> On 24 Oct 2019, at 01:04, Dan Wing <[email protected]> wrote:
>
> I like draft-ietf-dprive-bcp-op overall. A few comments related to
> fingerprinting:
>
> 1. In https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-04#section-5.2.4
> it mentions fingerprinting client OS by IPv4 TTL or IPv6 Hoplimit and TLS
> parameters. The protocol between those, TCP, isn't listed, but TCP
> parameters (window size, ECN support, SACK) are also reasonably unique to an
> operating system or the application that initiated the TCP connection.
>
> 2. What does 'tracking of TCP sessions' mean in this context?
>
> 3. OS fingerprinting is also possible via the DNS queries themselves,
> especially easy if the OS has built-in captive portal and
> Internet-connectivity detection mechanisms. For example, Apple iOS 13.1
> queries both http://captive.apple.com/hotspot-detect.html and
> http://netcts.cdn-apple.com, Windows 10 queries
> http://www.msftncsi.com/ncsi.txt, and not sure about Android. iOS 13.1 and
> Windows 10 query DNS names unique to those purposes, so far as I am aware.
>
> OSs also fingerprint themselves by periodic checking for new OS versions
> which is usually another unique DNS query (MacOS queries swscan.apple.com
> whereas iOS appears to use su.itunes.apple.com, not sure about Windows; Linux
> would be fingerprintable down to the distribution).
>
> Should the I-D recommend discarding that DNS correlation data?
>
> 4. A user's machine can also be fingerprinted based on its DNS queries when
> it joins a network (IMAP accounts, instant messaging accounts) and its
> periodic 3rd and 1st party software update checks, but I guess that is sort
> of covered by the reference to RFC6973's Surveillance in Section 5.3?
Hi Dan,
Thanks very much for these points. Does rewording the section as below better
cover this?
"DNS Privacy Threats:
* Fingerprinting of the client OS via various means including: IP
TTL/Hoplimit, TCP parameters (e.g. window size, ECN support, SACK), OS specific
DNS query patterns (e.g. for network connectivity, captive portal detection or
OS specific updates).
* Fingerprinting of the client application or TLS library by e.g. TLS
version/Cipher suite combinations or other connection parameters.
* Correlation of queries on multiple TCP sessions originating from the same IP
address
* Correlation of queries on multiple TLS sessions originating from the same
client, including via session resumption mechanisms"
Best regards
Sara.
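Dan's third point asks whether the draft should recommend discarding the DNS queries that fingerprint an OS. The following is an added example of what a resolver operator's log-retention filter for that could look like; it is not code from the draft or from either author. It assumes a constructed whitespace-separated query log (timestamp, client IP, qname, qtype) and uses only the query names Dan's message cites, grouped into categories that are purely labels for operator reporting. Matching is case-insensitive, ignores the trailing dot, and also catches subdomains of a listed name, so the operator sees how many records were dropped per category without the records themselves being retained.

```python
"""Drop OS-fingerprinting queries from a resolver query log before retention.

Added example (not part of the draft-ietf-dprive-bcp-op text or the thread).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Query names cited in Dan's message, mapped to a reporting category.
# The category labels are constructed for this example.
OS_FINGERPRINT_NAMES: Dict[str, str] = {
    "captive.apple.com": "captive-portal",       # iOS 13.1 captive portal check
    "netcts.cdn-apple.com": "connectivity-check", # iOS 13.1 connectivity check
    "www.msftncsi.com": "connectivity-check",     # Windows 10 connectivity check
    "swscan.apple.com": "os-update",              # macOS update check
    "su.itunes.apple.com": "os-update",           # iOS update check
}


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    qtype: str


def normalize(qname: str) -> str:
    """Lower-case the name and strip the trailing root dot before matching."""
    return qname.rstrip(".").lower()


def fingerprint_category(qname: str,
                         names: Dict[str, str] = OS_FINGERPRINT_NAMES
                         ) -> Optional[str]:
    """Return the category if qname equals, or is a subdomain of, a listed name.

    Walks the label suffixes right-to-left so 'probe.captive.apple.com'
    matches 'captive.apple.com' while the bare 'apple.com' does not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in names:
            return names[suffix]
    return None


def parse_line(line: str) -> Query:
    """Parse one constructed 'ts client qname qtype' log line."""
    ts, client, qname, qtype = line.split()
    return Query(ts, client, qname, qtype)


def filter_log(lines: Iterable[str]) -> Tuple[List[Query], Dict[str, int]]:
    """Return (records to retain, per-category count of dropped records)."""
    kept: List[Query] = []
    dropped: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        q = parse_line(line)
        cat = fingerprint_category(q.qname)
        if cat is None:
            kept.append(q)
        else:
            # Only the aggregate count survives; the record itself is discarded.
            dropped[cat] = dropped.get(cat, 0) + 1
    return kept, dropped


# Constructed sample log: addresses are documentation-range, names mix the
# cited OS-specific ones (in varying case, with and without trailing dot)
# with ordinary application lookups that should be retained.
SAMPLE_LOG = """
2019-10-24T01:04:00Z 192.0.2.10 captive.apple.com. A
2019-10-24T01:04:01Z 192.0.2.10 www.example.com. A
2019-10-24T01:04:02Z 192.0.2.11 WWW.MSFTNCSI.COM A
2019-10-24T01:04:03Z 192.0.2.11 mail.example.net. AAAA
2019-10-24T01:05:00Z 192.0.2.10 swscan.apple.com. A
2019-10-24T01:05:01Z 192.0.2.12 su.itunes.apple.com A
2019-10-24T01:05:02Z 192.0.2.12 probe.captive.apple.com. A
"""

if __name__ == "__main__":
    retained, counts = filter_log(SAMPLE_LOG.splitlines())
    for q in retained:
        print(q.ts, q.client, q.qname, q.qtype)
    print("dropped:", counts)
```

The suffix walk in `fingerprint_category` is deliberate: matching only exact names would let a single extra label defeat the filter, while a plain substring match would also discard unrelated names that merely contain a listed one. The drop list is data, so an operator can extend it as new OS-specific names are observed without touching the filtering logic.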
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy