a czds dl, however, shows:
You're right, I checked again.
:; zgrep -E ^dns-auth.\.crocker\.com com.txt.gz
dns-auth1.crocker.com. 172800 in a 66.59.48.87
dns-auth2.crocker.com. 172800 in a 66.59.48.88
dns-auth3.crocker.com. 172800 in a 66.59.48.94
dns-auth
I think it is reasonably clear this was a reference to the Iroquois Theatre
fire where 602 people died.
Not at all. The actual quote is
The most stringent protection of free speech would not protect a man
falsely shouting fire in a theatre and causing a panic.
The Iroquois fire was unfortun
I see that www.cdc.gov is a CNAME for www.akam.cdc.gov. which in turn is a
CNAME for www.cdc.gov.edgekey.net.
But it appears that while www.cdc.gov is signed, www.akam.cdc.gov in
the same zone on the same server is not. Huh? What?
$ dig @ns1.cdc.gov www.cdc.gov +dnssec
;; ->>HEADER<<- opcode:
Same here. I have not publicised or updated my korea.services.net DNSBL
for over a decade and it's still getting over 100 qps.
On Fri, 26 Mar 2021, Sabri Berisha wrote:
- On Mar 26, 2021, at 8:20 PM, John Levine jo...@iecc.com wrote:
Hi,
Also keep in mind that "most blocklists" is mean
I have no problem paying an extra $3/year for my .com IF every domain
speculator must also pay an extra $3 for each of their .coms. Is that
what's happening here?
Yes. The contract very clearly says that everyone pays the same renewal
price to the registry.
Regards,
John Levine, jo...@taugh.
In article ,
Christopher Morrow wrote:
On Fri, Mar 6, 2020 at 11:05 PM Brian J. Murrell
wrote:
> So, if my telco can bill the callers for those premium calls, they
> surely know who they are, or at least know where they are sending the
> bill and getting payment from.
You are mistaken, billin
Most DNS registers avoid verifying customer information as long as the
payment clears (for a short time). DKIM (and DNSSEC) is built on top of
trusting tokens from third-parties which disclaim all liability.
Right. The only promise that DKIM makes is that if you have a stream of
mail signed
Indeed. They would send postcards to all their customers saying
"Comcast has said they will cut off your access to Netflix on April 1,
Call their president's office at 1-800-xxx- and tell them what you think."
Nope… Netflix is fully available on IPv6 and actually looks forward to ISPs
doing
OK, then Disney+ or Hulu or whoever. Peering wars never end well. Don't even
need postcards, just stick the flyer in with the bill.
Is that really cheaper and easier than deploying IPv6? Really?
The cost of putting flyers in the bills rounds to zero, so yes, really.
I expect these companie
As you noted John, it's the plethora of software, support systems, tooling,
and most important in many environments - legacy customer management and
provisioning systems that can be the limiting factor. ...
Just looking around my office, I have a Cisco SPA112 two-port ATA. It's
been discontinue
The only effort involved on the IETF's jurisdiction was to stop squatting on
240/4 and perhaps maybe some other small pieces of IPv4 that could possibly
be better used elsewhere by others who may choose to do so.
The IETF is not the Network Police, and all IETF standards are entirely
voluntary
The only way IPv6 will ever be ubiquitous is if there comes a time where
there is some forcing event that requires it to be.
Unless that occurs, people will continue to spend time and energy coming up
with ways to squeeze the blood out of v4 that could have been used to get
v6 going instead.
I
On Wed, 9 Mar 2022, John Gilmore wrote:
Major networks are already squatting on the space internally, because they
tried it and it works.
Sounds like an excellent reason not to try to use it for global unicast.
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Du
Um, are you suggesting there is sufficiently heavy use of 240/4 to
result in a significant security/stability issue if the address space is
allocated? I thought you were arguing too many systems would have to be
updated to even send/receive packets with 240/4 in the source or
destination field
And here are some actual test results:
https://www.rtca.org/wp-content/uploads/2020/10/SC-239-5G-Interference-Assessment-Report_274-20-PMC-2073_accepted_changes.pdf
People who understand radios don't think much of that report or the
similar AVSI one. If its claims were true, planes would be f
On Wed, 10 Aug 2022, Billy Croan wrote:
I think a much better answer to the nuisance of leap seconds (their
uncertainty), instead of dropping them altogether, MIGHT be let them
build up for a century and deal with it every hundred years or every
thousand. Maybe every decade?
