A MITM attack can be prevented by signing the data. Please check the cga-tsig draft.

Hosnieh

From: [email protected] [mailto:[email protected]] On Behalf Of Karl Malbrain
Sent: Tuesday, September 24, 2013 10:31 PM
To: Stephen Farrell; perpass
Subject: Re: [perpass] DNS confidentiality

To obviate the harvesting of meta-data, we do need a secure interface to DNS. MITM resistance (authentication) is also going to be required in DNS server connections. Maybe well-known certificates for DNS servers incorporated into browser software. Given the reluctance of browser writers to implement DANE, we're going to need something like encrypted QUIC available as a transport first.

Karl Malbrain

From: Stephen Farrell <[email protected]>
To: perpass <[email protected]>
Sent: Tuesday, September 24, 2013 1:43 AM
Subject: [perpass] DNS confidentiality

Hiya,

I've not seen mention of this so far here that I recall. Even as we improve the security of loads of protocols, there will still be issues with meta-data monitoring based on DNS queries for example. This point was sort of raised on the IETF list e.g. in [1].

DNSSEC doesn't provide any confidentiality. There are proposals that do try to do that. Do we think this is worth looking at? If so, anyone up for doing some work on that? If so, how, or starting from what?

S.

[1] http://www.ietf.org/mail-archive/web/ietf/current/msg82696.html

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
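Added example, not from the thread above and not code from the cga-tsig draft: it shows the two properties the messages contrast. A keyed MAC over the DNS message (the TSIG idea Hosnieh points to) lets the receiver detect an on-path rewrite, while the query name stays readable to any passive observer, which is the meta-data problem Stephen raises and which DNSSEC-style signing alone does not address. Assumptions: the MAC is appended as a raw 32-byte trailer rather than carried in a real TSIG resource record, the pre-shared key is a constructed value, and name compression is not handled.

```python
"""Signing a DNS query detects tampering but does not hide the name.

Simplified TSIG-style construction (assumption): HMAC-SHA256 over the
wire message, appended as a raw trailer instead of a TSIG RR.
"""
import hashlib
import hmac
import struct

MAC_LEN = 32
KEY = b"constructed-shared-secret"  # constructed key, not a real TSIG key


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: <len><label> ... 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        if not 1 <= len(lab) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def decode_qname(wire: bytes, offset: int = 12):
    """Read labels at offset; return (dotted name, offset after the name)."""
    labels = []
    while True:
        n = wire[offset]
        offset += 1
        if n == 0:
            break
        if n >= 0xC0:
            raise ValueError("compression pointers are not handled here")
        labels.append(wire[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """12-byte header (QR=0, RD=1, QDCOUNT=1) + one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    return header + question


def sign(msg: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 over the whole message."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def verify(signed: bytes, key: bytes) -> bool:
    """Recompute the MAC over the body and compare in constant time."""
    if len(signed) <= MAC_LEN:
        return False
    body, mac = signed[:-MAC_LEN], signed[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def observed_qname(signed: bytes) -> str:
    """What a passive on-path observer reads without knowing the key."""
    name, _ = decode_qname(signed, 12)
    return name


def tamper(signed: bytes, new_name: str) -> bytes:
    """On-path rewrite of the question name; header, qtype/qclass and MAC kept."""
    body, mac = signed[:-MAC_LEN], signed[-MAC_LEN:]
    _, end = decode_qname(body, 12)
    return body[:12] + encode_qname(new_name) + body[end:] + mac


def demo() -> dict:
    """Genuine query verifies, a rewritten one does not, the name leaks."""
    q = sign(build_query(0x1234, "www.example.com"), KEY)
    return {
        "genuine_verifies": verify(q, KEY),
        "tampered_verifies": verify(tamper(q, "www.attacker.test"), KEY),
        "observer_sees": observed_qname(q),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of `observed_qname` is that the MAC is computed over bytes that are still sent in the clear: authentication and confidentiality are separate properties, and a transport that encrypts the whole message is what closes the meta-data gap the thread is about.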
