IETF Logo Mail Archive

Re: [Doh] some privacy ponderings wrt HTTPs and plain DNS

Ben Schwartz <bemasc@google.com> Mon, 18 June 2018 17:58 UTC

Return-Path: <bemasc@google.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB2E130EE2 for <doh@ietfa.amsl.com>; Mon, 18 Jun 2018 10:58:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bAo4dYPOELfD for <doh@ietfa.amsl.com>; Mon, 18 Jun 2018 10:58:17 -0700 (PDT)
Received: from mail-it0-x241.google.com (mail-it0-x241.google.com [IPv6:2607:f8b0:4001:c0b::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7DD6130EC6 for <doh@ietf.org>; Mon, 18 Jun 2018 10:58:16 -0700 (PDT)
Received: by mail-it0-x241.google.com with SMTP id l6-v6so13274021iti.2 for <doh@ietf.org>; Mon, 18 Jun 2018 10:58:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ProCGSKJASrRUXFVahn9EeUe6lfSRTct1XhPENeV/dM=; b=IMQ+hNG6oHB6QyzZ7SATIRfCLjPZ3Efnu1fDKSckoEBxTKS3aW5/F8Vd3aPQVk/ciS 4lGqLrf9TZg3jE3XrJHezxQwB26SK17EJMJhWi7Ka6An8bGlguCJgvmbbbsMS2572RxH 054+9BLcjOVIJY5J1Pivivv5b7oY7ElWqUTP6YEYtpvy17ynGvOyxjGfl0YSrqjM28/R tZRh+oPLeYYL0BNNp8BJtL88su+x0Cw4YWgqkfuEPUxCIjkenlOSkMjSHiY6mUMpXxUk ZrRQ91J3s1kydKoylh86kl/M5Cek6blLr8o/nStGnv6ZCopLfMyGQvHlWqIt9yT0V5DN rPtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ProCGSKJASrRUXFVahn9EeUe6lfSRTct1XhPENeV/dM=; b=SxBNlnj8ftbzc8nhHakDdhtUTQSFWcAf3kX0T1ad0Wu/YRjIuArSHLecSH14LN2k4N VqpKzPGg3UrRQX4OuiLloKvMnS2XcnqH4TzFgK5xdMmZJUrtzZGn4p/AFY1iIq+d1nXV BFL0sJbFCiRUoCkolb+Hfv16hlDsar3KeIrbMbKZXXQY5J6KlotNl4s5yoCtcePZYAXu wm75OSK0fCqL4oyGKz5vOA8DzDbVlJUc7isKJyIgKa+kyHZNY57ETPgKUNWIOYMMN6hL QPtn5k/z5AMGRv+aJNAAlWM2iYAzOOYuE+iPNc2+bX5j3z2cjEUNUrnaPtbN57SAIgbo xX7g==
X-Gm-Message-State: APt69E0ABr+QvYNJmku06j/TOhGyHTPxp4LnVEpMKCMMRH2LdP0xsEOL IFxHOZO3P5EJbYRw37mn0fELmbYA2s7PhbtkuunNbA==
X-Google-Smtp-Source: ADUXVKKwxouaMeH1i1KFm5EvEjfahAUjbjPwLd/HvAkC4TmMNgztBILVSWTp77mKUtWCLZP56tVQHOp+HGfYNcVxDvQ=
X-Received: by 2002:a24:b510:: with SMTP id v16-v6mr10645158ite.87.1529344695887; Mon, 18 Jun 2018 10:58:15 -0700 (PDT)
MIME-Version: 1.0
References: <20180618112116.GB9195@server.ds9a.nl> <d137a136-d456-8de2-b682-512edd86b1f7@riseup.net> <E4082C8A-8D16-4F13-82ED-C9F68F66A2A1@sinodun.com> <CAOdDvNrnfxxQ__G_kKn4Fe4jcwcQUZfOb4aNAE6+bjvSrfLcmA@mail.gmail.com> <0D08F629-1719-440D-B4B4-A474CF90B865@sinodun.com>
In-Reply-To: <0D08F629-1719-440D-B4B4-A474CF90B865@sinodun.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 18 Jun 2018 13:58:03 -0400
Message-ID: <CAHbrMsD1uCVnOcdm5MKgf2uL2Q-wxGytbvRLyoPL5pdi6JRVkA@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, nusenu-lists@riseup.net, DoH WG <doh@ietf.org>, bert.hubert@powerdns.com
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000005efe5c056eee4f63"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/LCONkGjekgCvgOi-uiMOSC19O1g>
Subject: Re: [Doh] some privacy ponderings wrt HTTPs and plain DNS
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 17:58:21 -0000

On Mon, Jun 18, 2018 at 12:36 PM Sara Dickinson <sara@sinodun.com> wrote:

