Re: FYI: Short Nightly Shield Study involving DNS over HTTPS (DoH)

2018-03-18 Thread Eric Shepherd (Sheppy)
I definitely see some easy ways this could be problematic from a public
relations perspective given things going on in the industry these days and
some of our own mistakes in the past. It's definitely worth taking a
little while to consider the implications before throwing the switch.

On Sun, Mar 18, 2018 at 8:39 PM, Dave Townsend wrote:

> On Sun, Mar 18, 2018 at 5:27 PM Patrick McManus wrote:
>
> > Obviously, using a central resolver is the downside to this approach - but
> > it's being explored because we believe that using the right resolver can be
> > a net win compared to the disastrous state of unsecured local DNS and
> > privacy and hijacking problems that go on there. It's just a swamp out there
> > (you can of course disable this from about:studies or just by setting your
> > local trr.mode pref to 0 - but this discussion is meaningfully about
> > defaults.)
> >
>
> I believe that a good resolver makes all the difference. I'm just concerned
> about the privacy aspects of this, particularly since we're not really
> messaging this to users. Is there a reason we need a full 50% of Nightly
> population to get the data we need here?
>
> On that topic I'm interested in what data we expect to get, is it just
> comparing how the resolver performs from a variety of locations and for a
> variety of lookups?
> Is there some mechanism in place for users whose normal DNS resolver
> intentionally returns different results to global DNS (e.g. for region
> spoofing etc.)?
>
>
> > And in this case the operating agreement with the dns provider is part of
> > making that right choice. For this test that means the operator will not
> > retain for themselves or sell/license/transfer to a third party any PII
> > (including ip addresses and other user identifiers) and will not combine
> > the data it gets from this project with any other data it might have. A
> > small amount of data necessary for troubleshooting the service can be kept
> > at most 24 hrs but that data is limited to name, dns type, a timestamp, a
> > response code, and the CDN node that served it.
> >
>
> Not retaining IP addresses is good. Can they perform aggregate tracking of
> hostname requests, or tie common hostname requests from an origin together
> somehow? What is our recourse if they break this agreement (the recent
> Facebook debacle seems likely to make folks jumpy).
-- 

Eric Shepherd
Senior Technical Writer
Mozilla
Blog: http://www.bitstampede.com/
Twitter: http://twitter.com/sheppy
Check my Availability 
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: FYI: Short Nightly Shield Study involving DNS over HTTPS (DoH)

2018-03-18 Thread Dave Townsend
On Sun, Mar 18, 2018 at 5:27 PM Patrick McManus wrote:

> Obviously, using a central resolver is the downside to this approach - but
> it's being explored because we believe that using the right resolver can be
> a net win compared to the disastrous state of unsecured local DNS and
> privacy and hijacking problems that go on there. It's just a swamp out there
> (you can of course disable this from about:studies or just by setting your
> local trr.mode pref to 0 - but this discussion is meaningfully about
> defaults.)
>

I believe that a good resolver makes all the difference. I'm just concerned
about the privacy aspects of this, particularly since we're not really
messaging this to users. Is there a reason we need a full 50% of Nightly
population to get the data we need here?

On that topic I'm interested in what data we expect to get, is it just
comparing how the resolver performs from a variety of locations and for a
variety of lookups?
Is there some mechanism in place for users whose normal DNS resolver
intentionally returns different results to global DNS (e.g. for region
spoofing etc.)?


> And in this case the operating agreement with the dns provider is part of
> making that right choice. For this test that means the operator will not
> retain for themselves or sell/license/transfer to a third party any PII
> (including ip addresses and other user identifiers) and will not combine
> the data it gets from this project with any other data it might have. A
> small amount of data necessary for troubleshooting the service can be kept
> at most 24 hrs but that data is limited to name, dns type, a timestamp, a
> response code, and the CDN node that served it.
>

Not retaining IP addresses is good. Can they perform aggregate tracking of
hostname requests, or tie common hostname requests from an origin together
somehow? What is our recourse if they break this agreement (the recent
Facebook debacle seems likely to make folks jumpy).


Re: FYI: Short Nightly Shield Study involving DNS over HTTPS (DoH)

2018-03-18 Thread Patrick McManus
Obviously, using a central resolver is the downside to this approach - but
it's being explored because we believe that using the right resolver can be
a net win compared to the disastrous state of unsecured local DNS and
privacy and hijacking problems that go on there. It's just a swamp out there
(you can of course disable this from about:studies or just by setting your
local trr.mode pref to 0 - but this discussion is meaningfully about
defaults.)

And in this case the operating agreement with the dns provider is part of
making that right choice. For this test that means the operator will not
retain for themselves or sell/license/transfer to a third party any PII
(including ip addresses and other user identifiers) and will not combine
the data it gets from this project with any other data it might have. A
small amount of data necessary for troubleshooting the service can be kept
at most 24 hrs but that data is limited to name, dns type, a timestamp, a
response code, and the CDN node that served it.
On Sun, Mar 18, 2018 at 11:51 PM, Dave Townsend wrote:

> On Sat, Mar 17, 2018 at 3:51 AM Patrick McManus wrote:
>
>> DoH is an open standard and for this test we'll be using the DoH server
>> implementation at Cloudflare. As is typical for Mozilla, when we
>> default-interact with a third party service we have a legal agreement in
>> place to look out for the data retention/use/redistribution/etc interests
>> of both our users and Mozilla itself.
>>
>
> So my understanding of the study is that for those in the study branch
> (50% of Nightly users) we'll be sending every hostname they visit to
> Cloudflare. That sounds problematic to me. Can you give more details about
> the legal agreement?
>


Re: FYI: Short Nightly Shield Study involving DNS over HTTPS (DoH)

2018-03-18 Thread Dave Townsend
On Sat, Mar 17, 2018 at 3:51 AM Patrick McManus wrote:

> DoH is an open standard and for this test we'll be using the DoH server
> implementation at Cloudflare. As is typical for Mozilla, when we
> default-interact with a third party service we have a legal agreement in
> place to look out for the data retention/use/redistribution/etc interests
> of both our users and Mozilla itself.
>

So my understanding of the study is that for those in the study branch (50%
of Nightly users) we'll be sending every hostname they visit to Cloudflare.
That sounds problematic to me. Can you give more details about the legal
agreement?