On 18 Jun 2018, at 13:49, nusenu <nusenu-lists@riseup.net> wrote:
> 
> Signed PGP part
>> As noted, I don't know if this has a place in the draft, but I'd recommend
>> DoH clients to:
>> 
>> * Set their Agent to 'DoH client', no matter what browser/library
>> * Do not pass non-essential HTTP headers (like language)
>> * Do not allow the DoH server to set cookies
>> * Ponder TLS sessions resumption data settings
>> * Think about all other ways in which HTTP can be tracked (HSTS?)
>> 
>> Thoughts?
> 
> Thanks for this, I find it rather important to avoid introducing new data 
> collection opportunities (at the resolver) that haven't been there on plain DNS 
> and support your recommendations to minimize data exposure.
> 
> Ideally all DoH clients look the same from the DoH server perspective.
> This this will never be completely the case but we should try to minimize
> the DoH client fingerprintability.
> 
> I hope the minimization of the DoH client fingerprint becomes a mandatory part
> in the document.

+1 on this. DNSOP and DPRIVE have both acknowledged that client identifiers in DNS messages directly compromise user privacy and have attempted to minimise or mitigate their use (for example see RFC7626, RFC7871 or draft-tale-dnsop-edns0-clientid). The DoH WG should be doing the same (or at least no less).

> 
> This is also in-line with the spirit of RFC6973
> Privacy Considerations for Internet Protocols
> 
> specifically section 6.1 and 7.1
> https://tools.ietf.org/html/rfc6973#section-6.1
> https://tools.ietf.org/html/rfc6973#section-7.1
> 
> "What identifiers could be omitted or be made less
> identifying while still fulfilling the protocol's goals?"
> is always a good question to ask.

And given that the charter says 
“The working group will analyze the security and privacy issues that
could arise from accessing DNS over HTTPS. “

it suddenly strikes me that this draft doesn’t contain a Privacy Considerations section. I would suggest that one is added to address this issue and offer to help with text on that. 

On a technical note do we have 2 use cases to deal with?
- one where dedicated connections are used for DoH (i.e. where only DoH requests are made)
- one where DoH requests are intermingled on the same connection with existing traffic (which will most likely include headers already identifying the client)

Sara.

v2.23.0 | Report a Bug | By Email