
China, GitHub and the man-in-the-middle (Greatfire)


Posted Jan 31, 2013 17:36 UTC (Thu) by cesarb (subscriber, #6266)
In reply to: China, GitHub and the man-in-the-middle (Greatfire) by miekg
Parent article: China, GitHub and the man-in-the-middle (Greatfire)

> However this can push the Chinese government into faking the complete DNS(SEC) tree...

Not possible, since the root DNSSEC key is distributed with the software. There is no warning dialog box a user can easily dismiss; the software simply returns SERVFAIL. And there is a single root DNSSEC key, which is out of their reach, unlike the SSL model which has several root keys.

The most they can do is block DNSSEC requests, forcing all DNS resolution to fail. Since the root is signed, if a DNSSEC validating resolver cannot validate the root, it will return SERVFAIL for all queries.


China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 22:05 UTC (Thu) by tialaramex (subscriber, #21167) [Link] (2 responses)

Of course the Chinese government _could_ require you (as a citizen, or if they were really wanting to make life difficult, a visitor) to use their software, with their version of the DNS root keys. That would be completely transparent, you'd know that you had the Chinese roots and therefore were seeing only the restricted Chinese Internet, but you wouldn't have any way of reliably escaping from this situation. To bootstrap you need DNSSEC keys for the legitimate root, and there's no reason the Chinese government would let you see those, or indeed even allow a search query looking for them.
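The two comments above (cesarb's, that a validating resolver with the genuine root key returns SERVFAIL rather than accepting a forged tree, and tialaramex's, that a resolver shipped with a substituted root key will happily validate a forged tree) can be made concrete with a small toy chain-of-trust model. The following Go program is an added example and is not code from the thread or from any DNS software; it uses Ed25519 signatures and constructed zone names and addresses instead of real DNSSEC wire formats, with the parent's signature over a child's key playing the role of a DS record and a zone's signature over a record playing the role of an RRSIG. The `Validate` function models a validating resolver: it walks the chain up to the root and compares the root's key to its built-in trust anchor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Zone is a toy signed zone. KeySig is the parent's signature over the
// zone's name and public key (the DS-record role); the root has none.
type Zone struct {
	Name   string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Parent *Zone
	KeySig []byte
}

// Record is a signed answer published by a zone (the RRSIG role).
type Record struct {
	Zone  *Zone
	Name  string
	Value string
	Sig   []byte
}

// ErrServfail is what the toy resolver returns whenever the chain of trust
// does not validate against its trust anchor.
var ErrServfail = errors.New("SERVFAIL: chain of trust does not validate")

func dsMessage(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"|"), pub...)
}

func rrMessage(zone, name, value string) []byte {
	return []byte(zone + "|" + name + "|" + value)
}

// NewRoot generates a fresh root key pair; its public half is the trust anchor.
func NewRoot() *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: ".", Pub: pub, priv: priv}
}

// NewChild generates a child zone key and has the parent sign it.
func (parent *Zone) NewChild(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	child := &Zone{Name: name, Pub: pub, priv: priv, Parent: parent}
	child.KeySig = ed25519.Sign(parent.priv, dsMessage(name, pub))
	return child
}

// Sign publishes a record signed with the zone's own key.
func (z *Zone) Sign(name, value string) Record {
	return Record{Zone: z, Name: name, Value: value,
		Sig: ed25519.Sign(z.priv, rrMessage(z.Name, name, value))}
}

// Validate models a validating resolver whose only configured trust is the
// anchor key: the record signature, every parent-over-child key signature,
// and finally the root key against the anchor must all check out. A nil or
// stripped signature (DNSSEC responses blocked) fails the first check.
func Validate(r Record, anchor ed25519.PublicKey) (string, error) {
	if !ed25519.Verify(r.Zone.Pub, rrMessage(r.Zone.Name, r.Name, r.Value), r.Sig) {
		return "", ErrServfail
	}
	for z := r.Zone; ; z = z.Parent {
		if z.Parent == nil {
			if !z.Pub.Equal(anchor) {
				return "", ErrServfail
			}
			return r.Value, nil
		}
		if !ed25519.Verify(z.Parent.Pub, dsMessage(z.Name, z.Pub), z.KeySig) {
			return "", ErrServfail
		}
	}
}

func main() {
	root := NewRoot()                         // the legitimate root key
	rec := root.NewChild("example.").Sign("www.example.", "192.0.2.1") // constructed
	fmt.Println(Validate(rec, root.Pub))      // 192.0.2.1 <nil>

	fakeRoot := NewRoot()                     // a complete forged tree under a different root key
	fake := fakeRoot.NewChild("example.").Sign("www.example.", "198.51.100.9") // constructed
	fmt.Println(Validate(fake, root.Pub))     // "" SERVFAIL: the real anchor rejects it
	fmt.Println(Validate(fake, fakeRoot.Pub)) // 198.51.100.9 <nil>: a resolver shipped with the forged anchor accepts it

	rec.Sig = nil                             // signatures stripped or blocked in transit
	fmt.Println(Validate(rec, root.Pub))      // "" SERVFAIL
}
```

The three outcomes are the thread's three cases: with the genuine anchor built into the resolver, a forged tree and a blocked signature both end in SERVFAIL rather than a dismissable warning; only a resolver whose anchor has itself been replaced validates the forged tree, which is why the trust anchor's distribution channel (the software itself, and how it is updated) is the part worth protecting and monitoring.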

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 9:43 UTC (Fri) by job (guest, #670) [Link] (1 responses)

If the attacker requires you to use their special resolver software, you know what to expect. That could not get less transparent.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 11:06 UTC (Fri) by hummassa (guest, #307) [Link]

You choked me with your double (triple? quadruple?) negative. :-D


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds