Yet another Quadruple DNS?

Royce Williams royce at techsolvency.com
Fri Mar 30 14:39:41 UTC 2018


On Fri, Mar 30, 2018 at 5:30 AM, Christopher Morrow
<morrowc.lists at gmail.com> wrote:
>
> On Thu, Mar 29, 2018 at 10:32 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr>
> wrote:
>
> > Public DNS resolvers still help against "ordinary" adversaries. (If
> > your enemy is the NSA, you have other problems, anyway.)

If you're individually targeted by such an org, yes.

If you want to raise the cost of slurping up everyone's traffic in
bulk and then sifting/analytic-ing through it later, then some effort
(encrypting/verifying everything feasible, using ciphers that support
forward secrecy, MFA, etc.) is worthwhile. Bulk encryption is a
reasonable response to bulk intercept.

Raising the chances of *detecting* attempts at such interception is
also warranted. I'm not aware of any browser extensions that
incorporate the technique used by https://mitm.watch/ (or even if it's
feasible at that layer), but that would be useful, too.

> I think there's ample evidence that everyone's enemy is 'the nsa' (or other
> nation-state-actors) isn't there?

s/"nation-state"/"anyone who can intercept, alter, or inject traffic
between you and your destination"/g.

Of course, that neither solves the problem of manipulative use of your
traffic *by* your destination (*cough*Facebook/everyone*cough*) nor
the problem of compromise of the endpoint. Increasing intercept
resistance does nothing for the former (only voting, or voting with
your dollar, can impact that) ... but it can help with the latter (by
making it harder for someone to compromise your endpoint by
manipulating/mimicking traffic from your destination).

(None of this is news to most of you, but IMO clarifying the breadth
of the landscape has value).

And of course, none of this is news to Stephane:

https://tools.ietf.org/html/rfc7816

:)

Royce
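As an added illustration of the RFC 7816 reference above (this is not code from the thread or from any resolver; it is an offline simulation over a constructed delegation tree, with no real DNS traffic), the following compares what each authoritative server on the delegation path learns when a resolver sends the full query name everywhere versus when it applies QNAME minimisation. The zone names and the DELEGATIONS table are constructed for the example.

```python
"""QNAME minimisation (RFC 7816) versus classic full-name resolution.

Added example, not code from the original thread. It simulates the
delegation walk for a query name over a constructed delegation tree and
reports how many labels of the name each zone's servers get to see.
"""

# Constructed delegation tree: zone apex -> child zones it delegates.
# example.com. is authoritative for everything below it (no delegations).
DELEGATIONS = {
    ".": ["com."],
    "com.": ["example.com."],
    "example.com.": [],
}


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _labels(name: str):
    return [lab for lab in name.split(".") if lab]


def zones_on_path(qname: str, delegations=DELEGATIONS):
    """Return the zones, root first, whose servers a resolver contacts for qname."""
    labels = _labels(normalize(qname))
    zones, zone = ["."], "."
    # Walk from the rightmost label downwards while a delegation exists.
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in delegations.get(zone, []):
            zones.append(candidate)
            zone = candidate
        else:
            break
    return zones


def queries_full_name(qname: str, delegations=DELEGATIONS):
    """Classic resolution: every server on the path is sent the full name."""
    qname = normalize(qname)
    return [(zone, qname) for zone in zones_on_path(qname, delegations)]


def queries_minimised(qname: str, delegations=DELEGATIONS):
    """RFC 7816 style: each server is asked only for one label below its zone.

    Servers that delegate further see exactly one extra label. The final
    authoritative server is asked with one more label at a time until the
    full name is reached, so it (and only it) ends up seeing the whole name.
    """
    labels = _labels(normalize(qname))
    zones = zones_on_path(qname, delegations)
    out = []
    for idx, zone in enumerate(zones):
        zone_depth = len(_labels(zone))
        last = idx == len(zones) - 1
        if last:
            depths = range(zone_depth + 1, len(labels) + 1) or [len(labels)]
        else:
            depths = [zone_depth + 1]
        for d in depths:
            out.append((zone, ".".join(labels[-d:]) + "."))
    return out


def labels_seen(qname: str, minimised: bool = True, delegations=DELEGATIONS):
    """Map each zone on the path to the most labels of qname it was sent."""
    strategy = queries_minimised if minimised else queries_full_name
    seen = {}
    for zone, sent in strategy(qname, delegations):
        seen[zone] = max(seen.get(zone, 0), len(_labels(sent)))
    return seen


if __name__ == "__main__":
    name = "www.example.com"
    print("full name  :", queries_full_name(name))
    print("minimised  :", queries_minimised(name))
    print("labels seen (full)     :", labels_seen(name, minimised=False))
    print("labels seen (minimised):", labels_seen(name, minimised=True))
```

The point the numbers make: without minimisation the root and TLD servers (and anyone observing that traffic) see the full "www.example.com.", whereas with minimisation they see only "com." and "example.com." respectively; only the zone that actually answers for the name receives all of it.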