In message <d8fbcdcb-bcd1-4847-9d23-d5745a5c6...@delong.com>, Owen DeLong writes:
> On Aug 5, 2011, at 6:03 PM, Mark Andrews wrote:
>
> > In message <4e3c9228.4050...@paulgraydon.co.uk>, Paul Graydon writes:
> >> On 08/05/2011 02:53 PM, Brielle wrote:
> >>> Until they start MitM the ssl traffic, fake certs and all.  Didn't a certain
> >>> repressive regime already do this tactic with facebook or some other major
> >>> site?
> >>>
> >> Syria did:
> >> https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook<https://www.facebook.com/note.php?note_id=10150178983622358&comments>
> >
> > Which is countered by DNSSEC + DANE.  A country may be able to fake everything
> > under their tld but not the rest of the net.
> >
> Unless they start proxying all queries and putting their own trust anchors on all the
> results.

Which still won't work unless they can get a false trust anchor for the root installed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org