Re: [Doh] ..I don't get it (the hate)

Matthew Pounsett <> Tue, 26 March 2019 12:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AE64F12001E for <>; Tue, 26 Mar 2019 05:37:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vpA5suhGcIIp for <>; Tue, 26 Mar 2019 05:37:12 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 93A1C12000F for <>; Tue, 26 Mar 2019 05:37:12 -0700 (PDT)
Received: by with SMTP id h9so19651932itl.1 for <>; Tue, 26 Mar 2019 05:37:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U9xOR9hk3yfe73UxwHDf6MC/J0Usou1Qa7lmvPtcHQA=; b=ZhajJI9lCf5r5IQYrBu/A1a2xjKKcq/tN7CSTGNS5EPVlEzC2UAdizFwny4N5m6+D0 03TlZbnk+waoD4Suz1y3q/tzYGWXxG4HaLswW7SDJSNEjNQKEi/7f93T18oHkhReto7E rRbv8+qx50MVE6lY5zvtmEILwlzaNjg17htfxGcifOlRQsT2TUhvMoX3arduxpXEJ5Mr zMZtzJ7hlAJBTmKJ/7l5HiOx86OXqvNUyvb9sL+JP0y9b9zpDKz/haIlE3DtT3Zr+kh+ fqsJPXxyxXQvXhchu0EfHZu70v403NtC0RdsB6F0NaMATD4S5S52EwkHQF+CK7VT/vKd KGbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U9xOR9hk3yfe73UxwHDf6MC/J0Usou1Qa7lmvPtcHQA=; b=dXq9uNYPiDP62gwXsinHG80p7IZ7YpdsfHKkVvkIMWhuXytq52RIdxx2ZEPEPO6tsg ESJsW/WEEkAVE2UHRZbcSOh+6wbBNH4BZ6I+Q/UYwzorolh5Y5AcOfh37oKkljeeq/xP Bf87fF+FsljGcqbM/yI+efuJeJ17oFB+HefBR7mtdQhPJtdMCBmx4T8hKXOmko4BIxh2 LaXzB8mvSIiVeybl/7HhoWIn3W4VCPrUkkww6FrzbEKLEiHvZucp5JprSswpY/EW4+22 eh07PF/ZhUsqH5QHNuXsxTLT+5cmJnMl4tmLlS6a0Jf/UB7OCpNE1WXHfyTIMvhDslMj hVEA==
X-Gm-Message-State: APjAAAUQfeBmTkC7t9TfCLE+K7V6UO89AM+A9qr30kdyeoq0Xmfjy27p 9UDQ+b1iB9Lq9UOgXBMUdbsf682e/3qWa8jC/anWW8m8CdOpyQ==
X-Google-Smtp-Source: APXvYqzOIVguRHP79vi5iKptcuuxPtQCatdOCILKOgsfRs6SASiUKA1DlNQZF7QwbnVrC45TWjNHpL2GY/KTV34RkJk=
X-Received: by 2002:a02:13ca:: with SMTP id 193mr21757442jaz.117.1553603831714; Tue, 26 Mar 2019 05:37:11 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Matthew Pounsett <>
Date: Tue, 26 Mar 2019 13:36:57 +0100
Message-ID: <>
To: Joe Abley <>
Cc: George Michaelson <>, DoH WG <>
Content-Type: multipart/alternative; boundary="00000000000082ee280584fe94aa"
Archived-At: <>
Subject: Re: [Doh] ..I don't get it (the hate)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Mar 2019 12:37:15 -0000

On Tue, 26 Mar 2019 at 12:31, Joe Abley <> wrote:

> On Mar 26, 2019, at 12:15, George Michaelson <> wrote:
> > This is (surely) between me, the browser vendor, and the website? Why
> > does the ISP have any say in this?
> The ISP (or equivalent actor) has the opportunity to have a say today.
> Some deployment models would take this opportunity away.
> I don't believe the concern is for sophisticated users who can make
> informed choices. I can use a tor browser right now that also defeats
> the ISP's opportunity to participate in the resolution process. That's
> not controversial.
> The contentious aspect is, I think, the potential for a majority of
> end-users who are not sophisticated and hence are unable to make
> informed decisions to have this behaviour changed for them.

And in a similar vein, unsophisticated end users who might change this
configuration deliberately, and then still expect their ISP to help them
out when they've got a problem.

I think the biggest enterprise concern is more around the balance between
users' privacy in one context (e.g. protecting dissidents) and user privacy
and security in other contexts (e.g. data exfiltration by malware).  I'm
concerned, and I believe others are as well, that while we're making gains
in the former, the loss in the latter may outweigh those gains by quite a
lot.  The malware on a user's system that is now able to reach its C&C
because its DNS queries cannot be blocked doesn't just put the user of that
computer at risk, but all the other users on that network as well.  And
there, again, it's a question of scale.  While it's possible for malware to
set up similar resolution systems today, if they do it stands out in ways
that can be detected and mitigated.  If they're hiding in the forest of all
the standard web browser traffic, that becomes a much more complex (and
therefore expensive) problem.

> It's not the existence of the mechanism, it's the potential scale of
> the deployment.
> Joe
> _______________________________________________
> Doh mailing list