On Mon, 24 Feb 2014, Paul Hoffman wrote:

On Feb 24, 2014, at 10:28 AM, DTNX Postmaster <[email protected]> wrote:

I've been wondering whether DNSSEC would provide any mitigation for
such an attack, if there is a validating resolver between me and the
attacker?

Not in this case. The Apple bug allows an MITM to use the real certificate for 
the attacked site, while simply making up a private key.

Paul W's incorrect answer assumes a bug where the MITM needs to have a valid 
certificate. That is the most common case, but not the one relevant here; the 
Apple bug allowed a certificate for which the private key didn't match.

Indeed. I was wrong. Thank you for the correction.

Paul
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
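
The point made in the thread, as an added sketch that is not from any poster and is not Apple's code: a client that authenticates the certificate but never checks that the peer holds the matching private key accepts a replayed real certificate. It goes one step beyond the thread by assuming the client even has a trusted digest of the real certificate (`pinned_digest`, a hypothetical stand-in for anything learned through DNSSEC-validated data); the RSA is a textbook toy and every name and value is constructed.

```python
# Added illustration: toy model, not real TLS. All names and values are constructed.
import hashlib

E = 65537

def keypair(p, q):
    """Textbook RSA from two primes (toy sizes, no padding)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(digest_int(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == digest_int(msg, n)

def make_cert(key):
    # Stand-in certificate: a subject plus the public modulus only.
    return {"subject": "www.example.test", "n": key["n"]}

def cert_digest(cert):
    return hashlib.sha256(repr(sorted(cert.items())).encode()).hexdigest()

def client_accepts(cert, params, sig, pinned_digest, check_key_possession):
    # Step 1: is this the site's real certificate? (Assumed trusted digest.)
    if cert_digest(cert) != pinned_digest:
        return False
    # Step 2: did the peer sign the key-exchange parameters with the
    # private key that belongs to that certificate?
    if check_key_possession and not verify(cert["n"], params, sig):
        return False
    return True

server = keypair(2**31 - 1, 2**61 - 1)      # Mersenne primes, toy key
attacker = keypair(2**89 - 1, 2**107 - 1)   # made-up key, unrelated to the cert
real_cert = make_cert(server)
pinned = cert_digest(real_cert)

def honest_handshake(check):
    params = b"server key-exchange params"
    return client_accepts(real_cert, params, sign(server, params), pinned, check)

def mitm_handshake(check):
    # Real certificate replayed, parameters signed with the made-up key.
    params = b"mitm key-exchange params"
    return client_accepts(real_cert, params, sign(attacker, params), pinned, check)
```

With `check_key_possession=False` both handshakes are accepted, because step 1 only proves which certificate was sent; with it set to `True` only the honest one is.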