>
>
> On 18 Jun 2018, at 15:25, Patrick McManus <pmcmanus@mozilla.com> wrote:
>
> In the interest of moving forward, given that we've completed wglc a
> couple of times, I'm going to incorporate this as a ietf last-call comment
> and include text as part of that cycle.. there is surely something useful
> that can be written
>
>
> Erm, did you mean IESG not IETF LC?
>
>
> in the big picture, this is something that I would like to see handled by
> BCP56-bis, but doesn't seem to be addressed at all there. That's probably a
> good comment for that draft.
>
> some more specific things to consider when writing text that come to my
> mind:
> * content negotiation is something doh clients will want to do as a normal
> part of http, and most of this information is related.. e.g. accept-language
> * many headers leak state but are tied to http features that clients might
> choose to participate in anyhow (e.g. cache revalidation headers)
> * versioning information helps prevent bugs from becoming defacto features
> forever.
> * authentication is a normal thing to do
> * there are lots of headers that we don't know about - and that's ok.
> Let's provide advice rather than be a whitelisting firewall.
> * entities other than DoH clients and DoH servers participate in a DoH
> exchange (proxies, lb, etc) so be aware that there is an asymmetry between
> send and recv in this spec. (i.e. you can say a DoH client cannot send Foo,
> but you cannot say that a DoH server receiving Foo is a protocol error
> because generic HTTP in between might add it.)
>
>
> Thanks for the list… it certainly provides context to understand that HTTP
> as a substrate brings a significant overhead (as well as all the benefits
> of such bells and whistles).
>
> So I think what I am hearing here is that the use of DoH effectively comes
> at the price of accepting that additional overhead and all its potential
> privacy/tracking issues because in practice it is rather impossible and/or
> impractical to have ‘bare’ DoH that transmits only as much information
> about the user as, for example, typical DNS-over-TLS?
>
> I see the trade-offs here, I just want to make sure I understood
> correctly….
>
>
> wrt Sara's specific comment about the differences between connection
> contexts - that's not a difference the core semantic layer of HTTP
> presents. from that pov HTTP is stateless. its often not something the
> client interface exposes very well, and is certainly not necessarily an end
> to end property. So any text in that neighborhood probably needs to be
> along the lines of fyi.
>
>
> So I think DoH will need to say something fairly generic along the lines
> of "think about the meta data tradeoffs and explicitly enable features you
> need”.
>
>
> So from a privacy point of view there is no clear way at the protocol
> level to separate DoH traffic from other HTTPS traffic? In other words any
> considerations of data minimisation would have to be framed in that context
> (i.e. DoH traffic can’t necessarily be isolated)?
>

Depending on the client architecture, isolation may or may not be
feasible.  Depending on the use case, isolation may or may not increase
privacy.  For example, multiplexing DOH traffic into a single HTTP session
with non-DOH HTTP traffic might provide a stronger defense against length
and timing analysis.

There is very little that we can recommend categorically across the wide
variety of potential uses for DOH, but I'm glad the authors are planning to
add some text on this topic to help implementers avoid accidental
disclosures.


>
> Sara.
>
>
>
>
> On Mon, Jun 18, 2018 at 9:47 AM, Sara Dickinson <sara@sinodun.com> wrote:
>
>>
>>
>> On 18 Jun 2018, at 13:49, nusenu <nusenu-lists@riseup.net> wrote:
>>
>> Signed PGP part
>>
>> As noted, I don't know if this has a place in the draft, but I'd recommend
>> DoH clients to:
>>
>> * Set their Agent to 'DoH client', no matter what browser/library
>> * Do not pass non-essential HTTP headers (like language)
>> * Do not allow the DoH server to set cookies
>> * Ponder TLS sessions resumption data settings
>> * Think about all other ways in which HTTP can be tracked (HSTS?)
>>
>> Thoughts?
>>
>>
>> Thanks for this, I find it rather important to avoid introducing new data
>> collection opportunities (at the resolver) that haven't been there on
>> plain DNS
>> and support your recommendations to minimize data exposure.
>>
>> Ideally all DoH clients look the same from the DoH server perspective.
>> This this will never be completely the case but we should try to minimize
>> the DoH client fingerprintability.
>>
>> I hope the minimization of the DoH client fingerprint becomes a mandatory
>> part
>> in the document.
>>
>>
>> +1 on this. DNSOP and DPRIVE have both acknowledged that client
>> identifiers in DNS messages directly compromise user privacy and have
>> attempted to minimise or mitigate their use (for example see RFC7626,
>> RFC7871 or draft-tale-dnsop-edns0-clientid). The DoH WG should be doing
>> the same (or at least no less).
>>
>>
>> This is also in-line with the spirit of RFC6973
>> Privacy Considerations for Internet Protocols
>>
>> specifically section 6.1 and 7.1
>> https://tools.ietf.org/html/rfc6973#section-6.1
>> <https://tools.ietf.org/html/rfc6973#section-6..1>
>> https://tools.ietf.org/html/rfc6973#section-7.1
>>
>> "What identifiers could be omitted or be made less
>> identifying while still fulfilling the protocol's goals?"
>> is always a good question to ask.
>>
>>
>> And given that the charter says
>> “The working group will analyze the security and privacy issues that
>> could arise from accessing DNS over HTTPS. “
>>
>> it suddenly strikes me that this draft doesn’t contain a Privacy
>> Considerations section. I would suggest that one is added to address this
>> issue and offer to help with text on that.
>>
>> On a technical note do we have 2 use cases to deal with?
>> - one where dedicated connections are used for DoH (i.e. where only DoH
>> requests are made)
>> - one where DoH requests are intermingled on the same connection with
>> existing traffic (which will most likely include headers already
>> identifying the client)
>>
>> Sara.
>>
>>
>> _______________________________________________
>> Doh mailing list
>> Doh@ietf.org
>> https://www.ietf.org/mailman/listinfo/doh
>>
>>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>

v2.23.0 | Report a Bug | By Email