On Thu, Feb 6, 2020 at 12:09 PM Eric Rescorla <[email protected]> wrote:
>
> Second, the text in question is about the effect of attacks on DNS on the
> Web "Users may be directed to bogus IP addresses for e.g. websites where
> they might reveal personal information to attackers."
>
I agree that the WebPKI can help here, but it cannot be viewed as a solid remediation.

For one, browsers will still connect to non-HTTPS sites. Here is a large concrete example of an attack that matches what the draft describes:
https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/

Secondly, root certificate stores are not consistent. One example:
https://www.cs.umd.edu/class/fall2017/cmsc818O/papers/tangled-mass.pdf

Thirdly, it's not clear that misrouted traffic (either via DNS or lower-level ways like BGP) won't encounter seemingly-legitimate certificates, because the number of people that can issue them is so large.

I know Ekr knows all of this, and I do think that text on bogus IP addresses needs a caveat. But I'm not sure the text in the draft is totally misguided.

thanks,
Rob
