Nxdomain redirect revenue

Matthew Palmer mpalmer at hezmatt.org
Tue Sep 27 19:26:45 CDT 2011


On Tue, Sep 27, 2011 at 05:08:42PM -0500, Jimmy Hess wrote:
> On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow
> <morrowc.lists at gmail.com> wrote:
> 
> > how does tls/https help here? if you get sent to the 'wrong host'
> > whether or not it does https/tls is irrelevant, no? (save the case of
> > chrome and domain pinning)
> 
> Because the operator of the "wrong host"    cannot obtain a SSL
> certificate for the right host's domain from a legitimate CA.

Oh, if only 'twere true... even without control of the DNS for the domain,
there have been plenty of certificates erroneously issued.  With DNS
control, doing the necessary validation steps required for the issuance of a
certificate is child's play.

Then, of course, there's the issues with what constitutes a "legitimate" CA;
the list of CAs that I'd never want to trust, but which are in my browser by
default, is long and notorious.

- Matt




More information about the NANOG mailing list