On 9/11/16, Nick Lamb <tialara...@gmail.com> wrote:
> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries, so
> they're not subject to cache poisoning since they don't look at cached
> answers.

Would a not careful CA be flagged on their yearly audit?

> I think a successful DNS hijack against a CA validator would constitute a
> MITM except in the case where the attacker is straight up subverting the
> legitimate name owner's real systems. In /that/ case even DNSSEC doesn't
> necessarily help you, if they've subverted your systems they can give out
> DNS answers that check out as signed OK but say whatever they wish.
>
> In the former case DNSSEC would protect you, and I agree that where it has
> been deployed CA validators should check it, but in a world where there are
> still login HTML forms with no HTTPS behind them, how surprised are we
> supposed to be that people don't all have DNSSEC for their domains?

Me personally? Not at all. I'm just asking: if they _do_ have DNSSEC for
their domains, is there a way to leverage that to get a cert via an
encrypted channel, or at least do the domain validation via an encrypted
channel instead of using email or tcp port 80?

Regards,
Lee
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
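The thread's point that a careful CA validator "does DNS only by making authoritative queries" can be made concrete. The following is an added example, not code from any CA or from the participants in this thread: it assumes the validator sends its query with the RD (recursion desired) bit cleared directly to the zone's name server, and then refuses any reply that is not flagged AA (authoritative answer), since a non-authoritative reply is by definition served from somebody's cache, which is exactly what cache poisoning targets. The packets, the name `_validation.example.com.` and the TXT value are constructed in-process, so it runs with no network and no third-party packages; a real validator would also have to send the query over the wire, walk the delegation to find the authoritative servers and, where the zone is signed, verify the DNSSEC chain itself rather than trusting any flag.

```python
"""Added example: a minimal 'authoritative-only' DNS answer check.

All packets below are constructed in this file; nothing touches the network.
"""
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer: served from the zone, not a cache
FLAG_TC = 0x0200  # truncated
FLAG_RD = 0x0100  # recursion desired (we deliberately leave this clear)
FLAG_RA = 0x0080  # recursion available (typical of a recursive resolver)
RCODE_MASK = 0x000F

QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """Encode 'a.example.' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, qtype=QTYPE_TXT):
    """Build a query with RD cleared: ask the server for its own data, not a recursion."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, txt_strings, authoritative):
    """Constructed reply to `query` carrying one TXT record.

    authoritative=True models the zone's own server (AA set); False models a
    recursive resolver handing back a cached answer (AA clear, RA set)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | (FLAG_AA if authoritative else FLAG_RA)
    question = query[12:]
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in txt_strings)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


def _read_name(pkt, offset):
    """Decode a name at `offset`, following compression pointers; returns (name, next_offset)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end


def check_authoritative_answer(query, response):
    """Accept `response` only if it is a complete, authoritative answer to `query`.

    Returns (accepted, reason, txt_strings)."""
    if len(response) < 12:
        return False, "short packet", []
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch", []
    if not flags & FLAG_QR:
        return False, "not a response", []
    if flags & FLAG_TC:
        return False, "truncated; retry over TCP", []
    if flags & RCODE_MASK:
        return False, "rcode %d" % (flags & RCODE_MASK), []
    if not flags & FLAG_AA:
        # Served from a cache: the thread's 'careful validator' never accepts this.
        return False, "answer is not authoritative (AA clear)", []
    if qd != 1 or response[12:len(query)] != query[12:]:
        return False, "question section does not echo the query", []
    offset, texts = len(query), []
    for _ in range(an):
        _, offset = _read_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_IN:
            pos = 0
            while pos < len(rdata):  # TXT rdata is a sequence of length-prefixed strings
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii"))
                pos += 1 + n
    return True, "ok", texts


def demo():
    """Same record, once from the authoritative server and once from a cache."""
    query = build_query(0x1234, "_validation.example.com.")  # constructed name
    from_zone = build_response(query, ["token=abc123"], authoritative=True)
    from_cache = build_response(query, ["token=abc123"], authoritative=False)
    return check_authoritative_answer(query, from_zone), check_authoritative_answer(query, from_cache)


if __name__ == "__main__":
    print(demo())
```

The two replies in `demo()` carry identical TXT data; only the AA bit differs, and the check accepts the first and rejects the second. That is the whole point of querying authoritatively: the validator never has to reason about whether some cache along the way was poisoned, because it never consumes a cached answer.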