> Moving thread from ADD to DPRIVE. > > I would suggest reaching out to the authors of > https://tools.ietf.org/html/draft-dickinson-doh-dohpe-00 if you're > interested in advancing that line of work. > > One major challenge related to User-Agent is forming a workable threat > model. It seems likely that an interested server could easily identify > distinct user agents, even without this header field. For example, the Laperdrix et al. showed that the User-Agent field carries a non-trivial amount of entropy, especially on mobile devices.
Pierre Laperdrix, Walter Rudametkin, Benoit Baudry. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. 37th IEEE Symposium on Security and Privacy. May 2016, San Jose, United States. > TLS > fingerprint alone is sufficient to uniquely identify most TLS > implementations[1], and different HTTP/2 implementations produce different Figure 5 in the TLS fingerprint study[1] shows that 99.9% of the connections share 3,000 fingerprints and that 50% of connections share just 10 fingerprints. TLS fingerprints are certainly a source of entropy, however they appear to be less identifying than the User-Agent field. So if we force curious servers to stop relying on HTTP headers and use TLS fingerprints instead then devices will become more difficult to track and I think that will be an improvement. > framing patterns. Active probing (e.g. returning slightly invalid > responses and observing how the client reacts) would likely allow the > server to identify the client software completely. > > It's harder to motivate this kind of protection if it only works against > "friendly" servers, especially because the User-Agent is extremely useful > for server operations, capacity planning, etc. > DNS servers today don't get that information from clients. Instead of trying to justify the removal of HTTP header fields we should ask for evidence in support of any additional header fields beyond the mandatory ones. The DoH request examples in RFC 8484 appear to demonstrate the minimum necessary set of HTTP headers. > The DOHPE draft also contains several other suggestions (e.g. removing > locale and language preference information) that may be easier to justify. > > [1] https://tlsfingerprint.io/ > > On Thu, Apr 11, 2019 at 3:12 PM nusenu <[email protected]> wrote: > >> >> DNS never had something like a user-agent field and that is fine, >> but since browsers send one by default during their (non-DoH) operations >> it is likely that they and other DoH clients will send the user-agent >> along with their DoH queries. >> >> This exposes unnecessary metadata to the resolver, something that >> didn't exist on the resolver before DoH. >> >> Since RFC8484 does not require user-agent headers >> applications implementing DoH should not include >> such metadata by default. >> Some DoH implementations do it currently but it is early >> enough to improve that. >> >> >> DoH Privacy Enhancement: Do not set the user-agent header for DoH >> requests >> https://bugzilla.mozilla.org/show_bug.cgi?id=1543201 >> >> >> >> -- >> https://twitter.com/nusenu_ >> https://mastodon.social/@nusenu >> >> -- >> Add mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/add >> > _______________________________________________ > dns-privacy mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dns-privacy > _______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
