Re: RFC 9498: The GNU Name System
From: Maxime Devos
Subject: Re: RFC 9498: The GNU Name System
Date: Tue, 21 Nov 2023 18:55:42 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0

On 21-11-2023 at 08:34, Schanzenbach, Martin wrote:
> We are happy to announce that our *The GNU Name System* (GNS)
> specification is now published as RFC 9498 [0].

> in order to transparently enable this functionality for migration purposes, a
> local GNS-aware SOCKS5 proxy [RFC1928] can be configured to resolve domain names

Are you sure this is transparent? Consider the case where a website has
a log-in system, and instead of being based on passwords, it is based on
TLS client certificates (for example, https://ci.guix.gnu.org/ has such
a system to decide who is allowed to adjust ‘specifications’ and
‘restart builds’).

Given that the SOCKS5 proxy is technically a MITM attack, and client
certificates are used instead of only server certificates, I would expect (and
hope) that the SOCKS5 proxy can't convince the server that it is the client.

It's a somewhat niche use case, so mostly transparent, sure.
But transparent, without qualifiers, I don't think so.

Best regards,
Maxime Devos