On Fri, Sep 22, 2017 at 3:12 PM, Christian Huitema <huitema@xxxxxxxxxxx> wrote:
> On 9/22/2017 9:24 AM, Warren Kumari wrote:
> > If Doh! is done right in my view it should be indistinguishable from
> > other web traffic and / or the collateral damage from blocking it
> > would be (hopefully!) politically untenable.
> DoH! That is indeed the main reason for doing DNS over HTTPS. The
> "JavaScript" use case is interesting, but not all that strong. We keep
> hearing about JavaScript in web pages, but that's somewhat marginal.
> Flash scripts can certainly send UDP packets, so if there was a use case
> it would not take long before JavaScript could send DNS queries over UDP.
Here is the thing. If the primary goal of a security technology is steganography it probably can't be a standard. Because once you make it a standard the authorities that you are trying to defeat have a fixed target.
We already have governments who are taking people's jobs away for having Signal on their mobile. They will not hesitate to tell Microsoft, Apple and yes, Mozilla what they can do to operate in their country. And if folk haven't noticed, the days of tech being able to ignore governments and route around them as damage are coming to an end as the Web becomes a bigger part of the economy. See what happened to Uber this week in London.
Since 'other web traffic' is increasingly going to mean QUIC, I am failing to see how the current proposal does more than produce a transitional technology that nobody is likely to ever want to use.
What we need to do is to sort out the discovery problem while taking explicit note of the fact that issues such as split DNS exist for good reason and must be supported and yes, even the fact that encryption everywhere is not always a good thing inside a network and that no, the fact that a device connects to my network does not mean it has any business connecting to the Internet or being contacted by it.
A lot of the discussion of these issues gets bogged down because the only use case people think of is a geek sitting in front of a desktop or laptop. Those are not the use cases that drive the Internet today. It is the partially sighted senior trying to use a light bulb, or call a cab or set the temperature in their apartment.
Don't anthropomorphize devices. No, a light bulb does not have a 'right' to an unrestricted, NAT-free Internet connection. In fact, if it doesn't need to connect to a device beyond its local hub, it should not have that ability.
Oh and we need to see more than one wolf. If you think the only threat here is the folk in Fort Meade then you have not been paying attention at all.