IETF Logo Mail Archive

Re: [Doh] New Privacy Considerations Section Proposal

Ted Hardie <ted.ietf@gmail.com> Wed, 20 June 2018 22:14 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3D7A130E73 for <doh@ietfa.amsl.com>; Wed, 20 Jun 2018 15:14:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bIwpnOIsjLF for <doh@ietfa.amsl.com>; Wed, 20 Jun 2018 15:14:52 -0700 (PDT)
Received: from mail-ot0-x235.google.com (mail-ot0-x235.google.com [IPv6:2607:f8b0:4003:c0f::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B410A130E22 for <doh@ietf.org>; Wed, 20 Jun 2018 15:14:52 -0700 (PDT)
Received: by mail-ot0-x235.google.com with SMTP id a5-v6so1270667otf.12 for <doh@ietf.org>; Wed, 20 Jun 2018 15:14:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=YI7IdsLwsmR0/tPptMNoE7gmlixJnObLaVmGiR3uW+U=; b=cU/qGutEcEepyaur4dM8dFB73UXcqDTMUKBcrlcHWMJLx8wFK7dblvjWcNpQoi4kVC yZUh7jN5W2dordfvq7L12nEioA/XrpXH8cDjqkuZyBzt93/MWWqSa0Z74GRuDSHesu/6 MT11fs3eK2w6FoAsLxDS1DBB0xwAuT5bw/yKZB8QH+Ns0/PqHKqpF+t7dIzKLlYzXnMs G0rKz31hJ4SHDExkLzej3hbM/swclDVKRIkzlXoJq+49shGlAR9ryJQsTQxNTMQ/n++F muN6nHoKLRfBufcd/Luni6gY1xCMg9tFnygzoT8ROeP31EhXHpK56xCueP9yZ2SfaJCt 9I9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=YI7IdsLwsmR0/tPptMNoE7gmlixJnObLaVmGiR3uW+U=; b=S6uoVqZb68I5yMt4U2aye/wzPjeq6uwXbJXQpxV0tmAiWfCd4QsUnCJol2tiwMdfOd Se87JDZnXjxZ64Rt6NjspqAXmqTCAE9W9bXWhfmAVDFobldvDFOG14MYWYb1e5DHiTam 7RtC/rDm6vXoDXzPKdyt/6U3/9f7pV1xCNgh+BKbbQWLNDK/5FSRFChuN27McvZKrcUq boOe4ljGg6FGaZJN4etbhvD2gg5WUZqAA3Qq76xYgNw19SGZ2Fj3o3e9g5iK8VveVnQE /gM2teSDMkbkxrCDUiI4GPPoiXyeVriiwnbHkcrZEsupSZsrxa+jMePDstG+fnQe7wQj k9/A==
X-Gm-Message-State: APt69E0SYhAe+5ZT4drIJyWd/gj1b4ggJgwnFIIAZgKz3PKwGfnChe6W cZnr4aDMj12OzIM7FGrNboY1w9uK37c5Sd3mvF4elw==
X-Google-Smtp-Source: ADUXVKLPK7d+zx8hkyLkSuDPV/1kPdhyShW39z4nL+YBswTe/vddyNDfvfT1T0RKWYNGjn1xy+ee5lZBdNr9sjo4kC0=
X-Received: by 2002:a9d:5b49:: with SMTP id e9-v6mr15111274otj.193.1529532891646; Wed, 20 Jun 2018 15:14:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:66c3:0:0:0:0:0 with HTTP; Wed, 20 Jun 2018 15:14:21 -0700 (PDT)
In-Reply-To: <CAOdDvNpY4NpvSKW_D__jztDD_wkaRsJna9L+Br+hdnDnQ8w5SQ@mail.gmail.com>
References: <CAOdDvNpY4NpvSKW_D__jztDD_wkaRsJna9L+Br+hdnDnQ8w5SQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 20 Jun 2018 15:14:21 -0700
Message-ID: <CA+9kkMDt03Uv6UvtZw=mvo=+6dprGqUDMkC7Ef6bd=kb6vX_Fg@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000add002056f1a209c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/iNahHzSYa-FMzCEN36aCIglWQmM>
Subject: Re: [Doh] New Privacy Considerations Section Proposal
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2018 22:14:55 -0000

Repeating the comment I made at Github:

Is there a reason not to make a recommendation for the case of a DOH-only
service?  The current text says:

Implementations of DoH clients and servers need to consider the benefit
and privacy impact of all these features, and their deployment context,
when deciding whether or not to enable them.

