Hi,
this is just a short heads-up.
I'm currently tinkering with how we could improve DNS security and privacy for Tor clients. My idea write-up is not done yet, but since the IETF DoH WG [1] is proceeding towards their next steps I wanted to move now before it might be too late and let you know that I might ask them if they want to allow non-HTTPS URIs in the case of onion v3 addresses (currently HTTPS is required). This might be handy for TB in the future. If you have objections let me know.
I also reached out to Seth Schoen and asked him about his efforts to make onion v3 DV certificates acceptable to the CA/Browser Forum (if that is possible then the HTTPS requirement isn't a problem for DoH over onion v3).
regards, nusenu
[1] https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https
nusenu <nusenu-lists@riseup.net> writes:
> Hi,
> this is just a short heads-up.
> I'm currently tinkering with how we could improve DNS security and privacy for Tor clients. My idea write-up is not done yet, but since the IETF DoH WG [1] is proceeding towards their next steps I wanted to move now before it might be too late and let you know that I might ask them if they want to allow non-HTTPS URIs in the case of onion v3 addresses (currently HTTPS is required). This might be handy for TB in the future. If you have objections let me know.
> I also reached out to Seth Schoen and asked him about his efforts to make onion v3 DV certificates acceptable to the CA/Browser Forum (if that is possible then the HTTPS requirement isn't a problem for DoH over onion v3).
IIUC, you are trying to persuade the working group that they can use HTTP v3 onions as DNS resolvers.
Sounds good to me! Let us know how we can support you with this :)
George Kadianakis:
>> this is just a short heads-up.
>> I'm currently tinkering with how we could improve DNS security and privacy for Tor clients. My idea write-up is not done yet, but since the IETF DoH WG [1] is proceeding towards their next steps I wanted to move now before it might be too late and let you know that I might ask them if they want to allow non-HTTPS URIs in the case of onion v3 addresses (currently HTTPS is required). This might be handy for TB in the future. If you have objections let me know.
>> I also reached out to Seth Schoen and asked him about his efforts to make onion v3 DV certificates acceptable to the CA/Browser Forum (if that is possible then the HTTPS requirement isn't a problem for DoH over onion v3).
> IIUC, you are trying to persuade the working group that they can use HTTP v3 onions as DNS resolvers.
> Sounds good to me! Let us know how we can support you with this :)
Thanks for that kind offer, but I think the DoH draft authors made some deliberate design decisions that are not in favor of privacy by design or even privacy by default, and so I did not even start with the onion v3 topic on the WG ML, since the transport layer can not solve all the tracking problems of higher layers (HTTP).
In the Tor context you might say - "we can address http layer privacy issues in DoH in Tor Browser" but then you are probably better off just implementing DNS-over-TLS (DoT) which does not come with all the privacy problems of HTTP.
If you want to read more about the entire discussion on the DoH WG ML this is the starting point (and it is not limited to this thread): https://mailarchive.ietf.org/arch/msg/doh/vHjITrOMhWSdrozGFe4-eGNMEJc
Also: Seth Schoen got back to me regarding Domain Validated HTTPS certificates for onion v3 - and even though it will not happen tomorrow I have hope that it will be possible eventually (which makes my original point - DoH over HTTP (not HTTPS) for onion v3 - unnecessary if everyone can get letsencrypt certs for their onions)