Re: DOH (was: geolocation services disabled and Gnome maps)
Hi.
On Mon, Apr 13, 2020 at 06:42:10PM -0400, Lee wrote:
> On 4/13/20, Reco wrote:
> > On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
> >> > The questionable idea behind DOH is that the browser makers do not
> >> > trust
> >> > your local resolver.
> >>
> >> Mozilla claims it's a privacy issue:
> >> https://support.mozilla.org/en-US/kb/firefox-dns-over-https
> >
> > It's a privacy issue along with the other things.
> > With the default settings the Firefox user is handing all DNS resolution
> > to Cloudflare. Not an equivalent to complete browsing history, but close
> > enough.
>
> Right. The ISP can't see what names the user is looking up but
> Cloudflare sees every single one. On the other hand, take a look at
> https://wiki.mozilla.org/Security/DOH-resolver-policy
An interesting declaration. For instance:
1. The resolver may retain user data (including identifiable data...)
but should do so only for the purpose of operating the service and
must not retain that data for longer than 24 hours.
...
2. Transparency Report. There must be a transparency report published at
least yearly that documents the policy for how the party operating the
resolver will handle law enforcement requests for user data and that
documents the types and number of requests received and answered, except
to the extent such disclosure is prohibited by law.
Thus:
a) Cloudflare is allowed to store whatever they want for 24 hours.
b) They aren't forbidden to give that data to the law enforcement, which
is not binded by that Mozilla’s Trusted Recursive Resolver program.
c) Law enforcement entity hires some independent contractor to help them
store this data.
d) Next thing you know, everyone's DNS history is world-accessible via
some unprotected ElasticSearch instance on AWS.
e) And the best thing here is - Mozilla legally allowed it to happen.
> >> If firefox wasn't a viable alternative to chrome, what are the chances
> >> that change would have been implemented?
> >
> > It is implemented already, it's just there are alternatives to
> > declarativeNetRequest that are working - so far.
>
> Ahh. I thought Google backed down on the change..
I happen to build chromium from the source from time to time. Recent
versions (>=80) require re2 regex library just for declarativeNetRequest
alone.
> >> > With the advent of HTTPS all this may be seen as moot points (if you're
> >> > redirected elsewhere the certificate validation should fail), but
> >> > nevertheless DOH is forced upon the collective throat of Firefox users
> >> > as we speak (and Chrome users are likely to follow them Soon™).
> >> > Currently a Firefox user is supposed to trust Cloudflare to do DNS
> >> > queries for them, and HTTPS is used for this purpose because Security™.
> >>
> >> For some values of "security", DOH _is_ more secure.
> >
> > As far as the "last mile" is concerned - maybe.
>
> How about as far as the "end user" is concerned? (which is what I
> thought we were talking about -- clueless end-users having doh forced
> on them)
It's akin to the tempered glass. I.e. it's less likely to break than a
normal glass, but it's still transparent. It's also akin to building a
castle on a sand.
I.e. if the user does not care about security it may improve overall
situation somewhat, but the cost of this improvement is privacy.
> >> How many people use a dnssec validating resolver?
> >
> > See above. Besides, DNSSEC is for integrity of zones, not privacy.
> > You need DNS-over-TLS if you need last one.
>
> "integrity of zones" is part of "security" - yes?
Yes. My point is that it's only a part of the security. A needed part,
but a part nevertheless.
> DoT or DoH - either one gets you privacy from your ISP
> DoT is easy to block, DoH is harder to block, so somewhat censorship resistant?
Both are easily blocked in their current form, in fact, DoH is easier in
this regard - it makes very distinct HTTPS (i.e. tcp:443) queries to a
ten (at most) well-known IPs.
> >> At least Cloudflare resolvers have dnssec enabled.
> >
> > *And* the ability to see users' DNS queries. Neat, right?
>
> Yup, and probably a net win for people that don't have a clue about
> dns .. or at least people in the US. Do people in the EU have to
> worry about their ISP selling their usage data?
No. You do not worry about something that widely happens, you deal with
it one way or another. And it's possible to sidestep GDPR just by
injecting "trusted partners'" ads in users' HTTP traffic, for instance.
Reco
Reply to: