From mboxrd@z Thu Jan  1 00:00:00 1970
From: erik quanstrom <quanstro@quanstro.net>
Date: Sun, 24 Jan 2010 17:20:22 -0500
To: 9fans@9fans.net
Message-ID: <9c691e6f5046087ab913668e1b42f8c8@ladd.quanstro.net>
In-Reply-To: <Pine.BSI.4.64.1001241211570.5454@malasada.lava.net>
References: <4B57048D.6040002@maht0x0r.net>
	<4f34febc1001231559s3ffb6037o2a193bf4689b961@mail.gmail.com>
	<eeae7618fa33fc4dd4519a70b4ed354f@ladd.quanstro.net>
	<dd6fe68a1001231652sbc2692bh75559cf7cca58ef6@mail.gmail.com>
	<8094c7f53bad7b2e0bed09ec4bfd41dc@ladd.quanstro.net>
	<dd6fe68a1001231711u6157bbdcv42c564722749b9de@mail.gmail.com>
	<40f353c957e2ac20128c149f8bb178aa@ladd.quanstro.net>
	<f4d8fa41001240519n5898a98cv26d100ad779415e1@mail.gmail.com>
	<e501cce65dc902858110bb028ab5314c@ladd.quanstro.net>
	<dd6fe68a1001241349t5584fecaj10d646547a4c56ce@mail.gmail.com>
	<Pine.BSI.4.64.1001241211570.5454@malasada.lava.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] Are we ready for DNSSEC ?
Topicbox-Message-UUID: c64d1f9e-ead5-11e9-9d60-3106f5b1d025

On Sun Jan 24 17:15:17 EST 2010, newsham@lava.net wrote:
> > you are changing the topic.
> >
> > your original mail claimed to be worried
> > about man-in-the-middle attacks.  that means
> > the attacker can respond to arbitrary traffic;
> > the fact that you can verify the dns response
> > is irrelevant if when you try to connect to the
> > correct ip address the attacker handles it
> > and you don't take advantage of ssl certificates
> > to catch that.
>
> True, unless DNS provides a certificate that is bound
> to the session in some way.

if one misdirects the original connection via dns and
then uses the renegotiation bug, is this not a
mitm attack?

- erik