Would you consider a recommendation like "For DOH clients which do not
intermingle DOH requests with other HTTP suppression of these headers and
other potentially identifying headers is an appropriate data minimization
strategy."?

Ted

On Wed, Jun 20, 2018 at 3:05 PM, Patrick McManus <pmcmanus@mozilla.com>
wrote:

> Hi All,
>
> The authors have a proposed privacy considerations section available as a
> PR at: https://github.com/dohwg/draft-ietf-doh-dns-over-https/pull/200
> and a snapshot is also included at the end of this email. (though obviously
> the PR will be a living document).
>
> First, thanks for the all the comments and especially to Sara for some of
> the significant text that made its way into the draft text.
>
> The text does not, cannot really, describe the whole universe of
> http/tls/tcp/ip fingerprinting - but it does raise it as an issue and try
> to give enough illustrative examples to motivate consideration of these
> things in your implementation. And in the end, that's its recommendation -
> consider these things and don't use them blindly. The construction that
> "DoH inherits the HTTPS profile so understand that please" seems most apt
> and in scope.
>
> It would be really great if we had something published in the HTTP space
> that deal with this. We don't AFAICT, and that's feedback Mark and I have
> already started noodling over for HTTPbis. (If we had it, the DoH text
> would be shorter :))
>
> Comments and discussion are of course welcome - its just a pull request.
>
> -Patrick
>
> ---
>
> # Privacy Considerations {#PrivacyConsiderations}
>
> {{RFC7626}} discusses DNS Privacy Considerations in both "On the
> wire" (Section 2.4), and "On the server" (Section 2.5) contexts. This
> is also a useful framing for DoH's privacy considerations.
>
> ## On The Wire {#OnTheWire}
>
> DoH encrypts DNS traffic and requires authentication of the
> server. This mitigates both passive surveillance {{RFC7258}} and
> active attacks attempting to divert DNS traffic to rogue servers
> ({{RFC7626}} Section 2.5.1). DNS over TLS {{RFC7858}} provides
> similar protections, while direct UDP and TCP based transports are
> vulnerable to this class of information leak.
>
> Additionally, the use of the HTTPS default port 443 and the ability to
> mix DoH traffic with other HTTPS traffic on the same connection can
> deter on-path devices from interfering with DNS operations and make
> DNS traffic analysis more difficult.
>
> ## On The Server {#OnTheServer}
>
> A DoH application is built on IP, TCP, TLS, and HTTP. Each layer
> contains one or more common features that can be used to correlate
> different queries to the same identity. DoH inherits the privacy
> properties of the HTTPS stack and is not known to introduce new
> concerns beyond that of HTTPS.
>
> At the IP level, the client address provides obvious correlation
> information. This can be mitigated by use of a NAT, proxy, VPN, or
> simple address rotation over time. It may be aggravated by use of a
> DNS server that can correlate real-time addressing information with
> other personal identifiers, such as when a DNS server and DHCP server
> are operated by the same entity.
>
> TCP-based solutions may seek performance through the use of TCP Fast
> Open {{RFC7413}}. The cookies used in TCP Fast Open allow servers to
> correlate different TCP sessions together.
>
> TLS based implementations often achieve better handshake performance
> through the use of some form of session resumption mechanism such as
> session tickets {{RFC5077}}. Session resumption creates trivial
> mechanisms for a server to correlate different TLS connections
> together.
>
> HTTP's feature set can also be used for identification and tracking in
> a number of different ways. For example, authentication request header
> fields explicitly identify profiles in use, and HTTP Cookies are
> designed as an explicit state tracking mechanism between the client
> and serving site and often are used as an authentication mechanism.
>
> Additionally, the User-Agent and Accept-Language request header fields
> often convey specific information about the client version or locale.
> This facilitates content negotiation and operational work-arounds for
> implementation bugs. Request header fields that control caching
> can expose state information about a subset of the client's
> history. Mixing DoH requests with other HTTP requests on the same
> connection also provides an opportunity for richer data correlation.
>
> Implementations of DoH clients and servers need to consider the benefit
> and privacy impact of all these features, and their deployment context,
> when deciding whether or not to enable them.
>
>
>
>
>
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
>

v2.23.0 | Report a Bug | By Email