[Cryptography] Let's not talk about DoH, or Well, that only took ten years

Phillip Hallam-Baker phill at hallambaker.com
Sun Aug 18 11:57:39 EDT 2019


On Sat, Aug 17, 2019 at 5:31 PM John Levine <johnl at iecc.com> wrote:

> In article <CABrRNSVPC8N=TpN4G8r+d0JnmR8X7X8PdfLKFQ-eVr6=
> FOpzpw at mail.gmail.com> you write:
> > The next major advance in browser PKI is already here in Firefox. It is DNS
> > over HTTPS which needs to be manually turned on (separately, the default
> > resolver, provided by Cloudflare, also supports DNSSEC). ...
>
> For anyone who hasn't been paying attention, DoH is an incredible can
> of worms.  Yes, it protects your DNS query stream against snooping,
> but you can get that much more cheaply with DNS over TLS or DoT,
> described in RFC 8310.
>

+1

> Although there are some uncontroversial uses of DoH (e.g. letting
> Javascript apps look up TXT and NAPTR records) its main point is to
> hide the DNS traffic in HTTPS traffic and circumvent networks' DNS
> filters.  If you believe that network managers are all malicious, a
> surprisingly popular viewpoint in the IETF, this is good.  Those of us
> who use DNS filters to keep our users away from malware droppers and
> botnet command and control hosts, and use split horizon DNS so our
> users can use local network resources, find it not good at all.
>

My specific problem with DoH is that it moves the control point from the
user to one of the sites they are visiting.

What we need to do is to move the control point to the USER or a party
chosen by the user.
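The "control point" argument in the exchange above is easiest to see in code. The following is an added example, not code from the thread or from any of the projects mentioned: it models a network operator's filtering and split-horizon resolver beside an external resolver that an application reaches over DoH, and then runs a small bypass check over constructed flow-log lines. The blocklist, internal zone, public answers, resolver address, DoH hostname and log lines are all constructed for illustration and are not taken from the thread.

```python
"""Model of where DNS policy is applied, plus a resolver-bypass check.

Added example (not from the thread). Every name, address and log line below
is constructed; an operator would substitute their own zone, blocklist and
list of known DoH endpoints.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed operator policy: names the network resolver refuses to answer.
BLOCKLIST = {"dropper.example.net", "c2.example.org"}
# Constructed split-horizon zone: answers that only exist inside the network.
INTERNAL_ZONE = {"intranet.corp.example": "10.0.5.20", "git.corp.example": "10.0.5.21"}
# Constructed public DNS data as an outside resolver would see it.
PUBLIC = {"www.example.com": "93.184.216.34", "dropper.example.net": "203.0.113.9"}


@dataclass
class Answer:
    name: str
    address: Optional[str]
    source: str  # one of: blocked, internal, public, nxdomain


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def network_resolver(name: str) -> Answer:
    """The operator's resolver: applies blocklist and split-horizon policy."""
    name = _canon(name)
    if name in BLOCKLIST:
        return Answer(name, None, "blocked")
    if name in INTERNAL_ZONE:
        return Answer(name, INTERNAL_ZONE[name], "internal")
    addr = PUBLIC.get(name)
    return Answer(name, addr, "public" if addr else "nxdomain")


def external_resolver(name: str) -> Answer:
    """A resolver chosen by the application (e.g. reached over DoH).

    It has no knowledge of the local policy, so blocked names resolve and
    internal names do not exist.
    """
    name = _canon(name)
    addr = PUBLIC.get(name)
    return Answer(name, addr, "public" if addr else "nxdomain")


def compare(name: str) -> Tuple[str, str]:
    """Show the policy difference for one name: (network view, external view)."""
    return network_resolver(name).source, external_resolver(name).source


# --- Bypass detection over constructed flow records --------------------------

LOCAL_RESOLVER = ipaddress.ip_address("10.0.0.53")   # constructed
DOH_SNI = {"doh.resolver.example"}                      # constructed placeholder list

# Constructed flow log: "<client> <dst_ip> <dst_port> <tls_sni or ->"
FLOW_LOG = """\
10.0.7.14 10.0.0.53 53 -
10.0.7.14 93.184.216.34 443 www.example.com
10.0.7.15 198.51.100.7 443 doh.resolver.example
10.0.7.16 198.51.100.8 853 -
10.0.7.17 198.51.100.9 53 -
"""


def find_resolver_bypass(log_text: str) -> List[Tuple[str, str]]:
    """Flag clients whose name resolution no longer goes through LOCAL_RESOLVER.

    Three cases are distinguished: plain DNS to a foreign resolver, DoT
    (port 853) to a foreign resolver, and TLS to a hostname on the DoH list.
    """
    findings = []
    for line in log_text.splitlines():
        client, dst, port, sni = line.split()
        dst_ip = ipaddress.ip_address(dst)
        port = int(port)
        if port == 53 and dst_ip != LOCAL_RESOLVER:
            findings.append((client, "plain DNS to non-local resolver"))
        elif port == 853 and dst_ip != LOCAL_RESOLVER:
            findings.append((client, "DoT to non-local resolver"))
        elif port == 443 and sni in DOH_SNI:
            findings.append((client, "DoH to external resolver"))
    return findings


if __name__ == "__main__":
    for n in ("dropper.example.net", "intranet.corp.example", "www.example.com"):
        print(n, compare(n))
    for client, reason in find_resolver_bypass(FLOW_LOG):
        print(client, reason)
```

Running it shows the two views diverging exactly where the thread says they do: the blocked dropper name resolves through the external resolver, and the split-horizon intranet name returns NXDOMAIN there. The flow check is deliberately coarse (it keys on destination port and TLS SNI, both of which are visible to the network) and is meant as a starting point for an operator who wants to know which clients have moved their resolution out of the network's control.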