Yes, thanks -- that covers what I wrote. Thanks!
I have also noticed concern with HTTP headers disclosing client-identifying information so might want to also mention "HTTP headers (e.g., User-Agent, Accept, Accept-Encoding)" or similar.

-d

On Oct 29, 2019, at 5:47 AM, Sara Dickinson <[email protected]> wrote:

>> On 24 Oct 2019, at 01:04, Dan Wing <[email protected]> wrote:
>>
>> I like draft-ietf-dprive-bcp-op overall. A few comments related to
>> fingerprinting:
>>
>> 1. In https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-04#section-5.2.4
>> it mentions fingerprinting client OS by IPv4 TTL or IPv6 Hoplimit and TLS
>> parameters. The protocol between those, TCP, isn't listed, but TCP
>> parameters (window size, ECN support, SACK) are also reasonably unique to an
>> operating system or the application that initiated the TCP connection.
>>
>> 2. What does 'tracking of TCP sessions' mean in this context?
>>
>> 3. OS fingerprinting is also possible via the DNS queries themselves,
>> especially easy if the OS has built-in captive portal and
>> Internet-connectivity detection mechanisms. For example, Apple iOS 13.1
>> queries both http://captive.apple.com/hotspot-detect.html and
>> http://netcts.cdn-apple.com, Windows 10 queries
>> http://www.msftncsi.com/ncsi.txt, and not sure about Android. iOS 13.1 and
>> Windows 10 query DNS names unique to those purposes, so far as I am aware.
>>
>> OSs also fingerprint themselves by periodic checking for new OS versions
>> which is usually another unique DNS query (MacOS queries swscan.apple.com
>> whereas iOS appears to use su.itunes.apple.com, not sure about Windows;
>> Linux would be fingerprintable down to the distribution).
>>
>> Should the I-D recommend discarding that DNS correlation data?
>>
>> 4. A user's machine can also be fingerprinted based on its DNS queries when
>> it joins a network (IMAP accounts, instant messaging accounts) and its
>> periodic 3rd and 1st party software update checks, but I guess that is sort
>> of covered by the reference to RFC6973's Surveillance in Section 5.3?
>
> Hi Dan,
>
> Thanks very much for these points. Does rewording the section as below better
> cover this?
>
> "DNS Privacy Threats:
>
> * Fingerprinting of the client OS via various means including: IP
> TTL/Hoplimit, TCP parameters (e.g. window size, ECN support, SACK), OS
> specific DNS query patterns (e.g. for network connectivity, captive portal
> detection or OS specific updates).
>
> * Fingerprinting of the client application or TLS library by e.g. TLS
> version/Cipher suite combinations or other connection parameters.
>
> * Correlation of queries on multiple TCP sessions originating from the same
> IP address
>
> * Correlating of queries on multiple TLS sessions originating from the same
> client, including via session resumption mechanisms"
>
> Best regards
>
> Sara.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
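An added example, not part of the original message or of the draft, for the thread's question about discarding DNS correlation data: a resolver operator's audit of which retained log entries tie a client address to an OS-specific query name, and one possible minimisation step. The log format, the client addresses, the exact-name matching and the choice to blank the client address are assumptions; the query names are the ones quoted in the thread.

```python
# Names quoted in the thread; the labels paraphrase what the thread says.
OS_PROBE_NAMES = {
    "captive.apple.com": "iOS connectivity/captive-portal detection",
    "netcts.cdn-apple.com": "iOS connectivity/captive-portal detection",
    "www.msftncsi.com": "Windows 10 connectivity detection",
    "swscan.apple.com": "MacOS update check",
    "su.itunes.apple.com": "iOS update check",
}

# Constructed sample log of (client address, query name). Not real traffic.
SAMPLE_LOG = [
    ("192.0.2.10", "captive.apple.com."),
    ("192.0.2.10", "www.example.org."),
    ("192.0.2.20", "WWW.MSFTNCSI.COM"),
    ("192.0.2.20", "mail.example.net."),
    ("2001:db8::30", "swscan.apple.com"),
    ("192.0.2.40", "www.example.com."),
]


def normalize(qname):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return qname.rstrip(".").lower()


def os_hints_by_client(log):
    """Map each logged client to the OS hints its retained queries reveal."""
    hints = {}
    for client, qname in log:
        label = OS_PROBE_NAMES.get(normalize(qname))
        if label and client is not None:
            hints.setdefault(client, set()).add(label)
    return hints


def minimize(log):
    """Blank the client address on OS-probe entries before the log is stored."""
    return [
        (None if normalize(qname) in OS_PROBE_NAMES else client, qname)
        for client, qname in log
    ]


if __name__ == "__main__":
    for client, labels in sorted(os_hints_by_client(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(sorted(labels)))
    print("after minimisation:", os_hints_by_client(minimize(SAMPLE_LOG)))
```

This covers only the DNS-name signal from point 3; the IP TTL/Hoplimit, TCP and TLS parameters listed in the reworded section never appear in a query log and have to be handled where packets or connection metadata are captured.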
