On Mon, Feb 20, 2017 at 4:19 PM, John Levine <jo...@taugh.com> wrote:
> In article <alpine.deb.2.11.1702201458030.23...@grey.csi.cam.ac.uk> you write:
>>Would it be easier or harder, instead of adding a new SNI RRtype, to use
>>DANE TLSA records to identify the server's cert or key, and use a
>>variation of TLS SNI to request the cert by digest instead of by name?
>
> I don't see how that would help.  Using passive DNS it's easy to find
> all the names that point to a server, which makes it easy to get all
> of the TLSA records for those names so the bad guy knows the hashes.

http://www.bieberfever.com/ ("The Official Justin Bieber Fan Club") is
hosted by Akamai on 23.38.103.18.
According to DNSDB (IMO the best passive DNS service), there are 605
other sites *also* hosted on 23.38.103.18.

No doubt pervasive monitors (and others) will use passive DNS systems
to build a map of SNI DNS RRs, but I'd much much rather have the men
in black thinking that I'm visiting www.precisiondoor.net,
www.theman.in, or www.worldsleadingcruiselines.com than knowing my
dirty little secret love of the Bieb...

Even more embarrassing is my love of Kylie Minogue -- 162.249.104.157 [0]
I'd much rather have anyone watching my TLS connections think that I'm
a fan of www.artofnoiseofficial.com, lilyallen.de or one of the other
900+ sites on that IP address.

Yes, maps of $site -> SNI *will* be made, and will be used for
profiling -- but ...

"I read Playboy for the articles" only works if they have articles --
I only went to www.worldsleadingcruiselines.com to read that, *not* to
try to buy the new poster, you know, the one where his hair is *sooo*
dreamy...

W




>
> R's,
> John



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
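The two points made in this exchange (a shared IP gives a visited site some cover, and a by-digest SNI would not change that because passive DNS also captures the TLSA records) can be made concrete. The following is an added Python example, not code from this message or from anyone in the thread; every name, address and certificate in it is constructed for illustration and is not real DNS data.

```python
"""Invert constructed passive-DNS data to measure how much cover a shared IP
gives a visited site, and show why a by-digest SNI would not change that."""
import hashlib
from collections import defaultdict

# Constructed passive-DNS observations: (owner name, rrtype, rdata).
# Names and addresses are illustrative only, not real resolution data.
PASSIVE_DNS = [
    ("www.bieberfever.com", "A", "23.38.103.18"),
    ("www.precisiondoor.net", "A", "23.38.103.18"),
    ("www.theman.in", "A", "23.38.103.18"),
    ("www.worldsleadingcruiselines.com", "A", "23.38.103.18"),
    ("www.kylie.example", "A", "162.249.104.157"),
    ("www.artofnoiseofficial.com", "A", "162.249.104.157"),
    ("lilyallen.de", "A", "162.249.104.157"),
    ("lonely.example", "A", "192.0.2.7"),
]


def names_by_ip(observations):
    """Invert A records into ip -> sorted names (the map passive DNS makes easy)."""
    table = defaultdict(set)
    for name, rrtype, rdata in observations:
        if rrtype == "A":
            table[rdata].add(name)
    return {ip: sorted(names) for ip, names in table.items()}


def cover_set(observations, name):
    """Other names a watcher who sees only the destination IP could confuse with `name`.

    An empty list means the IP alone identifies the site.
    """
    inverted = names_by_ip(observations)
    ips = {rdata for n, rrtype, rdata in observations if n == name and rrtype == "A"}
    cover = set()
    for ip in ips:
        cover.update(inverted.get(ip, []))
    cover.discard(name)
    return sorted(cover)


# Constructed TLSA material: each name publishes the SHA-256 of its certificate
# (DANE TLSA matching type 1). The "certificates" are placeholder byte strings,
# not real DER; two names are given the same certificate to show the shared case.
CERTS = {
    "www.bieberfever.com": b"constructed-cert-bieberfever",
    "www.precisiondoor.net": b"constructed-cert-precisiondoor",
    "www.theman.in": b"constructed-shared-cert",
    "www.worldsleadingcruiselines.com": b"constructed-shared-cert",
}


def tlsa_digest(cert):
    """Hex SHA-256 over the certificate bytes, as a TLSA record would carry."""
    return hashlib.sha256(cert).hexdigest()


def tlsa_records(certs):
    """(name, digest) pairs as published in DNS, and so as captured by passive DNS."""
    return [(name, tlsa_digest(cert)) for name, cert in certs.items()]


def names_for_digest(records, digest):
    """Reverse a digest seen in a by-digest SNI back to the names that publish it.

    With a per-site certificate this returns exactly one name, so the digest
    identifies the site as precisely as the hostname would have.
    """
    return sorted(name for name, d in records if d == digest)


if __name__ == "__main__":
    for ip, names in sorted(names_by_ip(PASSIVE_DNS).items()):
        print(f"{ip}: {len(names)} names")
    print("cover for www.bieberfever.com:", cover_set(PASSIVE_DNS, "www.bieberfever.com"))
    recs = tlsa_records(CERTS)
    print("digest lookup:", names_for_digest(recs, tlsa_digest(CERTS["www.bieberfever.com"])))
```

`cover_set` is the "605 other sites" argument in code: the larger the list, the less a destination IP alone says. `names_for_digest` is the reply's argument: because the TLSA records for every co-hosted name are equally visible to passive DNS, a digest sent in the handshake maps straight back to the hostname unless several sites share one certificate, in which case the cover is only as large as that sharing.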
