[dns-operations] Massive DNS poisoning attacks in Brazil
Paul Vixie
paul at redbarn.org
Tue Oct 2 21:16:57 UTC 2012
On 2012-10-02 8:49 PM, Stephane Bortzmeyer wrote:
> On Tue, Oct 02, 2012 at 08:34:36PM +0000,
> Paul Vixie <paul at redbarn.org> wrote
> a message of 19 lines which said:
>
>> i don't think so. too many middleboxes unpack the tcp/443 stream using a
>> wildcard certificate,
> ??? If you are on a network where the router/proxy/middlebox managed
> to obtain a wildcard certificate from a CA you trust (is there a CA
> which seels that?), you're toasted anyway. DNSSEC is useless because
> the middlebox can hack you at will.
actually, not. dnssec+dane can tell you that you're being MiTM's at the
later SSL session.
or, put another way, we're all mostly toast, but i'd like to know when
and where.
paul
--
"It seems like the rules for automagic completion of incomplete names typed into browsers are going to start to look like those for the game of fizbin." --rick jones
More information about the dns-operations
mailing list