Sheesh. In pract
I assumed my point was obvious but evidently I overestimated my audience.
While it is stupid to assert that the only reason to circumvent DNS
filters is to look at child abuse material, it is equally stupid to assert
that the only reason to filter is to lie, or to censor.
There are plenty of
On Wed, 2 Oct 2019, Matt Harris wrote:
I think ultimately the perception of the work required to deploy IPv6 is a
much greater hurdle to IPv6 adoption than the actual work required to
deploy IPv6.
I'm describing my actual experience, so we'll have to disagree here.
Regards,
John Levine, jo...@
Yes, obviously they are trying multiple levers--but who gets to draw the
line, where are they going to draw it, and why do they get to decide for me?
What prevents an absurd 'solution' like "We can not only stop child
molestation, but rape in general if we just castrate everyone" from being
one of
In article ,
Stephen Satchell wrote:
My AT&T cell phone has both IPv4 and IPv6 addresses. The IPv4 address
is from my access point; the IPv6 address appears to be a public address.
My AT&T cellphone (via MVNO Tracfone) has a 10/8 IPv4 address and IPv6
address 2600:380:28be:8b34:2504:2096:6ac
Can I summarize the current round of objections to my admittedly
off-beat proposal (use basically URLs rather than IP addresses in IP
packet src/dest) as:
We can't do that! It would require changing something!
Nope. You can summarize it as "it doesn't scale", which is what has
killed endless
Though I agree that Gmail spam filtering is top grade, or close to be so,
it still sends to spam a statistically significant number of emails from
IETF and ICANN mailing lists I'm subscribed to. It depends as well on
which account I should receive those emails.
Yes, that's mostly the DMARC prob
Someone up-thread noted that my personal domain is hosted on google
groups. I've noticed in the past that the behaviour of gmail.com can be
very different from the behaviour of a paid mail domain like mine...
Google says that every user's spam filtering is different. It's not just
free vs. pa
PS: You also wouldn't believe how cheap the power is. California's
prices are high compared to most of the US, but it's still only about
€0.15 per KWh.
I don't know where you live, but I pay around 38 cents/KWh. Depending
on your rate, that can go up to 53 cents/KWh during peak times.
16x is
So maybe 10% of all cell phones are primarily used in the "wrong" area?
Out of curiosity, does anyone have a good pointer to the history of
how / why US mobile ended up in the same numbering plan as fixed-line?
The US and most of the rest of North America have a fixed length
numbering plan des
https://www.internetsociety.org/sites/default/files/01_5.pdf
The attack is triggered by a few spoofs somewhere in the world. It is not
feasible to stop this.
That paper is about reflection attacks. From what I've read, this was not
a reflection attack. The IoT devices are infected with botwa
It’s safe to ignore the silent minority that cannot really tell what is
happening in most cases, but that doesn’t mean it “works” for any standard I
would consider valid.
Huh. So you're saying Bill Woodcock doesn't have the skills to see how
his traffic is failing?
Regards,
John Levine, jo
If we're talking about networks with that kind of MRC, is it really that far
of a stretch to require PI space for this? Then again: If we're talking
about that kind of MRC, then I'm assuming ISP A can be coaxed to allow
explicit and well-defined exceptions on the customer's links.
Yes.
A) C
Therein lies the problem if the traffic does not look anomalous I suppose. But
even if it does look unusual, ISPs would be asking consumers to
trash/update/turn off a lot of devices in time – like when every home has 10s
or 100s of these devices.
ISP: Dear customer, looks like one of your light
This is where device profiles could help. If enough devices register
profiles with the local router, at some point the router's default
could be closed, so devices with no profile can't talk to the outside.
Are you thinking of MUD (
https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/) here,
This is where device profiles could help. If enough devices register
profiles with the local router, at some point the router's default
could be closed, so devices with no profile can't talk to the outside.
That would be nice, but a manufacturer who can't be bothered to take even the
most basi
On Sun, 9 Oct 2016, Florian Weimer wrote:
If we want to make consumers to make informed decisions, they need to
learn how things work up to a certain level. And then current
technology already works.
I think it's fair to say that security through consumer education has been
a failure every t
In article
,
Matthew Petach wrote:
Your 200mbit/sec link that costs you $300 in hardware
is going to cost you $4960/month to actually get IP traffic
across, in Nairobi. Yes, that's about $60,000/year.
Nonetheless, Safaricom sells entirely usable data plans. A one day
1GB bundle on a prepa
I am sure these third world nations have more important things to spend
their money on rather than data plans and data devices. Things like food
and medicine come to mind...
My goodness, aren't we condescending. Since we're talking about Kenya
here, a few milliseconds of research reminds us th
Can anyone recommend software that sends faxes over SIP? I have plenty of
inbound fax to email services, but now and then I need to send a reply and
it looks tacky to use one of the free web ones that put an ad on it.
I know that if I wanted to pay $15/mo there are lots of lovely services
but
You *can* get a fax across a G.711 connection if your throughput,
My SIP provider supports T.38. How much difference does that make?
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.l
And you won't really have a choice because unless you're willing to go
full Ted Kaczynski one in a hundred of those emails will be very, very
important to you ...
Yeah. E-mail remains the only scheme where the two parties
don't have to be introduced first, don't have to be online at the same
On Thu, 28 Feb 2019, Mark Andrews wrote:
Agreed. Additionally it suddenly went from something being done along
with an experiment to being “an experiment on can you transition to a new
type”. The transition to type99 was well underway. ...
No, really, we had numbers. Approximately nobody was u
FYI:
SMTP transitioned from A to MX.
No, it didn't. A surprising number of real mail hosts only publish an A,
and I lost the battle to say that MX shouldn't fall back to . It
does.
SPF could have been the same except people were impatient and had
unrealistic expectations of how long
If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
Oh my, you walked right into that one.
https://www.quad9.net/service/threat-blocking/
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
I'm also surprised nobody
On Mon, 30 Oct 2023, Livingood, Jason wrote:
On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong wrote:
If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
DNS isn’t the right place to attack this, IMHO.
Are we sure that the
They are probably spoofed IPs. So those are the target IP IPs of a DDoS
What kind of amplification factor does your DNS server have? I bet with the
changes you’ve made, it’s super high. People are looking for DNS servers like
that.
On the contrary, the response packets are tiny.
$ host -t
Did a bit of digging on Google's developer site and came across this:
https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries
Looks like the IPs you mentioned belong to Google's public DNS resolver
based on that list on their site.
cational ISP/enterprise.
So what are most folks doing to survive crap like this? Nothing/waiting it
out? Outsourcing DNS? Scrubbing appliance? Poor man's stuff like I mention
above?
-Michael
-Original Message-
From: NANOG On
Behalf Of John R. Levine
Sent: Sunday, December 3, 2023 1:18
Just set TC=1 for those clients. If you get queries over TCP then they were
not spoofed. If they are using DNS COOKIE (RFC 7873) you can send back
BADCOOKIE to the initial (client cookie only) UDP request with your server
cookie. Identifying real DNS clients has been possible for years now.
On Mon, 4 Dec 2023, Damian Menscher wrote:
have more redundancy/capacity). Based on these estimates, we haven't
treated mitigation of small attacks as a high priority. If O(25Kpps)
attacks are causing real problems for the community, I'd appreciate that
feedback and some hints as to why your ex
If anyone has contacts at either I would appreciate it.
https://developer.amazon.com/support/amazonbot
Um, that is the site I mentioned in the line above the one you quoted.
As I said, I wrote to the contact address, no reply.
probably returned as a result of searching "amazonbot" on you
That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.
I think we're each overgeneralizing from our individual experience.
You can configure a V6 firewall to be default closed as easily as you can
configure a NAT
Yep, just had another one. Email to local election office silently
vanishes because it uses Office365 Cloud email.
I believe they're throwing your mail away, but it's not just because
you're small. Like I said, I'm just as small and my mail gets there OK.
Needed to use Gmail instead.
On
Maybe Microsoft allows your small domain as an exception? In the mean time,
use Gmail or another cloud provider to get your email.
It may be because I have a few mailing lists that keep the volume up
enough to avoid falling off their radar.
