Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-16 Thread M. Omer GOLGELI via mailop
https://en.wikipedia.org/wiki/Internet_censorship_and_surveillance_by_country
https://www.comparitech.com/blog/vpn-privacy/internet-censorship-map/

These are the most up-to-date stats I found on the first page; if you check
them, you can see that "most of the world" requires such solutions.
Unfortunately the world is not the same for those who do not live in the EU or USA.

There is censorship in many forms, and tools like these help people access
information as well as pursue their hobbies, etc.

So "centralizing" might be "freedom" for some; that's the world we live in.
Please think globally when talking about such stuff. Mozilla and Cloudflare do
not just target the minority of the world.
As a sysadmin / company worker I couldn't care less about content filtering,
btw.
If I wanted to do this, I could just block them both at the DNS and IP address
level just fine.
M. Omer GOLGELI
July 7, 2020 9:29 AM, "Noel Butler via mailop" <mailop@mailop.org> wrote:
> On 07/07/2020 15:11, Andrew C Aitchison via mailop wrote:
>> On Tue, 7 Jul 2020, Noel Butler via mailop wrote:
>>> On 07/07/2020 01:01, Johann Klasek via mailop wrote:
>>>> I have been told that DoH is set into place to solve the privacy
>>>> problem. On a small DNS workgroup meeting I saw a presentation on how
>>>> they statistically identify users by their DNS traffic, and could create
>>>> a profile with interests and affectations these users have. I think DNS
>>>> is not that anonymous one would expect.
>>>
>>> Don't you think there is more chance of a perfect picture of you being
>>> built from, ohh i dunno, long standing things like, netflow :)
>>
>> On the whole yes.
>>
>> With shared hosting and content delivery networks ISPs have access to less of
>> the relevant netflow data - which means Cloudflare wins again ?
>
> Perhaps, but they are trying to force a change on 99.999% of the
> world where the problem does not exist.
>
> Even here in Australia, with metadata retention laws, web browsing and
> DNS are specifically excluded, as in much of the rest of the western world;
> admins don't care. Australia, like Europe, also has strong privacy laws.
>
> Mozilla and Cloudflare centralising the internet might be fine if you're
> from China or North Korea, but it's unacceptable in the rest of the world.
>
> The world of shared hosting won't matter too much, because they will
> know which site on that IP you're hitting, if they want to.
>
> At present there are workarounds, yes, but if they take them away, there
> are still ways and means to deny DoH, and I guess it will mean far fewer support
> staff will be needed, reducing CSR operating costs, which should also result in
> fewer system admins.
>
> Simple IVR option: "If you're calling about a web site that's unreachable,
> press 5"
>
> ivr-options-5 set announcement go-call-cloudfare-or-mozilla set end-call
>
> hr more profits, hey thanks Mozilla :)
> --
>
> Kind Regards,
>
> Noel Butler
>
> This Email, including attachments, may contain legally privileged
> information, therefore remains confidential and subject to copyright protected
> under international law. You may not disseminate any part of this message
> without the author's express written authority to do so. If you are not the
> intended recipient, please notify the sender then delete all copies of this
> message including attachments immediately. Confidentiality, copyright, and
> legal privilege are not waived or lost by reason of the mistaken delivery of
> this message.
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-09 Thread Noel Butler via mailop
On 08/07/2020 18:57, Laura Atkins via mailop wrote:

> I expect that most of the telcos are unlikely to have any instrumentation for 
> tracking users beyond what is needed to ensure the service works. The 
> companies that are offering DoH as a service and have gone so far as to talk 
> about what they're doing with the data likely have a lot more instrumentation 
> and the ability to track users than the telcos do.

Exactly!   

In fact, if "free uncounted traffic usage" to select sites/networks
(mirrors, MS, Netflix) was not a thing, netflow wouldn't be either.
-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-09 Thread Noel Butler via mailop
On 07/07/2020 22:18, Stuart Henderson via mailop wrote:

> Looking at netflow data, it's at least aggregated with other devices
> behind the same NAT IP, and a lot of it is just "tcp 443 to cloudflare"
> or whatever which tells a lot less than DNS query data.

But if you are the ISP, NAT doesn't matter - unless you're one of the
unlucky souls forced to run CGNAT, that is.

-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-08 Thread Brandon Long via mailop
On Wed, Jul 8, 2020 at 6:31 AM Vittorio Bertola via mailop <
mailop@mailop.org> wrote:

>> On 08/07/2020 10:57 Laura Atkins via mailop wrote:
>>> On 7 Jul 2020, at 23:35, Brandon Long via mailop wrote:
>>>
>>> And I think this discussion is underestimating the number of users already
>>> being tracked at the DNS level by their ISPs.
>>> I know I may be odd here working for one of the big players, but I trust
>>> the privacy policies and statements of some of the "large centralized"
>>> providers you mention over my telco.
>>
>> I expect that most of the telcos are unlikely to have any instrumentation
>> for tracking users beyond what is needed to ensure the service works. The
>> companies that are offering DoH as a service and have gone so far as to
>> talk about what they're doing with the data likely have a lot more
>> instrumentation and the ability to track users than the telcos do.
>
> Also, the legal framework of the DNS provider may be different from that
> of the ISP. A telco in the European Union is heavily regulated and sits
> under a very strict privacy protection regime; its customers have a
> contract with it, a direct communication channel and several practical ways
> to enforce their data protection rights. On the other hand, the DNS
> provider often is in a different part of the globe, under much less
> restrictive privacy laws, with no customer support and no contract with the
> end user; this indeed gives them more opportunities for uncontrolled abuse.
>
> Moreover, while the ISP's service is paid for by your Internet access
> fees, it is often hard to understand what's the business model for global
> DNS service, or why a business is spending significant amounts of money to
> provide DNS resolution on a global scale for free, if they will never
> monetize the data in any way. Even if it were just goodwill, it does not
> seem wise to base the functioning of a vital part of any Internet access
> service globally on the goodwill of a handful of companies.
>

In the US, most of the major ISPs are telcos or cable companies, and they
do not have a great reputation for privacy, but for finding every possible
way to monetize their audience.  In the EU, that may well be different.

And just being heavily regulated (they are in the US as well) doesn't mean
that this is not allowed.

Switching everyone like Mozilla plans is definitely aggressive, and sure,
their primary provider has a history.  I didn't find the one that Laura
mentioned with some searching, but I'm aware of other issues that they've
had with forwarding abuse complaints to the provider, for example.  That
kind of goes to my point, though, it's not DOH that is the real problem
here, it's the choice to bulk move their users to a new provider.

Brandon


Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-08 Thread Vittorio Bertola via mailop

> On 08/07/2020 10:57 Laura Atkins via mailop wrote:
>> On 7 Jul 2020, at 23:35, Brandon Long via mailop <mailop@mailop.org> wrote:
>>
>> And I think this discussion is underestimating the number of users
>> already being tracked at the DNS level by their ISPs.
>> I know I may be odd here working for one of the big players, but I
>> trust the privacy policies and statements of some of the "large
>> centralized" providers you mention over my telco.
>
> I expect that most of the telcos are unlikely to have any instrumentation
> for tracking users beyond what is needed to ensure the service works. The
> companies that are offering DoH as a service and have gone so far as to talk
> about what they're doing with the data likely have a lot more instrumentation
> and the ability to track users than the telcos do.

Also, the legal framework of the DNS provider may be different from that of the 
ISP. A telco in the European Union is heavily regulated and sits under a very 
strict privacy protection regime; its customers have a contract with it, a 
direct communication channel and several practical ways to enforce their data 
protection rights. On the other hand, the DNS provider often is in a different 
part of the globe, under much less restrictive privacy laws, with no customer 
support and no contract with the end user; this indeed gives them more 
opportunities for uncontrolled abuse.

Moreover, while the ISP's service is paid for by your Internet access fees, it 
is often hard to understand what's the business model for global DNS service, 
or why a business is spending significant amounts of money to provide DNS 
resolution on a global scale for free, if they will never monetize the data in 
any way. Even if it were just goodwill, it does not seem wise to base the 
functioning of a vital part of any Internet access service globally on the 
goodwill of a handful of companies.

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy


Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-08 Thread Laura Atkins via mailop


> On 7 Jul 2020, at 23:35, Brandon Long via mailop  wrote:
> 
> There seems to be a lot of mixing of the technical DOH vs the Mozilla 
> implementation (push everyone to
> use certified providers).  Ie, Chrome is defaulting to using DOH for the same 
> DNS provider you're already using (if they support it), which
> doesn't seem like it makes much difference from the policy/privacy discussion 
> here.
> 
> Of course, Chrome also probably supports the enterprise policies to set DOH 
> as well (though I haven't looked).
> 
> And, especially for mobile clients, DOH means that DNS queries for Chrome 
> will go through the same corp proxies you're already
> using, instead of leaking internal web requests to external dns providers.  
> Mozilla is likely the same there.
> 
> And I think this discussion is underestimating the number of users already 
> being tracked at the DNS level by their ISPs.
> I know I may be odd here working for one of the big players, but I trust the 
> privacy policies and statements of some of the "large centralized" providers 
> you
> mention over my telco.

I expect that most of the telcos are unlikely to have any instrumentation for 
tracking users beyond what is needed to ensure the service works. The companies 
that are offering DoH as a service and have gone so far as to talk about what 
they’re doing with the data likely have a lot more instrumentation and the 
ability to track users than the telcos do. 

At least one of the major players in the DoH space has already helped doxx 
women online. As a woman who has been stalked online repeatedly simply for 
existing and having opinions that some men disagree with, this is a serious 
issue that isn’t mentioned nearly enough when we’re talking about privacy. Said 
provider has a lot of other dodgy behavior to atone for as well. That’s just 
the obvious - they gave a woman’s personal away when she reported online abuse 
and she was chased out of her home. They’re still supporting a policy of 
doxxing people who complain about abuse online. 

This isn’t the only problem with said provider by any means, but believing that 
the providers who have instrumentation to track who you are by DNS are somehow 
much better than telcos is fantastical thinking I just don’t understand. 

Yeah, my telco can have the data long before I’ll give That Provider anything.

laura 

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741  

Email Delivery Blog: https://wordtothewise.com/blog 









Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-07 Thread Brandon Long via mailop
On Tue, Jul 7, 2020 at 5:20 AM Stuart Henderson via mailop <
mailop@mailop.org> wrote:

> On 2020/07/07 10:27, Noel Butler via mailop wrote:
> > On 07/07/2020 01:01, Johann Klasek via mailop wrote:
> >
> >
> > I have been told that DoH is set into place to solve the privacy
> > problem. On a small DNS workgroup meeting I saw a presentation on how
> > they statistically identify users by their DNS traffic, and could
> create
> > a profile with interests and affectations these users have. I think
> DNS
> > is not that anonymous one would expect.
> >
> >
> >
> > Don't you think there is more chance of a perfect picture of you being
> built from, ohh i dunno,
> > long standing things like, netflow  :)
> >
> > It will tell me a whole lot more about you than any DNS query could.
>
> Straying a bit off-topic but, with traditional DNS requests are often
> aggregated first with other devices in your house/company by a local
> forwarder or NAT, then again at your ISP with their other customers,
> before being passed on to other servers with whom you don't have a
> customer relationship.
>
> Looking at netflow data, it's at least aggregated with other devices
> behind the same NAT IP, and a lot of it is just "tcp 443 to cloudflare"
> or whatever which tells a lot less than DNS query data.
>
> With DoH the query stream immediately goes to somewhere that often
> you don't have a customer relationship, and is separated nicely
> per-application (not even per-device), so yes a DNS provider very
> often does get a better picture of you than an ISP would have from
> netflow data.
>

There seems to be a lot of mixing of the technical DOH vs the Mozilla
implementation (push everyone to
use certified providers).  Ie, Chrome is defaulting to using DOH for the
same DNS provider you're already using (if they support it), which
doesn't seem like it makes much difference from the policy/privacy
discussion here.

Of course, Chrome also probably supports the enterprise policies to set DOH
as well (though I haven't looked).

And, especially for mobile clients, DOH means that DNS queries for Chrome
will go through the same corp proxies you're already
using, instead of leaking internal web requests to external dns providers.
Mozilla is likely the same there.

And I think this discussion is underestimating the number of users already
being tracked at the DNS level by their ISPs.
I know I may be odd here working for one of the big players, but I trust
the privacy policies and statements of some of the "large centralized"
providers you
mention over my telco.

I do agree that the concept of running DNS over HTTPS seems completely
bonkers at a first pass.

Brandon


Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-07 Thread Michael Orlitzky via mailop
On 2020-07-06 06:37:54, Matt Harris via mailop wrote:
>
> If said fascist regime has decided to muddle their DNS
> infrastructure by serving bogus authoritative responses for some set
> of domains they don't like, why would anyone think they wouldn't
> just set up "use-application-dns.net" to force end-users to
> continue to use their DNS servers which implement that blocking,
> too?
>

On this episode of What Could Possibly Go Wrong: we use a centralized,
government-controlled database of who's good and bad to fight fascism.

Guess who's hanging out in your browser's root CA store?



Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-07 Thread Stuart Henderson via mailop
On 2020/07/07 10:27, Noel Butler via mailop wrote:
> On 07/07/2020 01:01, Johann Klasek via mailop wrote:
> 
> 
> I have been told that DoH is set into place to solve the privacy
> problem. On a small DNS workgroup meeting I saw a presentation on how
> they statistically identify users by their DNS traffic, and could create
> a profile with interests and affectations these users have. I think DNS
> is not that anonymous one would expect.
> 
> 
> 
> Don't you think there is more chance of a perfect picture of you being built 
> from, ohh i dunno,
> long standing things like, netflow  :)
> 
> It will tell me a whole lot more about you than any DNS query could.

Straying a bit off-topic, but with traditional DNS, requests are often
aggregated first with other devices in your house/company by a local
forwarder or NAT, then again at your ISP with their other customers,
before being passed on to other servers with whom you don't have a
customer relationship.

Looking at netflow data, it's at least aggregated with other devices
behind the same NAT IP, and a lot of it is just "tcp 443 to cloudflare"
or whatever which tells a lot less than DNS query data.

With DoH the query stream immediately goes to somewhere that often
you don't have a customer relationship, and is separated nicely
per-application (not even per-device), so yes a DNS provider very
often does get a better picture of you than an ISP would have from
netflow data.




Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-07 Thread Thomas Walter via mailop


On 07.07.20 06:59, Andrew C Aitchison via mailop wrote:
>> Historically, 'choosing' to set your DNS provider at the OS was an end
>> user choice, but with D'oh, it opens the door to the application layer
>> to bypass firewall rules as well.
> 
> ?? Historically the DNS provider was set by the machine's admin,
> not by the user. On any multi-user system that difference mattered.

And exactly that will happen on the desktop in enterprise environments
with DNS or DOH as with any other setting.

Regards,
Thomas Walter

-- 
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/





Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread Noel Butler via mailop
On 07/07/2020 15:11, Andrew C Aitchison via mailop wrote:

> On Tue, 7 Jul 2020, Noel Butler via mailop wrote:
>> On 07/07/2020 01:01, Johann Klasek via mailop wrote:
>>> I have been told that DoH is set into place to solve the privacy
>>> problem. On a small DNS workgroup meeting I saw a presentation on how
>>> they statistically identify users by their DNS traffic, and could create
>>> a profile with interests and affectations these users have. I think DNS
>>> is not that anonymous one would expect.
>>
>> Don't you think there is more chance of a perfect picture of you being
>> built from, ohh i dunno, long standing things like, netflow :)
>
> On the whole yes.
>
> With shared hosting and content delivery networks ISPs have access to
> less of the relevant netflow data - which means Cloudflare wins again ?

Perhaps, but they are trying to force a change on 99.999% of the
world where the problem does not exist.

Even here in Australia, with metadata retention laws, web browsing and
DNS are specifically excluded, as in much of the rest of the western
world; admins don't care. Australia, like Europe, also has strong privacy
laws.

Mozilla and Cloudflare centralising the internet might be fine if you're
from China or North Korea, but it's unacceptable in the rest of the
world.

The world of shared hosting won't matter too much, because they will know
which site on that IP you're hitting, if they want to.

At present there are workarounds, yes, but if they take them away, there
are still ways and means to deny DoH, and I guess it will mean far fewer
support staff will be needed, reducing CSR operating costs, which should
also result in fewer system admins.

Simple IVR option: "If you're calling about a web site that's unreachable,
press 5"

ivr-options-5 set announcement go-call-cloudfare-or-mozilla  set
end-call

hr more profits, hey thanks Mozilla :)

-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread Andrew C Aitchison via mailop

On Tue, 7 Jul 2020, Noel Butler via mailop wrote:
> On 07/07/2020 01:01, Johann Klasek via mailop wrote:
>> I have been told that DoH is set into place to solve the privacy
>> problem. On a small DNS workgroup meeting I saw a presentation on how
>> they statistically identify users by their DNS traffic, and could create
>> a profile with interests and affectations these users have. I think DNS
>> is not that anonymous one would expect.
>
> Don't you think there is more chance of a perfect picture of you being
> built from, ohh i dunno, long standing things like, netflow  :)

On the whole yes.

With shared hosting and content delivery networks ISPs have access to
less of the relevant netflow data - which means Cloudflare wins again ?


--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread Andrew C Aitchison via mailop


Executive summary:
DoH is intended to reset the balance of control and data collection
from ISPs, system and network administrators towards (browser) users.

On Mon, 6 Jul 2020, Michael Peddemors via mailop wrote:

> One thing not mentioned so far in this thread, is data collection..
>
> While many D'oh providers claim NOT to log or track, simply by using HTTPS
> opens up the door to exposing personal browsing habits..

No. They were already exposed. DoH allows whoever configures it
(see below) to choose who gets to see the personal browsing habits.

> It is very easy to simply 'extend' any HTTPS request, to include other
> information in the request that can be used to uniquely identify the user.
>
> Only a matter of time..

Good point, that I hadn't heard before.

> DNS was just that, DNS.. and effectively anonymous.

Technically anonymous, in that there is no official mapping from
machine to user. In many environments the DNS provider had some access
to that mapping, though DoH does expose the user as well as the
machine.

> My tinfoil hat spidey sense tells me that this is a move towards both big
> brother, as well as data collection..

As I understand it, Mozilla (Firefox) is championing DoH because
it wants *users* to be able to control who collects that data,
not sysadmins, network admins or ISPs.

On a related point, Vittorio Bertola said:

> making sure that the four browser makers that control >90% of the world's
> browsers get to choose who is allowed to provide DNS resolution to their
> users (including doing it themselves or requiring DNS providers to strike
> business deals with them before allowing them into their list).

As I understand it, the browser user controls the DNS provider.
Mozilla, at least, is striking deals to ensure that providers who
share Mozilla's philosophy are available.

> Historically, 'choosing' to set your DNS provider at the OS was an end user
> choice, but with D'oh, it opens the door to the application layer to bypass
> firewall rules as well.

?? Historically the DNS provider was set by the machine's admin,
not by the user. On any multi-user system that difference mattered.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk



Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread Noel Butler via mailop
On 07/07/2020 01:49, John Levine via mailop wrote:

> In article <20200706150152.ga9...@tron.kom.tuwien.ac.at>, 
> 
>> I have been told that DoH is set into place to solve the privacy
>> problem. On a small DNS workgroup meeting I saw a presentation on how
>> they statistically identify users by their DNS traffic, and could create
>> a profile with interests and affectations these users have. I think DNS
>> is not that anonymous one would expect.
> 
> It's not anonymous at all.  The question is who's going to collect the data.
> 
> I would not put Cloudflare at the top of that list.

Many would. 

The original announcement on this said they WERE logging requests for
30 days, then the data would be destroyed; magically, that announcement
no longer existed a few weeks later, perhaps it was meant for internal use.
I dunno, even if Matthew Prince came here and said they were not
logging, I still would be VERY skeptical and not take him at face value.
I don't trust organisations that want to try to centralise the Internet.

But don't worry, I don't trust google facebook IBM or Cisco either. 

-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread Noel Butler via mailop
On 07/07/2020 01:01, Johann Klasek via mailop wrote:

> I have been told that DoH is set into place to solve the privacy
> problem. On a small DNS workgroup meeting I saw a presentation on how
> they statistically identify users by their DNS traffic, and could create
> a profile with interests and affectations these users have. I think DNS
> is not that anonymous one would expect.

Don't you think there is more chance of a perfect picture of you being
built from, ohh i dunno, long standing things like, netflow  :) 

It will tell me a whole lot more about you than any DNS query could. 

-- 
Kind Regards, 

Noel Butler 



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-06 Thread Chris via mailop

On 2020-07-06 06:39, Jaroslaw Rafa via mailop wrote:
> On 5.07.2020 at 14:13:03 Chris via mailop wrote:
>>>> Not to mention DNS over HTTPS breaks or renders ineffective most
>>>> types of content filtering.
>>>
>>> That's a secondary concern perhaps. I'm betting 99% of users don't
>>> have content filtering and don't want it.
>>
>> Corporates need it.  Not all users are retail.
>
> But is content filtering - especially in corporations - really based on DNS?


Yes, really.  In a previous life I worked for Nortel in network 
security.  You may have heard of it.  We used it internally and were 
spinning up products (I was involved in functional specification 
writing) around it over a decade ago.


Proofpoint and Microsoft, for example, have major anti-malware products 
based around it, and you'd be surprised at "big 5" level entities who 
are using them internally.


Then of course there's RPZ.

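As an added example (not code posted by anyone in this thread), here is the DNS-level filtering Chris is referring to, in the form of a response-policy zone (RPZ). It is also one way to act on Omer's remark about blocking at the DNS level and on the "use-application-dns.net" canary quoted in Michael Orlitzky's message: a small Python evaluator for RPZ QNAME triggers (exact name first, then the closest enclosing wildcard; `CNAME .` = NXDOMAIN, `CNAME *.` = NODATA, `CNAME rpz-passthru.` = exempt) plus a renderer that emits the policy as a BIND-style zone. The resolver and malware hostnames in POLICY are invented for illustration; only the canary name is a real one.

```python
"""Added example (not from the mailop thread): how a response-policy zone (RPZ)
decides what to do with a query, and how the same zone can answer NXDOMAIN for
the Firefox "use-application-dns.net" canary.  All names except the canary are
assumptions chosen for illustration, not a real blocklist."""
from __future__ import annotations

# RPZ QNAME-trigger records: owner name -> policy rdata, in the RPZ encodings
# ("CNAME ." = NXDOMAIN, "CNAME *." = NODATA, "CNAME rpz-passthru." = allow).
# A leading "*." owner matches any name below (but not equal to) the label.
POLICY = {
    "use-application-dns.net": "CNAME .",        # canary: NXDOMAIN disables default DoH
    "doh.example.net": "CNAME .",                # hypothetical DoH resolver (assumption)
    "*.doh.example.net": "CNAME .",
    "malware.example": "CNAME .",                # hypothetical bad domain (assumption)
    "*.malware.example": "CNAME .",
    "tracker.example": "CNAME *.",               # answer NODATA instead of NXDOMAIN
    "ok.malware.example": "CNAME rpz-passthru.", # explicit exception under a blocked tree
}

ACTIONS = {"CNAME .": "NXDOMAIN", "CNAME *.": "NODATA", "CNAME rpz-passthru.": "PASSTHRU"}


def rpz_lookup(qname: str, policy: dict[str, str] = POLICY) -> str:
    """Return the RPZ action for qname: an exact match wins, then the closest
    enclosing wildcard, else "NONE" (resolve normally).  Matching is
    case-insensitive and ignores a trailing dot, as a resolver would."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return ACTIONS[policy[name]]
    labels = name.split(".")
    for i in range(1, len(labels)):          # walk up: *.b.c, then *.c
        candidate = "*." + ".".join(labels[i:])
        if candidate in policy:
            return ACTIONS[policy[candidate]]
    return "NONE"


def render_zone(origin: str = "rpz.local", policy: dict[str, str] = POLICY) -> str:
    """Emit the policy as a BIND-style zone file body for loading as an RPZ."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )",
        "@ IN NS localhost.",
    ]
    for owner, rdata in sorted(policy.items()):
        lines.append(f"{owner} IN {rdata}")
    return "\n".join(lines) + "\n"


def filter_queries(qnames: list[str]) -> dict[str, str]:
    """Run a batch of names (e.g. pulled from resolver logs) through the policy."""
    return {q: rpz_lookup(q) for q in qnames}


if __name__ == "__main__":
    print(render_zone())
    for q, action in filter_queries(
        ["use-application-dns.net", "a.doh.example.net", "ok.malware.example",
         "deep.ok.malware.example", "tracker.example", "www.example.com"]
    ).items():
        print(f"{q:32} {action}")
```

Serving NXDOMAIN for the canary only switches off the DoH that Firefox turns on by default on its own; a user who has explicitly enabled DoH in the browser is not affected by the canary, which is why the hypothetical resolver names are blocked as well, and why Omer also mentions blocking at the IP level.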


Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread John Levine via mailop
In article <20200706150152.ga9...@tron.kom.tuwien.ac.at>,
>I have been told that DoH is set into place to solve the privacy
>problem. On a small DNS workgroup meeting I saw a presentation on how
>they statistically identify users by their DNS traffic, and could create
>a profile with interests and affectations these users have. I think DNS
>is not that anonymous one would expect.

It's not anonymous at all.  The question is who's going to collect the data.

I would not put Cloudflare at the top of that list.

R's,
John
-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly




Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread Johann Klasek via mailop
On Mon, Jul 06, 2020 at 07:10:11AM -0700, Michael Peddemors via mailop wrote:
> One thing not mentioned so far in this thread, is data collection..
>
> While many D'oh providers claim NOT to log or track, simply by using  
> HTTPS opens up the door to exposing personal browsing habits..
>
> It is very easy to simply 'extend' any HTTPS request, to include other  
> information in the request that can be used to uniquely identify the 
> user.
>
> Only a matter of time..
>
> DNS was just that, DNS.. and effectively anonymous.

I have been told that DoH is set into place to solve the privacy
problem. On a small DNS workgroup meeting I saw a presentation on how
they statistically identify users by their DNS traffic, and could create
a profile with interests and affectations these users have. I think DNS
is not as anonymous as one would expect.

DoH seems just an easy-to-grab solution, but it may just lead out of the
frying pan into the fire ...




Re: [mailop] Is DNS-over-HTTPS bad? Sure.

2020-07-06 Thread Michael Peddemors via mailop

One thing not mentioned so far in this thread, is data collection..

While many D'oh providers claim NOT to log or track, simply by using 
HTTPS opens up the door to exposing personal browsing habits..


It is very easy to simply 'extend' any HTTPS request, to include other 
information in the request that can be used to uniquely identify the user.


Only a matter of time..

DNS was just that, DNS.. and effectively anonymous.

My tinfoil hat spidey sense tells me that this is a move towards both 
big brother, as well as data collection..


Historically, 'choosing' to set your DNS provider at the OS was an end 
user choice, but with D'oh, it opens the door to the application layer 
to bypass firewall rules as well.


Not to mention, DNS queries are faster/lighter than DoH, and the caching 
is usually closer to the end user, for more efficient look-ups.


And as someone else pointed out in this thread, this was solving a 
problem that didn't exist for the vast majority of the internet, or that 
could be solved in other ways.  Kind of a big mallet for a small nail..


IMHO

On 2020-07-06 6:42 a.m., Joel M Snyder via mailop wrote:

> On 7/6/20 4:00 AM, Jaroslaw Rafa wrote:
>
>> But is content filtering - especially in corporations - really based on DNS?
>
> Yes.  There's a big company, Cisco (you may have heard of them) which
> bought OpenDNS and which is aggressively pushing their DNS-based
> filtering service (called Umbrella) as part of a 360-degree security
> portfolio.  People are buying it left and right.
>
> And for people who like the idea but who don't like Cisco (or don't want
> to pay for it), Quad9 is ready to offer the same service.
>
> RFC purists can argue all they want about how DNS filtering is bad,
> erodes trust, breaks DNSSEC, etc, but no one cares.
>
> So, yeah, content filtering is based on whatever we can get our hands on
> because we are being overwhelmed by the bad guys.  No matter what
> technical or political or philosophical barriers people are putting in
> place, IT managers in enterprises are stressed to the max and will
> accept these types of solutions to help reduce their security risk.
>
> jms


--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy, Holidays Everyone!)

2020-07-06 Thread Joel M Snyder via mailop


On 7/6/20 4:00 AM, Jaroslaw Rafa  wrote:

> But is content filtering - especially in corporations - really based on DNS?

Yes.  There's a big company, Cisco (you may have heard of them) which
bought OpenDNS and which is aggressively pushing their DNS-based
filtering service (called Umbrella) as part of a 360-degree security
portfolio.  People are buying it left and right.

And for people who like the idea but who don't like Cisco (or don't want
to pay for it), Quad9 is ready to offer the same service.

RFC purists can argue all they want about how DNS filtering is bad,
erodes trust, breaks DNSSEC, etc, but no one cares.

So, yeah, content filtering is based on whatever we can get our hands on
because we are being overwhelmed by the bad guys.  No matter what
technical or political or philosophical barriers people are putting in
place, IT managers in enterprises are stressed to the max and will
accept these types of solutions to help reduce their security risk.


jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.com   http://www.opus1.com/jms



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-06 Thread Matt Harris via mailop
On Mon, Jul 6, 2020 at 3:48 AM Vittorio Bertola via mailop <
mailop@mailop.org> wrote:

>
> The bad idea is taking an extremely marginal use case ("there is a
> dissident in a third world country whose government is blocking access to
> Wikipedia via DNS and we want to circumvent that block") and using it as an
> excuse to break by default almost any DNS-based monitoring, debugging,
> security and access control mechanism for any local network anywhere, also
> making sure that the four browser makers that control >90% of the world's
> browsers get to choose who is allowed to provide DNS resolution to their
> users (including doing it themselves or requiring DNS providers to strike
> business deals with them before allowing them into their list).
>

If said fascist regime has decided to muddle their DNS infrastructure by
serving bogus authoritative responses for some set of domains they don't
like, why would anyone think they wouldn't just set up "
use-application-dns.net" to force end-users to continue to use their DNS
servers which implement that blocking, too? I don't see how this case makes
any sense whatsoever. Dissidents in fascist regions need to be using
something like Tor, there's no logical argument here that pushing DoH as a
default setting will help them in any meaningful way. Indeed, if they are
found to be accessing the IP addresses associated with sites the regime
does not like despite the DNS blocks, they may even end up getting into
serious trouble, since DoH does nothing whatsoever to obscure or proxy the
traffic being sent to those addresses, and there's no reason the regime
could not monitor TCP connections at their international edge as well and
keep a running list of those addresses.

If that's the argument for DoH being a default setting, then it's not only
a bad argument, it's a patently dangerous one. If they are advertising this
to people living under oppressive governance as a means by which to
circumvent local policies regarding prohibited internet content, then
that's downright irresponsible.

Matt Harris|Infrastructure Lead Engineer
816-256-5446|Direct


Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-06 Thread Thomas Walter via mailop
Hello Jaroslaw,

On 06.07.20 12:39, Jaroslaw Rafa via mailop wrote:
> But is content filtering - especially in corporations - really based on DNS?

yes. That's why systems like https://pi-hole.net/ exist, even for home
users.

In Germany ISPs were even forced by lawmakers to block specific DNS
hostnames from resolving some years ago, because they thought it was an
option to block access to unlawful websites.

Regards,
Thomas Walter

-- 
Thomas Walter
Datenverarbeitungszentrale

FH Münster
- University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster

Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/





Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-06 Thread Jaroslaw Rafa via mailop
On 5.07.2020 at 14:13:03, Chris via mailop writes:
> >>Not to mention DNS over HTTPS breaks or renders ineffective most
> >>types of content filtering.
> 
> >That's a secondary concern perhaps. I'm betting 99% of users don't
> >have content filtering and don't want it.
> 
> Corporates need it.  Not all users are retail.

But is content filtering - especially in corporations - really based on DNS?

In my previous job, I worked a bit with UTMs and other content filtering
devices. None of them was based on DNS. They used URIBLs, signatures
similarly to antivirus applications, and some bayesian or other heuristics
to block content.

Yes, there was that primitive and old method of content filtering, by
putting domain names of unwanted hosts into the /etc/hosts file (or equivalent
in Windows) pointing e.g. to 127.0.0.1. It was quite popular some years ago,
but I thought nobody was using this anymore...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
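
The /etc/hosts trick Jaroslaw describes (unwanted names pointed at 127.0.0.1) and the RPZ that Chris Lewis mentioned earlier in the thread are the same policy written two ways: a list of names the local resolver should refuse to resolve. The following is an added example, my own code rather than anything posted in the thread, that parses a hosts-style blocklist and emits an RPZ zone for it. The sample entries, the zone name `rpz.local` and its nameserver `ns.rpz.local` are made up; the RPZ record forms themselves (`CNAME .` for NXDOMAIN, `*.name` for subdomains, `CNAME rpz-passthru.` for exemptions) are the standard ones.

```python
"""Convert a hosts-style blocklist into a Response Policy Zone (RPZ).

Added example for the thread; not code from any poster.  Sample data,
zone name and nameserver below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample in the /etc/hosts style: sinkholed names, comments,
# a Windows-style 0.0.0.0 entry, an ordinary mapping and a duplicate.
SAMPLE_HOSTS = """\
# blocklist (constructed sample)
127.0.0.1   ads.example           # ad network
127.0.0.1   tracker.example
0.0.0.0     malware.example       # 0.0.0.0 variant of the same trick
::1         localhost             # real localhost mapping, not a block
192.0.2.7   intranet.example      # ordinary hosts mapping, not a block
127.0.0.1   ads.example           # duplicate, must collapse
"""

# Addresses that mark a hosts entry as "sinkhole this name".
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately point at loopback and must never be blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _valid_hostname(name: str) -> bool:
    """Cheap syntactic check so garbage lines never reach the zone file."""
    return 0 < len(name) <= 253 and all(_LABEL.match(lb) for lb in name.split("."))


def parse_block_hosts(text: str) -> List[str]:
    """Return the de-duplicated names a hosts-style list points at a
    sinkhole address, in first-seen order; other mappings are ignored."""
    seen: Dict[str, None] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLE_ADDRS:
            continue                             # a real mapping, not a block
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not _valid_hostname(name):
                continue
            seen.setdefault(name, None)
    return list(seen)


def build_rpz_zone(names: Iterable[str], origin: str = "rpz.local",
                   serial: int = 1, allow: Iterable[str] = ()) -> str:
    """Emit an RPZ zone.  `name CNAME .` makes the resolver answer NXDOMAIN
    (the RPZ equivalent of the 127.0.0.1 hosts entry), `*.name CNAME .`
    covers every subdomain, and `CNAME rpz-passthru.` exempts a name; the
    more specific owner wins, so allow entries override a parent block."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{origin}.",
    ]
    for name in allow:
        lines.append(f"{name} IN CNAME rpz-passthru.")
    for name in names:
        lines.append(f"{name} IN CNAME .")
        lines.append(f"*.{name} IN CNAME .")
    return "\n".join(lines) + "\n"


def rpz_from_hosts(text: str, **zone_opts) -> str:
    """hosts-style blocklist text -> RPZ zone text."""
    return build_rpz_zone(parse_block_hosts(text), **zone_opts)


if __name__ == "__main__":
    print(rpz_from_hosts(SAMPLE_HOSTS, allow=["safe.ads.example"]))
```

The emitted zone is what you would load into a resolver that supports RPZ (in BIND, via a `response-policy { zone "rpz.local"; };` statement). It only helps, of course, for clients that actually ask that resolver, which is the point several posters make: a browser that has switched to DoH never sees the policy.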



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-06 Thread Vittorio Bertola via mailop


> On 06/07/2020 09:41 Andrew C Aitchison via mailop wrote:
> 
> I have mixed feelings about Mozilla defaulting the world (or the USA) to DoH
> (technically I don't like it, but I sympathize with the philosophical
> idea) but that doesn't explain why DoH itself is a bad idea.

DoH is not a bad idea in itself (though, well, it is not very significant 
progress for the people who use a resolver from their local network or ISP, 
which are the broad majority, as attacks on DNS traffic on the local loop are 
not common at all).

The bad idea is taking an extremely marginal use case ("there is a dissident in 
a third world country whose government is blocking access to Wikipedia via DNS 
and we want to circumvent that block") and using it as an excuse to break by 
default almost any DNS-based monitoring, debugging, security and access control 
mechanism for any local network anywhere, also making sure that the four 
browser makers that control >90% of the world's browsers get to choose who is 
allowed to provide DNS resolution to their users (including doing it themselves 
or requiring DNS providers to strike business deals with them before allowing 
them into their list).

-- 
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bert...@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-06 Thread Andrew C Aitchison via mailop


On Sun, 5 Jul 2020, Chris Lewis via mailop wrote:

> On 2020-07-05 15:19, Jay R. Ashworth via mailop wrote:
>
>> An argument I could tolerate -- corporate IT types can be expected to diagnose
>> smartly enough to deal with it... though it will still make things more
>> difficult for them.
>
> Impossible for them, short of blocking HTTPS for everything.

I was going to suggest that the canary domain "use-application-dns.net"
  https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
means that corporate IT can disable DoH without blocking all HTTPS,
but I see that "this only applies to users who have DoH enabled as the 
default option. It does not apply for users who have made the choice to 
turn on DoH by themselves."

Jay R. Ashworth also wrote:

> Everything on a machine should use the same OS provided facility for 
> looking up DNS.

I see no reason why the OS couldn't use DoH.
Ubuntu dynamically rewrites resolv.conf every time I re-plug my ethernet
cable so adding DoH to the mix isn't going to add much complexity.

https://github.com/fanf2/doh101 includes a simple script to make requests
over DoH, so you aren't limited to browsers.

> Additionally, nearly as I can tell, the aptly named D'oH is solving
> a problem that *users* don't have.  But that's a separate issue.


My impression is that the ordinary user either doesn't have,
or doesn't think that they have, problems that DoH addresses,
but that there is a small group of users who have reason to
distrust the default DNS provider and should be allowed to
choose their own.

I use DoH with Firefox for android as it is the easiest way to
override my ISP's net nanny DNS (which I want for my small son).

I have mixed feelings about Mozilla defaulting the world (or the USA) to DoH
(technically I don't like it, but I sympathize with the philosophical
idea) but that doesn't explain why DoH itself is a bad idea.

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
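
Andrew's point about the canary domain is the one check a network operator can actually run: ask the local resolver for `use-application-dns.net` and see whether the answer would keep a default-configured Firefox on the system resolver. The following is an added example (mine, not code from the thread or from Mozilla) that does that. NXDOMAIN is the documented operator signal; treating every answer without an A/AAAA address the same way is my simplification, based on Firefox resolving the canary through the system resolver, and the verdict labels are this example's own.

```python
"""Check what the local resolver says about Firefox's DoH canary domain.

Added example for the thread, not code from any poster or from Mozilla.
Mozilla documents the canary domain use-application-dns.net: a resolver
that answers NXDOMAIN for it tells a default-configured Firefox to keep
using the system resolver.  The "any answer without an address" rule and
the verdict strings below are this example's assumptions.
"""
import socket
from dataclasses import dataclass, field
from typing import List

CANARY = "use-application-dns.net"


@dataclass
class ResolverAnswer:
    rcode: str                                        # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    addresses: List[str] = field(default_factory=list)  # A/AAAA rdata, if any


def classify_canary(answer: ResolverAnswer) -> str:
    """'doh-disabled' if the answer would keep Firefox on the system
    resolver, 'doh-allowed' if Firefox would go ahead with its default
    DoH provider.  Firefox asks the system resolver, so NXDOMAIN, SERVFAIL
    and an empty NOERROR answer all look the same to it: no address."""
    if answer.rcode != "NOERROR" or not answer.addresses:
        return "doh-disabled"
    return "doh-allowed"


def probe_canary_live(name: str = CANARY) -> ResolverAnswer:
    """Ask the system resolver the way a browser would (getaddrinfo).
    getaddrinfo does not expose the DNS rcode, so any failure is reported
    as NXDOMAIN-equivalent and a success reports the addresses."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return ResolverAnswer(rcode="NXDOMAIN")
    return ResolverAnswer(rcode="NOERROR",
                          addresses=sorted({info[4][0] for info in infos}))


if __name__ == "__main__":
    ans = probe_canary_live()
    print(f"{CANARY}: {ans.rcode} {ans.addresses} -> {classify_canary(ans)}")
```

Run it from a client on the network you administer, not from the resolver host, since what matters is the view the browser gets. And, as the quoted Mozilla text says, a "doh-disabled" verdict only covers users for whom DoH is the default; a user who turned it on explicitly is unaffected by the canary.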



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread Jay R. Ashworth via mailop
- Original Message -
> From: "Chris via mailop" 

> On 2020-07-05 15:19, Jay R. Ashworth via mailop wrote:
> 
>> An argument I could tolerate -- corporate IT types can be expected to 
>> diagnose
>> smartly enough to deal with it... though it will still make things more
>> difficult for them.
> 
> Impossible for them, short of blocking HTTPS for everything.

It's possible you might have misunderstood my concern.

If I'm an IT type, and I'm trying to diagnose why *you* can't get to a website,
all my other tools -- which were built atop the system DNS resolver -- are
likely going to give me false negatives... as the telco guys used to say, "the
trouble's leaving here fine!"

I can't *tell* why your problem is happening, because I don't have diagnostic 
tools built atop D'oH *and* configured for what invisible server your browser
is using to do lookups -- which might be different from browser to browser.

In short, this multiplies the complexity of diagnosing an everyday problem...
and the complexity of my monitoring system actually *monitoring* anything...
by between .5 and 2 orders of magnitude.

That's an added workload for which my permission was neither sought nor granted,
nor has my budget or staffing been increased.

It is merely the latest (the adoption of systemd by substantially *all* the Linux
distros being one of the earliest) example of small decisions with Big Impacts
being taken in a fashion which seems to me not-at-ALL engineering driven...

which is the way both Linux and the Internet *used* to run...

which is how they got here.

I really actually don't get it.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread Chris via mailop

On 2020-07-05 15:19, Jay R. Ashworth via mailop wrote:


An argument I could tolerate -- corporate IT types can be expected to diagnose
smartly enough to deal with it... though it will still make things more
difficult for them.


Impossible for them, short of blocking HTTPS for everything.



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread Jay R. Ashworth via mailop
- Original Message -
> From: "Andy Ringsmuth via mailop" 

>> On Jul 5, 2020, at 6:00 AM, Adam Moffett via mailop  
>> wrote:
>>> Not to mention DNS over HTTPS breaks or renders ineffective most types of
>>> content filtering.
>>> 
>> That's a secondary concern perhaps. I'm betting 99% of users don't have 
>> content
>> filtering and don't want it.
> 
> As a parent, I ABSOLUTELY want content filtering. And as a sysadmin for 
> $DAYJOB
> I want it as well.

Sure.  And no one wants you not to have it.

But that's a strawman, a couple clicks to the left of the argument "should
browsers unilaterally deploy a replacement for DNS", for which the engineering
answer remains "hell, no".

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread Jay R. Ashworth via mailop
- Original Message -
> From: "Chris via mailop" 

> On 2020-07-05 07:00, Adam Moffett via mailop wrote:
>>> Not to mention DNS over HTTPS breaks or renders ineffective most types
>>> of content filtering.
> 
>> That's a secondary concern perhaps. I'm betting 99% of users don't have
>> content filtering and don't want it.
> 
> Corporates need it.  Not all users are retail.

An argument I could tolerate -- corporate IT types can be expected to diagnose
smartly enough to deal with it... though it will still make things more 
difficult for them.

But this argument does *not* justify Mozilla offering it to me -- as a default
choice no less -- on new fresh installs.  As they are.

Cheers,
- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread Andy Ringsmuth via mailop


> On Jul 5, 2020, at 6:00 AM, Adam Moffett via mailop  wrote:
> 
> 
>> 
>> Not to mention DNS over HTTPS breaks or renders ineffective most types of 
>> content filtering.
>> 
>> 
>> -Andy
>> 
> That's a secondary concern perhaps. I'm betting 99% of users don't have 
> content filtering and don't want it.
> 

As a parent, I ABSOLUTELY want content filtering. And as a sysadmin for $DAYJOB 
I want it as well.


-Andy




Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread Chris via mailop

On 2020-07-05 07:00, Adam Moffett via mailop wrote:

>> Not to mention DNS over HTTPS breaks or renders ineffective most types 
>> of content filtering.
>
> That's a secondary concern perhaps. I'm betting 99% of users don't have 
> content filtering and don't want it.

Corporates need it.  Not all users are retail.



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread John Levine via mailop
In article  you write:
>>Not to mention DNS over HTTPS breaks or renders ineffective most types of 
>>content filtering.

>That's a secondary concern perhaps. I'm betting 99% of users don't have 
>content filtering and don't want it.

When the content being filtered is phish and malware, you bet they do.

On my network, I filter a lot of ad providers. My users don't seem to
miss them. Doing at the DNS level seems to avoid a lot of those "turn
off your ad blocker" popups.

R's,
John



Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-05 Thread Adam Moffett via mailop




> Not to mention DNS over HTTPS breaks or renders ineffective most types of 
> content filtering.
>
> -Andy

That's a secondary concern perhaps. I'm betting 99% of users don't have 
content filtering and don't want it.





Re: [mailop] Is DNS-over-HTTPS bad? Sure. (was: Happy Holidays Everyone!)

2020-07-04 Thread Andy Ringsmuth via mailop

> On Jul 4, 2020, at 2:52 PM, Jay R. Ashworth via mailop  
> wrote:
> 
> - Original Message -
>> From: "Andrew C Aitchison via mailop" 
> 
>> On Tue, 30 Jun 2020, Michael Peddemors via mailop wrote:
>> 
>>> * Stop promoting DNS over HTTPS as a good thing.. ;)
>> 
>> Care to elaborate ?
> 
> Sure.  At it's most fundamental level, giving web browsers a different way to
> do DNS lookups overcomplicates debugging of problems by at least a couple 
> orders of magnitude, even before you multiply it by "trying to get a straight
> answer out of the end user".
> 
> Everything on a machine should use the same OS provided facility for looking
> up DNS.
> 
> Additionally, nearly as I can tell, the aptly named D'oH is solving a problem
> that *users* don't have.  But that's a separate issue.

Not to mention DNS over HTTPS breaks or renders ineffective most types of 
content filtering.


-Andy


