Re: people.debian.org will move from ravel to paradis and become HTTPS only
Op zondag 20 juli 2014 12:53:59 schreef Jeroen Dekkers:
> At Sun, 20 Jul 2014 11:07:16 +0200,
> Wouter Verhelst wrote:
> > Even ignoring that, assuming people trust that code off
> > people.debian.org is "safe", if they run a validating DNS resolver they
> > don't run more of a risk than if they use only HTTPS.
> I don't really follow that. A validating DNS resolver only makes sure
> you connect to the right IP address. DANE can specifiy the certificate
> to use for HTTPS, but you can't forward HTTP requests to HTTPS with
> DANE as far as I know.
If someone manages to break DNSSEC in such a way that they can redirect
your DNS requests to an IP address of their choosing, they can also
replace DANE records out from under your feet. But I agree that the
argument is somewhat weak. It's also not my core argument.
> In the case of HTTP a MITM attack can send a fake response to the HTTP
> request without the need for any key material/certificates or need to
> fake DNSSEC. For HTTPS it would need to have a certificate for
> people.debian.org that the client trusts.
It is easy to love a country that is famous for chocolate and beer
-- Barack Obama, speaking in Brussels, Belgium, 2014-03-26