It's kind of ironic that MS throws people's mail aw
On Mon, 22 Apr 2024, William Herrin wrote:
Respectfully, you're mistaken. Look up "tortious interference."
I'm familiar with it.
But I am also familiar with many cases where spammers have sued network
operators claiming that they're falsely defamed, so the operator has to
deliver their mail.
Bill is absolutely correct. The spammers lost their case because they
were demonstrably spammers.
No, really they did not. I read the decisions. Have you? Hint: under
CAN SPAM a great deal of spam is completely legal so it didn't matter.
We’ve had accidental black hole cases with *US* prov
I'm not sure where you saw that message, but I got this message via email
after I submitted an unblock request with Spectrum Shield:
We have reviewed your request to unblock validin.com. This site was not
found to be blocked by Spectrum Shield and should be accessible from your
browser.
Sigh.
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message headers) is theoretically
not used for SPF validation. In practice, some SPF validators don't
have direct access to the SMTP session so they rely on the SMTP
session placing the envelope sender in the Return-pat
surprised nobody noticed for close to 10 days. I was away
from work and upon coming back I saw the little discussion there was,
in my Spam folder.
On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
On Thu, 16 May 2024, William Herrin wrote:
The message content (including the message h
On Fri, 17 May 2024, William Herrin wrote:
That said, ICANN generates the root zone including the servers
declared authoritative for the zone.
Nope.
So they do have an ability to
say: nope, you've crossed the line to any of the root operators.
Very very nope.
ICANN as the IANA Functions Op
On Sun, 19 May 2024, David Conrad wrote:
They provide this to Verisign, the Root Zone Maintainer, who create the
root zone and distribute it to the root server operators.
Technically, IANA provides database change requests to Verisign. The actual
database is maintained by the Root Zone Maintai
It's a one way correlation. If the rDNS is busted, you can be pretty
sure you don't want the mail. If the rDNS is OK, you need more clues.
Pretty sure, but far from certain.
Even this one-way correlation is rather tenuous. It’s mostly harmless because
everyone knows that mail servers are filt
Yeah, that's what ARC is intended to do.
Hum. My understanding of ARC is that it's a way for a server to assert
things about what it received. - Where as my interpretation of what we were
discussing is the sender authorizing intermediary MTAs to send the message.
The former is after the f
In article <6134b4a7-9da8-2935-e9f6-e4374b3fd...@spamtrap.tnetconsulting.net>,
Grant Taylor via NANOG wrote:
https://datatracker.ietf.org/doc/draft-levine-dkim-conditional/
The only way that I can think of is for the originating mail server to
DKIM sign the message twice, 1st with the classi
Alas, these RBLs are often hard-coded into firewalls. Non-sophisticated
users just think they have a check box saying "block spam". Fixing those
IS hard.
I believe there are cases where people have made it hard, but there are
limits on how much I believe in protecting people from the consequen
How about validating whether a given AS is an acceptable origin for a set
of prefixes? Seems like a problem (route hijacking) that's still been
looking for a solution. Lots of BGP routers, RRs, prefix databases are
around, maintained and generally online. Current practices are incomplete
and for m
ocument the chain of
ownership, and conspiracy theories about how the evil RIRs are planning
to steal our precious bodily flu^W^WIPs, but "put it in a blockchain!"
Puhleeze.
R's,
John
On Tue, 23 Jan 2018, Jimmy Hess wrote:
On Tue, Jan 9, 2018 at 10:22 AM, William Herrin wrote:
On
This looks like a willy-waving exercise by Cloudflare coming up with the lowest
quad-digit IP. They must have known that this would cause routing issues, and
now suddenly it's our responsibility to make significant changes to live
infrastructures just so they can continue to look clever with the I
http://175.45.179.68/
If that's in the DPRK, you may have "slashdotted" an entire country.
Ooh. Maybe they'll be thrilled, or maybe they'll figure that it's an
attack. Probably both.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider t
We do remember, don't we, that the domain that started this discussion
were shut down by Verisign, the registry, not a registrar?
interesting that in THIS case the registry just took the action, was
the domain registered through their registrar arm?
They haven't had a registrar arm since they
I think Verisign DBMS acts as a registrar for ccTLDs.
