
Right, which is exactly how it should be. If you want to perform a purposeful man in the middle attack on your clients, then you SHOULD be required to install your root cert on their workstations. With unencrypted DNS, it just means that you can perform the same attack with NO specific approval by the client workstation. How is that better?


You get an HTTPS error if someone performs a DNS MITM and you’re not set up specifically to trust their certificate. It’s equivalent to performing an HTTPS MITM without the root cert installed.



