[145114] in North American Network Operators' Group


Re: Nxdomain redirect revenue

daemon@ATHENA.MIT.EDU (Matthew Palmer)
Tue Sep 27 20:28:57 2011

Date: Wed, 28 Sep 2011 10:26:45 +1000
From: Matthew Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAAAwwbWSRk_gtngLRg=nQHSQRGG80J__DY6fUhs_aHcxO5bMaw@mail.gmail.com>

On Tue, Sep 27, 2011 at 05:08:42PM -0500, Jimmy Hess wrote:
> On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow
> <morrowc.lists@gmail.com> wrote:
> 
> > how does tls/https help here? if you get sent to the 'wrong host'
> > whether or not it does https/tls is irrelevant, no? (save the case of
> > chrome and domain pinning)
> 
> Because the operator of the "wrong host" cannot obtain an SSL
> certificate for the right host's domain from a legitimate CA.

Oh, if only 'twere true... even without control of the DNS for the domain,
there have been plenty of certificates erroneously issued.  With DNS
control, doing the necessary validation steps required for the issuance of a
certificate is child's play.

Then, of course, there are the issues with what constitutes a "legitimate" CA;
the list of CAs that I'd never want to trust, but which are in my browser by
default, is long and notorious.

- Matt

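Worked illustration of the point Matt makes about DNS control (an added example, not code from the thread or its authors): a minimal CA-side domain-validation check modelled on the ACME dns-01 challenge (RFC 8555, with the RFC 7638 JWK thumbprint), which postdates this 2011 thread and stands in here for the "necessary validation steps" a DV CA performs. The account keys, challenge token, domain, and zone contents are constructed, and the resolver is a dictionary stand-in for the network lookup a real CA would do.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List

# A resolver takes (owner name, RR type) and returns RDATA strings.
Resolver = Callable[[str, str], List[str]]


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """TXT value the CA expects at _acme-challenge.<domain>:
    base64url(SHA-256(token || '.' || thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def ca_validates(domain: str, token: str, jwk: Dict[str, str], resolve: Resolver) -> bool:
    """CA-side check. Its only evidence about the domain is the DNS answer."""
    expected = dns01_txt_value(token, jwk)
    return expected in resolve(f"_acme-challenge.{domain}", "TXT")


def make_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Constructed stand-in for a recursive resolver (keys are 'name/TYPE')."""
    def resolve(name: str, rrtype: str) -> List[str]:
        return list(zone.get(f"{name}/{rrtype}", []))
    return resolve


# Constructed account keys: only the thumbprint matters here, so the
# modulus values are placeholders rather than real RSA parameters.
OWNER_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-of-the-real-owner"}
ATTACKER_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-of-the-redirector"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token
DOMAIN = "example.net"


def scenario() -> Dict[str, bool]:
    """Run the same CA check against an honest view of the zone and against
    answers supplied by whoever controls what the CA's resolver sees."""
    # Honest zone: the real owner published the TXT for their own key.
    owner_zone = make_resolver({
        f"{DOMAIN}/A": ["192.0.2.10"],
        f"_acme-challenge.{DOMAIN}/TXT": [dns01_txt_value(TOKEN, OWNER_JWK)],
    })
    # "DNS control": the answers are simply rewritten to carry a TXT
    # computed for the redirector's account key.
    controlled = make_resolver({
        f"{DOMAIN}/A": ["198.51.100.7"],
        f"_acme-challenge.{DOMAIN}/TXT": [dns01_txt_value(TOKEN, ATTACKER_JWK)],
    })
    return {
        "owner_passes_with_own_key": ca_validates(DOMAIN, TOKEN, OWNER_JWK, owner_zone),
        "attacker_fails_against_owner_zone": ca_validates(DOMAIN, TOKEN, ATTACKER_JWK, owner_zone),
        "attacker_passes_with_dns_control": ca_validates(DOMAIN, TOKEN, ATTACKER_JWK, controlled),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The TXT value binds the challenge to a specific account key, so a stray record for someone else's key does not help, but nothing in the check looks beyond the resolver's answer: whoever decides what the CA's resolver returns decides the outcome, which is the sense in which the validation steps become trivial once DNS is under your control.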