On 2/15/18, 2:45 AM, "dns-privacy on behalf of Stephane Bortzmeyer"
<[email protected] on behalf of [email protected]> wrote:
> https://dnscrypt.info
>
> You'll note that the FAQ <https://dnscrypt.info/faq/> includes a
> comparison with IETF solutions. Some remarks:
>
> 1) dnscrypt "Cannot be MITM’d by standard tools" vs. DNS-over-TLS
> "Readily compatible with industry-standard TLS interception/monitoring
> devices"
>
> This seems a strange approach to security. Using non-standard and
> little-known tools in the hope there will be fewer ready-made kits for
> script kiddies works only in the very short term. It is a bit like "I
> coded my own CMS in PHP, it is full of security holes but because it
> is not the standard WordPress / Drupal security holes, I'm secure".
Honestly, I'm not sure this is something I'd call out as a major benefit
personally, but not for the reasons you listed. It's the same as if you don't
install the root certificate I want you to on my network -- you just don't get
access at all. But in some cases, that's exactly what the end user wants.
The cryptography primitives behind DNSCrypt have been tested, evaluated, and are
published via IETF (RFC7539 & RFC7748.) The entire DNSCrypt protocol has been
published for some time (since 2011 iirc, version 2 in 2013.) I read this
section to be that DNSCrypt doesn't have a root certificate store that you can
install a custom root to -- the industry-standard way of TLS
interception/monitoring. You either have the private key matching the
fingerprint I want, or you don't. (Of course, if I'm retrieving that public
key from DNS/HTTP/etc, what proves that I have the right key...)
> 7) DoH "Uses standard HTTP/2, on the standard port (443)." Not sure it
> is a good thing that all the Internet runs over port 443 :-(
Joke used to be that everything would run over port 80; I guess at least it's
now encrypted, right?
-- Brian
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy