On 21-11-2023 at 08:34, Schanzenbach, Martin wrote:
> We are happy to announce that our *The GNU Name System* (GNS) specification is now published as RFC 9498 [0].

> in order to transparently enable this functionality for migration purposes, a local GNS-aware SOCKS5 proxy [RFC1928] can be configured to resolve domain names

Are you sure this is transparent? Consider the case where a website has a log-in system, and instead of being based on passwords, it is based on TLS client certificates (for example, https://ci.guix.gnu.org/ has such a system to decide who is allowed to adjust ‘specifications’ and ‘restart builds’).
Given that the SOCKS5 proxy is technically a MITM attack, and the client certificates instead of only server certificates, I would expect (and hope) that the SOCKS5 proxy can't convince the server that it is the client.
It's a somewhat niche use case, so mostly transparent, sure. But transparent, without qualifiers, I don't think so.

Best regards,
Maxime Devos
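The concern raised in the message above, as an added Go example (not part of the original message and not GNUnet code): a server that logs users in by TLS client certificate accepts the real client, but rejects an intermediary that terminates TLS and re-presents the client's certificate, because the intermediary cannot produce the handshake signature without the client's private key. Assumptions: an `httptest` server stands in for the website, the `alice` certificate and the `X-Authenticated-As` header are constructed for illustration, and the server pins one self-signed client certificate instead of using a CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetch GETs srv, presenting certificate der and signing the TLS handshake with key.
func fetch(srv *httptest.Server, der []byte, key ed25519.PrivateKey) (string, error) {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // trusts the test server
	cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := c.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Header.Get("X-Authenticated-As"), nil // hypothetical header, set by the handler below
}

// demo returns who the server saw for the real client, and the error seen behind a TLS-terminating proxy.
func demo() (direct string, viaProxy error) {
	_, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	_, proxyKey, _ := ed25519.GenerateKey(rand.Reader) // the proxy only holds its own key
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)} // constructed identity
	der, _ := x509.CreateCertificate(rand.Reader, t, t, aliceKey.Public(), aliceKey)
	alice, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(alice) // assumption: the site pins this one self-signed client certificate
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Authenticated-As", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	direct, _ = fetch(srv, der, aliceKey)
	_, viaProxy = fetch(srv, der, proxyKey) // the certificate is public; signing as alice needs her key
	return direct, viaProxy
}

func main() { fmt.Println(demo()) }
```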