- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 11 Apr 2018 17:01:46 +1200
- To: ietf-http-wg@w3.org

On 11/04/18 08:20, Jeffrey Yasskin wrote:
>
> If the main problem is that Secondary Certificates make detecting
> compromise more difficult, would it help to have clients make a parallel
> connection to the DNS-discovered IP address that simply reports who's
> using the server's identity? I think it's safe for this connection to
> fail open, since if the attacker's network-privileged, they didn't need
> to use Secondary Certs.

I don't think it would help at all. Recall that DNS/BGP is already compromised in order to perform the attack at all. So any side connection is just as easily caught and faked as the original was.

( Time for a shameless plug about DNSSEC + DANE ? )

Amos

Received on Wednesday, 11 April 2018 05:02:46 UTC