- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 30 Nov 2015 00:56:08 +0000
- To: "Richard Hartmann" <richih.mailinglist@gmail.com>, "Mark Nottingham" <mnot@mnot.net>
- Cc: "Cory Benfield" <cory@lukasa.co.uk>, "Jacob Appelbaum" <jacob@appelbaum.net>, "Willy Tarreau" <w@1wt.eu>, "HTTP Working Group" <ietf-http-wg@w3.org>
What bugs me is this.

From draft-adpkja-dnsop-special-names-problem section 5 para 2:

"In the case of [I-D.ietf-dnsop-onion-tld], leakage of ONION queries on the Internet might lead to disclosure of private information that, in some cases, might pose a risk to the personal safety of end-users"

OK, so we're designing a protocol (onion TLD) in which badness can happen if lookups leak over the internet, and yet we expect the hundreds of millions of DNS resolvers out there to magically travel back in time and implement RFC6761 (from 2013), thereby treating the TLD as a "protocol switch" for resolution, even though the concept didn't exist when they were written.

It seems to me that relying on all these resolvers to be updated to not remain a security problem is completely bonkers.

Also it seems that the justification for adding new special use TLDs was the existence of "localhost" and ".local". "localhost" has been in use for decades, and .local is NOT solely for MDNS as claimed; it's also used by unicast DNS on many corporate networks. These are not examples of protocol switching.

It also bugs me that the first para states there is IETF consensus on this. For protocols with as wide-ranging an effect as this, maybe consensus should be required from a bigger group than just the dnsop WG.

Adrien

------ Original Message ------
From: "Richard Hartmann" <richih.mailinglist@gmail.com>
To: "Mark Nottingham" <mnot@mnot.net>
Cc: "Cory Benfield" <cory@lukasa.co.uk>; "Jacob Appelbaum" <jacob@appelbaum.net>; "Willy Tarreau" <w@1wt.eu>; "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 30/11/2015 12:56:45 a.m.
Subject: Re: Browsers and .onion names

> On Sun, Nov 29, 2015 at 10:58 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> If it's really bugging people, we can try to get an errata in, but I suspect the wording is going to be tricky, and likely quite verbose.
>
> It's not bugging me.
>
> That being said, what about the reasonably opaque "implementors who can reasonably expect some of their users to use Tor-enabled services [and/or to use .onion addresses by accident] etc. pp." as a middle ground?
>
>
> Richard
Received on Monday, 30 November 2015 00:56:42 UTC
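The "protocol switch" behaviour the message says resolvers would need, written out as an added Python example (not code from the thread, from the drafts it cites, or from any resolver): a decision function that applies the RFC 6761 treatment of localhost, the RFC 7686 rule that .onion lookups get NXDOMAIN rather than being forwarded, and a site policy for .local (mDNS by default, unicast DNS where the network serves it, as the message describes), plus a scan over constructed query-log lines that flags .onion queries which reached a forwarding resolver, i.e. the leak the quoted draft warns about. The log line format, the sample names and clients, and the `internal_local_zone` policy flag are all constructed for this example.

```python
"""Special-use TLD handling at a recursive resolver, plus leak detection
over resolver query logs.  Added example; not code from the thread or
from any resolver implementation."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# RFC 6761 section 6.3: names under localhost resolve to the loopback address
LOOPBACK = {"A": "127.0.0.1", "AAAA": "::1"}


@dataclass
class Decision:
    # action: "answer_local", "nxdomain", "forward_internal" or "forward"
    action: str
    rrdata: Optional[str] = None   # answer data for answer_local (None = NODATA)
    reason: str = ""


def _labels(qname: str) -> List[str]:
    """Split a query name into lowercase labels, ignoring a trailing root dot.
    DNS names are case-insensitive, so EXAMPLE.ONION. must match like example.onion."""
    return [label for label in qname.lower().rstrip(".").split(".") if label]


def decide(qname: str, qtype: str = "A", internal_local_zone: bool = False) -> Decision:
    """Decide how a resolver should treat one query before any forwarding.

    internal_local_zone is an assumed site-policy flag: True means this
    network serves .local from unicast DNS (as the message notes many
    corporate networks do) and the query goes to the internal server."""
    labels = _labels(qname)
    if not labels:
        return Decision("forward", reason="root query")
    tld = labels[-1]
    if tld == "onion":
        # RFC 7686: resolvers must not look up .onion names; they answer
        # NXDOMAIN so the name never leaves the host or site.
        return Decision("nxdomain", reason="rfc7686: .onion must not leak to the DNS")
    if tld == "localhost":
        # Address queries get loopback; other types get an empty (NODATA) answer.
        return Decision("answer_local", LOOPBACK.get(qtype.upper()), "rfc6761: localhost")
    if tld == "local":
        if internal_local_zone:
            return Decision("forward_internal", reason="site policy: unicast .local zone")
        # RFC 6762 reserves .local for link-local mDNS; do not forward upstream.
        return Decision("nxdomain", reason="rfc6762: .local is mDNS, not global DNS")
    return Decision("forward", reason="ordinary name")


# Constructed log line shape for this example (not any real resolver's format).
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")


def find_leaks(log_lines: Iterable[str]) -> List[dict]:
    """Return every logged query for a .onion name.

    A forwarding resolver should never see these: if they appear in its
    query log, some client on the network is leaking onion lookups."""
    leaks = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue            # unparseable line; skip rather than guess
        qname = match["qname"]
        if _labels(qname) and _labels(qname)[-1] == "onion":
            leaks.append({"client": match["client"],
                          "qname": qname.lower().rstrip(".")})
    return leaks


# Constructed sample log lines (addresses from the documentation range, names made up).
SAMPLE_LOG = [
    "2015-11-30T00:56:08Z client=192.0.2.10 qname=www.example.com. qtype=A",
    "2015-11-30T00:56:09Z client=192.0.2.10 qname=exampleonionaddr.onion. qtype=A",
    "2015-11-30T00:56:10Z client=192.0.2.11 qname=printer.local. qtype=AAAA",
    "2015-11-30T00:56:11Z client=192.0.2.12 qname=LOCALHOST qtype=AAAA",
    "2015-11-30T00:56:12Z client=192.0.2.10 qname=EXAMPLEONIONADDR.ONION. qtype=AAAA",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        m = LOG_RE.search(line)
        print(m["qname"], "->", decide(m["qname"], m["qtype"]))
    print("leaked .onion queries:", find_leaks(SAMPLE_LOG))
```

Running the block prints the decision for each sample line and then the two leaked .onion queries, both from the same client; on a real network that client list is the remediation list (a stub resolver or application that is not applying the protocol switch locally), which is the practical counterpart of the message's point that the switch cannot be assumed to exist everywhere.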