On 12/23/19 5:43 PM, D. Hugh Redelmeier via talk wrote:
| From: Giles Orr via talk <[email protected]> | Firefox now makes available DNS-over-HTTPS. I'm a big fan of security | and privacy, but I'm struggling to see the gains here: we stop some | hypothetical observer from finding out what domain name we're querying | ... and then immediately turn around and ask that domain for a web | page. You hid the destination in your first query ... only to | immediately expose it with your next query. I've not thought much about this so I probably have missed some issues. It is horrible that we haven't transitioned to DNSsec. DNS is the single worst technical weakness with no excuse. It's been 20 years of almost no adoption.
That's true. However the question is perhaps the cost of SSL encryption on older 20 year computers so too expensive. Actually most modern CPUs do encryption in instructions due to this. Not sure if SSL is as expensive as AES or SHA to compute but maybe it was. Also encryption or at least implementations of it in protocols was not taken that serious at that time. Perhaps society has changed too which is good, but a lot of people forget that the technical is dependent on other factors. Just stating its a weakness does not really matter but asking why I should care does. Look at Ipv6 or hardware supported memory sanitizing as a example which was just being added to hardware even through the issue has been known for the last 5 years.
Without DNSsec, active man-in-the-middle (MITM) attacks are easy and undetected. By "active", I mean: modify the query or query results, not just observe them. ISPs do active MITM attacks. Routers do them. Corporations do them for their employees. Governments do them. Invisibly. I'd rather trust Mozilla than everyone on my query's route. My network does not use outside recursive nameservers. I use my own in-house (literally) recursive nameserver. I could switch it to use HTTPS to talk to Mozilla's recursive nameserver if I chose to (it would involve a small matter of programming because the off-the-shelf programs don't currently support this). The fact that Mozilla put the resolver in the browser is a little ugly but understandable. - they control the browser - they have to modify one piece of software, not try to push a new feature on unwilling maintainers of perhaps a dozen pieces of software, the most important of which are closed source. This does not preclude those dozen pieces of software each adopting the new protocol. (I've been annoyed that so much of a resolver is embedded in glibc.)
That makes sense from any systems programmer who requires nameservers or DNS. At this point not having it is like not having a sockets library in my view. So the question is why don't you think this outside of glibc being already bloated in size compared to other c libraries like musl?
================ Conceptually, I don't like Mozilla being a single point of attack. This solution really must be replaced by something better. But will it?
Doubtful in the future probably due to security not being a "profit" to most companies sadly. You could set it up on the root DNS servers and have a legacy version for non DHSsec connections through. Granted this would require a major agreement from all involved parties and basically require rewriting core parts of the Internet.
There is a chance that a make-do solution like this will de-motivate possible adoption of DHSsec. That would be bad. ================ HTTPS has more setup time than UDP or TCP. But a single HTTPS pipe between your browser and Mozilla can carry many queries and responses (I assume that the DHS-over-HTTPS has been designed to support this). ================ My tentative conclusion is that this is a hack but it is a quick and simple way to somewhat better security. The slow but better ways are not working. --- Post to this mailing list [email protected] Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
Cheers, Nick --- Post to this mailing list [email protected] Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
