[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?
Paul Hoffman
paul.hoffman at vpnc.org
Mon Feb 24 19:09:06 UTC 2014
On Feb 24, 2014, at 10:28 AM, DTNX Postmaster <postmaster at dtnx.net> wrote:
> I've been wondering whether DNSSEC would provide any mitigation for
> such an attack, if there is a validating resolver between me and the
> attacker?
Not in this case. The Apple bug allows an MITM to use the real certificate for the attacked site, while simply making up a private key.
Paul W's incorrect answer assumes a bug where the MITM needs to have a valid certificate. That is the most common case, but not the one relevant here; the Apple bug allowed a certificate for which the private key didn't match.
--Paul Hoffman
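An added illustration of the point made above, not code from this post or from the list: the client receives the site's genuine certificate (modelled here by its public key) together with a ServerKeyExchange signed by whichever private key the peer actually holds, and a DANE-style TLSA match on the certificate passes in both the genuine and the MITM case because the certificate really is the site's. Only verifying the signature under the certificate's public key, the step the affected Apple client skipped, separates the two cases. The function names, the 2048-bit keys and the parameter bytes are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// tlsaDigest mimics a DANE TLSA record (selector SPKI, matching type SHA-256):
// the public-key digest DNSSEC can bind to the site's name.
func tlsaDigest(pub *rsa.PublicKey) [32]byte {
	spki, _ := x509.MarshalPKIXPublicKey(pub) // only fails for unsupported key types
	return sha256.Sum256(spki)
}

// signKeyExchange: whoever terminates the connection (genuine server or MITM)
// signs the ServerKeyExchange parameters with the private key it actually holds.
func signKeyExchange(key *rsa.PrivateKey, params []byte) ([]byte, error) {
	h := sha256.Sum256(params)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// verifyKeyExchange is the check the Apple client skipped: signature under the certificate's key.
func verifyKeyExchange(certPub *rsa.PublicKey, params, sig []byte) bool {
	h := sha256.Sum256(params)
	return rsa.VerifyPKCS1v15(certPub, crypto.SHA256, h[:], sig) == nil
}

// Handshake models what the client sees: the genuine site's certificate (its
// public key) plus key-exchange parameters signed by signer's private key.
func Handshake(siteKey, signer *rsa.PrivateKey, params []byte) (daneOK, sigOK bool, err error) {
	record := tlsaDigest(&siteKey.PublicKey) // published in DNS, DNSSEC-signed
	presented := &siteKey.PublicKey          // the real certificate is shown in both cases
	sig, err := signKeyExchange(signer, params)
	if err != nil {
		return false, false, err
	}
	return tlsaDigest(presented) == record, verifyKeyExchange(presented, params, sig), nil
}

func main() {
	site, _ := rsa.GenerateKey(rand.Reader, 2048)
	mitm, _ := rsa.GenerateKey(rand.Reader, 2048) // made-up key that never matched the cert
	params := []byte("constructed ServerKeyExchange parameters")
	fmt.Println(Handshake(site, site, params)) // true true <nil>
	fmt.Println(Handshake(site, mitm, params)) // true false <nil>: DANE is satisfied, only the signature check catches the MITM
}
```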