Discussion:
[tor-dev] DoH over non-HTTPS onion v3
nusenu
2018-06-17 00:15:00 UTC
Hi,

this is just a short heads-up.

I'm currently tinkering with how we could
improve DNS security and privacy for tor clients. My idea write-up is not done
yet, but since the IETF DoH WG [1] is proceeding towards their next steps
I wanted to move now before it might be too late and let you know that I
might ask them if they want to allow non-HTTPS URIs in the case of
onion v3 addresses (currently HTTPS is required). This might be handy for TB in the future.
If you have objections let me know.

I also reached out to Seth Schoen and asked him about his
efforts to make onion v3 DV certificates acceptable to the CA/Browser Forum
(if that is possible then the HTTPS requirement isn't a problem for DoH over onion v3).

regards,
nusenu


[1] https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https
--
https://mastodon.social/@nusenu
twitter: @nusenu_
George Kadianakis
2018-06-24 00:19:20 UTC
Post by nusenu
Hi,
this is just a short heads-up.
I'm currently tinkering with how we could
improve DNS security and privacy for tor clients. My idea write-up is not done
yet, but since the IETF DoH WG [1] is proceeding towards their next steps
I wanted to move now before it might be too late and let you know that I
might ask them if they want to allow non-HTTPS URIs in the case of
onion v3 addresses (currently HTTPS is required). This might be handy for TB in the future.
If you have objections let me know.
I also reached out to Seth Schoen and asked him about his
efforts to make onion v3 DV certificates acceptable to the CA/Browser Forum
(if that is possible then the HTTPS requirement isn't a problem for DoH over onion v3).
IIUC, you are trying to persuade the working group that they can use
HTTP v3 onions as DNS resolvers.

Sounds good to me! Let us know how we can support you with this :)
nusenu
2018-06-24 09:32:00 UTC
Post by George Kadianakis
Post by nusenu
this is just a short heads-up.
I'm currently tinkering with how we could
improve DNS security and privacy for tor clients. My idea write-up is not done
yet, but since the IETF DoH WG [1] is proceeding towards their next steps
I wanted to move now before it might be too late and let you know that I
might ask them if they want to allow non-HTTPS URIs in the case of
onion v3 addresses (currently HTTPS is required). This might be handy for TB in the future.
If you have objections let me know.
I also reached out to Seth Schoen and asked him about his
efforts to make onion v3 DV certificates acceptable to the CA/Browser Forum
(if that is possible then the HTTPS requirement isn't a problem for DoH over onion v3).
IIUC, you are trying to persuade the working group that they can use
HTTP v3 onions as DNS resolvers.
Sounds good to me! Let us know how we can support you with this :)
thanks for that kind offer, but I think the DoH draft authors made
some deliberate design decisions that are not in favor of
privacy by design or even privacy by default, and so I did
not even start with the onion v3 topic on the WG ML, since
the transport layer cannot solve all the tracking problems
of higher layers (HTTP).

In the Tor context you might say -
"we can address http layer privacy issues in DoH in Tor Browser"
but then you are probably better off just implementing DNS-over-TLS (DoT)
which does not come with all the privacy problems of HTTP.

If you want to read more about the entire discussion on the DoH WG ML
this is the starting point (and it is not limited to this thread):
https://mailarchive.ietf.org/arch/msg/doh/vHjITrOMhWSdrozGFe4-eGNMEJc

Also: Seth Schoen got back to me regarding Domain Validated HTTPS
certificates for onion v3, and even though it will not happen tomorrow
I have hope that it will be possible eventually (which makes my
original point, DoH over HTTP (not HTTPS) for onion v3, unnecessary
if everyone can get letsencrypt certs for their onions).
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu