by tptacek
2843 days ago
There are two ways to ensure the authenticity of data delivered over the Internet. You can authenticate the content or you can authenticate the channel. Overwhelmingly, practical security schemes on the Internet rely on channel security. We rely on TLS to ensure the integrity of the DOM on websites; we don't cryptographically sign the pages themselves. All things being equal, you'd like to be doing both things. You'd like to have cryptographically signed web page DOMs, for instance (among other things, it would make web crypto a lot more useful). But all things aren't equal: content authentication is difficult to manage in practice, and every security protocol we adopt has a cost. Long story short: if you can protect the channels used by DNS lookups, you can get by without protecting the content. That's roughly the idea behind DoH and DoTLS. The reality though is that all you really need is "DNS over TCP" (which, of course, we've had since basically the beginning). Practical forgery attacks against TCP DNS are difficult enough as to not be worth the trouble.
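The "DNS over TCP" framing the comment refers to, as an added example that is not the commenter's code: RFC 1035 section 4.2.2 carries each DNS message over TCP behind a two-byte big-endian length prefix, and the client still verifies the transaction ID, the QR bit, the RCODE and the echoed question before trusting an answer. The resolver address 192.0.2.53 is a placeholder from the documentation range, and `build_sample_response` fabricates an answer (example.com -> 192.0.2.1, a TEST-NET-1 address) so the parser can be exercised offline; the response checks shown are the stateless ones a client performs, while the off-path forgery difficulty the comment mentions comes from TCP itself (the forger must also hit the connection's sequence numbers, not only the 16-bit ID and the source port).

```python
import secrets
import socket
import struct


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard RFC 1035 query: header with RD set, one question, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def read_tcp_message(stream: bytes) -> tuple[bytes, bytes]:
    """Take one length-prefixed message off a TCP byte stream; returns (message, remainder)."""
    if len(stream) < 2:
        raise ValueError("short read: no length prefix")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("short read: truncated message")
    return stream[2:2 + n], stream[2 + n:]


def parse_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes, expected_txid: int, expected_qname: str) -> list[str]:
    """Validate a reply against the query we sent and return its A-record addresses."""
    if len(msg) < 12:
        raise ValueError("header too short")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):  # the question section must echo what we asked
        qname, off = parse_name(msg, off)
        off += 4
        if qname.lower() != expected_qname.rstrip(".").lower():
            raise ValueError("question section does not match our query")
    addrs = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def build_sample_response(txid: int) -> bytes:
    """Constructed reply (not real DNS data): example.com A 192.0.2.1, TTL 300, compressed owner name."""
    question = build_query("example.com", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    answer = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


def resolve_over_tcp(name: str, server: str = "192.0.2.53", port: int = 53, timeout: float = 3.0) -> list[str]:
    """Send one query over a TCP connection and parse the framed reply (server address is a placeholder)."""
    txid = secrets.randbelow(1 << 16)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(frame_tcp(build_query(name, txid)))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                raise ValueError("connection closed before a full message arrived")
            buf += chunk
    msg, _rest = read_tcp_message(buf)
    return parse_response(msg, txid, name)
```

`read_tcp_message` and `resolve_over_tcp` deliberately tolerate a reply split across several TCP segments, which is the usual way naive DNS-over-TCP clients break; the parser rejects a reply whose ID or question does not match the outstanding query, regardless of transport.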
In such a scenario a VPN is a more secure answer than DNS-over-TLS, but this isn’t a realistic answer for the average user. It has to be something that is free and easy to enable.