[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] DoH over non-HTTPS onion v3



George Kadianakis:
>> this is just a short heads-up.
>>
>> I'm currently tinkering about how we could
>> improve DNS security and privacy for tor clients. My idea write-up is not done
>> yet but since the IETF DoH WG [1] is proceeding towards their next steps
>> I wanted to move now before it might be to late and let you know that I
>> might ask them if they want to allow non-HTTPS uris in the case of
>> onion v3 addresses (currently HTTPS is required). This might be handy for TB in the future.
>> If you have objections let me know.
>>
>> I also reached out to Seth Schoen and asked him about his
>> efforts to make onion v3 DV certificates acceptable to the CA/Browser Forum 
>> (if that is possible then the HTTPS requirement isn't a problem for DoH over onion v3).
>>
> 
> IIUC, you are trying to persuade the working group that they can use
> HTTP v3 onions as DNS resolvers.
> 
> Sounds good to me! Let us know how we can support you with this :)

thanks for that kind offer but I think DoH draft authors made
some deliberate design decisions that are not in favor of
privacy by design or even privacy by default and so I did
not even start with the onion v3 topic on the WG ML since
the transport layer can not solve all the tracking problems
of higher layers (HTTP).

In the Tor context you might say - 
"we can address http layer privacy issues in DoH in Tor Browser"
but then you are probably better off just implementing DNS-over-TLS (DoT) 
which does not come with all the privacy problems of HTTP.

If you want to read more about the entire discussion on the DoH WG ML
this is the starting point (and it is not limited to this thread):
https://mailarchive.ietf.org/arch/msg/doh/vHjITrOMhWSdrozGFe4-eGNMEJc

Also: Seth Schoen got back to me regarding Domain Validated HTTPS
certificates for onion v3 - and even though it will not happen tomorrow
I have hope that it will be possible eventually (which makes my
original point - DoH over HTTP (not HTTPS) for onion v3 - unnecessary 
if everyone can get letsencrypt certs for their onions)

-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev