4 comments

[ 3.0 ms ] story [ 27.6 ms ] thread
This exemplifies why DoH is not enough, and why we need something like DNSSEC to prevent big brother from tampering with your internet connection.

Yes, DNSSEC as specified by the RFC is flawed and many TLDs/countries don't bother with it, let's skip the usual discussions, but something like it would make tampering obvious.

To prevent regular TLS MitM attacks, we have HTTPS pinning (though HKPK died in browsers), but most DNS, even with layered encryption on top of it, has "trust me bro" as an authenticity model.

It appears this was first discovered right here on Hacker News by user JXzVB0iA: https://news.ycombinator.com/item?id=45089708

Note that the CA which did this is trusted only by Microsoft. The other major root programs (Mozilla, Chrome, Apple) manage their root programs much better and don't trust CAs like this.

Also, this CA is part of the EU's Trust List, so had the EU's original eIDAS/QWAC proposal gone through, Mozilla, Chrome, and Apple would have been required by EU law to trust this CA also.