[dns-operations] Does DNSSEC provide any mitigation for SSL bugs, like Apple's?

Paul Wouters paul at nohats.ca
Tue Feb 25 16:28:16 UTC 2014


On Mon, 24 Feb 2014, Paul Hoffman wrote:

> On Feb 24, 2014, at 10:28 AM, DTNX Postmaster <postmaster at dtnx.net> wrote:
>
>> I've been wondering whether DNSSEC would provide any mitigation for
>> such an attack, if there is a validating resolver between me and the
>> attacker?
>
> Not in this case. The Apple bug allows an MITM to use the real certificate for the attacked site, while simply making up a private key.
>
> Paul W's incorrect answer assumes a bug where the MITM needs to have a valid certificate. That is the most common case, but not the one relevant here; the Apple bug allowed a certificate for which the private key didn't match.

Indeed. I was wrong. Thank you for the correction.

Paul
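The distinction drawn above (DNSSEC/DANE binds the certificate, while the handshake signature is what binds the private key to it) can be modelled in a few lines. The following is an added example, not code from the thread or from any Apple or DNS project. It uses a deliberately tiny textbook RSA built from hard-coded Mersenne primes with no padding so that it runs on the standard library alone; the certificate encoding, the TLSA record and the key-exchange parameters are all constructed here, and `goto_fail_bug` is a hypothetical switch standing in for the skipped signature check.

```python
"""Model of why DANE/DNSSEC does not catch a client that skips the
ServerKeyExchange signature check. Added example; toy RSA only."""
import hashlib


# --- toy RSA (stand-in for the server's real TLS key; no padding) ----------
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(data):
    # 128-bit truncation so the value always fits under the toy moduli
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


# --- constructed "certificates" and a DANE TLSA record ---------------------
SITE_PUB, SITE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)   # the site's real key
MITM_PUB, MITM_PRIV = make_keypair(2**107 - 1, 2**61 - 1)   # attacker's own key


def certificate(subject, pub):
    # Toy serialisation: subject plus the public key, nothing else
    n, e = pub
    return (b"CERT|" + subject.encode() + b"|"
            + n.to_bytes(32, "big") + b"|" + e.to_bytes(4, "big"))


def cert_pubkey(cert):
    _, _, n, e = cert.split(b"|")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def tlsa_record(cert):
    # usage 3 (DANE-EE), selector 0 (full certificate), matching type 1 (SHA-256)
    return (3, 0, 1, hashlib.sha256(cert).digest())


def dane_matches(tlsa, cert):
    usage, selector, mtype, assoc = tlsa
    if (selector, mtype) != (0, 1):
        return False
    return hashlib.sha256(cert).digest() == assoc


def client_accepts(tlsa, cert, skx_params, skx_signature, goto_fail_bug):
    """Model of a client's handshake checks.

    DANE binds the *certificate* presented; the ServerKeyExchange signature
    is what proves the peer holds that certificate's *private key*. The bug
    discussed in the thread skipped the latter check (goto_fail_bug=True).
    """
    if not dane_matches(tlsa, cert):
        return False
    if goto_fail_bug:
        return True                       # signature never checked
    return verify(cert_pubkey(cert), skx_params, skx_signature)


def run_scenarios():
    real_cert = certificate("www.example.com", SITE_PUB)
    tlsa = tlsa_record(real_cert)
    skx = b"ephemeral key-exchange params (constructed)"

    honest = client_accepts(tlsa, real_cert, skx, sign(SITE_PRIV, skx), False)
    # The MITM presents the genuine certificate (so DANE passes) but can only
    # sign with its own key; only the signature check can catch that.
    forged_sig = sign(MITM_PRIV, skx)
    mitm_with_bug = client_accepts(tlsa, real_cert, skx, forged_sig, True)
    mitm_fixed_client = client_accepts(tlsa, real_cert, skx, forged_sig, False)
    return {"honest": honest, "mitm_with_bug": mitm_with_bug,
            "mitm_fixed_client": mitm_fixed_client}


if __name__ == "__main__":
    print(run_scenarios())
```

The `mitm_with_bug` case is the one the thread is about: the TLSA lookup succeeds because the certificate really is the site's, so a validating resolver changes nothing; only restoring the signature check (`mitm_fixed_client`) rejects the connection.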


