basic auth request
Jon Ribbens
jon+usenet at unequivocal.eu
Wed Aug 25 11:47:26 EDT 2021
On 2021-08-25, Chris Angelico <rosuav at gmail.com> wrote:
> On Thu, Aug 26, 2021 at 12:48 AM Jon Ribbens via Python-list
><python-list at python.org> wrote:
>> Another attempt at combatting this problem is DNS CAA records,
>> which are a way of politely asking all CAs in the world except the
>> ones you choose "please don't issue a certificate for my domain".
>> By definition someone who had hacked a CA would pay no attention
>> to that request, of course.
>
> True, but that would still prevent legit CAs from unwittingly
> contributing to an attack. But it still wouldn't help if someone can
> do any sort of large-scale DNS attack, which is kinda essential for
> most of this to matter anyway (it doesn't matter if an attacker has a
> fake cert if all traffic goes to the legit site anyway).
That depends whether it's a large-scale attack or targeted at some
particular person or organisation, I suppose.
> Earlier I posited a hypothetical approach wherein the server would
> sign a new cert using the old cert, and would then be able to present
> that upon request. Are there any massive glaring problems with that?
That's a very similar idea to HTTP Public Key Pinning, and apparently
there were enough problems with that that they discontinued it.
> But, maybe we're just coming back to "it doesn't matter and nobody
> really cares".
People don't care until something goes wrong, and then suddenly they
care a great deal...
More information about the Python-list
mailing list