From mboxrd@z Thu Jan  1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <8094c7f53bad7b2e0bed09ec4bfd41dc@ladd.quanstro.net>
References: <4B57048D.6040002@maht0x0r.net>
	 <4f34febc1001231559s3ffb6037o2a193bf4689b961@mail.gmail.com>
	 <eeae7618fa33fc4dd4519a70b4ed354f@ladd.quanstro.net>
	 <dd6fe68a1001231652sbc2692bh75559cf7cca58ef6@mail.gmail.com>
	 <8094c7f53bad7b2e0bed09ec4bfd41dc@ladd.quanstro.net>
Date: Sat, 23 Jan 2010 17:11:11 -0800
Message-ID: <dd6fe68a1001231711u6157bbdcv42c564722749b9de@mail.gmail.com>
Subject: Re: [9fans] Are we ready for DNSSEC ?
From: Russ Cox <rsc@swtch.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Topicbox-Message-UUID: c5b26242-ead5-11e9-9d60-3106f5b1d025

On Sat, Jan 23, 2010 at 5:01 PM, erik quanstrom <quanstro@quanstro.net> wro=
te:
>> if the goal is avoiding ssl mitm attacks,
>> dns is the least of your worries. a mitm will
>> just take over the connection attempt for the
>> actual ip address. =C2=A0the solution there is
>> to implement proper ssl certificate chain checking.
>
> doesn't work with the recent renegotiation bug.

disable renegotiation.

> but i don't
> think one can dismiss dns as a non-issue.

dns is a non-issue if the rest of ssl is working.
dns is irrelevant if it isn't.

russ