[liberationtech] RFC: comments on discovery mechanisms
Chris Palmer
chris at eff.org
Fri Dec 3 12:07:18 PST 2010

On 12/03/2010 12:00 PM, Jacob Appelbaum wrote:
>> DNSSEC might prevent forgery, but cannot prevent blocking.
>
> This is my major point of frustration with DNSSEC. It is easy to provide
> query privacy for clients and some important DNSSEC people don't
> understand why this is important.
>
> My attempts to discuss this with DNSSEC people usually end in
> frustration. They see no point in privacy for a user's queries if they
> intend to directly connect to the site. Of course if the site has TLS,
> the game changes and DNSSEC becomes the weakest privacy link.

As important as query confidentiality is, I still rate integrity and DNS
server authentication higher simply because more people need them than
need confidentiality. I'd certainly rather shoot for all three
assertions, of course.

If it makes you feel any better ;) your browser is likely to leak the
name and X.509 certificate of the site you are visiting when it checks
the OCSP endpoint for certificate revocation. And what about the
name/search autocomplete feature in the browser...

--
Chris Palmer
Technology Director, Electronic Frontier Foundation