Re: debcheckroot v2.0 released

To: Lee <ler762@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: debcheckroot v2.0 released
From: Elmar Stellnberger <estellnb@elstel.org>
Date: Sat, 4 Apr 2020 09:29:32 +0200
Message-id: <[🔎] ee440102-604f-b3cb-009f-a6e9c76222bd@elstel.org>
In-reply-to: <[🔎] CAD8GWsv1Nb8RdD8XqKbbSbrOR7V9c5=18eC4oVKNTep+pAZ4zg@mail.gmail.com>
References: <b2489138-53ee-e747-31cc-cdce48339dbe@zoho.com> <e0b4b492-afa2-7ee1-cb0f-12f887f1a9e2@gmail.com> <2e13d71d-f29b-3cb2-4147-5fcf9c8c6a3e@gmail.com> <2a3b7e9a-d483-e4c8-8761-6803b6faf011@gmail.com> <CAKTje6ExBrtZoW+J-pdDW2+r3EJV0dVjVyakTSNfz2WUs+EOVw@mail.gmail.com> <CAKTje6HY-+tAeDkcSZyHdBKKWk1AiSaVr2jQuFhobuiTgtuCxA@mail.gmail.com> <4d768eaf-4b60-c060-3e68-7bfcbaa334aa@elstel.org> <a96c3b9cbc6df435b6a1c6bc1e20eb2c21f8f524.camel@debian.org> <1f279581-fd7b-b054-013c-d0a527db59e0@elstel.org> <c0c4f2eb10e435f81f3ba8f1cd5e7c1fe9391500.camel@debian.org> <e5906e91-201e-6b91-5fad-b60b4ce33180@elstel.org> <[🔎] b74b1527-d500-6939-2a36-5361deeb5973@vheuser.com> <[🔎] CAKTje6GB+i5GNqhVq3+xzx17e5Dpp=RcwwSuMeY9o954XG+ioA@mail.gmail.com> <[🔎] CAD8GWssQWJ=xEadvEWduCs=6-MxoDX0qzB1N6xfZs8TRQ7EO1A@mail.gmail.com> <[🔎] f04fbbe7-59f4-c3ae-75ae-cb4c8169f067@elstel.org> <[🔎] e0f78864-46bb-a096-d756-15fb02177aa0@elstel.org> <[🔎] CAD8GWsv1Nb8RdD8XqKbbSbrOR7V9c5=18eC4oVKNTep+pAZ4zg@mail.gmail.com>



Am 04.04.20 um 00:46 schrieb Lee:

On 4/3/20, Elmar Stellnberger <estellnb@elstel.org> wrote:

Encryption can be a source of arbitrary code execution exploits if not
implemented properly. Encrypting DNS would have other application
purposes and makes sense as long as you use a proxy. If you connect
directly hiding the domain name is ineffective because someone who spys
at the connection also knows the IPs you connect to and via SNI the
cleartext of the domain you surf at.


Yes, but "trusting the answer" and "keeping my communications private"
are not quite the same thing.  If we're talking about "trusting the
answer" I'll take DoT or running my own dnssec enabled resolver.  When
I'm more concerned about "keeping my communications private" I'll take
TOR & accept the trade-off of slower speed.

I think we have to separate two issues here: authenticity assertingthat the answer is correct and confidentiality asserting that no oneelse knows about a message. Signing asserts authenticity whileencryption can guarantee confidentiality. With GnuPG encrypted messagesare also signed by default so that both features are provided. That doesnot tell however that both issues are clearly separated. Encryption byitself does not contribute anything to the authenticity of a reply, i.e.you do not know from whom it came. With signing the correctness of ananswer can be asserted but the answer itself can be read in cleartext byeveryone unless it is additionally encrypted.

Reply to:

References:
- Re: debcheckroot v2.0 released
  - From: "vince@vheuser.com" <vince@vheuser.com>
- Re: debcheckroot v2.0 released
  - From: Paul Wise <pabs@debian.org>
- Re: debcheckroot v2.0 released
  - From: Lee <ler762@gmail.com>
- Re: debcheckroot v2.0 released
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: debcheckroot v2.0 released
  - From: Elmar Stellnberger <estellnb@elstel.org>
- Re: debcheckroot v2.0 released
  - From: Lee <ler762@gmail.com>

Prev by Date: Re: debcheckroot v2.0 released
Next by Date: Re: debcheckroot v2.0 released
Previous by thread: Re: debcheckroot v2.0 released
Next by thread: Re: debcheckroot v2.0 released
Index(es):
- Date
- Thread