Ted Lemon wrote:
> You're talking about devices over which you have no control. So how
> does it make a difference where the attack vector is on the device?
> Why is DNS-over-HTTPS worse than entire-attack-vector-over-HTTPS?
i'm glad you asked. operating systems, web browsers, and endpoint
security have a pretty good handle today on data plane attacks, even if
delivered over https. they do not, however, have a handle on control plane
attacks, such as can be delivered or administered via DNS.
http://www.circleid.com/posts/20100728_taking_back_the_dns/
if ubiquitous perimeter security policy bypass via https becomes the
norm, then far more https will have to be intercepted or blocked than is
done today. the DOH WG is playing chicken with network operators. i wish
they could see down the road a bit further than they do.
--
P Vixie
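To make the "perimeter security policy bypass" point above concrete, here is an added example (not from either poster): a perimeter resolver enforcing an RPZ-style blocklist on plain DNS, beside an audit of a constructed connection log that flags the flows such a resolver never sees, namely DoH to a known resolver name on 443 and direct DNS to an outside address. The resolver address, blocklist, DoH hostname and log lines are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed values for this example: the perimeter's own resolver, the
# RPZ-style blocklist it enforces, and a hypothetical DoH resolver hostname.
PERIMETER_RESOLVER = "10.0.0.53"
BLOCKED_ZONES = {"malware.example", "c2.example"}
KNOWN_DOH_SNI = {"doh.resolver.example"}

@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    sni: str  # TLS SNI if observed on the flow, else "-"

def policy_verdict(qname: str) -> str:
    """What the perimeter resolver does with a plain-DNS query: block a
    listed zone and every name beneath it, allow everything else."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKED_ZONES:
            return "BLOCK"
    return "ALLOW"

def parse_conn(line: str) -> Conn:
    ts, src, dst, dport, sni = line.split()
    return Conn(ts, src, dst, int(dport), sni)

def audit(lines: list) -> list:
    """Flag flows that sidestep the resolver policy: DoH to a known resolver
    name on 443, or plain DNS that never goes through the perimeter resolver.
    Returns (source address, reason) pairs for the defender to act on."""
    findings = []
    for c in map(parse_conn, lines):
        if c.dport == 443 and c.sni in KNOWN_DOH_SNI:
            findings.append((c.src, "doh-bypass"))
        elif c.dport == 53 and c.dst != PERIMETER_RESOLVER:
            findings.append((c.src, "direct-dns"))
    return findings

# Constructed connection log: timestamp, src, dst, dport, SNI
SAMPLE_LOG = [
    "12:00:01 10.0.1.5 10.0.0.53 53 -",
    "12:00:02 10.0.1.5 203.0.113.10 443 www.example",
    "12:00:03 10.0.1.9 203.0.113.20 443 doh.resolver.example",
    "12:00:04 10.0.1.7 198.51.100.1 53 -",
]

if __name__ == "__main__":
    print(policy_verdict("www.c2.example"), audit(SAMPLE_LOG))
```

The first query is blocked by the resolver; the two flagged flows never reach it, which is the case where only inspecting or blocking the HTTPS session itself would apply the same policy.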
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop