[Cryptography] Apple's iCloud+ "VPN"

Ray Dillinger bear at sonic.net
Sat Jul 17 11:46:50 EDT 2021



On 7/7/21 4:32 PM, Paul Wouters wrote:
>
> That won't help because these errors have no authentication. And if
> those errors can be used by the user/DNS software to mark these
> answers as "censored" to ask another resource, and thus circumventing
> the block, the courts will blame that on the DNS provider too, and
> would likely want them to stop returning these extended errors.
>
> The answer is, use DNSSEC. No one can mess with that without admitting
> they are messing with the data. The courts can't change that.

     But what if they don't care whether you know the DNS data you
received was messed with?  

     If the attacker's intent is to prevent you from getting to a
particular web site, it doesn't matter to the attacker whether you know
that you failed to get the correct data.  It doesn't matter to the
attacker whether your DNS provider *admits* that they are messing with
(filtering) the data. 

     It matters to the attacker only that you failed to get the correct
DNS data.

     I want a network stack that gets incorrect DNS data to continue on
to the next DNS provider.  I want a network stack that gets a 404 or
HTTPS authentication error from a site to try again, going on to the
next DNS provider.  Basically if the network stack can tell you didn't
get the correct site, it should continue to look for the correct site.

Bear
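The fall-through behaviour Bear asks for, as an added example that is not part of the thread or any real resolver: a small Python policy that queries a list of upstreams in order and moves on when the answer is provably wrong (DNSSEC bogus, or a signed zone answered without a valid chain) or when the upstream admits filtering via an RFC 8914 Extended DNS Error (codes 6, 15, 16, 17). The upstreams, the name `blocked.example`, and the RFC 5737 addresses are constructed stand-ins; nothing touches the network. The unsigned-zone case is included deliberately: there, a bare NXDOMAIN with no EDE cannot be told apart from a real miss, which is Paul's point that only DNSSEC makes the tampering visible.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# RFC 8914 Extended DNS Error INFO-CODEs used below.  They travel in an EDNS
# option and are not covered by DNSSEC signatures, so they are hints, not proof.
EDE_DNSSEC_BOGUS = 6
EDE_BLOCKED = 15
EDE_CENSORED = 16
EDE_FILTERED = 17
ADMITTED_FILTERING = {EDE_DNSSEC_BOGUS, EDE_BLOCKED, EDE_CENSORED, EDE_FILTERED}


@dataclass
class Reply:
    """Constructed stand-in for a resolver's answer (not a real wire message)."""
    rcode: str                          # "NOERROR" | "NXDOMAIN" | "SERVFAIL"
    addresses: List[str] = field(default_factory=list)
    dnssec: str = "insecure"            # local validator verdict: "secure" | "insecure" | "bogus"
    ede: Optional[int] = None           # RFC 8914 INFO-CODE sent by the upstream, if any


Upstream = Callable[[str], Reply]


def should_fall_through(reply: Reply, zone_is_signed: bool) -> Optional[str]:
    """Return the reason to try the next upstream, or None to accept this reply."""
    if reply.rcode == "SERVFAIL":
        return "upstream returned SERVFAIL"
    if reply.dnssec == "bogus":
        # Signatures are present but do not verify: the data was altered by the
        # resolver or on the path.  This is exactly what DNSSEC exists to catch.
        return "DNSSEC validation failed (bogus)"
    if reply.ede in ADMITTED_FILTERING:
        # The upstream admits filtering.  Unauthenticated, but an admission of
        # filtering is never a reason to keep the answer.
        return f"upstream signalled EDE {reply.ede}"
    if zone_is_signed and reply.dnssec != "secure":
        # A DS exists in the parent, yet this answer carries no valid chain:
        # signatures were stripped, which a validator also treats as bogus.
        return "signed zone answered without a valid chain"
    # An authenticated NXDOMAIN (signed denial of existence) is a real answer:
    # the name does not exist, and hopping upstreams will not change that.
    return None


def resolve(name: str, upstreams: Dict[str, Upstream],
            zone_is_signed: bool) -> Tuple[str, Reply, List[str]]:
    """Query upstreams in order; return (upstream_name, accepted_reply, audit_log)."""
    log: List[str] = []
    for upstream_name, query in upstreams.items():
        reply = query(name)
        reason = should_fall_through(reply, zone_is_signed)
        if reason is None:
            log.append(f"{upstream_name}: accepted {reply.rcode} {reply.addresses}")
            return upstream_name, reply, log
        log.append(f"{upstream_name}: skipped, {reason}")
    raise LookupError(f"no upstream gave an acceptable answer for {name}: {log}")


# Constructed upstream behaviours for one hypothetical signed name.
def isp_resolver(name: str) -> Reply:
    # Court-ordered block, honestly labelled: NXDOMAIN plus EDE 16 (Censored).
    return Reply("NXDOMAIN", dnssec="insecure", ede=EDE_CENSORED)


def quiet_filter(name: str) -> Reply:
    # Silent substitution: a sinkhole address whose signatures do not verify.
    return Reply("NOERROR", ["192.0.2.1"], dnssec="bogus")


def validating_resolver(name: str) -> Reply:
    return Reply("NOERROR", ["198.51.100.7"], dnssec="secure")


UPSTREAMS: Dict[str, Upstream] = {
    "isp": isp_resolver,
    "quiet-filter": quiet_filter,
    "validating": validating_resolver,
}


def demo_signed() -> str:
    """Signed zone: both filtering upstreams are skipped, the third is accepted."""
    chosen, _, _ = resolve("blocked.example", UPSTREAMS, zone_is_signed=True)
    return chosen


def demo_unsigned() -> str:
    """Unsigned zone: a bare NXDOMAIN with no EDE cannot be distinguished from a
    genuine miss, so the first upstream is accepted.  Without DNSSEC, quiet
    filtering looks the same as absence."""
    silent_isp: Upstream = lambda name: Reply("NXDOMAIN", dnssec="insecure")
    chosen, _, _ = resolve("blocked.example", {"silent-isp": silent_isp, **UPSTREAMS},
                           zone_is_signed=False)
    return chosen


if __name__ == "__main__":
    print("signed zone   ->", demo_signed())
    print("unsigned zone ->", demo_unsigned())
```

Two design points worth noting: the policy keys on the local validator's verdict, not on the upstream's AD bit, because a filtering resolver controls the AD bit but cannot forge RRSIGs; and an authenticated NXDOMAIN is accepted on the first hop, so the fall-through costs nothing for names that genuinely do not exist.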
