I like draft-ietf-dprive-bcp-op overall. A few comments related to fingerprinting:
1. In https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-04#section-5.2.4 it mentions fingerprinting client OS by IPv4 TTL or IPv6 Hoplimit and TLS parameters. The protocol between those, TCP, isn't listed, but TCP parameters (window size, ECN support, SACK) are also reasonably unique to an operating system or the application that initiated the TCP connection.

2. What does 'tracking of TCP sessions' mean in this context?

3. OS fingerprinting is also possible via the DNS queries themselves, especially easy if the OS has built-in captive portal and Internet-connectivity detection mechanisms. For example, Apple iOS 13.1 queries both http://captive.apple.com/hotspot-detect.html and http://netcts.cdn-apple.com, Windows 10 queries http://www.msftncsi.com/ncsi.txt, and I am not sure about Android. iOS 13.1 and Windows 10 query DNS names unique to those purposes, so far as I am aware. OSs also fingerprint themselves by periodically checking for new OS versions, which is usually another unique DNS query (MacOS queries swscan.apple.com whereas iOS appears to use su.itunes.apple.com, not sure about Windows; Linux would be fingerprintable down to the distribution). Should the I-D recommend discarding that DNS correlation data?

4. A user's machine can also be fingerprinted based on its DNS queries when it joins a network (IMAP accounts, instant messaging accounts) and its periodic 3rd and 1st party software update checks, but I guess that is sort of covered by the reference to RFC6973's Surveillance in Section 5.3?

-d
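As an added illustration of point 3 (example code, not part of the message above or of the draft): a resolver operator's log filter that shows which OS hint each of the query names listed above would leak per client if the query log were retained, and then scrubs those queries before retention. The log line format and the sample lines are constructed; the name-to-OS mapping only repeats what the message lists.

```python
from collections import defaultdict

# Query names the message above identifies as OS-specific; the labels
# are an assumption for illustration, not a list from the draft.
OS_SIGNAL_NAMES = {
    "captive.apple.com": "iOS 13.1 (captive portal check)",
    "netcts.cdn-apple.com": "iOS 13.1 (connectivity check)",
    "su.itunes.apple.com": "iOS (software update)",
    "swscan.apple.com": "macOS (software update)",
    "www.msftncsi.com": "Windows 10 (NCSI)",
}

# Constructed resolver log: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = [
    "2019-10-01T08:00:01Z 192.0.2.10 captive.apple.com. A",
    "2019-10-01T08:00:02Z 192.0.2.10 netcts.cdn-apple.com. A",
    "2019-10-01T08:00:05Z 192.0.2.10 example.org. AAAA",
    "2019-10-01T08:01:00Z 192.0.2.20 www.msftncsi.com. A",
    "2019-10-01T08:01:30Z 192.0.2.20 example.com. A",
]

def parse_line(line):
    """Split one constructed log line; None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    # Normalise trailing dot and case so lookups match.
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}

def os_signal(qname):
    """Return the OS hint a query name leaks, or None."""
    return OS_SIGNAL_NAMES.get(qname)

def infer_os_per_client(lines):
    """What a retained log lets anyone holding it infer about each client."""
    hints = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and os_signal(rec["qname"]):
            hints[rec["client"]].add(os_signal(rec["qname"]))
    return {client: sorted(h) for client, h in hints.items()}

def scrub_for_retention(lines):
    """Mitigation: drop OS-identifying queries before the log is kept."""
    return [line for line in lines
            if (rec := parse_line(line)) is None
            or os_signal(rec["qname"]) is None]
```

Running `infer_os_per_client` before and after `scrub_for_retention` shows the per-client OS inference disappearing from the retained data.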
