Merge branch 'main' into publish

Author: sebix

README.md

@@ -2,6 +2,8 @@
 
 Security analysis of the defo2 project + HOWTO for web admins
 
+Rendered version: https://certtools.github.io/defo-security-analysis/
+
 ## Deliverable text
 
 Deployment Scenarios Analysis:  there are many variations in how ECH can be deployed and the varying relationships between the client and server entities involved. There therefore remains a need to map out residual privacy leaks in such scenarios and how to plug those, given the existence of additional privacy mechanisms such as Qname Minimization, Oblivious DNS-over-HTTPS, and MASQUE.

questions.txt

@@ -42,6 +42,29 @@ I already purchased all China could offer me. However, I have a wicked new plan:
 
 win.
 
+# General questions
+
+ZF <-> CFS / Backend: publishing lots of updated zone files generates lots of notifies in DNS. Are we sure we want this?
+
+
+Split mode:
+* what happens in the situation where I use a CDN for DDOS protection but keep my DNS zones myself?
+
+Idee:
+indirection point in the PTR record rein geben, dann ein forward lookup machen, dann kommt an an den key, der fuer den Split-Mode relevant ist.
+Ist das nicht besser als SVCB?
+
+Don't we get more metadata because of DoH heartbeat?
+
+The bigger ones win... that's a PROBLEM.
+They have more data, this allows them to correlate.
+
+Why does Tor not use DoH? Because of centralization in DoH. 
+Centralization leads to no need for registry anymore. 
+
+How about the following: make a certificate for the IP address of the server and then use that for bootstrapping the ESNI
+
+If the encryption has a known plaintext attack , then we could precompute ... Probably not feasible....
 
 
 

report/deployment/overview.md

@@ -4,21 +4,22 @@ This section addresses ECH deployment considerations. Where relevant, it will li
 
 ## Process overview
 
-![WKECH flow](wkech-flow.png)
-
-### Client process
+This is a simplified overview of the workflow involved in the browser opening an ECH-protected website.
 
-I. To request a website, the browser first queries the A/AAAA record and the ECHConfig from the configured DoH/DoT server. The DoH/DoT server is either provided by the network owner or by a large CDN.
 
-II. The DoH server queries the information at the autoritative DNS server via DNS, managed by the website operator.
-
-II. The information is sent from the DNS server to the DoH server and potentially cached.
+![WKECH flow](wkech-flow.png)
 
-IV. The information is passed on to the client
+### Client process
 
-V. Using the A/AAAA record and the ECHConfig, the browser requests the website from the web server
+<ol>
+<li style="list-style: upper-roman;">To request a website, the browser first queries the A/AAAA record and the ECHConfig from the configured DoH/DoT server. The DoH/DoT server is either provided by the network owner or by a large CDN.</li>
+<li style="list-style: upper-roman;">The DoH server queries the information at the autoritative DNS server via DNS, managed by the website operator.</li>
+<li style="list-style: upper-roman;">The information is sent from the DNS server to the DoH server and potentially cached.</li>
+<li style="list-style: upper-roman;">The information is passed on to the client</li>
+<li style="list-style: upper-roman;">Using the A/AAAA record and the ECHConfig, the browser requests the website from the web server</li>
+</ol>
 
-FIXME: do the DoH servers fetch their data via DNS or DoH? Protocol Upgrades?
+The DoH servers query the autoritative DNS servers mostly via traditional unencrypted UDP-based DNS (Do53), however DoT and DoH are increasingly adopted in this area too. Protocol upgrades (opportunistic or via SVCB records) are also used.
 
 ### Server process