undefined | Better HN

0 pointsbigiain9y ago0 comments

I wonder if this is a service Akamai/Amazon/Google/whoever-wlse-runs-lots-of-cdn-endpoints could sell to CAs? A kind of "reverse CDN request", where they can return (over TLS connections) a web page fetched from tens or hundreds of different edge servers all at once?

That'd at least mean an attacker would need to be MITMing the connection close to your server/loadbalancer instead of near to the CA?

Wouldn't help if someone was doing a Quantum Insert style attack from within your hosting infrastructure. (I wonder if there's pre-build AMIs to let you quickly spin up open source implementations of Qantum Insert on AWS already?)

0 comments

1 comments · 1 top-level

angry_octet9y ago

'All at once' is being DDOS'd so you wouldn't want that.

In general, you are going to be MITM'd near your endpoint (ISP level DNS tricks, or on your WiFi) or near the destination endpoint, very rarely somewhere in the core (although that has happened with some BGP hacking). To prevent the client being mitmd you can ask something else on the internet what their cert resolution chain was.

If the server can be mitmd with a valid cert the only solution is for all clients to contribute to a distributed consensus -- appending the cert chain they see to a distributed log.

j / k navigate · click thread line to collapse