Re: [LINK] Calling time on DNSSEC?

Subject: Re: [LINK] Calling time on DNSSEC?
From: invalid (at) *nospam* invalid.invalid (Richard Kettlewell)
Newsgroups: comp.misc
Date: 04. Dec 2024, 09:39:37
Organization: terraraq NNTP server
Message-ID: <wwvjzcf6dva.fsf@LkoBDZeT.terraraq.uk>
References: 1 2 3 4 5 6 7
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Grant Taylor <gtaylor@tnetconsulting.net> writes:
> On 12/3/24 00:14, Lawrence D'Oliveiro wrote:
>> Nobody uses PKI.
>
> Um....  I think I'm one of many, Many, MANY people that will have to
> disagree with you on that one.

Quite.

>> TLS has a hole in it, in that the SNI, “Server Name Indication” (the
>> “Host:” line in the HTTP request header) has to be sent unencrypted.
>
> Two flags on the play:
>
> 1)  Encrypted SNI is a thing.
>
> 2)  "the "Host:" line in the HTTP request header" is *NOT* the SNI.
> The Host: header is part of the HTTP request that's inside of the TLS
> connection.

Quite.

> The SNI hello message does include something similar, but it's not the
> Host: header.  And there's also ESNI to protect it.

Better than nothing, although in many cases I’d expect that traffic
analysis could be used to narrow down which site was being visited even
without name information being available.

>> This allows eavesdroppers, like authoritarian Government regimes, to
>> determine when you are trying to access a prohibited service, and
>> block it before the encrypted connection can be set up.
>
> Those are examples of the very things that ESNI is designed to defend
> against.

If there’s multiple sites served by a single IP address then the attack
can just indiscriminately block all of them. Encrypting name information
can’t prevent that.

--
https://www.greenend.org.uk/rjk/
