On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:

> does dns hijacking or dns cache poisoning count as mitm?
A careful CA validator does DNS only by making authoritative queries, so they're not subject to cache poisoning since they don't look at cached answers.

I think a successful DNS hijack against a CA validator would constitute a MITM, except in the case where the attacker is straight up subverting the legitimate name owner's real systems. In /that/ case even DNSSEC doesn't necessarily help you: if they've subverted your systems they can give out DNS answers that check out as signed OK but say whatever they wish.

In the former case DNSSEC would protect you, and I agree that where it has been deployed CA validators should check it, but in a world where there are still login HTML forms with no HTTPS behind them, how surprised are we supposed to be that people don't all have DNSSEC for their domains?

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

