colecmac at protonmail.com
Mon Mar 1 01:48:02 GMT 2021
- - - - - - - - - - - - - - - - - - -
> 2) If 1 is invalid, let's (introduce something new here) check if
> DNS doesn't have a TXT field with the certificate fingerprint and
> see if it matches the current one, accept if OK
Unless your computer is using DoH or DoT (or DNSSEC?? Not sure) then your DNS lookup isn't secure either. If your adversary can sit in between your traffic and change a capsule's TLS certificate then I don't see why DNS would be very different. Seems like this just adds complexity but without benefit.
makeworld