[TLS] Re: Firefox and DoH, was Re: Mohamed Boucadair's Discuss on draft-ietf-tls-svcb-ech-07: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Thu, 01 May 2025 13:45 UTC
To: Paul Wouters <paul.wouters@aiven.io>
CC: Mohamed Boucadair <mohamed.boucadair@orange.com>, The IESG <iesg@ietf.org>, draft-ietf-tls-svcb-ech@ietf.org, TLS Chairs <tls-chairs@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
On Thu, May 1, 2025 at 4:55 AM Paul Wouters <paul.wouters@aiven.io> wrote:

> On Wed, Apr 30, 2025 at 12:32 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>> However, I believe that the existing client-side implementations implement their own resolvers; at least chrome and Firefox do so (Firefox, just for DoH, which is the only time it enables ECH).
>
> Weird. My home network which is fully encrypted and trusted, and I don't need local DoH. And now Firefox decides to not use ECH to connections outside my home network? That seems pretty broken.

My apologies for sending stale information. Apparently the situation has improved and it is possible to get the data with the system resolver in at least some cases, and Firefox now will enable ECH whether DoH is on or not.

-Ekr
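The "data" a client needs for ECH is the ECHConfigList carried in the `ech` SvcParam (key 5) of the HTTPS record, so whichever resolver path is used, the client still has to parse that RDATA. The following is an added illustration, not Firefox or Chrome code, of extracting it from HTTPS RDATA per the RFC 9460 wire format; the record bytes and the ECHConfigList payload are constructed placeholders.

```python
import struct

SVCPARAM_ALPN = 1  # RFC 9460 SvcParamKey "alpn"
SVCPARAM_ECH = 5   # RFC 9460 SvcParamKey "ech" (ECHConfigList, draft-ietf-tls-svcb-ech)


def _read_name(buf: bytes, pos: int):
    """Read an uncompressed wire-format domain name; return (name, next_pos)."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:  # SVCB TargetName must not use compression pointers
            raise ValueError("compression pointer in TargetName")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return (".".join(labels) + ".") if labels else ".", pos


def parse_https_rdata(rdata: bytes):
    """Return (SvcPriority, TargetName, {SvcParamKey: raw value})."""
    prio = struct.unpack_from("!H", rdata, 0)[0]
    target, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if key <= last_key:  # keys must be strictly increasing, else the RR is malformed
            raise ValueError("SvcParamKeys not strictly increasing")
        last_key = key
        value = rdata[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated SvcParamValue")
        pos += length
        params[key] = value
    return prio, target, params


def ech_config_list(rdata: bytes):
    """ECHConfigList bytes from a ServiceMode HTTPS record, or None if absent."""
    prio, _target, params = parse_https_rdata(rdata)
    if prio == 0:  # AliasMode: no SvcParams, follow the target instead
        return None
    return params.get(SVCPARAM_ECH)


# Constructed sample: priority 1, target ".", alpn "h2", ech = placeholder list.
SAMPLE_RDATA = (b"\x00\x01" b"\x00"
                b"\x00\x01\x00\x03\x02h2"
                b"\x00\x05\x00\x06\x00\x04ABCD")
```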