[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Vixie paul at redbarn.org
Tue Oct 2 21:16:57 UTC 2012

On 2012-10-02 8:49 PM, Stephane Bortzmeyer wrote:
> On Tue, Oct 02, 2012 at 08:34:36PM +0000,
>  Paul Vixie <paul at redbarn.org> wrote 
>  a message of 19 lines which said:
>> i don't think so. too many middleboxes unpack the tcp/443 stream using a
>> wildcard certificate, 
> ??? If you are on a network where the router/proxy/middlebox managed
> to obtain a wildcard certificate from a CA you trust (is there a CA
> which sells that?), you're toasted anyway. DNSSEC is useless because
> the middlebox can hack you at will.

actually, not. dnssec+dane can tell you that you're being MiTM'd at the
later SSL session.

or, put another way, we're all mostly toast, but i'd like to know when
and where.


"It seems like the rules for automagic completion of incomplete names typed into browsers are going to start to look like those for the game of fizbin." --rick jones
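As an added example, not part of this thread: a stdlib-only Python sketch of the DANE-EE (TLSA usage 3) check referred to above. It assumes the TLSA records were already fetched over a DNSSEC-validated path, uses constructed byte strings in place of real DER certificates, and implements only the full-certificate selector (0); the SPKI selector (1) would need DER parsing.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
LEGIT_CERT_DER = b"constructed-der:legit-server-cert:www.example.net"
MIDDLEBOX_CERT_DER = b"constructed-der:middlebox-wildcard-cert:*.example.net"


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 3 = DANE-EE: pin the end-entity certificate itself
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo (not implemented here)
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse RFC 6698 presentation format, e.g. '3 0 1 <hex>'."""
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(matching),
                      bytes.fromhex(hexdata.replace(" ", "")))


def _association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Derive the TLSA association data for a certificate (selector 0 only)."""
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs DER parsing; only selector 0 shown")
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert_der: bytes, usage: int = 3, selector: int = 0, matching: int = 1) -> TLSARecord:
    """Build the TLSA record the zone owner would publish for cert_der."""
    return TLSARecord(usage, selector, matching, _association_data(cert_der, selector, matching))


def dane_matches(records, presented_cert_der: bytes) -> bool:
    """True if the certificate presented in the TLS handshake matches any DANE-EE record.

    The records are trusted only because they arrived DNSSEC-validated; a CA-issued
    wildcard certificate from a middlebox does not match the pinned association data,
    which is the signal that the session is being intercepted.
    """
    return any(r.usage == 3 and _association_data(presented_cert_der, r.selector, r.matching) == r.data
               for r in records)
```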
