What's to stop someone from writing that malware today?  Keeping the net
safe by reducing the expressiveness of what is carried over HTTP is already
a lost cause, and would have been a slender reed to rely on for security in
any case.

On Tue, Jul 12, 2016 at 4:33 PM, Allan Liska <al...@allan.org> wrote:

> On 7/12/2016 at 4:10 PM, "Shane Kerr" <sh...@time-travellers.org> wrote:
>
> John,
>
> At 2016-07-11 23:50:05 -0000
> "John Levine" <jo...@taugh.com> wrote:
> > I'd also want to change some of the motivation text. To me, by far
> > the most likely scenario here is javascript applications that want to
> > do DNS queries, e.g. for SRV, but can't because javascript doesn't let
> > you do that. Now the server that provided the javascript blob can
> > also be the DNS proxy. The javascript can't query random other DNS
> > proxies due to cross-site scripting rules.
>
> As I think that I mentioned before, the current draft of DNS-over-HTTP
> is poorly suited for JavaScript. Building and parsing DNS binary
> messages in JavaScript seems like a really hard way to get at the few
> tidbits of information that you actually want.
>
> OTOH, I am (obviously) not a web developer, so perhaps I overestimate
> the difficulty in working with DNS binary-format. Maybe it's a
> relatively compact set of JavaScript functions that can be used?
>
> Maybe I just found a project for the IETF Hackathon? Hm... :)
>
>
> My first thought (and maybe this says more about me than the project) is
> that this seems like the perfect way to make a fully self-contained piece
> of malware.  Ransom32 already proved that you can create ransomware
> developed entirely in JavaScript; imagine if you combined a JavaScript DNS
> library with a JavaScript TLS library (
> https://github.com/digitalbazaar/forge): you could create a piece of
> malware that is significantly harder to detect because all of the network
> indicators would be encrypted or not in places that security tools normally
> look.  Now, it would also be somewhat easy to detect because there are very
> few legitimate reasons for someone to be emailing you a 25+ Meg .js file.
>
> I am not saying something shouldn't be done simply because bad guys might
> abuse it, otherwise we should have gotten rid of email a long time ago.
> What I am asking is are there more legitimate uses for DNS over JavaScript
> than there are illegitimate?  I don't know the answer, but I don't know if
> the "cool" factor outweighs the potential security risk.
>
>
>
> allan
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
>
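
Added example, not part of the original thread: a sketch of what building and parsing DNS binary messages in JavaScript involves, for the SRV case raised in the quoted text. Function names are hypothetical, the code assumes Node.js `Buffer`, and the decoder bounds-checks every read and caps compression-pointer jumps so truncated or looping input is rejected.

```javascript
// Added example (hypothetical names). Encode a name as length-prefixed labels (RFC 1035, 3.1).
function encodeName(name) {
  const parts = name.split('.').filter(Boolean).map((label) => {
    const b = Buffer.from(label, 'ascii');
    if (b.length > 63) throw new RangeError('label longer than 63 octets');
    return Buffer.concat([Buffer.from([b.length]), b]);
  });
  return Buffer.concat([...parts, Buffer.from([0])]);
}

// Build a one-question query: 12-byte header, QNAME, QTYPE, QCLASS=IN.
function buildQuery(id, name, qtype) {
  const msg = Buffer.concat([Buffer.alloc(12), encodeName(name), Buffer.alloc(4)]);
  msg.writeUInt16BE(id, 0);
  msg.writeUInt16BE(0x0100, 2);            // flags: recursion desired
  msg.writeUInt16BE(1, 4);                 // QDCOUNT = 1
  msg.writeUInt16BE(qtype, msg.length - 4);
  msg.writeUInt16BE(1, msg.length - 2);    // class IN
  return msg;
}

// Decode a name, following compression pointers (RFC 1035, 4.1.4); next = offset after the name.
function decodeName(msg, offset) {
  const labels = [];
  let pos = offset, next = -1, jumps = 0;
  for (;;) {
    if (pos >= msg.length) throw new RangeError('name runs past end of message');
    const len = msg[pos];
    if (len === 0) return { name: labels.join('.'), next: next < 0 ? pos + 1 : next };
    if ((len & 0xc0) === 0xc0) {           // two-byte pointer to an earlier name
      if (pos + 1 >= msg.length || ++jumps > 16) throw new RangeError('bad pointer');
      if (next < 0) next = pos + 2;
      pos = ((len & 0x3f) << 8) | msg[pos + 1];
      continue;
    }
    if (len > 63 || pos + 1 + len > msg.length) throw new RangeError('bad label');
    labels.push(msg.toString('ascii', pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
}

// Parse the first answer of a one-question response as SRV (RDATA layout from RFC 2782).
function parseFirstSrv(msg) {
  const owner = decodeName(msg, decodeName(msg, 12).next + 4); // skip the question
  if (msg.readUInt16BE(owner.next) !== 33) throw new TypeError('first answer is not SRV');
  const p = owner.next + 10;               // skip TYPE, CLASS, TTL, RDLENGTH
  const [priority, weight, port] = [0, 2, 4].map((i) => msg.readUInt16BE(p + i));
  return { owner: owner.name, priority, weight, port, target: decodeName(msg, p + 6).name };
}
```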