undefined | Better HN

0 pointsbtgeekboy11y ago0 comments

Is that any worse than what we have now? If I can hijack your DNS, I can certainly insert or replace enough infrastructure to acquire a basic cert from numerous providers. All I really need is to hijack the MX. Bonus points if I can do it without you knowing, such that mail is first delivered to me and then on to you.

In other words, if you could put a CA into a TXT record at the root of the domain and have browsers/etc trust it, how is it any less secure than what we have now?

0 comments

technomancy11y ago

The scenario you've described leaves an audit trail. If you don't have a CA, hijacking the DNS means you can pull off an attack completely silently.

j / k navigate · click thread line to collapse

0 pointsbtgeekboy11y ago0 comments

In other words, if you could put a CA into a TXT record at the root of the domain and have browsers/etc trust it, how is it any less secure than what we have now?

0 comments

technomancy11y ago

The scenario you've described leaves an audit trail. If you don't have a CA, hijacking the DNS means you can pull off an attack completely silently.

j / k navigate · click thread line to collapse