On 10/24/2014 06:14 AM, Hubert Kario wrote:
On Thursday 23 October 2014 14:30:59 John Nagle wrote:
To use Cloudflare you need to transfer the domain to Cloudflare. So it's
hardly a MITM. It's a forward proxy service.
Not quite. You have to aim the DNS at Cloudflare, not transfer the
ownership or control of the domain to them.
In this situation, Firefox should display the (O) field,
indicating that you're connected to Cloudflare. At least tell the
user they're being MITMed.
This isn't a theoretical problem. There's an attack:
https://bh.ht.vc/vhost_confusion.pdf
I'm trying to get data from one of the cert observatories to
see how prevalent this problem is. It's a big deal for those of
us who are trying to figure out who's really behind the web site.
John Nagle
SiteTruth
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
