From: erik quanstrom
Date: Sun, 24 Jan 2010 17:20:22 -0500
To: 9fans@9fans.net
Message-ID: <9c691e6f5046087ab913668e1b42f8c8@ladd.quanstro.net>
In-Reply-To:
References: <4B57048D.6040002@maht0x0r.net> <4f34febc1001231559s3ffb6037o2a193bf4689b961@mail.gmail.com> <8094c7f53bad7b2e0bed09ec4bfd41dc@ladd.quanstro.net> <40f353c957e2ac20128c149f8bb178aa@ladd.quanstro.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] Are we ready for DNSSEC ?
Topicbox-Message-UUID: c64d1f9e-ead5-11e9-9d60-3106f5b1d025

On Sun Jan 24 17:15:17 EST 2010, newsham@lava.net wrote:
> > you are changing the topic.
> >
> > your original mail claimed to be worried
> > about man-in-the-middle attacks. that means
> > the attacker can respond to arbitrary traffic;
> > the fact that you can verify the dns response
> > is irrelevant if when you try to connect to the
> > correct ip address the attacker handles it
> > and you don't take advantage of ssl certificates
> > to catch that.
>
> True, unless DNS provides a certificate that is bound
> to the session in some way.

if one misdirects the original connection via dns and then uses the renegotiation bug, is this not a mitm attack?

- erik