No, they're a registry. Not the same thing.
The registry holds the definitive database and manages the DNS zone.
Registrars face the public and use some sort of API to pass the changes to
the registry.
Regards,
John Levine, jo...@iecc.c
yea... so I wonder if the NCFTA folks would pony up warrants for
things like the content highlighted by www.abuse.ch ?
They do all sorts of stuff, but for obvious reasons they don't gossip
about it in public.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummi
and we'll see endless arguments between buyers of IPv4 space and ARIN,
when ARIN refuses the updates to the address registry.
This would be "bad". I can think of few more effective ways of
destroying the RIR system than by refusing to update the address
registry.
I completely agree, but ther
I don't see ARIN recognizing bogus transfers in the registry -- if the
transfer policy wasn't followed, then no transfer occurred.
I expect the party that paid good money for the address space, and the
party who they paid, and their respective attorneys, will strenuously
disagree with you, but
It seems that hosts sending large amounts of NTP traffic over the
public Internet can be safely filtered if you don't already know that
it's one of the handful that's in the ntp.org pools or another well
known NTP master.
Speaking as one of the 3841 servers in the pool.ntp.org pool, I'm happy t
I was thinking that the ntp.org servers on any particular network are a small
set of exceptions to a general rule to rate limit outgoing NTP traffic.
www.pool.ntp.org allows any NTP operator to opt-in to receive NTP traffic
should their clock be available and accurate.
I believe you, but I d
If ISP has customer A with multiple *known* valid networks --doesn't matter
if ISP allocated them to customer or not-- and ISP lets them all out, but
filters everything else, ISP is still complying with BCP 38.
Of course. The question is how the ISP knows what the customer's address
ranges ar
I look forward to the ITU equitably allocating domain names and IP
addresses.
"NTIA will not accept a proposal that replaces the NTIA role with a
government or an inter-governmental organization solution."
Let's hope you're right, but I note that the ITU isn't an
inter-governmental organizat
The ITU is an agency of the United Nations. Which is an organization
created by treaty, of which various nations' governments are members.
Actually, the ITU is more than twice as old as the UN, and merged with the
UN in 1947. As noted in a previous message, the ITU has both government
What's the worst they can do at this point? Make .bobtodd and
.bubbagump TLDs? This is different from some of the crap we've got now
in what way??
Well, ICANN has come pretty close to delegating .HOME and .CORP to domain
speculators, despite the vast amount of informal use which would get badly
How long, exactly, do you expect 3.2 billion unicast addresses to provide
enough addressing for 6.8+ billion people?
Oh, I'd say a decade. Like I said, I have IPv6 on my server and my home
broadband, which mostly works, with the emphasis on the mostly.
We've just barely started to move from
Or he could just not like NSL and the fact the ISP's are required
to abide by them. If people want their email going through where
it can be snooped upon that is their prerogative. Just don't force
people to have to use I-WILL-SNOOP-ISP!!!
Who said anything about being required to use your ISP'
None of this is REQUIRED. It is forced on people by a cartel of
email providers.
It must be nice to live in world where there is so little spam and other
mail abuse that you don't have to do any of the anti-abuse things that
real providers in the real world have to do.
Regards,
John Levine,
I would suggest the formation of an "IPv6 SMTP Server operator's club,"
with a system for enrolling certain IP address source ranges as "Active
mail servers", active IP addresses and SMTP domain names under the
authority of a member.
Surely you don't think this is a new idea.
R's,
John
It must be nice to live in world where there is so little spam and
other mail abuse that you don't have to do any of the anti-abuse
things that real providers in the real world have to do.
What is a real provider? And what in the email specifications tells us
that the email needs and solutions o
I'm not saying John Klensin shouldn't have a say in how the IPv6 address is
defined, but I do think it would be best for everyone to work it out in an
official place somewhere so that email software isn't doing the complete
opposite of everyone else.
Too late.
Regards,
John Levine, jo...@iecc
mailbox@[IPv6:2001:12:34:56::78:ab:cd]
You aren't allowed to use :: to abbreviate one zero hexadectet according
to RFC 5952.
http://www.rfc-editor.org/errata_search.php?eid=2467
Oh, look at that. I wonder how many people realized that it made an
incompatible change to RFC 4291 four years ag
Ergo, ad hominem. Please quit doing that.
