On 10/22/23 1:56 PM, Taavi Eomäe via mailop wrote:
On 22/10/2023 16:08, Slavko via mailop wrote:
Hmm, and what about MUAs?
Without MUA-STS, it's up to the MUAs and only MUAs to enforce connection security. The next step
after that would be some kind of pinning.
Some have suggested DANE+DNSSEC, but DNSSEC operators can be coerced just as much as hosting
providers can be
This is only partially true. Yes, in theory a german warrant served against .de's management would
be able to swap the DS record, but in this case it was actually a .ru domain being hosted in
germany. So its unlikely any legal interception story would have worked at all in this case.
, but unlike with WebPKI, it wouldn't even leave a publicly visible trace amongst
other problems.
This is definitely not true. Its certainly possible to serve different DS (and NS) records to
different users in the DNS, but suggesting its trivial or that it would be done in response to a
legal interception warrant is dubious at best. More likely they'd simply replace the DS (and NS)
records, have to host alternative DNS zones for the victim, and now we're talking about a much more
visible attack (assuming they're actually monitoring, which of course they could with WebPKI as well).
Matt
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
