Ohta-san, I think the points you are making in response to what I have said are that (1) it's easier for a government to fake a DNS delegation than to MiTM an IP connection, and (2) if it's a government that's faking your DNS, they can jail you for noticing. I think these are both valid points. However, I don't think they lead to the conclusion you are drawing.

First, if the government really cares about censorship, it's probably going to do some degree of DPI for connections to IP addresses it has reason to care about. So you could in principle do a connection to a device that isn't on the government's radar and bypass their attack, for sure. But this is actually quite hard for a layperson to arrange, and impossible to automate, since any automatic mechanism would be known to the government in question.

To the second question, this is also absolutely true, but at the same time, as we can see, just because something is illegal doesn't mean that it's not useful. E.g., the government in Russia has made it illegal to protest the war in Ukraine, and yet we see people protesting in the streets. Their goal is pretty clearly to bypass a government restriction on communication.

Having a watchdog in software that notices when a certificate has been replaced by one that isn't valid isn't that hard, and while it might be made illegal after the fact, officially making it illegal would be a public act that would have to be announced by the government in order to be enforceable—otherwise software vendors would have no reason to know they were violating the law. By announcing it, the government in question is disclosing the status of your security, which is the whole point. Absent such a disclosure, citizens can continue to run such software, and continue to detect such attacks. In the presence of such a disclosure, citizens know that their traffic is not secure, which is obviously not great, but still represents success: the user now knows that the network isn't safe to use.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
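The "watchdog that notices when a certificate has been replaced" mentioned in the message above, sketched as a trust-on-first-use fingerprint store. This is an added example, not code from the message's author or from the DNSOP working group. It records the SHA-256 fingerprint of the DER-encoded leaf certificate a host presents and alerts when a later connection presents a different one; a change is never accepted automatically, because an attacker-issued certificate that chains to a CA the local trust store already accepts would pass ordinary validation, and only the comparison against what was seen before catches the swap. The pin-store path, the host name and the two byte strings standing in for DER certificates are constructed for the demo; `fetch_der()` is the only part that touches the network and is not exercised by the self-contained run.

```python
"""Trust-on-first-use certificate watchdog (added example, not from the original post)."""
import hashlib
import json
import socket
import ssl
from pathlib import Path

PIN_STORE = Path("pins.json")  # hypothetical location of the pin store


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, colon-separated hex as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check(pins: dict, host: str, der: bytes) -> str:
    """Compare the presented certificate with what the pin store remembers.

    Returns one of:
      "first-use"  host not seen before; the fingerprint is recorded
      "ok"         fingerprint matches a recorded pin
      "CHANGED"    host is known but the certificate differs; alert the user
    The store is only updated on first use. A mismatch is reported, never
    silently adopted, since adopting it would defeat the watchdog.
    """
    fp = fingerprint(der)
    known = pins.get(host)
    if known is None:
        pins[host] = [fp]
        return "first-use"
    if fp in known:
        return "ok"
    return "CHANGED"


def accept_rotation(pins: dict, host: str, der: bytes) -> None:
    """Operator-confirmed rotation: keep the old pin and add the new fingerprint."""
    pins.setdefault(host, []).append(fingerprint(der))


def load_pins(path: Path = PIN_STORE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(pins: dict, path: Path = PIN_STORE) -> None:
    path.write_text(json.dumps(pins, indent=2))


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a host presents (network; not used in the demo).

    Verification is disabled on purpose: the watchdog wants to record what
    was presented, including a certificate the trust store would reject.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for two different DER certificates; real DER comes from fetch_der().
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"


def demo() -> list:
    """Walk the store through first use, a match, a swap, and a confirmed rotation."""
    pins = {}
    results = [
        check(pins, "example.org", CERT_A),  # first-use
        check(pins, "example.org", CERT_A),  # ok
        check(pins, "example.org", CERT_B),  # CHANGED: the certificate was swapped
    ]
    accept_rotation(pins, "example.org", CERT_B)  # operator confirms out of band
    results.append(check(pins, "example.org", CERT_B))  # ok
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

In real use the loop is `pins = load_pins(); outcome = check(pins, host, fetch_der(host)); save_pins(pins)`, with anything other than "ok" or "first-use" surfaced to the user. Pinning the whole certificate rather than the public key means ordinary renewals also show up as "CHANGED", so the rotation path has to be explicit; that is the price of catching a swap by a CA the trust store already accepts.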