[Cryptography] Apple's iCloud+ "VPN"
Paul Wouters
paul at nohats.ca
Sun Jul 11 23:45:33 EDT 2021
On Sat, 10 Jul 2021, Viktor Dukhovni wrote:
>> That, on the other hand, is a deficiency which had not been obvious to
>> me until you pointed it out, and now is. If you’re saying that you
>> believe DNS Extended Errors should include a mechanism for the server
>> generating the error to identify itself and sign the error message,
>> then I agree, and in retrospect this seems like an oversight which
>> should be remedied, and remembered for the future.
>
> I'm not convinced. Errors reporting is needed under adverse conditions,
> and authenticating the error message is typically not the highest
> priority in that case.
>
> The error messages are just diagnostic information, they do not change
> the semantics of the result. The most one should reasonably
> automatically do based on the error type is in some cases give up
> *faster*, because the error makes it clear that retries won't help.
The problem is, we only need to wait for another SiteFinder style
intercept using extended dns error messages to lure users to some
"helpful" error page whose only goal is user monetization.
Paul
More information about the cryptography
mailing list