At Sun, 20 Jul 2014 11:07:16 +0200, Wouter Verhelst wrote:

> Even ignoring that, assuming people trust that code off
> people.debian.org is "safe", if they run a validating DNS resolver they
> don't run more of a risk than if they use only HTTPS.
I don't really follow that. A validating DNS resolver only makes sure you connect to the right IP address. DANE can specify the certificate to use for HTTPS, but you can't forward HTTP requests to HTTPS with DANE as far as I know.

In the case of HTTP, a MITM attack can send a fake response to the HTTP request without the need for any key material/certificates or the need to fake DNSSEC. For HTTPS it would need to have a certificate for people.debian.org that the client trusts.

Kind regards,

Jeroen Dekkers

Archive: https://lists.debian.org/87silwjo6w.wl%jer...@dekkers.ch