Daniel Kahn Gillmor <[email protected]> writes:

> I have *not* done any analysis of the larger, less-corner-y cases to
> see whether there's a strong argument for or against treating data
> that came in under confidential cover differently once it's in the
> cache.

Technically, it's near impossible to completely protect privacy unless you don't use a cache. Imagine the case where someone goes to a coffee shop first thing every morning that supports a TLS based resolver. A second "customer" 5 minutes later can then perform queries to the resolver (regardless of TLS or not) for a slew of names to find which were "in cache" and responding quickly. You now know that person #1 went to sites A, X and Y since they returned in < 5ms, but not the rest of the alphabet which returned in > 5ms.

However, I don't think this changes the nature of whether or not the caches should be separate. If anything, it may argue for a shared cache so that normal traffic from non-privacy protected lookups will mean someone snooping caches for private-protected lookups won't know it came from a TLS-based user.

[And, no, we shouldn't go down the road of "privacy requires you disable the cache"]

--
Wes Hardaker
My Pictures: http://capturedonearth.com/
My Thoughts: http://blog.capturedonearth.com/

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
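A toy simulation of the two cache designs contrasted in the message above (one cache per transport versus one shared cache), added here as an illustration and not code from the thread or from any resolver. The names, latencies, TTL and the 5 ms threshold are constructed; it models only whether a fast answer can be tied to the TLS-using client.

```python
"""Toy resolver cache: compare 'separate caches' vs 'shared cache'.
Constructed example; HIT_MS/MISS_MS/ttl are made-up values."""
from dataclasses import dataclass, field

HIT_MS, MISS_MS = 1.0, 40.0   # assumed latency: cached answer vs upstream fetch
THRESHOLD_MS = 5.0            # the "< 5ms" heuristic from the post


@dataclass
class Resolver:
    separate: bool            # True = one cache per transport, False = shared
    ttl: float = 300.0        # seconds, constructed
    caches: dict = field(default_factory=lambda: {"tls": {}, "udp": {}})

    def _cache(self, transport):
        # With a shared cache every transport lands in the same dict.
        return self.caches[transport if self.separate else "udp"]

    def query(self, name, transport, now):
        """Return simulated latency in ms; a miss fills the cache."""
        c = self._cache(transport)
        expires = c.get(name)
        if expires is not None and expires > now:
            return HIT_MS
        c[name] = now + self.ttl
        return MISS_MS


def fast_names(resolver, names, transport, now):
    """Names that answer quickly enough to look cached (the probe's view)."""
    return {n for n in names if resolver.query(n, transport, now) < THRESHOLD_MS}


def scenario(separate):
    """Customer #1 uses TLS at t=0; an ordinary UDP client queries at t=60;
    a later TLS client probes the whole 'alphabet' at t=240."""
    r = Resolver(separate=separate)
    for n in ("a.example", "x.example", "y.example"):
        r.query(n, "tls", 0.0)
    for n in ("x.example", "b.example"):
        r.query(n, "udp", 60.0)
    alphabet = [f"{chr(c)}.example" for c in range(ord("a"), ord("z") + 1)]
    return fast_names(r, alphabet, "tls", 240.0)
```

With separate caches every fast name seen over TLS was necessarily looked up by a TLS client; with a shared cache the UDP client's b.example appears alongside them and the observer cannot tell which transport filled any entry, which is the cover Wes describes.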
