[liberationtech] DNSSEC to the rescue. Was: Snakeoil and suspicious encryption services

Guido Witmond guido at witmond.nl
Tue Jul 22 11:12:13 PDT 2014


On 07/22/14 13:47, Aymeric Vitte wrote:

> I have been thinking about these issues for quite some time; unfortunately, I
> reached the conclusion that you cannot secure the code loading.

A humble suggestion:

With HTTPS, a self-signed server certificate, a DANE record of that
certificate in DNSSEC, and a browser plugin (the extended DNSSEC/DANE
validator of cz.nic) that validates the DANE record, code
loading from the original site would be secure against a MitM.

That way you could host all your JavaScript at the site (but not at the
CDN).


Now the question becomes: do the users find a reason to trust peersm
with their business? Users are still vulnerable to an NSL delivered at
peersm.

with regards, Guido Witmond.
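
The check described in the message above, as an added example that is not part of the original post and not the cz.nic validator's code: matching the certificate a server presents against a published TLSA (DANE) record. It assumes the record has already been DNSSEC-validated by the resolver, handles only usage 3 (DANE-EE) with selector 0 (full certificate), and uses constructed byte strings in place of real DER certificates.

```python
import hashlib
import hmac

# TLSA matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def parse_tlsa(rdata: str):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Return True if cert_der satisfies a DANE-EE full-certificate TLSA record.

    Only usage 3 (DANE-EE, the case that fits a self-signed certificate) and
    selector 0 (whole certificate) are handled; anything else is rejected
    rather than silently accepted.
    """
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage != 3 or selector != 0:
        return False
    if mtype == 0:
        presented = cert_der
    elif mtype in _DIGESTS:
        presented = _DIGESTS[mtype](cert_der).digest()
    else:
        return False
    return hmac.compare_digest(presented, data)


def make_tlsa(cert_der: bytes, mtype: int = 1) -> str:
    """Build the '3 0 <mtype>' record a site operator would publish."""
    data = cert_der if mtype == 0 else _DIGESTS[mtype](cert_der).digest()
    return f"3 0 {mtype} {data.hex()}"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
SITE_CERT = b"constructed-der-bytes-of-site-self-signed-cert"
MITM_CERT = b"constructed-der-bytes-of-interceptor-cert"

PUBLISHED = make_tlsa(SITE_CERT)  # assumed to arrive DNSSEC-validated

if __name__ == "__main__":
    print("site cert accepted:", tlsa_matches(PUBLISHED, SITE_CERT))
    print("mitm cert accepted:", tlsa_matches(PUBLISHED, MITM_CERT))
```

The match only carries weight if the TLSA answer itself was DNSSEC-validated; an unsigned or unvalidated answer can be replaced together with the certificate.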



