On 2012-10-02 8:49 PM, Stephane Bortzmeyer wrote:
> On Tue, Oct 02, 2012 at 08:34:36PM +0000,
> Paul Vixie <[email protected]> wrote
> a message of 19 lines which said:
>
>> i don't think so. too many middleboxes unpack the tcp/443 stream using a
>> wildcard certificate,
>
> ??? If you are on a network where the router/proxy/middlebox managed
> to obtain a wildcard certificate from a CA you trust (is there a CA
> which sells that?), you're toasted anyway. DNSSEC is useless because
> the middlebox can hack you at will.
actually, not. dnssec+dane can tell you that you're being MiTM'd at the later SSL session. or, put another way, we're all mostly toast, but i'd like to know when and where.

paul

--
"It seems like the rules for automagic completion of incomplete names typed into browsers are going to start to look like those for the game of fizbin." --rick jones

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
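The check Paul is describing, as an added example that is not code from the thread: a minimal DANE TLSA (RFC 6698) comparison in Python that flags a TLS session whose presented key does not match the DNSSEC-signed record, even when a middlebox's wildcard certificate chains to a CA the client trusts. The sample key bytes are constructed, and extraction of the certificate's SubjectPublicKeyInfo is assumed to happen upstream in an X.509 parser.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class TlsaRecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TlsaRecord:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TlsaRecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def _matching_data(matching: int, payload: bytes) -> bytes:
    if matching == 0:
        return payload
    if matching == 1:
        return hashlib.sha256(payload).digest()
    if matching == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unsupported TLSA matching type {matching}")


def dane_verdict(rdata: str, dnssec_secure: bool, cert_der: bytes,
                 spki_der: bytes, pkix_valid: bool) -> str:
    """Classify a session: cert_der/spki_der come from the server's end-entity
    certificate (assumed parsed upstream); pkix_valid is the CA chain result."""
    if not dnssec_secure:
        # An unsigned TLSA answer could itself be forged; DANE adds nothing.
        return "insecure"
    rec = parse_tlsa(rdata)
    if rec.usage not in (1, 3):
        raise NotImplementedError("trust-anchor usages need a chain walk")
    payload = cert_der if rec.selector == 0 else spki_der
    matched = _matching_data(rec.matching, payload) == rec.data
    if rec.usage == 1 and not pkix_valid:
        return "mismatch"          # PKIX-EE also requires a valid CA chain
    return "match" if matched else "mismatch"


# Constructed sample data (not real keys): the genuine server key versus the
# key behind a middlebox's CA-issued wildcard certificate.
LEGIT_SPKI = b"constructed-spki-of-the-genuine-server-key"
MITM_SPKI = b"constructed-spki-of-the-middlebox-wildcard-key"
TLSA_RDATA = "3 1 1 " + hashlib.sha256(LEGIT_SPKI).hexdigest()
```

With usage 3 (DANE-EE) the verdict ignores whether the middlebox's certificate is CA-trusted at all; only the DNSSEC-validated record decides, which is what lets the client notice the interception.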
