[talk] Vixie meeting

Raul Cuza raulcuza at gmail.com
Wed Feb 26 15:30:53 EST 2020


On Wed, Feb 26, 2020 at 3:12 PM Charles Sprickman <spork at bway.net> wrote:
>
>
> >
> >> On Feb 26, 2020, at 8:26 AM, George Rosamond <george at ceetonetechnology.com> wrote:
> >>
> >>
> >>
> >> On 2/25/20 11:19 AM, George Rosamond wrote:
> >>> As some of you may know, the Vixie meeting next week should raise some
> >>> interesting issues with DoH and DoT... basically DNS lookups encrypted
> >>> over https or tls instead of clear text over UDP.
> >>>
> >>> The issue is a bit more complex than it seems on the surface.
> >>>
> >>> Most broadly, of course DNS lookups should be encrypted, but what's
> >>> disturbing is that US FF will be set to go to Cloudflare, who obviously
> >>> know this is a wonderful data-mining opportunity.
> >>>
> >>> The whole issue of "privacy" gets distorted too easily.  Yes, you should
> >>> have privacy in DNS lookups, but sending encrypted lookups to one
> >>> provider is a recipe for privacy from "the other" while centralizing a
> >>> few huge collectors of that data.
> >>>
> >>> Yes, more providers should be running DOT servers, but that in itself
> >>> isn't the answer.
> >>>
> >>> This link raises the issue, but misses the dangerous implications of DOH:
> >>>
> >>> https://techcrunch.com/2020/02/25/firefox-dns-https-default-united-states/
> >>>
> >>
> >> This paper is an example of how centralizing DNS lookups is dangerous in
> >> more "outlier" cases with more sophisticated adversaries on the Tor
> >> network for anyone interested in diving deeper (the cached PDF version
> >> should work):
> >>
> >> https://www.freehaven.net/anonbib/#dnstor-ndss2017
>
> If I were writing some dystopian sci-fi novel, Cloudflare would be an NSA-run
> front for data collection and general spying. “Hey, HTTPS is hard! Just send
> all your encrypted web traffic to our endpoints!”, “Hey, those dastardly ISPs
> are snooping your DNS, why not point all your DNS lookups to us! (please
> ignore ways your ISP can figure out where you’re going via looking at your
> destination IPs)”.
>
> Please, nobody show me stats on what percentage of web traffic that’s not
> the top 100 sites goes through Cloudflare…
>
> C
>

but all the destination IPs belong to Cloudflare.




More information about the talk mailing list