chowells 4 days ago

Well, no. That's just not true.

I care that when I type walmart.com, I'm actually talking to walmart.com. I don't look at the browser bar or symbols on it. I care what my bookmarks do, what URLs I grab from history do, what my open tabs do, and what happens when I type things in.

Preventing local DNS servers from fucking with users is critical, as local DNS is the weakest link in a typical setup. They're often run by parties that must be treated as hostile - basically whenever you're on public wifi. Or hell, when I'm using my own ISP's default configuration. I don't trust Comcast to not MitM my connection, given the opportunity. I trust technical controls to make their desire to do so irrelevant.

Without the identity component, any DNS server provided by DHCP could be setting up a MitM attack against absolutely everything. With the identity component, they're restricted to DoS. That's a lot easier to detect, and gets a lot of very loud complaints.
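The point made in the two comments above (a lying DHCP-supplied resolver can redirect every connection, but once the client checks the server's certificate identity the worst it can do is make the connection fail) can be shown with a small model. The script below is an added example written for this thread, not code from any of the commenters: the resolvers, IP addresses, servers, certificates and trust store are all constructed toy data, and `hostname_matches` is a simplified RFC 6125-style matcher, not the one a real TLS stack uses.

```python
"""Model of why certificate identity checks reduce a rogue resolver to DoS.

Added example; all resolvers, addresses, servers, certificates and the trust
store are constructed toy data (RFC 5737 documentation address ranges).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    san: tuple[str, ...]  # dNSName entries in the Subject Alternative Name
    issuer: str           # who signed the certificate


@dataclass(frozen=True)
class Endpoint:
    cert: Cert
    banner: str           # what the client would actually be talking to


# Constructed "internet": IP address -> server that answers there.
SERVERS: dict[str, Endpoint] = {
    "203.0.113.10": Endpoint(Cert(("walmart.com", "www.walmart.com"), "TrustedCA"), "real walmart"),
    "198.51.100.7": Endpoint(Cert(("walmart.com",), "EvilCA"), "captive-portal MitM"),
    "198.51.100.8": Endpoint(Cert(("*.example.net",), "TrustedCA"), "unrelated site"),
}

# CAs the client's trust store accepts (constructed).
TRUST_STORE = frozenset({"TrustedCA"})

# Two DHCP-supplied resolvers: one honest, one that lies about walmart.com.
HONEST_DNS = {"walmart.com": "203.0.113.10"}
ROGUE_DNS = {"walmart.com": "198.51.100.7"}
# A resolver that steers the name to a server holding a valid but unrelated cert.
MISDIRECTING_DNS = {"walmart.com": "198.51.100.8"}


def hostname_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 dNSName matching: case-insensitive, wildcard only as
    the entire leftmost label, matching exactly one label, never a bare TLD."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:          # "*.com" would match every .com name
            return False
        head, sep, tail = host.partition(".")
        return bool(sep) and head != "" and tail == suffix
    return pattern == host


def verify(cert: Cert, host: str, trust_store: frozenset[str]) -> str | None:
    """Return None if the cert is acceptable for host, else the reason it is not."""
    if cert.issuer not in trust_store:
        return "untrusted issuer"
    if not any(hostname_matches(name, host) for name in cert.san):
        return "hostname mismatch"
    return None


def connect(host: str, resolver: dict[str, str], verify_identity: bool = True) -> tuple[str, str]:
    """Resolve host through the given resolver and 'connect'.

    Returns ("connected", banner) or ("dos", reason).  The only way a lying
    resolver can influence the result when verify_identity is True is to make
    the connection fail, which is a denial of service, not interception.
    """
    ip = resolver.get(host)
    if ip is None:
        return ("dos", "no DNS answer")
    endpoint = SERVERS.get(ip)
    if endpoint is None:
        return ("dos", "no server at resolved address")
    if verify_identity:
        err = verify(endpoint.cert, host, TRUST_STORE)
        if err is not None:
            return ("dos", f"refused: {err}")
    return ("connected", endpoint.banner)


if __name__ == "__main__":
    for label, resolver in (("honest", HONEST_DNS), ("rogue", ROGUE_DNS), ("misdirecting", MISDIRECTING_DNS)):
        for checking in (False, True):
            print(f"{label:12} identity={'on ' if checking else 'off'} ->",
                  connect("walmart.com", resolver, verify_identity=checking))
```

Run it and the rogue resolver silently delivers the user to the interception box when identity checking is off, but produces a visible connection failure when it is on; the same holds when the resolver points at a legitimately certified but unrelated server, because the SAN list does not cover the name that was typed.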

BrandoElFollito 4 days ago | parent

You use words that are alien to everyone. Well, there is a small uncertainty in "everyone" and it is there where the people who actually understand DHCP, DoS, etc. live. This is a very, very small place.

So no, nobody will ever look at a certificate.

When I look at them, as a security professional, I usually need to rediscover where the fuck they moved the certs details again in the browser.

chowells 4 days ago | parent

Who said a word about looking at a certificate?

I said exactly the words I meant.

> I don't look at the browser bar or symbols on it. I care what my bookmarks do, what URLs I grab from history do, what my open tabs do, and what happens when I type things in.

Without the identity component, I can't trust that those things I care about are insulated from local interference. With the identity component, I say it's fine to connect to random public wifi. Without it, it wouldn't be.

That's the relevant level. "Is it ok to connect to public wifi?" With identity validation, yes. Without, no.

hedora 4 days ago | parent

When you say identity, you mean “the identity of someone that convinced a certificate authority that they controlled walmart.com’s dns record at some point in the last 47 days, or used some sort of out of band authentication mechanism”.

You don’t mean “Walmart”, but 99% of the population thinks you do.

Is it OK to trust this for anything important? Probably not. Is it OK to type your credit card number in? Sure. You have fraud protection.

chowells 4 days ago | parent

So what you're saying is that you actually understand the identity portion is critical to how the web is used and you're just cranky. It's ok. Take a walk, get a bite to eat. You'll feel better.

hedora 3 days ago | parent

I’m not the person you were arguing with. Just explaining your misunderstanding.