[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] Dirmngr now supports hkps
From: |
Daniel Kahn Gillmor |
Subject: |
Re: [Sks-devel] Dirmngr now supports hkps |
Date: |
Fri, 09 May 2014 17:59:40 -0300 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.5.0 |
On 05/07/2014 03:51 PM, Werner Koch wrote:
> On Wed, 7 May 2014 18:17, address@hidden said:
>> I strongly suggest using the original hostname provided as SNI when
>> performing keyserver lookups, this is also consistent with current
>
> Okay. What about a dirmngr options to enable or disable the use of the
> pool name?
I agree with Kristian that the name given by the user should be the name
sent to the remote server, and should also be the name checked against
the certificate.
Using a DNS reverse lookup to modify the name supplied to the remote
host is a violation of the security assumptions that underpin the goal
of using TLS in this case.
If i understand the reverse DNS lookup Werner is describing correctly,
an attacker capable of spoofing the DNS should be able to modify the
name that the client expects.
C: Client
D: DNS resolver (could be compromised)
S: server
C→D: give me the address for keys.example.org
D→C: keys.example.org is at 192.0.2.3
C→D: what is the name for 192.0.2.3?
D→C: the name for 192.0.2.3 is evilsite.example
C→S: hi, i would like evilsite.example
S→C: sure, here is my certificate for evilsite.example
So any S just needs a certificate for *any* domain from a trusted X.509
root authority, if the attacker able to take over or poison D.
Kerberos used to do a similar DNS reverse lookup, and they no longer
recommend doing it because of the same security concerns.
--dkg
signature.asc
Description: OpenPGP digital signature
- Re: [Sks-devel] Changes to sks-keyservers.net pools, (continued)
- Re: [Sks-devel] Changes to sks-keyservers.net pools, Daniel Austin, 2014/05/06
- Message not available
- Message not available
- Message not available
- Re: [Sks-devel] Dirmngr now supports hkps, Kristian Fiskerstrand, 2014/05/07
- Re: [Sks-devel] Dirmngr now supports hkps, Werner Koch, 2014/05/07
- Re: [Sks-devel] Dirmngr now supports hkps, Kristian Fiskerstrand, 2014/05/07
- Re: [Sks-devel] Dirmngr now supports hkps, Phil Pennock, 2014/05/08
- Re: [Sks-devel] Dirmngr now supports hkps, James Cloos, 2014/05/08
- Re: [Sks-devel] Dirmngr now supports hkps, Werner Koch, 2014/05/15
- Re: [Sks-devel] Dirmngr now supports hkps, Werner Koch, 2014/05/19
- Re: [Sks-devel] Dirmngr now supports hkps,
Daniel Kahn Gillmor <=
- Re: [Sks-devel] Dirmngr now supports hkps, Werner Koch, 2014/05/15
- Re: [Sks-devel] Dirmngr now supports hkps, Kristian Fiskerstrand, 2014/05/15