by phil21
3533 days ago
> - Attacker generates or acquires counterfeit facebook.com certificate.

So you enabled an attack vector that has to be nullified by a deeper layer of defense? And in some cases possibly impacted by a user having to do the right thing when presented with a security warning. Why would you willingly do that?

Also I do find your assumption of ubiquitous TLS rather alarming - facebook is a poor example here, there are far softer and more valuable targets for such an attack vector to succeed.

Edit: Also to keep my replies down...

> I would personally like to configure my local caching resolver to hold onto last-known-good resolutions for a while.

You can! All these tools are open source, and there are a number of simple stub resolvers that run on Linux (I'd imagine OSX as well) which you can configure to ignore TTL. They may not be as configurable as you like, but again they are open source and I'm sure would welcome a pull request :)
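The "hold onto last-known-good resolutions" behaviour discussed in the reply above, modelled as an added, self-contained example (not code from this thread, not from any real resolver). It keeps two of the knobs a local caching resolver would expose: a TTL floor (the "ignore TTL" configuration) and a serve-stale window, within which an expired answer is still returned if the upstream lookup fails. Names, addresses and the simulated outage are constructed inputs; nothing touches the network.

```python
"""Last-known-good DNS cache with a TTL floor and a serve-stale window.

Added illustration of the resolver behaviour discussed in the thread. The
cache, the upstream answers and the outage are all constructed in memory.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Rdata = Tuple[str, ...]


@dataclass
class CacheEntry:
    rdata: Rdata      # answer records, e.g. A-record addresses
    expires: float    # absolute time at which the TTL runs out
    stored: float     # when the entry was last refreshed


class UpstreamError(Exception):
    """Upstream lookup failed (timeout, SERVFAIL, validation failure)."""


class LastKnownGoodCache:
    def __init__(self, min_ttl: int = 0, max_stale: int = 86400) -> None:
        # min_ttl: floor applied to upstream TTLs (the "ignore TTL" knob).
        # max_stale: seconds past expiry an answer may still be served when
        # the upstream lookup fails (the "hold onto last-known-good" knob).
        self.min_ttl = min_ttl
        self.max_stale = max_stale
        self._entries: Dict[str, CacheEntry] = {}

    def put(self, name: str, rdata: Rdata, ttl: int, now: float) -> None:
        ttl = max(ttl, self.min_ttl)  # never trust a TTL below the floor
        self._entries[name.lower()] = CacheEntry(tuple(rdata), now + ttl, now)

    def lookup(self, name: str, now: float) -> Tuple[Optional[Rdata], str]:
        """Return (rdata, state); state is 'fresh', 'stale' or 'miss'."""
        entry = self._entries.get(name.lower())
        if entry is None:
            return None, "miss"
        if now < entry.expires:
            return entry.rdata, "fresh"
        if now - entry.expires <= self.max_stale:
            return entry.rdata, "stale"
        return None, "miss"  # too old to be trusted even as a fallback


def resolve(cache: LastKnownGoodCache, name: str,
            upstream: Callable[[str], Tuple[Rdata, int]],
            now: float) -> Tuple[Rdata, str]:
    """Serve a fresh cached answer; otherwise ask upstream; if upstream
    fails, fall back to the last known-good answer inside max_stale."""
    name = name.lower()
    rdata, state = cache.lookup(name, now)
    if state == "fresh":
        return rdata, "cache"
    try:
        fresh_rdata, ttl = upstream(name)
    except UpstreamError:
        if state == "stale" and rdata is not None:
            return rdata, "stale"  # last known good, upstream unreachable
        raise
    cache.put(name, fresh_rdata, ttl, now)
    return tuple(fresh_rdata), "upstream"


def demo():
    """Walk through the four cases; returns the outcomes for inspection."""
    cache = LastKnownGoodCache(min_ttl=300, max_stale=3600)
    # Constructed upstream data: example.com with a 60-second TTL.
    answers = {"example.com": (("192.0.2.10",), 60)}
    outage = {"on": False}

    def upstream(name: str) -> Tuple[Rdata, int]:
        if outage["on"]:
            raise UpstreamError("simulated timeout")
        return answers[name]

    r1 = resolve(cache, "example.com", upstream, now=0)      # goes upstream
    r2 = resolve(cache, "EXAMPLE.com", upstream, now=200)    # TTL floored to 300s
    outage["on"] = True
    r3 = resolve(cache, "example.com", upstream, now=1000)   # stale, still served
    try:
        resolve(cache, "example.com", upstream, now=5000)    # beyond max_stale
        r4 = "served"
    except UpstreamError:
        r4 = "failed"
    return r1, r2, r3, r4


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fallback only applies when the upstream lookup fails outright; a successful answer always replaces the cached one, so this does not pin a record against legitimate changes, it only bridges outages. Raising the `min_ttl` floor is the part that corresponds to "ignore TTL" in the reply, and the `max_stale` bound is what keeps an old answer from being served indefinitely.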