[talk] Vixie meeting

Charles Sprickman spork at bway.net
Wed Feb 26 14:46:48 EST 2020


> 
>> On Feb 26, 2020, at 8:26 AM, George Rosamond <george at ceetonetechnology.com> wrote:
>> 
>> 
>> 
>> On 2/25/20 11:19 AM, George Rosamond wrote:
>>> As some of you may know, the Vixie meeting next week should raise some
>>> interesting issues with DoH and DoT... basically DNS lookups encrypted
>>> over https or tls instead of clear text over UDP.
>>> 
>>> The issue is a bit more complex than it seems on the surface.
>>> 
>>> Most broadly, of course DNS lookups should be encrypted, but what's
>>> disturbing is that US FF will be set to go to Cloudflare, who obviously
>>> know this is a wonderful data-mining opportunity.
>>> 
>>> The whole issue of "privacy" gets distorted too easily.  Yes, you should
>>> have privacy in DNS lookups, but sending encrypted lookups to one
>>> provider is a recipe for privacy from "the other" while centralizing a
>>> few huge collectors of that data.
>>> 
>>> Yes, more providers should be running DOT servers, but that in itself
>>> isn't the answer.
>>> 
>>> This link raises the issue, but misses the dangerous implications of DOH:
>>> 
>>> https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/
>>> 
>> 
>> This paper is an example of how centralizing DNS lookups is dangerous in
>> more "outlier" cases with more sophisticated adversaries on the Tor
>> network for anyone interested in diving deeper (the cached PDF version
>> should work):
>> 
>> https://www.freehaven.net/anonbib/#dnstor-ndss2017

If I were writing some dystopian sci-fi novel, Cloudflare would be an NSA-run
front for data collection and general spying. “Hey, HTTPS is hard! Just send
all your encrypted web traffic to our endpoints!”, “Hey, those dastardly ISPs
are snooping your DNS, why not point all your DNS lookups to us! (please
ignore ways your ISP can figure out where you’re going via looking at your
destination IPs)”.

Please, nobody show me stats on what percentage of web traffic that’s not
the top 100 sites goes through Cloudflare…

C

>> 
>> g
>> 
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org:8080/mailman/listinfo/talk
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 528 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20200226/d8433b45/attachment.bin>


More information about the talk mailing list