Re: [hrpc] "Paul Vixie and Peter Lowe on Why DoH is Politically Motivated"
Jacob Appelbaum <jacob@appelbaum.net> Mon, 15 November 2021 16:00 UTC
To: Bill Woodcock <woody@pch.net>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, hrpc@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/UVnYz5-YRy7OPXLPsKZXu059urs>
Hello Bill,

On 11/15/21, Bill Woodcock <woody@pch.net> wrote:
>
>> On Nov 15, 2021, at 1:17 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>>
>> It's funny (no, actually, it's sad) that some people, in 2021, still use "political" as an insult and criticize a protocol as being "political" (especially in the fields of security and privacy where things are even more political than the average network protocol).
>
> Well, I agree that the word "political" is not a useful one in this context.

Indeed. What seems especially not useful here is that the default situation isn't critically examined as a political choice; only the reactionary designs to that default choice are called political? Huh, okay. This is to say nothing of the fact that it is uncontroversial to claim to be performing DNS intelligence at all. Huh, strange...

> But in reading what they said, I don't find much else to disagree with...

Does this mean you don't disagree with people doing "intelligence" on the DNS as is claimed in the discussion? I have always found this a perplexing aspect of the DNS - it is vulnerable to network surveillance and even censorship by (only slightly obfuscated) design.

> DoH is a black mark on the reputation of the IETF, and its adoption as a standard was a sad day for privacy.

I find this position perplexing - was it a sad day for privacy when the IETF (a.k.a. the king makers of the DNS standards) did not pursue query/response privacy on the wire as a first class goal? Or when it refused to adopt TLS or another secure protocol that provides query and response privacy as the DNS server-to-server protocol for all communications? I realize that such a radical change would interfere with some countries' desire to be able to perform DNS surveillance and censorship. As the DNS is secured, the censorship infrastructure will improve, they claim.

These improvements will be tied to the technological and economic capabilities of the adversary attacking users, of course. This observation of theirs seems true, but does that mean that we should thus leave the DNS vulnerable to interception, analysis, and often tampering? No, it doesn't follow. DNSSEC solves part of this problem but not all of it. The surveillance and censorship infrastructure will improve in almost every case regardless of the DNS privacy offerings.

Isn't it completely obvious that until, and unless, the DNS (eg: starting with the root servers) offers meaningful security, someone or some company will add it somewhere else? The notion of meaningful security includes authenticity, integrity, and *especially* confidentiality (aka privacy) of queries and responses. This notion of confidentiality isn't even end-to-end (like DNSCurve, also mentioned by the two gentlemen). In either case, strict confidentiality is a property that even DNSSEC failed to deliver.

If all (especially authoritative) DNS servers, including the root servers, offered encrypted, authenticated communications channels, few would need a centralized DoH or DoT service to achieve query confidentiality.

A major driving force from my perspective behind DoH and DoT is that people don't trust their local network not to extract information from the DNS (as Paul Vixie observed in this discussion). Another major driving force is related to censorship desires of users and network administrators. I think the DNS makes a lot of compromises to accommodate censorship and surveillance requests and there certainly isn't as much transparency as might be desired by users of the DNS. It doesn't seem that people here are objecting to the censorship or surveillance practices of certain providers as much as other issues, for example, who does it now vs who did it previously.

Users and network administrators often use DoH or DoT because of ease of use, well populated caches, censorship features (eg: blocking specific kinds of names on specific kinds of networks), and other features that appeal to network administrators as well as business administrators. It seems almost inevitable that someone would offer a secure way to connect to the DNS, and with it, they will bring in centralization, and other kinds of controls. One way to fight against the centralization is clearly to ensure that the centralized service doesn't offer something that is so appealing that it becomes worthwhile - for example a TLS endpoint.

From my perspective, significant conflicts of interest also abound. Consider that some companies and some people who run important DNS infrastructure also run surveillance operations (eg: passive DNS surveillance) against the network traffic reaching that service while also not offering a secure way to reach that very same server. It is the lack of a secure connection that enables passive (and active!) surveillance of DNS queries/responses near the DNS servers as well as at every point along the network path.

We're not even discussing the ability to make an anonymous query, which is yet another problematic issue that remains unaddressed by the DNS generally. This is especially frustrating since there has been next to no deployed work on how we might solve actual anonymous querying at scale. So even with encryption we're not really speaking of anonymity. Several types of DNS surveillance will still learn information about the querying party by source IP and this can be correlated with logs that are also often kept by operators of the DNS.

My sense is that those doing DNS surveillance don't want to give up any power at all, and DoH/DoT essentially ends the conversation in a fairly rude way. The DoH/DoT provider is able to see the source of the query, and the query itself, as well as any responses. Meanwhile, upstream the DNS just sees a collection of huge proxies which deprives them of client IP addresses, client queries, and of course, the related responses. So the DNS surveillance at the root becomes less effective, and the surveillance abilities move to the DoH/DoT provider/network.

Huh, how might we fix that? Why in 2021 do we still lack a standard, secure way to reach every root server as well as any other DNS server? Surveillance and censorship, of course! More specifically, it looks like surveillance capitalism[0], and it appears that there are at least two major factions arguing over who shall see and thus own the data: the people who design/deploy/run/monitor the DNS, and the people who run large caching servers with TLS endpoints as well as other features. I think application developers generally want this to be a solved problem, so they're simply using the solutions that solve their problems. What alternatives exist for them other than saying no, no query privacy for you? Not many.

Perhaps the interests of decentralization vs centralization will finally break this tug of war. Ideally the root servers will finally offer a secure way to reach them, obviating the need for TLS based privacy enhancements provided by DoH/DoT, especially those that are run as large centralized services. Yes, those ports will be censored by some parties (eg: entire countries), and this will be something that can be seen by everyone. It's uncomfortable to bring this dirty laundry out into the open, I realize.

It goes without saying that if there was a way to have end-to-end encrypted queries/responses (eg: as DNSCurve did years ago) it would largely ensure that those centralized services would be unable to extract almost anything of value. That's a major part, but not the only part, of why they exist - they're not running those services for altruistic reasons. Adopting an end-to-end encrypted design has caching downsides, so I don't expect people to push for it anytime soon. Caching is clearly another large motivation behind centralized services as latency improvements provide an advantage over other distributed/decentralized systems like using the DNS directly at times.

If we look at what Zuboff says with her surveillance capitalist critique [0] then we might be well served to consider DoH/DoT as a market response to performance, control, as well as the obvious privacy concerns. What will the response of the IETF or DNS operators be to this shift in the market? Maybe it might include giving up passive DNS surveillance as it is performed today? Might it include finally designing, and deploying, meaningful query/response privacy in the DNS system at every point? I hope so but it seems doubtful to me. After all, the various conflicts of interest are still highly relevant to the possible solution space. The benefits of performing the surveillance by various operators seem to outweigh the value of even the infrastructure itself to those same operators. DoH/DoT appears to be changing that value proposition in a way that clearly makes the "old guard" (no ageism implied here) of the DNS uncomfortable.

Through Zuboff's surveillance capitalism analysis lens, we might be correct to say that we are watching two (and sometimes more) extractive surveillance capitalist camps complain about fairness of who does the surveillance. It really is something to watch from a distance.

Perhaps there is another choice... What if we... did away with DNS "intelligence" and actually secured the DNS with regard to confidentiality of user queries/responses as well as server-to-server confidentiality? What if we agreed to purposefully blind all these network sniffing and injecting adversaries? Answering "no thanks" is of course a valid option, and it's why there are people who use DoH/DoT, or similar systems like DNSCrypt, and even DNSCurve. This is to say nothing of secure decentralized solutions like Namecoin. My guess is that these alternative options will not beat out the DNS any time soon but eventually "secure" centralized systems will likely become a serious existential threat to the DNS. Frustratingly, DNSSEC does not really help us here as it even invites untrusted third parties to be involved in relaying data.

Kind regards,
Jacob

[0] https://news.harvard.edu/gazette/story/2019/03/harvard-professor-says-surveillance-capitalism-is-undermining-democracy/