[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

This DNS over HTTP thing

Subject: This DNS over HTTP thing
From: valdis.kletnieks at vt.edu (Valdis Klētnieks)
Date: Wed, 02 Oct 2019 05:45:57 -0400
In-reply-to: <[email protected]>
References: <[email protected]>

On Wed, 02 Oct 2019 01:55:13 -0600, "Keith Medcalf" said:

> It is a common fallacy that TLS connections are authenticated.  The vast
> majority of them are not authenticated in any meaningful fashion and all that
> can be said about TLS is that it provides an encrypted connection between the
> two communicating applications.  This is perhaps why it is call *transport*
> layer security ...

Another major disconnect is that TLS validates the hostname that the browser
decided to connect to, not the host you thought you were connecting to..

The end result is that if a phish directs you to nan0g.org, it can still show a
padlock and the user is none the wiser....
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20191002/cca2b7dc/attachment.sig>

Follow-Ups:
- This DNS over HTTP thing
  - From: jan at philippi.pw (Jan Philippi)
- This DNS over HTTP thing
  - From: mpalmer at hezmatt.org (Matt Palmer)

References:
- This DNS over HTTP thing
  - From: kmedcalf at dessus.com (Keith Medcalf)

Prev by Date: This DNS over HTTP thing
Next by Date: This DNS over HTTP thing
Previous by thread: This DNS over HTTP thing
Next by thread: This DNS over HTTP thing
Index(es):
- Date
- Thread