Re: [perpass] DNS confidentiality

Wed, 25 Sep 2013 12:38:38 -0700 

Yes, MITM can be prevented if you have a copy of the public certificate 
obtained through exteriour means to check the signature over the data.  If your 
certificate is provided by MITM you naturally lose that signature protection.

 

________________________________
 From: Hosnieh Rafiee <[email protected]>
To: 'Karl Malbrain' <[email protected]> 
Cc: 'perpass' <[email protected]>; 'Stephen Farrell' <[email protected]> 
Sent: Tuesday, September 24, 2013 2:08 PM
Subject: Re: [perpass] DNS confidentiality
  


MITM attack can be prevented by signing the data. Please check cga-tsig draft.
 
 
Hosnieh
 
 
From:[email protected] [mailto:[email protected]] On Behalf Of 
Karl Malbrain
Sent: Tuesday, September 24, 2013 10:31 PM
To: Stephen Farrell; perpass
Subject: Re: [perpass] DNS confidentiality
 
To obviate the harvesting of meta-data, we do need a secure interface to DNS.
 
MITM resistance (authentication) is also going to be required in DNS server 
connections. Maybe well known certificates for DNS servers incorporated into 
browser software
 
Given the reluctance of browser writers to implement DANE,  we're going to need 
something like encrypted QUIC available as a transport first.
 
Karl Malbrain  
 
From:Stephen Farrell <[email protected]>
To: perpass <[email protected]> 
Sent: Tuesday, September 24, 2013 1:43 AM
Subject: [perpass] DNS confidentiality


Hiya,

I've not seen mention of this so far here that I recall.

Even as we improve the security of loads of protocols, there
will still be issues with meta-data monitoring based on
DNS queries for example. This point was sort of raised on
the IETF list e.g. in [1].

DNSSEC doesn't provide any confidentiality. There are
proposals that do try do that.

Do we think this is worth looking at?
If so, anyone up for doing some work on that?
If so, how, or starting from what?

S.

[1] http://www.ietf.org/mail-archive/web/ietf/current/msg82696.html
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass


_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass

Reply via email to