IETF Logo Mail Archive

Re: [Doh] New Privacy Considerations Section Proposal

Sara Dickinson <sara@sinodun.com> Thu, 21 June 2018 11:34 UTC

Return-Path: <sara@sinodun.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C92E131228 for <doh@ietfa.amsl.com>; Thu, 21 Jun 2018 04:34:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2cyBmF-XHfBQ for <doh@ietfa.amsl.com>; Thu, 21 Jun 2018 04:34:36 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F14E6130E7E for <doh@ietf.org>; Thu, 21 Jun 2018 04:34:35 -0700 (PDT)
Received: from [2001:b98:204:102:fffa::409] (port=54166) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <sara@sinodun.com>) id 1fVxrC-0003Dp-1L; Thu, 21 Jun 2018 12:34:34 +0100
From: Sara Dickinson <sara@sinodun.com>
Message-Id: <78C7C2B7-BEE5-44CA-913E-9168E399DFC1@sinodun.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0C565E3F-60C8-441E-8F60-5AF96E8D828C"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Thu, 21 Jun 2018 12:34:20 +0100
In-Reply-To: <CAOdDvNrfQuN4ePV2qeh9jChmaOhjp9VQWD4xeiNBUgSSJAre5Q@mail.gmail.com>
Cc: nusenu <nusenu-lists@riseup.net>, DoH WG <doh@ietf.org>, Ted Hardie <ted.ietf@gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
References: <CAOdDvNpY4NpvSKW_D__jztDD_wkaRsJna9L+Br+hdnDnQ8w5SQ@mail.gmail.com> <a8f12fe6-57d8-70ed-dc68-126c972b75f4@riseup.net> <CAOdDvNrfQuN4ePV2qeh9jChmaOhjp9VQWD4xeiNBUgSSJAre5Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/_ju-J52e5cf7UNpgwhCbq5pln5Y>
Subject: Re: [Doh] New Privacy Considerations Section Proposal
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 11:34:39 -0000


> On 21 Jun 2018, at 01:58, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> Hi Nusenu,
> 
> On Wed, Jun 20, 2018 at 8:06 PM, nusenu <nusenu-lists@riseup.net <mailto:nusenu-lists@riseup.net>> wrote:
> 
> It does not introduce new concerns when compared with HTTPS 
> but it does introduce new privacy converns when compared with 
> DNS over UDP, TCP or TLS (RFC7858),
> 
> I started to go down this path, but it pretty quickly became clear that comprehensive treatment of this kind of comparison is a different document - though I think describing things in layers does a decent job of pointing out where these various properties come into play. DoH needs to describe the properties of DoH.. the proposed text certainly doesn't try and hide from the fingerprintability of the http system doh is using.

But I also support (as other have voiced) at least a statement that it does introduce new concerns compared with 
DNS over UDP, TCP or TLS (RFC7858) which is missing from the new text.  Also a clear justification of why the design decisions were made (if I’ve heard the current arguments correctly).

I propose:

OLD:
“DoH inherits the privacy properties of the HTTPS stack and is not known to introduce new concerns beyond that of HTTPS."

NEW:
“As a deliberate design choice DoH inherits the privacy properties of
the HTTPS stack and is not known to introduce new concerns beyond that of HTTPS.
As a consequence, however, it does introduce new privacy concerns when compared
with DNS over UDP, TCP or TLS (RFC7858). The rationale for this decision is that 
retaining the ability to leverage the full functionality of the HTTP ecosystem is more
important than placing any constraints on this new protocol based on privacy considerations."

> The IP layer paragraph includes mitigations, the paragraphs about 
> the other layers are missing mitigations.
> 
> 
> those mitigations are there to provide context/scope to the addressing problem - not advice on how to mitigate it :) For most of the other features the mitigation is "don't use it" which of course has a cost.

But that cost would be low for a system resolver for example that could easily gain many benefits of DoH without needing to include hardly any of the HTTP bells and whistles. The current assumptions are very browser centric. 

I support adding the text as suggested by others e.g.
"In making this evaluation DoH clients should use the minimal set of data (e.g. headers, cookies) that can achieve the desired feature set whilst minimizing potentially identifying information being passed. For DOH clients which do not intermingle DOH requests with other HTTP messages suppression of these headers and other potentially identifying headers is an appropriate data minimization strategy.”

Sara.

v2.23.0 | Report a Bug | By Email