As a side note I happen to run my own mail server without spam filters
-- it works for me. I might not be the norm, but then again, is there
really a norm? (A norm that transcends SMTP RFC reach, that is --
I know a lot of people who run a lot of mail sy
> Don't forget "Vanquish was a complete failure, so why would this be
> any different?" and "do I want Phil Raymond to sue me for violating
> the patent on this exact scheme?"
That was a specific reply by me to a specific suggestion of a
mechanism refunding e-postage to the sender if one wanted a
The numbers you list in your argument against a micropayment
system being able to function are a fraction of the number of
transactions Facebook deals with in updating newsfeeds for
the billion+ users on their system.[0]
... which is completely irrelevant because they don't have a double
spend
As noted about a zillion messages ago, one of the concerns about IPv6 mail
is whether DNSBLs will be workable, with one of the questions being
whether the lookups will blow away DNS caches. As far as I can tell,
there is basically no research on DNS cache behavior other than a few very
old pap
" Contrary to the commonly held belief that this is fundamentally
impossible, we propose several solutions that do achieve a reasonable level
of double spending prevention"
Yes, that's Bitcoin's claim to fame.
Perhaps the number of zeroes doesn't make a difference; but solving the
double spend
The most "sane" out-of-mind response should only be sent *if* the
out-of-mind person is named explicitly as a recipient in the RFC822
To: header. Anything To: somelist@somehost does not qualify :)
This highly effective trick was in the procmail example vacation script in
1991, and doubtless go
2: introduce an "Original Authentication Results" header to indicate
you have performed the authentication and you are validating it
This was someone's hack that doesn't work. The idea is that you make an
RFC5451 Authentication-Results header for the incoming message, change the
name to origi
This highly effective trick was in the procmail example vacation script in
1991, and doubtless goes back much farther than that. It's a little
dismaying to hear that there are still people writing autoresponders who
don't know about it.
what is procmail?
The scriptable mail delivery agent tha
On Wed, Apr 9, 2014 at 6:11 PM, wrote:
and just how is an algorithm supposed to detect that
is a single human and not a list?
If the autoresponder is sane, it looks for:
List-Id: North American Network Operators Group
Yes, there are a lot of headers that give you a hint t
On 4/9/2014 5:45 PM, George Michaelson wrote:
procmail is a rewrite of MMDF mailfilter. badly.
Thanks, but I believe it slightly preceded MMDF's equivalent facility. On the
average, Allman put comparable features into sendmail sooner than I did.
Procmail's user interface, if you can call it
I find the /50 particularly odd as it's not a nibble boundary and very
close to /48. It's almost certain this is an operator who fails to grasp
that they could have easily gotten a larger allocation from their RIR if
they just asked for it and provided the appropriate justification in
terms of
run by agencies of the US government, who knows what will happen in
the future.
I'm not so sure volunteer root operators are in a position to editorialize
and for that to have a positive effect. ICANN could go down the
path of stating that this causes internet stability (due to operators
publi
And your technical solution to ensure "http://apple/" always resolves
to "apple." and doesn't break people using "http://apple/" to reach
"http://apple.example.net/" is?
Whatever people have been doing for the past decade to deal with
http://dk/ and http://bi/.
As I think I said in fairly
By the way, the ICANN board just voted to approve the new gTLD program.
Time to place bets on what the next move will be.
My money is on lawsuits by US trademark lawyers.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment befo
All they need -- or, I suspect, need to assert -- is to have
multiple physical networks. They can claim a production net, a DMZ,
a management net, a back-end net for their databases, a developer
net, and no one would question an architecture like that
My impression is that this is about a c
However, the procedures required to exploit these weaknesses are
slightly more complicated than simply producing a self-signed
certificate on the fly for man in the middle use -- they require
planning, a waiting period, because CAs do not typically issue
immediately.
Hmmn, I guess I was ri
Are you, at this moment, able to acquire a falsely signed certificate
for www.herrin.us that my web browser will accept?
Me, no, although I have read credible reports that otherwise reputable SSL
signers have issued MITM certs to governments for their filtering
firewalls.
Regards,
John Levin