On Sunday 20 July 2014 12:53:59, Jeroen Dekkers wrote:
> At Sun, 20 Jul 2014 11:07:16 +0200,
> Wouter Verhelst wrote:
> > Even ignoring that, assuming people trust that code off
> > people.debian.org is "safe", if they run a validating DNS resolver they
> > don't run more of a risk than if they use only HTTPS.
>
> I don't really follow that. A validating DNS resolver only makes sure
> you connect to the right IP address. DANE can specify the certificate
> to use for HTTPS, but you can't forward HTTP requests to HTTPS with
> DANE as far as I know.
If someone manages to break DNSSEC in such a way that they can redirect
your DNS requests to an IP address of their choosing, they can also
replace DANE records out from under your feet.

But I agree that the argument is somewhat weak. It's also not my core
argument.

> In the case of HTTP a MITM attack can send a fake response to the HTTP
> request without the need for any key material/certificates or need to
> fake DNSSEC. For HTTPS it would need to have a certificate for
> people.debian.org that the client trusts.

True.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26

Archive: https://lists.debian.org/4767887.t6llxl5...@grep.be
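As an added illustration of the DANE check the two messages above argue about (this is example code written for this page, not code from the thread and not anything Debian's infrastructure runs): a TLSA record (RFC 6698) binds a hash of the server's SubjectPublicKeyInfo to the name, and the record is only as trustworthy as the DNSSEC chain that signs it. The certificates are constructed inline with placeholder key bytes and no real signature, only the outer X.509 layout needed to locate the SPKI; the TLSA record for `_443._tcp.people.debian.org.` is hypothetical (people.debian.org is not assumed to publish one). Only DANE-EE (usage 3) matching is implemented; usages 0-2 additionally require PKIX validation, which is omitted.

```python
"""DANE/TLSA certificate matching (RFC 6698) as a worked illustration.

Added example; not code from this thread or from Debian's infrastructure.
It constructs a tiny DER "certificate" inline (assumption: real X.509 layout
for the outer SEQUENCEs only, with placeholder key bytes), derives TLSA record
data from it, and checks a presented certificate against that record.
"""
import hashlib


# --- minimal DER encode/decode helpers (written for this example) ----------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_read(buf, off=0):
    """Return (tag, content, offset_after) for the TLV starting at buf[off]."""
    tag, length, i = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length


def der_children(tlv):
    """Split a constructed TLV into the list of its child TLVs (raw bytes)."""
    _, body, _ = der_read(tlv)
    out, i = [], 0
    while i < len(body):
        _, _, nxt = der_read(body, i)
        out.append(body[i:nxt])
        i = nxt
    return out


def subject_public_key_info(cert_der):
    """Locate SubjectPublicKeyInfo in Certificate -> TBSCertificate (RFC 5280)."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


# --- TLSA record: (usage, selector, matching type, association data) -------
def tlsa_data(cert_der, selector, matching):
    blob = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if matching == 0:
        return blob                        # full DER, no hashing
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown TLSA matching type %r" % matching)


def publish_tlsa(cert_der, usage=3, selector=1, matching=1):
    """The record an operator would put in the (DNSSEC-signed) zone."""
    return (usage, selector, matching, tlsa_data(cert_der, selector, matching))


def tlsa_rr_text(owner, record):
    usage, selector, matching, data = record
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, matching, data.hex())


def tlsa_matches(record, presented_cert_der):
    """DANE-EE (usage 3): does the presented end-entity cert match the record?
    Usages 0-2 additionally need PKIX/chain validation, not done here."""
    usage, selector, matching, data = record
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is implemented here")
    return tlsa_data(presented_cert_der, selector, matching) == data


# --- constructed test certificates (placeholder keys, unsigned) ------------
RSA_ENC = der_seq(der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05, b""))
SHA256_RSA = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))


def fake_cert(key_bytes, serial):
    version = der(0xA0, der(0x02, b"\x02"))                 # v3
    empty_name = der_seq()
    validity = der_seq(der(0x17, b"140720000000Z"), der(0x17, b"150720000000Z"))
    spki = der_seq(RSA_ENC, der(0x03, b"\x00" + key_bytes))
    tbs = der_seq(version, der(0x02, bytes([serial])), SHA256_RSA,
                  empty_name, validity, empty_name, spki)
    return der_seq(tbs, SHA256_RSA, der(0x03, b"\x00" * 9))  # placeholder signature


LEGIT_CERT = fake_cert(b"server-key-placeholder", 1)
MITM_CERT = fake_cert(b"attacker-key-placeholder", 2)


def scenario():
    """The two situations from the thread, with a hypothetical TLSA record."""
    record = publish_tlsa(LEGIT_CERT)   # reaches the client only via DNSSEC-signed DNS
    forged = publish_tlsa(MITM_CERT)    # what an attacker who can forge DNSSEC publishes
    return {
        "legit_cert_accepted": tlsa_matches(record, LEGIT_CERT),
        "mitm_cert_rejected": not tlsa_matches(record, MITM_CERT),
        "mitm_ok_if_dnssec_forged": tlsa_matches(forged, MITM_CERT),
    }


if __name__ == "__main__":
    print(tlsa_rr_text("_443._tcp.people.debian.org.", publish_tlsa(LEGIT_CERT)))
    print(scenario())
```

The third key in `scenario()` is the point Wouter makes: an attacker who can already defeat DNSSEC validation can also serve a TLSA record for their own certificate, so DANE adds nothing beyond what the DNSSEC chain guarantees. The second key is Jeroen's: with an intact DNSSEC chain, a MITM certificate fails the TLSA match, which a plain HTTP response never has to pass.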