IETF Logo Mail Archive

Re: [Doh] New Version Notification for draft-dickinson-doh-dohpe-00.txt

Martin Thomson <martin.thomson@gmail.com> Thu, 19 July 2018 15:23 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3EEC130E1B for <doh@ietfa.amsl.com>; Thu, 19 Jul 2018 08:23:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZnRAfT6oGe1Q for <doh@ietfa.amsl.com>; Thu, 19 Jul 2018 08:23:47 -0700 (PDT)
Received: from mail-oi0-x244.google.com (mail-oi0-x244.google.com [IPv6:2607:f8b0:4003:c06::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1ADE130D7A for <doh@ietf.org>; Thu, 19 Jul 2018 08:23:46 -0700 (PDT)
Received: by mail-oi0-x244.google.com with SMTP id w126-v6so15636018oie.7 for <doh@ietf.org>; Thu, 19 Jul 2018 08:23:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=WyS8SoPxQR+U9JsZwHVlURb2GoM9iOsOmuzvRvYwx4g=; b=VVCND1v9UhyLOD3Mb12YyDYXubYc6ly12hX4UUdg3W8oiQRsoaWezc1kTvctqylrPi Eabs+gUlW/esSsiyxnFPkgbPJZZtFEyzKxWe6BKgyjcNAETi8M3Mu1Wq5IoiWg1mLy+4 +lFIFmJ6QtB7emWLOmlyRJnoA3rsXSs5b1jQpu1Okaumian4fYAI95d/GB3uGh2VyeHE CWYx4bT3+R8KzgZ6ONZ/+dWPzoZYhfMDtIt4yCGIpWMFZ1OnOMKUvWR5QYKMoOwZ83Fi OC7eBAWwGGW+Y9GMWMjGwR5uGsKKPjAdf4NKPact39eI3sZPY0rse2HxRzx/aytGG1EU Qmvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=WyS8SoPxQR+U9JsZwHVlURb2GoM9iOsOmuzvRvYwx4g=; b=F47RaCFqlRJmZ32okm/6CjDx6Qj+Vr8SaNtK+7/VjfFiIHAoN9VZFutUEj7WskS3Ys ZdVYTyzwClKo/cSzFRdoGDYtKGDeQGwJVEl4VLZxxHbW3f0R845sYtauA9jw2f8bV+d5 C9jT/N1rQT9mqpvJwFkuRDATcBlbrE4VwBuUKefeuujvMkwZEbjhpReQCes1+OsB1eNb 8C2BmtXBJIZlsBPWFas5jPr/j7+gnG47GZ+IT1Cc7g9pCcl/RrFdbcVGz0VGooDXjnNr 99mVc4tHLtEOLTklU1pbZHrl8L6DH2F5Y4Nfpd7K2acOTQKIolGFsFvbAG2ixvXe6eRn 6Ugg==
X-Gm-Message-State: AOUpUlFXCMQYWcPVO28ukxYckgaIHpG5nbMN6YckDRJuhzG7U6IFWPzK uTjv1jES5dcb6OLC/gAe/cKdfizX2Qx/m05peTBWHDB1GLU=
X-Google-Smtp-Source: AAOMgpfJlAEDC6Ia0NP/khmdlW1EbG+B0mnkWqlLkf6dI3pfPYP7JPfHeb/mxWiC/t+Gu5Q5SQRdkqFaS0dN6wHqLkk=
X-Received: by 2002:aca:5841:: with SMTP id m62-v6mr12035693oib.346.1532013825933; Thu, 19 Jul 2018 08:23:45 -0700 (PDT)
MIME-Version: 1.0
References: <153192232867.2882.433616342941784102.idtracker@ietfa.amsl.com> <F3B9C552-D38B-48E2-B592-E817ECFD6DF4@sinodun.com> <CAHbrMsDc1TV=HHmzPWqkd5-i6ObuMD6gGXD_NkL_m3cgvN37EA@mail.gmail.com>
In-Reply-To: <CAHbrMsDc1TV=HHmzPWqkd5-i6ObuMD6gGXD_NkL_m3cgvN37EA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 19 Jul 2018 11:23:34 -0400
Message-ID: <CABkgnnVbbO8zRWxRYdbxmjZbdQgeJaMEhPsXwW7-=KuhbFc=rg@mail.gmail.com>
To: bemasc=40google.com@dmarc.ietf.org
Cc: sara@sinodun.com, DoH WG <doh@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/HlIzA8_GVU1znrDcoeDW7AlE9Ik>
Subject: Re: [Doh] New Version Notification for draft-dickinson-doh-dohpe-00.txt
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 15:23:51 -0000

A few thoughts.  The recommendations seem pretty sensible, but I
remain a little uncertain about the utility of the draft.

3.2 recommends exclusive use of a connection for DoH.  That could run
counter to the goals because it would make traffic analysis easier.
Using the same connection for heterogeneous requests makes each
contribute to obscuring the others without relying on padding.

It's not clear from this recommendation whether this also recommends
connection reuse.  More on that below.

3.1 recommends the use of a single service.  That results in the
operator of that service getting access to a lot of information about
the activity of users.  Using different servers might be a better
result for privacy, making it harder for providers to use correlations
between requests to extract information.

The recommendation to suppress User-Agent appears to assume that there
is a valuable de-anonymization signal in that header field.  I don't
believe that to be true.  If there are relatively few User-Agent
strings exposed and the amount of information in that string is
minimal, this should not be a significant problem, meaning that the
effective anonymity set is large.  The same consideration applies to
the choice of GET or POST.

The recommendation against the use of cookies seems obvious, and it
might be true that cookies are the most hated feature of HTTP, but I
don't think that it achieves the goal.  Linking requests is pretty
powerful.  And as long as the client is able to control linkability,
cookies can be useful.  For the record, I don't think that this is a
bad recommendation, but it could be better grounded in concrete
rationale.  That is, there are many ways in which a client might link
one request to another and the client should be aware of those
mechanisms.  That gives the client a better ability to control this.
In addition to cookies, you should consider the use and reuse of
persistent connections, Alternative Services (which might be cached),
TLS session tickets, TFO cookies, and any other information that might
be used to link requests.

Overall, the set of recommendations here is pretty lightweight.  I'm
not sure that this is really that useful a document to publish.  The
application of this to a very specific usage of DNS is OK, but maybe
this is something advice is something that would be valuable more
generally.  This information is very well understood in the HTTP
community, but I concede that it's a little distressing that we don't
have a single document that captures all of this.

I note that the HTTP working group is revising its core specs.  Maybe
this represents an opportunity to improve the security considerations
of those documents.
On Wed, Jul 18, 2018 at 4:23 PM Ben Schwartz
<bemasc=40google.com@dmarc.ietf.org> wrote:
>
> I think this draft could use review from readers familiar with HTTP.  I hope that people with knowledge of HTTP will help us to understand whether this draft's recommendations would result in a significant increase in user privacy.
>
> For the draft's authors, I have a question: does this draft's "privacy threat model" include a DOH server that uses active measures to differentiate clients?  Or is it scoped only to passive discrimination between different client implementations?
>
> As for other issues, I think the draft might need to consider header order.  I also couldn't find an easy list of mandatory headers in RFC 7540, so that list might be worth repeating.
>
> On Wed, Jul 18, 2018 at 10:03 AM Sara Dickinson <sara@sinodun.com> wrote:
>>
>> Hi All,
>>
>> We’ve just submitted a very short draft outlining a privacy profile for DoH called DoHPE.
>>
>> It is very basic at the moment but it would be great to get some feedback on the idea here and to see if the WG sees this as something that should go through this group or head somewhere else. Since the guidelines are purely HTTP related, this does feel like the right audience to review the document at least in the first instance.
>>
>> Sara.
>>
>>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-dickinson-doh-dohpe-00.txt
>> Date: 18 July 2018 at 09:58:48 GMT-4
>> To: "Sara Dickinson" <sara@sinodun.com>, "Willem Toorop" <willem@nlnetlabs.nl>
>>
>>
>> A new version of I-D, draft-dickinson-doh-dohpe-00.txt
>> has been successfully submitted by Sara Dickinson and posted to the
>> IETF repository.
>>
>> Name: draft-dickinson-doh-dohpe
>> Revision: 00
>> Title: DoHPE: DoH with Privacy Enhancements
>> Document date: 2018-07-18
>> Group: Individual Submission
>> Pages: 8
>> URL:            https://www.ietf.org/internet-drafts/draft-dickinson-doh-dohpe-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-dickinson-doh-dohpe/
>> Htmlized:       https://tools..ietf.org/html/draft-dickinson-doh-dohpe-00
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-dickinson-doh-dohpe
>>
>>
>> Abstract:
>>   This document describes DoHPE (DoH with Privacy Enhancements) - a
>>   privacy and anonymity profile for DoH [I-D.ietf-doh-dns-over-https]
>>   clients.  The profile provides guidelines on the composition of DoH
>>   messages, designed to minimize disclosure of identifying information.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>> _______________________________________________
>> Doh mailing list
>> Doh@ietf.org
>> https://www.ietf.org/mailman/listinfo/doh
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh

v2.23.0 | Report a Bug | By Email