(This distribution list is too scattered and diverse. Be
great if some AD or someone just picked one list for this.
In the meantime...)

On 11/03/2019 20:43, nalini elkins wrote:
> impact assessment that certain changes such as
> DoH and TLS1.3 will have on enterprises,

TLS1.3 will, I expect, noticeably improve security for an awful
lot of enterprises in time.

As for DoH, I wonder has anyone done studies on how split-horizon
names and access patterns leak today?

I don't recall having read that kind of study. I can imagine
many ways in which that kind of stuff would leak. I'd be very
surprised if it never happens. I don't know how often it does.

For names, leaking once is kinda fatal. For access patterns,
I guess one leak exposes an IP address that's interested in a
name (e.g. secret-project.example.com) but more would be
needed for broader access patterns to be exposed to "foreign"
recursives and/or in-band networks.

ISTM that it is quite possible that enterprises that deploy their
own DoH services could potentially reduce such leakage and gain
overall. (I'm assuming here that sensible browser-makers will
end up providing something that works for browsers running in
networks with split-horizon setups before those browsers turn
on DoH as a default at scale.)

Cheers,
S.


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
