IETF Logo Mail Archive

[hrpc] DNS Privacy Vs. Re: Working group last call for draft-irtf-hrpc-guidelines

Mallory Knodel <mknodel@cdt.org> Fri, 02 July 2021 11:59 UTC

Return-Path: <mknodel@cdt.org>
X-Original-To: hrpc@ietfa.amsl.com
Delivered-To: hrpc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 183C93A1BEC for <hrpc@ietfa.amsl.com>; Fri, 2 Jul 2021 04:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIOziIjgHA9G for <hrpc@ietfa.amsl.com>; Fri, 2 Jul 2021 04:59:01 -0700 (PDT)
Received: from mail-qv1-xf44.google.com (mail-qv1-xf44.google.com [IPv6:2607:f8b0:4864:20::f44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77D8B3A1B46 for <hrpc@irtf.org>; Fri, 2 Jul 2021 04:59:01 -0700 (PDT)
Received: by mail-qv1-xf44.google.com with SMTP id x6so4519820qvx.4 for <hrpc@irtf.org>; Fri, 02 Jul 2021 04:59:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=message-id:date:mime-version:user-agent:content-language:to:cc :references:from:subject:in-reply-to:content-transfer-encoding; bh=J1dd1W0Hu7faBMGS+J2HlDHZsX67yuDD6DTJ3VMSaPQ=; b=CYfnJ9rBMIQ7CbcRm8JfAKiTYU+llxk6T687TjOwa5BFHAvHpFSovwxkFP76Eo0whm hcEGqz1ZKSi2G40Bp5K1gFqyqbqVDNlt5WHZl7NzPVnqOwrctESaYlq8JV98L9wwrIMw nTTNf4oAeSGAtH/cUMnji3O2vk2HyQ8PN/NbI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:cc:references:from:subject:in-reply-to :content-transfer-encoding; bh=J1dd1W0Hu7faBMGS+J2HlDHZsX67yuDD6DTJ3VMSaPQ=; b=hRG/81hZ7Cr11KRhGEtPvfFaQ5iT/L//nkz3+cASQZiKdE6qTi6oz3zyvPNbuIjz+6 x4h6x5cRt2AJKIrXzSNa45wpz1qJOakbmFw7qQYTK4xn0+Kk893Dp7On4M4AGLDoooPD qyaXrNjF7pHSUWArLvzp8YuOB2WNHHOjWiFUDqrTu4TTGaE6iW77vMBhYnHvFSFieOX3 c6pLEZSWkRqiTiGxS2g2RGfcZ7JaIPHdPGVnrk0Bzor0F+c7o+JIT6zFv5gOQ0xsqB4D 4NZ4iCoRJ+D8wqOk8y0zSO+tsQSkOsHlfCyWdhTxw8KkZ0K4vCFFG+zsZ77rIOo+YFmH SDRw==
X-Gm-Message-State: AOAM530g2Wjf1Yfen9x1H6/BexxG7S57wP7DoIC/mYvstWPVfj55iV1k /3mSkyXPCDosQBDjEXiwqIB4LA==
X-Google-Smtp-Source: ABdhPJyN2xE/vY2wvEwUCePL0sqK1FlE9whou/R4+ClIz/DvxYbkaiRsgQ16kEdYuahq8HaFCF9jjA==
X-Received: by 2002:a0c:f048:: with SMTP id b8mr4769173qvl.56.1625227140056; Fri, 02 Jul 2021 04:59:00 -0700 (PDT)
Received: from [192.168.0.130] (c-73-163-188-207.hsd1.dc.comcast.net. [73.163.188.207]) by smtp.gmail.com with UTF8SMTPSA id f2sm1129266qth.11.2021.07.02.04.58.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 02 Jul 2021 04:58:59 -0700 (PDT)
Message-ID: <bc31d710-c7d9-101e-e0bb-db429f1a5f94@cdt.org>
Date: Fri, 02 Jul 2021 07:58:58 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Thunderbird/90.0
Content-Language: en-US
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Gurshabad Grover <gurshabad@cis-india.org>, Mallory Knodel <mallory@cdt.org>, "hrpc@irtf.org" <hrpc@irtf.org>, Eliot Lear <lear@lear.ch>
References: <447c4444-800b-dfb9-de3e-bbbe3bb4ac64@lear.ch> <6b540117-38a6-fbfa-3749-048d14b34f38@cis-india.org> <CAGVFjMK5K_VQWiQCre7r21c+ofasyUshP5wFYSxmjtX5147Q6Q@mail.gmail.com> <20210701165934.GA24015@nic.fr>
From: Mallory Knodel <mknodel@cdt.org>
In-Reply-To: <20210701165934.GA24015@nic.fr>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/elT-ugMJFWl0CeL_XDl3H6_hkKg>
Subject: [hrpc] DNS Privacy Vs. Re: Working group last call for draft-irtf-hrpc-guidelines
X-BeenThere: hrpc@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: hrpc discussion list <hrpc.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/hrpc>, <mailto:hrpc-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hrpc/>
List-Post: <mailto:hrpc@irtf.org>
List-Help: <mailto:hrpc-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/hrpc>, <mailto:hrpc-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jul 2021 11:59:06 -0000

Hi,

On 7/1/21 12:59 PM, Stephane Bortzmeyer wrote:
> On Mon, Jun 28, 2021 at 03:14:04PM -0400,
>   Mallory Knodel <mknodel@cdt.org> wrote
>   a message of 145 lines which said:
>
>> Here’s that text: https://github.com/mallory/DNS-Privacy.
> I'm not convinced. This paper has several weaknesses:
>
> * it speaks mostly about *one* deployement model of DoT/DoH, and
> criticize it, instead of promoting other models,

We definitely want to introduce more nuanced models in the next version.

What we can do is be explicit about what we are currently talking about, 
and not make a blanket statement. Criticism isn't exactly the point, 
it's more to acknowledge tensions and help non-technical people weigh 
the tradeoffs.

> * it is very close from the arguments of the Internet access providers
> (as presented in RFC 8404) "encryption is a problem for us",
The idea is to face the shortcomings head on (rather than to pretend 
they don't exist) and from a public interest perspective give an 
analysis that ultimately ends in: given all of this we still think that 
encryption and privacy are more important, overall.
> * with the very same arguments about research and monitoring, we could
> suppress all encryption. (The paper does not propose a criteria to
> separate things that have the right to be encrypted and the things
> that would have to stay in clear.
(same argument)
>   Calling DNS requests "metadata" is
> may be an attempt to have such a criteria. If so, it is a bad one.)
If you could just explain more what you mean here, I think you're 
raising an important point that we want to better consider in the text.
>> Making DNS lookup more private for the user affects internet
>> measurements, consolidates service provision
> No. There is zero relationship between "making DNS lookup more
> private" and "consolidates service provision". Big public DNS
> resolvers existed before DoT and DoH (I bet that the vast majority of
> requests to 8.8.8.8 and 1.1.1.1 are not over DoT/DoH). Saying that
> "Making DNS lookup more private for the user consolidates service
> provision" is like saying SMTP created Gmail.
We should say, "Recent efforts that have popularised private DNS 
lookup..." and there certainly is a relationship to consolidation, 
albeit not causation. We then use the fuller section to explain this 
more clearly, and resolve the tension as you point out.
>> Making DNS lookup more private for the user [...] risks internet
>> shutdown for some users
> This one really upset me. The responsability of Internet shutdowns is
> 100% on the side of the censors/governments/etc. Accusing the user who
> tried to improve his/her privacy is a bad idea. For every security
> measure, the other side will try to find a counter-measure and we
> don't accuse security measures of being responsible for the nasty
> effects of these counter-measures.

Censorship is upsetting. We're not accusing the user obviously. If 
anything it's really important to warn users of risks when they start 
using new tools because they are evading censorship or surveillance. 
Giving users a false sense of security is at the top of the 
what-not-to-do list.

The point is to speak to the audience of people who are building the 
circumvention tools and the people who support at-risk groups to adopt 
those tools. This audience needs to confront the fact that the censor is 
going to make a counter-move, and to be informed of any existing 
counter-measures and to expect, possibly even plan, more of them.

>> Needless to say, it is not in the public interest for internet
>> traffic to be consolidated on only a few network operators.
> And therefore the solution is to have many secure resolvers (in the
> same way that the solution to centralized social networks is to have
> many instances of a decentralized protocol), not to stop deploying
> DoT/DoH.
This is the exact point that we clearly make. While obvious to us, it's 
valuable to say it in a document written from a public interest 
perspective. It's called "taking a position".
>>   App developers on these platforms can now enable encrypted DNS for
>>   app-specific lookups even if the system resolver doesn’t use
>>   encrypted DNS or uses a different resolver.
> This has nothing to do with DoT or DoH. Applications were always able
> to have their own resolution.
Yes but if the user's mental model is that their lookups are private, 
they need to understand who is the intermediary from whom they are not 
private: the app. I've written about and taught digital security for 
at-risk users and it is fundamentally critical that the inherent trust 
relationships in tools be uncovered. What is written here is not 
attributing something new to DoT/DoH, it is describing what is possible.
>   Anyway, the solution is not to drop
> DoT/DoH (see my remark above about the fact that this paper seems to
> consider there is only one way to deploy DoT/DoH) but to have the OS
> resolver use DoT (Android now does it) or DoH (Windows 11 now does
> it).

The solution is to make DoT/DoH *ubiquitous*. I'm just baffled at how 
you could read a pretty mild analysis of implementation tradeoffs and 
assume the literal opposite intention of the paper.

Perhaps we're all just very used to unconditional and unexamined support 
of anything that says it's good for user privacy?

-Mallory

-- 
Mallory Knodel
CTO, Center for Democracy and Technology
gpg fingerprint :: E3EB 63E0 65A3 B240 BCD9 B071 0C32 A271 BD3C C780

v2.23.0 | Report a Bug | By Email