<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 4/24/2025 1:42 AM, Ron Garret wrote:<span
style="white-space: pre-wrap">
</span></div>
<blockquote type="cite"
cite="mid:30B48D70-0B93-43FA-8178-76CE0A3E7F06@flownet.com">
<blockquote type="cite">
<pre wrap="" class="moz-quote-pre">On Apr 22, 2025, at 5:32 PM, Paul Wouters <a class="moz-txt-link-rfc2396E" href="mailto:paul@nohats.ca"><paul@nohats.ca></a> wrote:
All the CAbal exists only because of browsers refusing to do DNSSEC,
</pre>
</blockquote>
<pre wrap="" class="moz-quote-pre">How is DNSSEC going to help mitigate a MITM attack? If I MITM you, I don't need to spoof your DNS. All I need to do is re-route your traffic to my server. Without certificates, I can make my server indistinguishable from the server you are trying to talk to.</pre>
</blockquote>
<p>It's DNSSEC+DANE that prevents MITM attacks [1]. A web browser
supporting DANE won't be vulnerable to the attacks you imagine at
all. I guess most people arguing against DNSSEC do not know that
DANE exists.<br>
</p>
<p>On the other hand, with traffic re-routing, you can get an SSL/TLS
cert from LE if you are on-path to the web server that the domain
name resolves to [2]. And then use that cert to do MITM on people
you lured to use your public hot spot.</p>
<blockquote type="cite"
cite="mid:30B48D70-0B93-43FA-8178-76CE0A3E7F06@flownet.com">
<pre wrap="" class="moz-quote-pre"> Indeed, even *with* certificates I can make my server indistinguishable from the one you are trying to talk to, it's just that I won't be able to actually read any of the content of the exchange. But without certificates, I can not only read the content (which is bad enough) but I can also *change* the content, which is even worse. So if you log in to your bank while connected to my network, I can not only steal your credentials and take all your money, as long as you are connected to my network I can make it appear to you as if everything is perfectly normal. I can even, if I'm clever and dedicated, intercept your IMAP traffic and hide or delete the emails that your real bank is sending you to verify that you are really trying to wire all your money to Panama.</pre>
</blockquote>
<p>DNSSEC+DANE also use certificates (even self-signed ones with
DANE-EE mode) with TLS. It's just that the certificate is backed up
with a DANE record which is protected by DNSSEC.<br>
</p>
<blockquote type="cite"
cite="mid:30B48D70-0B93-43FA-8178-76CE0A3E7F06@flownet.com">
<pre wrap="" class="moz-quote-pre">*That* is what certificates protect against. DNSSEC will not help you at all because as long as you are connected to my hot spot, I control the entire Internet from your point of view, not just DNS.
</pre>
</blockquote>
<p>DNSSEC will help protect with DANE. Controlling a hot spot does
not make it vulnerable.<br>
</p>
It's about time web browsers add support for DANE as an alternative
option for people who want to use it.<br>
<div class="moz-signature">
<p>
Regards,<br>
<b>Shreyas Zare</b><br>
<a href="https://technitium.com/">Technitium</a>
</p>
</div>
<div class="moz-cite-prefix">[1]
<a class="moz-txt-link-freetext" href="https://blog.technitium.com/2023/05/for-dnssec-and-why-dane-is-needed.html">https://blog.technitium.com/2023/05/for-dnssec-and-why-dane-is-needed.html</a></div>
<div class="moz-cite-prefix">[2]
<a class="moz-txt-link-freetext" href="https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/">https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/</a><br>
</div>
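<p>Added example (not from this message, nor Technitium's code): how a DANE-EE (certificate usage 3) TLSA record is derived from a certificate and how a client checks the presented end-entity certificate against it, assuming the TLSA RRset has already been DNSSEC-validated. The certificate builder, its P-256 point and its signature are constructed dummies; only the OIDs are real.</p>

```python
import hashlib

def der(tag, value):
    # DER TLV encoder, used only to build the constructed sample certificate below
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_tlv(data, pos=0):
    # decode one DER TLV at pos -> (tag, value, offset just past it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def extract_spki(cert_der):
    # Certificate -> tbsCertificate -> [version], serial, sigalg, issuer, validity, subject, SPKI
    tbs, fields, pos = der_tlv(der_tlv(cert_der)[1])[1], [], 0
    while pos < len(tbs):  # keep each child as raw bytes so the hash covers the whole TLV
        end = der_tlv(tbs, pos)[2]
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version is present
        fields = fields[1:]
    return fields[5]

def tlsa_record(cert_der, usage=3, selector=1):
    # presentation form of the TLSA RR to publish (RFC 6698), matching type 1 = SHA-256
    data = cert_der if selector == 0 else extract_spki(cert_der)  # selector 0 = full cert, 1 = SPKI
    return f"{usage} {selector} 1 {hashlib.sha256(data).hexdigest()}"

def tlsa_match(cert_der, record):
    # DANE-EE check: the presented end-entity cert must match the DNSSEC-validated TLSA RR
    usage, selector, mtype, assoc = record.split()
    if int(usage) != 3 or int(mtype) != 1:
        raise NotImplementedError("only usage 3 (DANE-EE) with SHA-256 is handled here")
    return tlsa_record(cert_der, 3, int(selector)).split()[3] == assoc.lower()

def sample_cert(key_byte, serial=b"\x01"):
    # constructed X.509 skeleton: real OIDs, but the P-256 point and signature are dummy bytes
    ec = der(0x30, der(0x06, bytes.fromhex("2A8648CE3D0201"))      # id-ecPublicKey
                   + der(0x06, bytes.fromhex("2A8648CE3D030107")))  # prime256v1
    spki = der(0x30, ec + der(0x03, b"\x00\x04" + bytes([key_byte]) * 64))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2A8648CE3D040302")))  # ecdsa-with-SHA256
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + sig_alg
              + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x22" * 8))
```

<p>With selector 1 (SPKI) a re-issued certificate carrying the same key still matches the published record, while selector 0 binds the exact certificate bytes; no CA is consulted in either case, the trust comes from the DNSSEC chain over the TLSA RRset.</p>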
</body>
</html>