IETF Logo Mail Archive

Re: [Doh] some privacy ponderings wrt HTTPs and plain DNS

Patrick McManus <pmcmanus@mozilla.com> Mon, 18 June 2018 18:04 UTC

Return-Path: <pmcmanus@mozilla.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4BDF130EFF for <doh@ietfa.amsl.com>; Mon, 18 Jun 2018 11:04:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zB8Y8SIpclMq for <doh@ietfa.amsl.com>; Mon, 18 Jun 2018 11:04:04 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id 5AC91130EE2 for <doh@ietf.org>; Mon, 18 Jun 2018 11:04:04 -0700 (PDT)
Received: from mail-oi0-f51.google.com (mail-oi0-f51.google.com [209.85.218.51]) by linode64.ducksong.com (Postfix) with ESMTPSA id 540E53A041 for <doh@ietf.org>; Mon, 18 Jun 2018 14:04:02 -0400 (EDT)
Received: by mail-oi0-f51.google.com with SMTP id d5-v6so15672238oib.5 for <doh@ietf.org>; Mon, 18 Jun 2018 11:04:02 -0700 (PDT)
X-Gm-Message-State: APt69E3G6bu6TBwP/Qn7JiVm1DPVUKG+aUfar7bYq56apcHtrTBLVb8Z SmY8Z8hd6QqyAVnpXRuTW0H8fCANPc8BkFhud4A=
X-Google-Smtp-Source: ADUXVKIqwdFFJyLshRQDJCxDgFsLerEnr75J/WuTz/E9GWgL8WCK73P+rxlQIJgQRFGJj7ulZ7LezMtZtYq3fef6c7Y=
X-Received: by 2002:aca:d7d6:: with SMTP id o205-v6mr7095451oig.347.1529345041973; Mon, 18 Jun 2018 11:04:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:8a32:0:0:0:0:0 with HTTP; Mon, 18 Jun 2018 11:04:01 -0700 (PDT)
In-Reply-To: <0D08F629-1719-440D-B4B4-A474CF90B865@sinodun.com>
References: <20180618112116.GB9195@server.ds9a.nl> <d137a136-d456-8de2-b682-512edd86b1f7@riseup.net> <E4082C8A-8D16-4F13-82ED-C9F68F66A2A1@sinodun.com> <CAOdDvNrnfxxQ__G_kKn4Fe4jcwcQUZfOb4aNAE6+bjvSrfLcmA@mail.gmail.com> <0D08F629-1719-440D-B4B4-A474CF90B865@sinodun.com>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Mon, 18 Jun 2018 14:04:01 -0400
X-Gmail-Original-Message-ID: <CAOdDvNrKhV83ZmCX=KWHx49PtFVO2eTzY+GOxjEzEVd6Auj4Nw@mail.gmail.com>
Message-ID: <CAOdDvNrKhV83ZmCX=KWHx49PtFVO2eTzY+GOxjEzEVd6Auj4Nw@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, nusenu <nusenu-lists@riseup.net>, DoH WG <doh@ietf.org>, bert hubert <bert.hubert@powerdns.com>
Content-Type: multipart/alternative; boundary="000000000000f746aa056eee6345"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/tQUOmVBAw9RTgEI2jdqkn_H8yTI>
Subject: Re: [Doh] some privacy ponderings wrt HTTPs and plain DNS
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 18:04:08 -0000

On Mon, Jun 18, 2018 at 12:36 PM, Sara Dickinson <sara@sinodun.com> wrote:

>
>
> On 18 Jun 2018, at 15:25, Patrick McManus <pmcmanus@mozilla.com> wrote:
>
> In the interest of moving forward, given that we've completed wglc a
> couple of times, I'm going to incorporate this as a ietf last-call comment
> and include text as part of that cycle.. there is surely something useful
> that can be written
>
>
> Erm, did you mean IESG not IETF LC?
>
>
I think we're talking about the same thing. After the WG shepherd submits
the doc to the iesg, they will issue a ietf-wide last call. We can make the
additions we're talking about here as part of those inevitable updates.


>
> in the big picture, this is something that I would like to see handled by
> BCP56-bis, but doesn't seem to be addressed at all there. That's probably a
> good comment for that draft.
>
> some more specific things to consider when writing text that come to my
> mind:
> * content negotiation is something doh clients will want to do as a normal
> part of http, and most of this information is related.. e.g. accept-language
> * many headers leak state but are tied to http features that clients might
> choose to participate in anyhow (e.g. cache revalidation headers)
> * versioning information helps prevent bugs from becoming defacto features
> forever.
> * authentication is a normal thing to do
> * there are lots of headers that we don't know about - and that's ok.
> Let's provide advice rather than be a whitelisting firewall.
> * entities other than DoH clients and DoH servers participate in a DoH
> exchange (proxies, lb, etc) so be aware that there is an asymmetry between
> send and recv in this spec. (i.e. you can say a DoH client cannot send Foo,
> but you cannot say that a DoH server receiving Foo is a protocol error
> because generic HTTP in between might add it.)
>
>
> Thanks for the list… it certainly provides context to understand that HTTP
> as a substrate brings a significant overhead (as well as all the benefits
> of such bells and whistles).
>
> So I think what I am hearing here is that the use of DoH effectively comes
> at the price of accepting that additional overhead and all its potential
> privacy/tracking issues because in practice it is rather impossible and/or
> impractical to have ‘bare’ DoH that transmits only as much information
> about the user as, for example, typical DNS-over-TLS?
>


more impractical than impossible - at the extreme, you would be building a
mere tunnel rather than really building an HTTP application. But its
totally appropriate to highlight that there are various tradeoffs that can
be made by implementations. e.g. firefox will not accept server cookies
right now on DoH transactions nor will it allow authentication. But, in a
different circumstance, a DoH client might want to use cookie-drive auth
totally reasonably (imagine a subscription based DoH service) - so its not
something the protocol should prohibit but we can mention.


>
> I see the trade-offs here, I just want to make sure I understood
> correctly….
>
>
> wrt Sara's specific comment about the differences between connection
> contexts - that's not a difference the core semantic layer of HTTP
> presents. from that pov HTTP is stateless. its often not something the
> client interface exposes very well, and is certainly not necessarily an end
> to end property. So any text in that neighborhood probably needs to be
> along the lines of fyi.
>
>
> So I think DoH will need to say something fairly generic along the lines
> of "think about the meta data tradeoffs and explicitly enable features you
> need”.
>
>
> So from a privacy point of view there is no clear way at the protocol
> level to separate DoH traffic from other HTTPS traffic? In other words any
> considerations of data minimisation would have to be framed in that context
> (i.e. DoH traffic can’t necessarily be isolated)?
>
>
I think you're right - especially when you consider the "HTTP chain" is
more than just the originating client. Also note that mixing has very good
sides for privacy as well - indeed while there are pros and cons I think
mixing is a net good. (it deters traffic analysis, it minimizes handshakes
and sni, etc.. while separation tends to be more easily defeated by IP
analysis or behavioral correlation by the terminating server)

v2.23.0 | Report a Bug | By Email