[liberationtech] RFC: comments on discovery mechanisms
Jacob Appelbaum
jacob at appelbaum.net
Fri Dec 3 12:12:47 PST 2010
On 12/03/2010 03:07 PM, Chris Palmer wrote:
> On 12/03/2010 12:00 PM, Jacob Appelbaum wrote:
>
>>> DNSSEC might prevent forgery, but cannot prevent blocking.
>>
>> This is my major point of frustration with DNSSEC. It is easy to provide
>> query privacy for clients and some important DNSSEC people don't
>> understand why this is important.
>>
>> My attempts to discuss this with DNSSEC people usually end in
>> frustration. They see no point in privacy for a user's queries if they
>> intend to directly connect to the site. Of course if the site has TLS,
>> the game changes and DNSSEC becomes the weakest privacy link.
>
> As important as query confidentiality is, I still rate integrity and DNS
> server authentication higher simply because more people need them than
> need confidentiality. I'd certainly rather shoot for all three
> assertions, of course.
>
Of course. The frustrating thing is that we won't get query privacy in
our lifetimes at the rate things are going. It doesn't help that people
working on DNSSEC don't even consider it to be a problem worth solving.
There is great irony though - part of the issue that makes DNSSEC so
important is that we see that people are watching and tampering!
> If it makes you feel any better ;) your browser is likely to leak the
> name and X.509 certificate of the site you are visiting when it checks
> the OCSP endpoint for certificate revocation. And what about the
> name/search autocomplete feature in the browser...
>
>
I'm fine with that if I'm using Tor or if I'm not using anything related
to a web browser.
All the best,
Jacob